From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com [209.85.167.44])
 by mx.groups.io with SMTP id smtpd.web09.57764.1622553174371197622
 for <devel@edk2.groups.io>;
 Tue, 01 Jun 2021 06:12:54 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@semihalf-com.20150623.gappssmtp.com header.s=20150623 header.b=M77OJ2ng;
 spf=none, err=SPF record not found (domain: semihalf.com, ip: 209.85.167.44, mailfrom: gjb@semihalf.com)
Received: by mail-lf1-f44.google.com with SMTP id a5so21741880lfm.0
        for <devel@edk2.groups.io>; Tue, 01 Jun 2021 06:12:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=semihalf-com.20150623.gappssmtp.com; s=20150623;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=HBQUieioNss3CayG4jeDygeTKtp9KsL+2xWttgTAYg0=;
        b=M77OJ2ngtPrEf0HQ3Akr5RconotDcQ+XN25j3hkvkSg1Of1Ve1QWpMCOzSUjXRUhvc
         +yr86l5bb2HeTssnw2T1EEUtnGgkcqGoVbCOUg3HOPP8enqJboMgk7BuiJd6mxEgx+4F
         Cqop0oNeU3TtJwyF16wrWyl9gf0+mX0xsG//IMIM7FNu1wrHTmlXpDsXn+P6HZZeRHrv
         /AAHYlIVNJZhAIvl2JgMYPZ5PRXui0NjMTfsJZsQ1ncccQkPyNDyyAMrtxmX1wzM2k28
         OMZZCB49nGjZaQ1M6DtgTOuafeomf/MoA26URh5jW3ht5+y2rljWzEGNf6S0975k96/r
         6Z0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=HBQUieioNss3CayG4jeDygeTKtp9KsL+2xWttgTAYg0=;
        b=LSLaJSzLF6tqSmEmx4xY3Ueb2aRVItxjEsfatEnGBR/jhqBiB6+UPt0fXVkzaLF9Oo
         2A3wKszir93y68vp2ApiygI3+f1uZYgkpuAdUlJvl01CIVTRKmRLTyhUtsfMx+UDlTsM
         xHQ50EcypZuKzSnaUBy+s16BiwYSoobwoW86Z6AalHAjQBiFI4zrPv5mVkoWdMnJ/jW9
         geC5cGBdU8x2z/ZQC9UNxbk3nPlSrH23yq04unoY3xKwctOWcDsQtLD5xUWMpBgisTGo
         vAeupQjj4ByKXwmzLy6lSkl8cvz12pdHTDd/XqCIOv0hlKX10fcKfwhghWg7n5l5Ql9R
         m9oQ==
X-Gm-Message-State: AOAM532vUg3m5HFpPnUb9cUW5pZ+CGilIGkhVsEReGOVsx7SelPA7Cs8
	wYz0OhbN1oNoWeeAvgtxwf3jvN/6kP5bY+6O
X-Google-Smtp-Source: ABdhPJxzEFFH918stMV4vR72P+1tMlm0Da32i00wKQIaOMktpOQ2ghLWrO0kVi4wVdbe9nA8XSYO0Q==
X-Received: by 2002:a19:911e:: with SMTP id t30mr9820425lfd.5.1622553172101;
        Tue, 01 Jun 2021 06:12:52 -0700 (PDT)
Return-Path: <gjb@semihalf.com>
Received: from gilgamesh.lab.semihalf.net ([83.142.187.85])
        by smtp.gmail.com with ESMTPSA id y5sm1681460lfa.148.2021.06.01.06.12.51
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 01 Jun 2021 06:12:51 -0700 (PDT)
From: "Grzegorz Bernacki" <gjb@semihalf.com>
To: devel@edk2.groups.io
Cc: leif@nuviainc.com,
	ardb+tianocore@kernel.org,
	Samer.El-Haj-Mahmoud@arm.com,
	sunny.Wang@arm.com,
	mw@semihalf.com,
	upstream@semihalf.com,
	jiewen.yao@intel.com,
	jian.j.wang@intel.com,
	min.m.xu@intel.com,
	lersek@redhat.com,
	Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v2 0/6] Secure Boot default keys
Date: Tue,  1 Jun 2021 15:12:22 +0200
Message-Id: <20210601131229.630611-1-gjb@semihalf.com>
X-Mailer: git-send-email 2.29.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

This patchset adds support for initialization of default
Secure Boot variables based on keys content embedded in
flash binary. This feature is active only if Secure Boot
is enabled and DEFAULT_KEY is defined. The patchset
consist also application to enroll keys from default
variables and secure boot menu change to allow user
to reset key content to default values.
Discussion on design can be found at:
https://edk2.groups.io/g/rfc/topic/82139806#600

I also added patch for RPi4 which enables this feature for
that platform.

Changes since v1:
- change names:
  SecBootVariableLib => SecureBootVariableLib
  SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
  SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
- change name of function CheckSetupMode to GetSetupMode
- remove ShellPkg dependecy from EnrollFromDefaultKeysApp
- rebase to master

Grzegorz Bernacki (6):
[edk2]
  SecurityPkg: Create library for setting Secure Boot variables.
  SecurityPkg: Create include file for default key content.
  SecurityPkg: Add SecureBootDefaultKeysDxe driver
  SecurityPkg: Add EnrollFromDefaultKeys application.
  SecurityPkg: Add new modules to Security package.
  SecurityPkg: Add option to reset secure boot keys.
[edk2-platform]
  Platform/RaspberryPi: Enable default Secure Boot variables initialization

 SecurityPkg/SecurityPkg.dec                                                             |  14 +
 SecurityPkg/SecurityPkg.dsc                                                             |   5 +
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                       |  47 +
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                     |  79 ++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf           |   2 +
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf |  46 +
 SecurityPkg/Include/Library/SecureBootVariableLib.h                                     | 252 +++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h          |   2 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr              |   6 +
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                         | 107 +++
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                       | 979 ++++++++++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c            | 343 ++++---
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   |  69 ++
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                     |  16 +
 SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62 ++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni       |   4 +
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni |  17 +
 17 files changed, 1862 insertions(+), 188 deletions(-)
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
 create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni

-- 
2.25.1