From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-lf1-f51.google.com (mail-lf1-f51.google.com [209.85.167.51]) by mx.groups.io with SMTP id smtpd.web09.5123.1622022161627166054 for ; Wed, 26 May 2021 02:42:42 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@semihalf-com.20150623.gappssmtp.com header.s=20150623 header.b=rmcWvPKc; spf=none, err=SPF record not found (domain: semihalf.com, ip: 209.85.167.51, mailfrom: gjb@semihalf.com) Received: by mail-lf1-f51.google.com with SMTP id q7so1581128lfr.6 for ; Wed, 26 May 2021 02:42:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=semihalf-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=fA/5qE0mcUMstiYAggypZzKqEmHWh8oI0auUEG+eYGk=; b=rmcWvPKccPBCVwU/8m8XJJvz2Z/pO/MMnwuq3l4KyPNz7mVhvx9rfXNlbnpCguvKBG oSPaSw5+YJq4jrytkiY/ZvewBez3thR3NsF0neYhGX4SgB8y3wsXlDTvkNOYl8a8lZ7D 8ob7EPvUyCfjuEYkDL1PG8I0XXYASgAJ8NJTph4ENCdYID2Ptq3uJLfH1Xvyg2uUl5WM h6TfgHHaPph681tprQm7GIQwG35fjFDfozAa0uakJ+01sV9WtUXMh5EVMzRwbcwwqDYE zGFrYXchb3uV5KvCWg6JvJCWQd9qHBcW7X7eUCo5hQOZNUJOoVLlxltPfM7XLjk9xvZe wpUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=fA/5qE0mcUMstiYAggypZzKqEmHWh8oI0auUEG+eYGk=; b=qZFSZjB8lGEaIN220vuqwwnDKcUQKkDkmYMqbuqkLItgGtsewVB4dlCT3+iETravHI 7Ddgg0hI2ejn/nNeyjswyAvHO9wMXc9PuAmWq/jpLEDwQiv8nZDfTGa1nTzO+NHFYCS0 3MMq7qXByXLCAZubdms9zQCi4DmChcNDgrePpgNskK0E/H3UqENvWvjvwH5pkEFJpNCE 9jzghZdq1n428vVpJ1SDmpPejKsYibOWValc1116a4tXQ9WFbTjUS0Yp9GrMR+XsGGgH S6HqDJPrt10s9LrLE4/x3gnlNRLBHH2H60mtYQzAotBVsuKwdBwztWwj9zcW7/euiJvc Qk/g== X-Gm-Message-State: AOAM533TH3YdAnvfx0B4PQzOhX7Yj6t714So3A5XHFly5T53GDwjXKxR BNtRlZGkq5LVAWDN0SWf5aUMpb9IZRbCPFr0gjM= X-Google-Smtp-Source: ABdhPJzF81rqcsYJYTp36FWuUK+Hxz5O0B63dyEClkBedJPH4yCE/h+qxDB5kPFYdEYhbyrjC9Viiw== X-Received: by 2002:a05:6512:3dac:: with SMTP id k44mr1578340lfv.256.1622022159593; Wed, 26 May 2021 02:42:39 -0700 (PDT) Return-Path: Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id y19sm2380268ljy.32.2021.05.26.02.42.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 26 May 2021 02:42:39 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, gjb@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com Subject: [PATCH 3/6] SecurityPkg: Add SecBootDefaultKeysDxe driver Date: Wed, 26 May 2021 11:42:01 +0200 Message-Id: <20210526094204.73600-5-gjb@semihalf.com> X-Mailer: git-send-email 2.29.0 In-Reply-To: <20210526094204.73600-1-gjb@semihalf.com> References: <20210526094204.73600-1-gjb@semihalf.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit This driver initializes default Secure Boot keys and databases based on keys embedded in flash. Signed-off-by: Grzegorz Bernacki --- SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf | 46 +++++++++++++ SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c | 69 ++++++++++++++++++++ SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni | 17 +++++ 3 files changed, 132 insertions(+) create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni diff --git a/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf b/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf new file mode 100644 index 0000000000..28e197ca2f --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf @@ -0,0 +1,46 @@ +## @file +# Initializes Secure Boot default keys +# +# Copyright (c) 2021, ARM Ltd. All rights reserved.
+# Copyright (c) 2021, Semihalf All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = SecBootDefaultKeysDxe + FILE_GUID = C937FCB7-25AC-4376-89A2-4EA8B317DE83 + MODULE_TYPE = DXE_DRIVER + ENTRY_POINT = SecBootDefaultKeysEntryPoint + +# +# VALID_ARCHITECTURES = IA32 X64 AARCH64 +# +[Sources] + SecBootDefaultKeysDxe.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + MemoryAllocationLib + UefiDriverEntryPoint + DebugLib + SecBootVariableLib + +[Guids] + ## SOMETIMES_PRODUCES ## Variable:L"PKDefault" + ## SOMETIMES_PRODUCES ## Variable:L"KEKDefault" + ## SOMETIMES_PRODUCES ## Variable:L"dbDefault" + ## SOMETIMES_PRODUCES ## Variable:L"dbtDefault" + ## SOMETIMES_PRODUCES ## Variable:L"dbxDefault" + gEfiGlobalVariableGuid + +[Depex] + gEfiVariableArchProtocolGuid AND + gEfiVariableWriteArchProtocolGuid + diff --git a/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c b/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c new file mode 100644 index 0000000000..a68dc2571d --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c @@ -0,0 +1,69 @@ +/** @file + This driver init default Secure Boot variables + +Copyright (c) 2021, ARM Ltd. All rights reserved.
+Copyright (c) 2021, Semihalf All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** + The entry point for SecBootDefaultKeys driver. + + @param[in] ImageHandle The image handle of the driver. + @param[in] SystemTable The system table. + + @retval EFI_ALREADY_STARTED The driver already exists in system. + @retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack of resources. + @retval EFI_SUCCESS All the related protocols are installed on the driver. + @retval Others Fail to get the SecureBootEnable variable. + +**/ +EFI_STATUS +EFIAPI +SecBootDefaultKeysEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + + Status = SecBootInitPKDefault (); + if (EFI_ERROR (Status)) { + DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __FUNCTION__, Status)); + return Status; + } + + Status = SecBootInitKEKDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __FUNCTION__, Status)); + return Status; + } + Status = SecBootInitdbDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __FUNCTION__, Status)); + return Status; + } + + Status = SecBootInitdbtDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__)); + } + + Status = SecBootInitdbxDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__)); + } + + return Status; +} + diff --git a/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni b/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni new file mode 100644 index 0000000000..30f03aee5d --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni @@ -0,0 +1,17 @@ +// /** @file +// Provides the capability to intialize Secure Boot default variables +// +// Module which initializes Secure boot default variables. +// +// Copyright (c) 2021, ARM Ltd. All rights reserved.
+// Copyright (c) 2021, Semihalf All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Module which initializes Secure boot default variables" + +#string STR_MODULE_DESCRIPTION #language en-US "This module reads embedded keys and initializes Secure Boot default variables." + -- 2.25.1