public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [PATCH v2 0/6] Secure Boot default keys
@ 2021-06-01 13:12 Grzegorz Bernacki
  2021-06-01 13:12 ` [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization Grzegorz Bernacki
                   ` (7 more replies)
  0 siblings, 8 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-06-01 13:12 UTC (permalink / raw)
  To: devel
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek,
	Grzegorz Bernacki

This patchset adds support for initialization of default
Secure Boot variables based on keys content embedded in
flash binary. This feature is active only if Secure Boot
is enabled and DEFAULT_KEY is defined. The patchset
consist also application to enroll keys from default
variables and secure boot menu change to allow user
to reset key content to default values.
Discussion on design can be found at:
https://edk2.groups.io/g/rfc/topic/82139806#600

I also added patch for RPi4 which enables this feature for
that platform.

Changes since v1:
- change names:
  SecBootVariableLib => SecureBootVariableLib
  SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
  SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
- change name of function CheckSetupMode to GetSetupMode
- remove ShellPkg dependecy from EnrollFromDefaultKeysApp
- rebase to master

Grzegorz Bernacki (6):
[edk2]
  SecurityPkg: Create library for setting Secure Boot variables.
  SecurityPkg: Create include file for default key content.
  SecurityPkg: Add SecureBootDefaultKeysDxe driver
  SecurityPkg: Add EnrollFromDefaultKeys application.
  SecurityPkg: Add new modules to Security package.
  SecurityPkg: Add option to reset secure boot keys.
[edk2-platform]
  Platform/RaspberryPi: Enable default Secure Boot variables initialization

 SecurityPkg/SecurityPkg.dec                                                             |  14 +
 SecurityPkg/SecurityPkg.dsc                                                             |   5 +
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                       |  47 +
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                     |  79 ++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf           |   2 +
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf |  46 +
 SecurityPkg/Include/Library/SecureBootVariableLib.h                                     | 252 +++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h          |   2 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr              |   6 +
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                         | 107 +++
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                       | 979 ++++++++++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c            | 343 ++++---
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   |  69 ++
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                     |  16 +
 SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62 ++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni       |   4 +
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni |  17 +
 17 files changed, 1862 insertions(+), 188 deletions(-)
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
 create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni

-- 
2.25.1


^ permalink raw reply	[flat|nested] 35+ messages in thread

* [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization
  2021-06-01 13:12 [PATCH v2 0/6] Secure Boot default keys Grzegorz Bernacki
@ 2021-06-01 13:12 ` Grzegorz Bernacki
  2021-06-02 17:40   ` [edk2-devel] " Pete Batard
                     ` (2 more replies)
  2021-06-01 13:12 ` [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
                   ` (6 subsequent siblings)
  7 siblings, 3 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-06-01 13:12 UTC (permalink / raw)
  To: devel
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek,
	Grzegorz Bernacki

This commit allows to initialize Secure Boot default key
and databases from data embedded in firmware binary.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++-
 Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4/RPi4.dsc
index d8c6fdd4bd..1fb4df0b81 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.dsc
+++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
@@ -164,7 +164,7 @@
 !if $(SECURE_BOOT_ENABLE) == TRUE
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
-
+  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
   # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
 !else
@@ -217,6 +217,7 @@
   MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
   HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
 
 [LibraryClasses.common.UEFI_DRIVER]
@@ -612,6 +613,8 @@
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
   }
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
+  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 !else
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
 !endif
diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf b/Platform/RaspberryPi/RPi4/RPi4.fdf
index 1e13909a57..0e43d24c7a 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.fdf
+++ b/Platform/RaspberryPi/RPi4/RPi4.fdf
@@ -189,7 +189,9 @@ READ_LOCK_STATUS   = TRUE
   INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
 !if $(SECURE_BOOT_ENABLE) == TRUE
+!include SecurityPkg/SecureBootDefaultKeys.fdf.inc
   INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 !endif
   INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
   INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables.
  2021-06-01 13:12 [PATCH v2 0/6] Secure Boot default keys Grzegorz Bernacki
  2021-06-01 13:12 ` [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization Grzegorz Bernacki
@ 2021-06-01 13:12 ` Grzegorz Bernacki
  2021-06-02 17:39   ` [edk2-devel] " Pete Batard
                     ` (2 more replies)
  2021-06-01 13:12 ` [PATCH v2 2/6] SecurityPkg: Create include file for default key content Grzegorz Bernacki
                   ` (5 subsequent siblings)
  7 siblings, 3 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-06-01 13:12 UTC (permalink / raw)
  To: devel
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek,
	Grzegorz Bernacki

This commits add library, which consist functions related
creation/removal Secure Boot variables. Some of the functions
was moved from SecureBootConfigImpl.c file.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/SecurityPkg.dsc                                                   |   1 +
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf           |  79 ++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf |   1 +
 SecurityPkg/Include/Library/SecureBootVariableLib.h                           | 252 +++++
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c             | 979 ++++++++++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c  | 189 +---
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni           |  16 +
 7 files changed, 1329 insertions(+), 188 deletions(-)
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
 create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni

diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index bd4b810bce..854f250625 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -70,6 +70,7 @@
   RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
   TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf
   MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
+  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
 
 [LibraryClasses.ARM]
   #
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
new file mode 100644
index 0000000000..84367841d5
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
@@ -0,0 +1,79 @@
+## @file
+#  Provides initialization of Secure Boot keys and databases.
+#
+#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = SecureBootVariableLib
+  MODULE_UNI_FILE                = SecureBootVariableLib.uni
+  FILE_GUID                      = D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = SecureBootVariableLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
+#
+
+[Sources]
+  SecureBootVariableLib.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+  CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  BaseCryptLib
+  DxeServicesLib
+
+[Guids]
+  ## CONSUMES            ## Variable:L"SetupMode"
+  ## PRODUCES            ## Variable:L"SetupMode"
+  ## CONSUMES            ## Variable:L"SecureBoot"
+  ## PRODUCES            ## Variable:L"SecureBoot"
+  ## PRODUCES            ## Variable:L"PK"
+  ## PRODUCES            ## Variable:L"KEK"
+  ## CONSUMES            ## Variable:L"PKDefault"
+  ## CONSUMES            ## Variable:L"KEKDefault"
+  ## CONSUMES            ## Variable:L"dbDefault"
+  ## CONSUMES            ## Variable:L"dbxDefault"
+  ## CONSUMES            ## Variable:L"dbtDefault"
+  gEfiGlobalVariableGuid
+
+  ## SOMETIMES_CONSUMES  ## Variable:L"DB"
+  ## SOMETIMES_CONSUMES  ## Variable:L"DBX"
+  ## SOMETIMES_CONSUMES  ## Variable:L"DBT"
+  gEfiImageSecurityDatabaseGuid
+
+  ## CONSUMES            ## Variable:L"SecureBootEnable"
+  ## PRODUCES            ## Variable:L"SecureBootEnable"
+  gEfiSecureBootEnableDisableGuid
+
+  ## CONSUMES            ## Variable:L"CustomMode"
+  ## PRODUCES            ## Variable:L"CustomMode"
+  gEfiCustomModeEnableGuid
+
+  gEfiCertTypeRsa2048Sha256Guid  ## CONSUMES
+  gEfiCertX509Guid               ## CONSUMES
+  gEfiCertPkcs7Guid              ## CONSUMES
+
+  gDefaultPKFileGuid
+  gDefaultKEKFileGuid
+  gDefaultdbFileGuid
+  gDefaultdbxFileGuid
+  gDefaultdbtFileGuid
+
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 573efa6379..30d9cd8025 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -54,6 +54,7 @@
   DevicePathLib
   FileExplorerLib
   PeCoffLib
+  SecureBootVariableLib
 
 [Guids]
   ## SOMETIMES_CONSUMES      ## Variable:L"CustomMode"
diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h
new file mode 100644
index 0000000000..2961c93a36
--- /dev/null
+++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h
@@ -0,0 +1,252 @@
+/** @file
+  Provides a function to enroll keys based on default values.
+
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __SECURE_BOOT_VARIABLE_LIB_H__
+#define __SECURE_BOOT_VARIABLE_LIB_H__
+
+/**
+
+  Set the platform secure boot mode into "Custom" or "Standard" mode.
+
+  @param[in]   SecureBootMode        New secure boot mode: STANDARD_SECURE_BOOT_MODE or
+                                     CUSTOM_SECURE_BOOT_MODE.
+
+  @return EFI_SUCCESS                The platform has switched to the special mode successfully.
+  @return other                      Fail to operate the secure boot mode.
+
+--*/
+EFI_STATUS
+SetSecureBootMode (
+  IN  UINT8  SecureBootMode
+);
+
+/**
+  Fetches the value of SetupMode variable.
+
+  @param[out] SetupMode             Pointer to UINT8 for SetupMode output
+
+  @retval other                     Error codes from GetVariable.
+--*/
+BOOLEAN
+EFIAPI
+GetSetupMode (
+  OUT UINT8 *SetupMode
+);
+
+/**
+  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
+  descriptor with the input data. NO authentication is required in this function.
+
+  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
+                                   On output, the size of data returned in Data
+                                   buffer in bytes.
+  @param[in, out]   Data           On input, Pointer to data buffer to be wrapped or
+                                   pointer to NULL to wrap an empty payload.
+                                   On output, Pointer to the new payload date buffer allocated from pool,
+                                   it's caller's responsibility to free the memory when finish using it.
+
+  @retval EFI_SUCCESS              Create time based payload successfully.
+  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources to create time based payload.
+  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
+  @retval Others                   Unexpected error happens.
+
+--*/
+EFI_STATUS
+CreateTimeBasedPayload (
+  IN OUT UINTN            *DataSize,
+  IN OUT UINT8            **Data
+);
+
+/**
+  Sets the content of the 'db' variable based on 'dbDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbFromDefault (
+  VOID
+);
+
+/**
+  Clears the content of the 'db' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDb (
+  VOID
+);
+
+/**
+  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbxFromDefault (
+  VOID
+);
+
+/**
+  Clears the content of the 'dbx' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbx (
+  VOID
+);
+
+/**
+  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbtFromDefault (
+  VOID
+);
+
+/**
+  Clears the content of the 'dbt' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbt (
+  VOID
+);
+
+/**
+  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollKEKFromDefault (
+  VOID
+);
+
+/**
+  Clears the content of the 'KEK' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteKEK (
+  VOID
+);
+
+/**
+  Sets the content of the 'PK' variable based on 'PKDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollPKFromDefault (
+  VOID
+);
+
+/**
+  Clears the content of the 'PK' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeletePlatformKey (
+  VOID
+);
+
+/** Initializes PKDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitPKDefault (
+  IN VOID
+  );
+
+/** Initializes KEKDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitKEKDefault (
+  IN VOID
+  );
+
+/** Initializes dbDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbDefault (
+  IN VOID
+  );
+
+/** Initializes dbtDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbtDefault (
+  IN VOID
+  );
+
+/** Initializes dbxDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbxDefault (
+  IN VOID
+  );
+#endif
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
new file mode 100644
index 0000000000..16bad5530a
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
@@ -0,0 +1,979 @@
+/** @file
+  This library provides functions to set/clear Secure Boot
+  keys and databases.
+
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Guid/GlobalVariable.h>
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseCryptLib.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UefiLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/SecureBootVariableLib.h>
+#include "Library/DxeServicesLib.h"
+
+/** Creates EFI Signature List structure.
+
+  @param[in]      Data     A pointer to signature data.
+  @param[in]      Size     Size of signature data.
+  @param[out]     SigList  Created Signature List.
+
+  @retval  EFI_SUCCESS           Signature List was created successfully.
+  @retval  EFI_OUT_OF_RESOURCES  Failed to allocate memory.
+--*/
+STATIC
+EFI_STATUS
+CreateSigList (
+  IN VOID                *Data,
+  IN UINTN               Size,
+  OUT EFI_SIGNATURE_LIST **SigList
+  )
+{
+  UINTN                  SigListSize;
+  EFI_SIGNATURE_LIST     *TmpSigList;
+  EFI_SIGNATURE_DATA     *SigData;
+
+  //
+  // Allocate data for Signature Database
+  //
+  SigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + Size;
+  TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize);
+  if (TmpSigList == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  //
+  // Only gEfiCertX509Guid type is supported
+  //
+  TmpSigList->SignatureListSize = (UINT32)SigListSize;
+  TmpSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + Size);
+  TmpSigList->SignatureHeaderSize = 0;
+  CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid);
+
+  //
+  // Copy key data
+  //
+  SigData = (EFI_SIGNATURE_DATA *) (TmpSigList + 1);
+  CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid);
+  CopyMem (&SigData->SignatureData[0], Data, Size);
+
+  *SigList = TmpSigList;
+
+  return EFI_SUCCESS;
+}
+
+/** Adds new signature list to signature database.
+
+  @param[in]      SigLists        A pointer to signature database.
+  @param[in]      SiglListAppend  A signature list to be added.
+  @param[out]     *SigListOut     Created signature database.
+  @param[out]     SigListsSize    A size of created signature database.
+
+  @retval  EFI_SUCCESS           Signature List was added successfully.
+  @retval  EFI_OUT_OF_RESOURCES  Failed to allocate memory.
+--*/
+STATIC
+EFI_STATUS
+ConcatenateSigList (
+  IN  EFI_SIGNATURE_LIST *SigLists,
+  IN  EFI_SIGNATURE_LIST *SigListAppend,
+  OUT EFI_SIGNATURE_LIST **SigListOut,
+  IN OUT UINTN           *SigListsSize
+)
+{
+  EFI_SIGNATURE_LIST *TmpSigList;
+  UINT8              *Offset;
+  UINTN              NewSigListsSize;
+
+  NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
+
+  TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);
+  if (TmpSigList == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  CopyMem (TmpSigList, SigLists, *SigListsSize);
+
+  Offset = (UINT8 *)TmpSigList;
+  Offset += *SigListsSize;
+  CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);
+
+  *SigListsSize = NewSigListsSize;
+  *SigListOut = TmpSigList;
+  return EFI_SUCCESS;
+}
+
+/**
+  Create a EFI Signature List with data fetched from section specified as a argument.
+  Found keys are verified using RsaGetPublicKeyFromX509().
+
+  @param[in]        KeyFileGuid    A pointer to to the FFS filename GUID
+  @param[out]       SigListsSize   A pointer to size of signature list
+  @param[out]       SigListsOut    a pointer to a callee-allocated buffer with signature lists
+
+  @retval EFI_SUCCESS              Create time based payload successfully.
+  @retval EFI_NOT_FOUND            Section with key has not been found.
+  @retval EFI_INVALID_PARAMETER    Embedded key has a wrong format.
+  @retval Others                   Unexpected error happens.
+
+--*/
+STATIC
+EFI_STATUS
+SecureBootFetchData (
+    IN  EFI_GUID           *KeyFileGuid,
+    OUT UINTN              *SigListsSize,
+    OUT EFI_SIGNATURE_LIST **SigListOut
+)
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  EFI_SIGNATURE_LIST *TmpEfiSig;
+  EFI_SIGNATURE_LIST *TmpEfiSig2;
+  EFI_STATUS         Status;
+  VOID               *Buffer;
+  VOID               *RsaPubKey;
+  UINTN               Size;
+  UINTN               KeyIndex;
+
+
+  KeyIndex = 0;
+  EfiSig = NULL;
+  *SigListsSize = 0;
+  while (1) {
+    Status = GetSectionFromAnyFv (
+               KeyFileGuid,
+               EFI_SECTION_RAW,
+               KeyIndex,
+               &Buffer,
+               &Size
+               );
+
+    if (Status == EFI_SUCCESS) {
+      RsaPubKey = NULL;
+      if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
+        DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+        if (EfiSig != NULL) {
+          FreePool(EfiSig);
+        }
+        FreePool(Buffer);
+        return EFI_INVALID_PARAMETER;
+      }
+
+      Status = CreateSigList (Buffer, Size, &TmpEfiSig);
+
+      //
+      // Concatenate lists if more than one section found
+      //
+      if (KeyIndex == 0) {
+        EfiSig = TmpEfiSig;
+        *SigListsSize = TmpEfiSig->SignatureListSize;
+      } else {
+        ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
+        FreePool (EfiSig);
+        FreePool (TmpEfiSig);
+        EfiSig = TmpEfiSig2;
+      }
+
+      KeyIndex++;
+      FreePool (Buffer);
+    } if (Status == EFI_NOT_FOUND) {
+      break;
+    }
+  };
+
+  if (KeyIndex == 0) {
+    return EFI_NOT_FOUND;
+  }
+
+  *SigListOut = EfiSig;
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
+  descriptor with the input data. NO authentication is required in this function.
+
+  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
+                                   On output, the size of data returned in Data
+                                   buffer in bytes.
+  @param[in, out]   Data           On input, Pointer to data buffer to be wrapped or
+                                   pointer to NULL to wrap an empty payload.
+                                   On output, Pointer to the new payload date buffer allocated from pool,
+                                   it's caller's responsibility to free the memory when finish using it.
+
+  @retval EFI_SUCCESS              Create time based payload successfully.
+  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources to create time based payload.
+  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
+  @retval Others                   Unexpected error happens.
+
+--*/
+EFI_STATUS
+CreateTimeBasedPayload (
+  IN OUT UINTN            *DataSize,
+  IN OUT UINT8            **Data
+  )
+{
+  EFI_STATUS                       Status;
+  UINT8                            *NewData;
+  UINT8                            *Payload;
+  UINTN                            PayloadSize;
+  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorData;
+  UINTN                            DescriptorSize;
+  EFI_TIME                         Time;
+
+  if (Data == NULL || DataSize == NULL) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  //
+  // In Setup mode or Custom mode, the variable does not need to be signed but the
+  // parameters to the SetVariable() call still need to be prepared as authenticated
+  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
+  // data in it.
+  //
+  Payload     = *Data;
+  PayloadSize = *DataSize;
+
+  DescriptorSize    = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
+  NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
+  if (NewData == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  if ((Payload != NULL) && (PayloadSize != 0)) {
+    CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
+  }
+
+  DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
+
+  ZeroMem (&Time, sizeof (EFI_TIME));
+  Status = gRT->GetTime (&Time, NULL);
+  if (EFI_ERROR (Status)) {
+    FreePool(NewData);
+    return Status;
+  }
+  Time.Pad1       = 0;
+  Time.Nanosecond = 0;
+  Time.TimeZone   = 0;
+  Time.Daylight   = 0;
+  Time.Pad2       = 0;
+  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
+
+  DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
+  DescriptorData->AuthInfo.Hdr.wRevision        = 0x0200;
+  DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
+  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
+
+  if (Payload != NULL) {
+    FreePool(Payload);
+  }
+
+  *DataSize = DescriptorSize + PayloadSize;
+  *Data     = NewData;
+  return EFI_SUCCESS;
+}
+
+/**
+  Internal helper function to delete a Variable given its name and GUID, NO authentication
+  required.
+
+  @param[in]      VariableName            Name of the Variable.
+  @param[in]      VendorGuid              GUID of the Variable.
+
+  @retval EFI_SUCCESS              Variable deleted successfully.
+  @retval Others                   The driver failed to start the device.
+
+--*/
+EFI_STATUS
+DeleteVariable (
+  IN  CHAR16                    *VariableName,
+  IN  EFI_GUID                  *VendorGuid
+  )
+{
+  EFI_STATUS              Status;
+  VOID*                   Variable;
+  UINT8                   *Data;
+  UINTN                   DataSize;
+  UINT32                  Attr;
+
+  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
+  if (Variable == NULL) {
+    return EFI_SUCCESS;
+  }
+  FreePool (Variable);
+
+  Data     = NULL;
+  DataSize = 0;
+  Attr     = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
+             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
+
+  Status = CreateTimeBasedPayload (&DataSize, &Data);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
+    return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  VariableName,
+                  VendorGuid,
+                  Attr,
+                  DataSize,
+                  Data
+                  );
+  if (Data != NULL) {
+    FreePool (Data);
+  }
+  return Status;
+}
+
+/**
+
+  Set the platform secure boot mode into "Custom" or "Standard" mode.
+
+  @param[in]   SecureBootMode        New secure boot mode: STANDARD_SECURE_BOOT_MODE or
+                                     CUSTOM_SECURE_BOOT_MODE.
+
+  @return EFI_SUCCESS                The platform has switched to the special mode successfully.
+  @return other                      Fail to operate the secure boot mode.
+
+--*/
+EFI_STATUS
+SetSecureBootMode (
+  IN  UINT8  SecureBootMode
+  )
+{
+  return gRT->SetVariable (
+                EFI_CUSTOM_MODE_NAME,
+                &gEfiCustomModeEnableGuid,
+                EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                sizeof (UINT8),
+                &SecureBootMode
+                );
+}
+
+
+/**
+  Enroll a key/certificate based on a default variable.
+
+  @param[in] VariableName        The name of the key/database.
+  @param[in] DefaultName         The name of the default variable.
+  @param[in] VendorGuid          The namespace (ie. vendor GUID) of the variable
+
+
+  @retval EFI_OUT_OF_RESOURCES   Out of memory while allocating AuthHeader.
+  @retval EFI_SUCCESS            Successful enrollment.
+  @return                        Error codes from GetTime () and SetVariable ().
+--*/
+STATIC
+EFI_STATUS
+EnrollFromDefault (
+  IN CHAR16   *VariableName,
+  IN CHAR16   *DefaultName,
+  IN EFI_GUID *VendorGuid
+  )
+{
+  VOID       *Data;
+  UINTN       DataSize;
+  EFI_STATUS  Status;
+
+  Status = EFI_SUCCESS;
+
+  DataSize = 0;
+  Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);
+  if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));
+      return Status;
+  }
+
+  CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
+    return Status;
+  }
+
+  //
+  // Allocate memory for auth variable
+  //
+  Status = gRT->SetVariable (
+                  VariableName,
+                  VendorGuid,
+                  (EFI_VARIABLE_NON_VOLATILE |
+                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                   EFI_VARIABLE_RUNTIME_ACCESS |
+                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
+                  DataSize,
+                  Data
+                  );
+
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, VariableName,
+      VendorGuid, Status));
+  }
+
+  if (Data != NULL) {
+    FreePool (Data);
+  }
+
+  return Status;
+}
+
+/** Initializes PKDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitPKDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8               *Data;
+  UINTN               DataSize;
+
+  //
+  // Check if variable exists, if so do not change it
+  //
+  Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  //
+  // Variable does not exist, can be initialized
+  //
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+    return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  EFI_PK_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return Status;
+}
+
+/** Initializes KEKDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitKEKDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8              *Data;
+  UINTN               DataSize;
+
+  //
+  // Check if variable exists, if so do not change it
+  //
+  Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  //
+  // Variable does not exist, can be initialized
+  //
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+    return Status;
+  }
+
+
+  Status = gRT->SetVariable (
+                  EFI_KEK_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return Status;
+}
+
+/** Initializes dbDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8              *Data;
+  UINTN               DataSize;
+
+  Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+      return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  EFI_DB_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return Status;
+}
+
+/** Initializes dbxDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbxDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8              *Data;
+  UINTN               DataSize;
+
+  //
+  // Check if variable exists, if so do not change it
+  //
+  Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  //
+  // Variable does not exist, can be initialized
+  //
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+    return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  EFI_DBX_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return Status;
+}
+
+/** Initializes dbtDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbtDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8              *Data;
+  UINTN               DataSize;
+
+  //
+  // Check if variable exists, if so do not change it
+  //
+  Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  //
+  // Variable does not exist, can be initialized
+  //
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+      return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  EFI_DBT_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Fetches the value of SetupMode variable.
+
+  @param[out] SetupMode             Pointer to UINT8 for SetupMode output
+
+  @retval other                     Retval from GetVariable.
+--*/
+BOOLEAN
+EFIAPI
+GetSetupMode (
+    OUT UINT8 *SetupMode
+)
+{
+  UINTN      Size;
+  EFI_STATUS Status;
+
+  Size = sizeof (*SetupMode);
+  Status = gRT->GetVariable (
+                  EFI_SETUP_MODE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  NULL,
+                  &Size,
+                  SetupMode
+                  );
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Sets the content of the 'db' variable based on 'dbDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_IMAGE_SECURITY_DATABASE,
+             EFI_DB_DEFAULT_VARIABLE_NAME,
+             &gEfiImageSecurityDatabaseGuid
+             );
+
+  return Status;
+}
+
+/**
+  Clears the content of the 'db' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDb (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = DeleteVariable (
+             EFI_IMAGE_SECURITY_DATABASE,
+             &gEfiImageSecurityDatabaseGuid
+             );
+
+  return Status;
+}
+
+/**
+  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbxFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_IMAGE_SECURITY_DATABASE1,
+             EFI_DBX_DEFAULT_VARIABLE_NAME,
+             &gEfiImageSecurityDatabaseGuid
+             );
+
+  return Status;
+}
+
+/**
+  Clears the content of the 'dbx' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbx (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = DeleteVariable (
+             EFI_IMAGE_SECURITY_DATABASE1,
+             &gEfiImageSecurityDatabaseGuid
+             );
+
+  return Status;
+}
+
+/**
+  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbtFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_IMAGE_SECURITY_DATABASE2,
+             EFI_DBT_DEFAULT_VARIABLE_NAME,
+             &gEfiImageSecurityDatabaseGuid);
+
+  return Status;
+}
+
+/**
+  Clears the content of the 'dbt' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbt (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = DeleteVariable (
+             EFI_IMAGE_SECURITY_DATABASE2,
+             &gEfiImageSecurityDatabaseGuid
+             );
+
+  return Status;
+}
+
+/**
+  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollKEKFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_KEY_EXCHANGE_KEY_NAME,
+             EFI_KEK_DEFAULT_VARIABLE_NAME,
+             &gEfiGlobalVariableGuid
+             );
+
+  return Status;
+}
+
+/**
+  Clears the content of the 'KEK' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteKEK (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = DeleteVariable (
+             EFI_KEY_EXCHANGE_KEY_NAME,
+             &gEfiGlobalVariableGuid
+             );
+
+  return Status;
+}
+
+/**
+  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollPKFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_PLATFORM_KEY_NAME,
+             EFI_PK_DEFAULT_VARIABLE_NAME,
+             &gEfiGlobalVariableGuid
+             );
+
+  return Status;
+}
+
+/**
+  Remove the PK variable.
+
+  @retval EFI_SUCCESS    Delete PK successfully.
+  @retval Others         Could not allow to delete PK.
+
+--*/
+EFI_STATUS
+DeletePlatformKey (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  Status = DeleteVariable (
+             EFI_PLATFORM_KEY_NAME,
+             &gEfiGlobalVariableGuid
+             );
+  return Status;
+}
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index e82bfe7757..67e5e594ed 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #include "SecureBootConfigImpl.h"
 #include <Library/BaseCryptLib.h>
+#include <Library/SecureBootVariableLib.h>
 
 CHAR16              mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION";
 
@@ -237,168 +238,6 @@ SaveSecureBootVariable (
   return Status;
 }
 
-/**
-  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
-  descriptor with the input data. NO authentication is required in this function.
-
-  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
-                                   On output, the size of data returned in Data
-                                   buffer in bytes.
-  @param[in, out]   Data           On input, Pointer to data buffer to be wrapped or
-                                   pointer to NULL to wrap an empty payload.
-                                   On output, Pointer to the new payload date buffer allocated from pool,
-                                   it's caller's responsibility to free the memory when finish using it.
-
-  @retval EFI_SUCCESS              Create time based payload successfully.
-  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources to create time based payload.
-  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
-  @retval Others                   Unexpected error happens.
-
-**/
-EFI_STATUS
-CreateTimeBasedPayload (
-  IN OUT UINTN            *DataSize,
-  IN OUT UINT8            **Data
-  )
-{
-  EFI_STATUS                       Status;
-  UINT8                            *NewData;
-  UINT8                            *Payload;
-  UINTN                            PayloadSize;
-  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorData;
-  UINTN                            DescriptorSize;
-  EFI_TIME                         Time;
-
-  if (Data == NULL || DataSize == NULL) {
-    return EFI_INVALID_PARAMETER;
-  }
-
-  //
-  // In Setup mode or Custom mode, the variable does not need to be signed but the
-  // parameters to the SetVariable() call still need to be prepared as authenticated
-  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
-  // data in it.
-  //
-  Payload     = *Data;
-  PayloadSize = *DataSize;
-
-  DescriptorSize    = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
-  NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
-  if (NewData == NULL) {
-    return EFI_OUT_OF_RESOURCES;
-  }
-
-  if ((Payload != NULL) && (PayloadSize != 0)) {
-    CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
-  }
-
-  DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
-
-  ZeroMem (&Time, sizeof (EFI_TIME));
-  Status = gRT->GetTime (&Time, NULL);
-  if (EFI_ERROR (Status)) {
-    FreePool(NewData);
-    return Status;
-  }
-  Time.Pad1       = 0;
-  Time.Nanosecond = 0;
-  Time.TimeZone   = 0;
-  Time.Daylight   = 0;
-  Time.Pad2       = 0;
-  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
-
-  DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
-  DescriptorData->AuthInfo.Hdr.wRevision        = 0x0200;
-  DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
-  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
-
-  if (Payload != NULL) {
-    FreePool(Payload);
-  }
-
-  *DataSize = DescriptorSize + PayloadSize;
-  *Data     = NewData;
-  return EFI_SUCCESS;
-}
-
-/**
-  Internal helper function to delete a Variable given its name and GUID, NO authentication
-  required.
-
-  @param[in]      VariableName            Name of the Variable.
-  @param[in]      VendorGuid              GUID of the Variable.
-
-  @retval EFI_SUCCESS              Variable deleted successfully.
-  @retval Others                   The driver failed to start the device.
-
-**/
-EFI_STATUS
-DeleteVariable (
-  IN  CHAR16                    *VariableName,
-  IN  EFI_GUID                  *VendorGuid
-  )
-{
-  EFI_STATUS              Status;
-  VOID*                   Variable;
-  UINT8                   *Data;
-  UINTN                   DataSize;
-  UINT32                  Attr;
-
-  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
-  if (Variable == NULL) {
-    return EFI_SUCCESS;
-  }
-  FreePool (Variable);
-
-  Data     = NULL;
-  DataSize = 0;
-  Attr     = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
-             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
-  Status = CreateTimeBasedPayload (&DataSize, &Data);
-  if (EFI_ERROR (Status)) {
-    DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
-    return Status;
-  }
-
-  Status = gRT->SetVariable (
-                  VariableName,
-                  VendorGuid,
-                  Attr,
-                  DataSize,
-                  Data
-                  );
-  if (Data != NULL) {
-    FreePool (Data);
-  }
-  return Status;
-}
-
-/**
-
-  Set the platform secure boot mode into "Custom" or "Standard" mode.
-
-  @param[in]   SecureBootMode        New secure boot mode: STANDARD_SECURE_BOOT_MODE or
-                                     CUSTOM_SECURE_BOOT_MODE.
-
-  @return EFI_SUCCESS                The platform has switched to the special mode successfully.
-  @return other                      Fail to operate the secure boot mode.
-
-**/
-EFI_STATUS
-SetSecureBootMode (
-  IN     UINT8         SecureBootMode
-  )
-{
-  return gRT->SetVariable (
-                EFI_CUSTOM_MODE_NAME,
-                &gEfiCustomModeEnableGuid,
-                EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-                sizeof (UINT8),
-                &SecureBootMode
-                );
-}
-
 /**
   This code checks if the encode type and key strength of X.509
   certificate is qualified.
@@ -646,32 +485,6 @@ ON_EXIT:
   return Status;
 }
 
-/**
-  Remove the PK variable.
-
-  @retval EFI_SUCCESS    Delete PK successfully.
-  @retval Others         Could not allow to delete PK.
-
-**/
-EFI_STATUS
-DeletePlatformKey (
-  VOID
-)
-{
-  EFI_STATUS Status;
-
-  Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
-  if (EFI_ERROR (Status)) {
-    return Status;
-  }
-
-  Status = DeleteVariable (
-             EFI_PLATFORM_KEY_NAME,
-             &gEfiGlobalVariableGuid
-             );
-  return Status;
-}
-
 /**
   Enroll a new KEK item from public key storing file (*.pbk).
 
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
new file mode 100644
index 0000000000..2c51e4db53
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
@@ -0,0 +1,16 @@
+// /** @file
+//
+// Provides initialization of Secure Boot keys and databases.
+//
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Provides function to initialize PK, KEK and databases based on default variables."
+
+#string STR_MODULE_DESCRIPTION          #language en-US "Provides function to initialize PK, KEK and databases based on default variables."
+
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* [PATCH v2 2/6] SecurityPkg: Create include file for default key content.
  2021-06-01 13:12 [PATCH v2 0/6] Secure Boot default keys Grzegorz Bernacki
  2021-06-01 13:12 ` [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization Grzegorz Bernacki
  2021-06-01 13:12 ` [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
@ 2021-06-01 13:12 ` Grzegorz Bernacki
  2021-06-02 17:39   ` [edk2-devel] " Pete Batard
                     ` (2 more replies)
  2021-06-01 13:12 ` [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
                   ` (4 subsequent siblings)
  7 siblings, 3 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-06-01 13:12 UTC (permalink / raw)
  To: devel
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek,
	Grzegorz Bernacki

This commits add file which can be included by platform Flash
Description File. It allows to specify certificate files, which
will be embedded into binary file. The content of these files
can be used to initialize Secure Boot default keys and databases.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 ++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc

diff --git a/SecurityPkg/SecureBootDefaultKeys.fdf.inc b/SecurityPkg/SecureBootDefaultKeys.fdf.inc
new file mode 100644
index 0000000000..056586b204
--- /dev/null
+++ b/SecurityPkg/SecureBootDefaultKeys.fdf.inc
@@ -0,0 +1,62 @@
+
+!if $(DEFAULT_KEYS) == TRUE
+  FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
+  !ifdef $(PK_DEFAULT_FILE)
+    SECTION RAW = $(PK_DEFAULT_FILE)
+  !endif
+    SECTION UI = "PK Default"
+  }
+
+  FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
+  !ifdef $(KEK_DEFAULT_FILE1)
+    SECTION RAW = $(KEK_DEFAULT_FILE1)
+  !endif
+  !ifdef $(KEK_DEFAULT_FILE2)
+    SECTION RAW = $(KEK_DEFAULT_FILE2)
+  !endif
+  !ifdef $(KEK_DEFAULT_FILE3)
+    SECTION RAW = $(KEK_DEFAULT_FILE3)
+  !endif
+    SECTION UI = "KEK Default"
+  }
+
+  FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
+  !ifdef $(DB_DEFAULT_FILE1)
+    SECTION RAW = $(DB_DEFAULT_FILE1)
+  !endif
+  !ifdef $(DB_DEFAULT_FILE2)
+    SECTION RAW = $(DB_DEFAULT_FILE2)
+  !endif
+  !ifdef $(DB_DEFAULT_FILE3)
+    SECTION RAW = $(DB_DEFAULT_FILE3)
+  !endif
+    SECTION UI = "DB Default"
+  }
+
+  FILE FREEFORM = 36c513ee-a338-4976-a0fb-6ddba3dafe87 {
+  !ifdef $(DBT_DEFAULT_FILE1)
+    SECTION RAW = $(DBT_DEFAULT_FILE1)
+  !endif
+  !ifdef $(DBT_DEFAULT_FILE2)
+    SECTION RAW = $(DBT_DEFAULT_FILE2)
+  !endif
+  !ifdef $(DBT_DEFAULT_FILE3)
+    SECTION RAW = $(DBT_DEFAULT_FILE3)
+  !endif
+    SECTION UI = "DBT Default"
+  }
+
+  FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {
+  !ifdef $(DBX_DEFAULT_FILE1)
+    SECTION RAW = $(DBX_DEFAULT_FILE1)
+  !endif
+  !ifdef $(DBX_DEFAULT_FILE2)
+    SECTION RAW = $(DBX_DEFAULT_FILE2)
+  !endif
+  !ifdef $(DBX_DEFAULT_FILE3)
+    SECTION RAW = $(DBX_DEFAULT_FILE3)
+  !endif
+    SECTION UI = "DBX Default"
+  }
+
+!endif
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver
  2021-06-01 13:12 [PATCH v2 0/6] Secure Boot default keys Grzegorz Bernacki
                   ` (2 preceding siblings ...)
  2021-06-01 13:12 ` [PATCH v2 2/6] SecurityPkg: Create include file for default key content Grzegorz Bernacki
@ 2021-06-01 13:12 ` Grzegorz Bernacki
  2021-06-02 17:39   ` [edk2-devel] " Pete Batard
                     ` (2 more replies)
  2021-06-01 13:12 ` [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
                   ` (3 subsequent siblings)
  7 siblings, 3 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-06-01 13:12 UTC (permalink / raw)
  To: devel
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek,
	Grzegorz Bernacki

This driver initializes default Secure Boot keys and databases
based on keys embedded in flash.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 46 +++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   | 69 ++++++++++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 17 +++++
 3 files changed, 132 insertions(+)
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
new file mode 100644
index 0000000000..27345eab2e
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
@@ -0,0 +1,46 @@
+## @file
+#  Initializes Secure Boot default keys
+#
+#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+[Defines]
+  INF_VERSION = 0x00010005
+  BASE_NAME   = SecureBootDefaultKeysDxe
+  FILE_GUID   = C937FCB7-25AC-4376-89A2-4EA8B317DE83
+  MODULE_TYPE = DXE_DRIVER
+  ENTRY_POINT = SecureBootDefaultKeysEntryPoint
+
+#
+#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
+#
+[Sources]
+  SecureBootDefaultKeysDxe.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  MemoryAllocationLib
+  UefiDriverEntryPoint
+  DebugLib
+  SecureBootVariableLib
+
+[Guids]
+  ## SOMETIMES_PRODUCES      ## Variable:L"PKDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"KEKDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"dbDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"dbtDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"dbxDefault"
+  gEfiGlobalVariableGuid
+
+[Depex]
+  gEfiVariableArchProtocolGuid      AND
+  gEfiVariableWriteArchProtocolGuid
+
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
new file mode 100644
index 0000000000..0928489e15
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
@@ -0,0 +1,69 @@
+/** @file
+  This driver init default Secure Boot variables
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/SecureBootVariableLib.h>
+
+/**
+  The entry point for SecureBootDefaultKeys driver.
+
+  @param[in]  ImageHandle        The image handle of the driver.
+  @param[in]  SystemTable        The system table.
+
+  @retval EFI_ALREADY_STARTED    The driver already exists in system.
+  @retval EFI_OUT_OF_RESOURCES   Fail to execute entry point due to lack of resources.
+  @retval EFI_SUCCESS            All the related protocols are installed on the driver.
+  @retval Others                 Fail to get the SecureBootEnable variable.
+
+**/
+EFI_STATUS
+EFIAPI
+SecureBootDefaultKeysEntryPoint (
+  IN EFI_HANDLE          ImageHandle,
+  IN EFI_SYSTEM_TABLE    *SystemTable
+  )
+{
+  EFI_STATUS  Status;
+
+  Status = SecureBootInitPKDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __FUNCTION__, Status));
+    return Status;
+  }
+
+  Status = SecureBootInitKEKDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __FUNCTION__, Status));
+    return Status;
+  }
+  Status = SecureBootInitdbDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __FUNCTION__, Status));
+    return Status;
+  }
+
+  Status = SecureBootInitdbtDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__));
+  }
+
+  Status = SecureBootInitdbxDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__));
+  }
+
+  return Status;
+}
+
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
new file mode 100644
index 0000000000..30f03aee5d
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
@@ -0,0 +1,17 @@
+// /** @file
+// Provides the capability to intialize Secure Boot default variables
+//
+// Module which initializes Secure boot default variables.
+//
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Module which initializes Secure boot default variables"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This module reads embedded keys and initializes Secure Boot default variables."
+
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application.
  2021-06-01 13:12 [PATCH v2 0/6] Secure Boot default keys Grzegorz Bernacki
                   ` (3 preceding siblings ...)
  2021-06-01 13:12 ` [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
@ 2021-06-01 13:12 ` Grzegorz Bernacki
  2021-06-02 17:40   ` [edk2-devel] " Pete Batard
  2021-06-04  8:24   ` Sunny Wang
  2021-06-01 13:12 ` [PATCH v2 5/6] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
                   ` (2 subsequent siblings)
  7 siblings, 2 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-06-01 13:12 UTC (permalink / raw)
  To: devel
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek,
	Grzegorz Bernacki

This application allows user to force key enrollment from
Secure Boot default variables.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf |  47 +++++++++
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c   | 107 ++++++++++++++++++++
 2 files changed, 154 insertions(+)
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c

diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
new file mode 100644
index 0000000000..4d79ca3844
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
@@ -0,0 +1,47 @@
+## @file
+#  Enroll PK, KEK, db, dbx from Default variables
+#
+#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+  INF_VERSION                    = 1.28
+  BASE_NAME                      = EnrollFromDefaultKeysApp
+  FILE_GUID                      = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
+  MODULE_TYPE                    = UEFI_APPLICATION
+  VERSION_STRING                 = 0.1
+  ENTRY_POINT                    = UefiMain
+
+[Sources]
+  EnrollFromDefaultKeysApp.c
+
+[Packages]
+  MdeModulePkg/MdeModulePkg.dec
+  MdePkg/MdePkg.dec
+  SecurityPkg/SecurityPkg.dec
+
+[Guids]
+  gEfiCertPkcs7Guid
+  gEfiCertSha256Guid
+  gEfiCertX509Guid
+  gEfiCustomModeEnableGuid
+  gEfiGlobalVariableGuid
+  gEfiImageSecurityDatabaseGuid
+  gEfiSecureBootEnableDisableGuid
+
+[Protocols]
+  gEfiSmbiosProtocolGuid ## CONSUMES
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  PrintLib
+  UefiApplicationEntryPoint
+  UefiBootServicesTableLib
+  UefiLib
+  UefiRuntimeServicesTableLib
+  SecureBootVariableLib
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
new file mode 100644
index 0000000000..1907ce1d4e
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
@@ -0,0 +1,107 @@
+/** @file
+  Enroll default PK, KEK, db, dbx.
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseLib.h>                     // GUID_STRING_LENGTH
+#include <Library/BaseMemoryLib.h>               // CopyGuid()
+#include <Library/DebugLib.h>                    // ASSERT()
+#include <Library/MemoryAllocationLib.h>         // FreePool()
+#include <Library/PrintLib.h>                    // AsciiSPrint()
+#include <Library/UefiBootServicesTableLib.h>    // gBS
+#include <Library/UefiLib.h>                     // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+#include <Uefi/UefiMultiPhase.h>
+#include <Library/SecureBootVariableLib.h>
+
+#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)
+
+/**
+  Entry point function of this shell application.
+**/
+EFI_STATUS
+EFIAPI
+UefiMain (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  EFI_STATUS Status;
+  UINT8      SetupMode;
+
+  Status = GetSetupMode (&SetupMode);
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot get SetupMode variable: %r\n", Status);
+    return 1;
+  }
+
+  if (SetupMode == USER_MODE) {
+    FAIL ("Skipped - USER_MODE\n");
+    return 1;
+  }
+
+  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
+    return 1;
+  }
+
+  Status = EnrollDbFromDefault ();
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot enroll db: %r\n", Status);
+    goto error;
+  }
+
+  Status = EnrollDbxFromDefault ();
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot enroll dbt: %r\n", Status);
+  }
+
+  Status = EnrollDbtFromDefault ();
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot enroll dbx: %r\n", Status);
+  }
+
+  Status = EnrollKEKFromDefault ();
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot enroll KEK: %r\n", Status);
+    goto cleardbs;
+  }
+
+  Status = EnrollPKFromDefault ();
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot enroll PK: %r\n", Status);
+    goto clearKEK;
+  }
+
+  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+      "Please do it manually, otherwise system can be easily compromised\n");
+  }
+  return 0;
+
+clearKEK:
+  DeleteKEK ();
+
+cleardbs:
+  DeleteDbt ();
+  DeleteDbx ();
+  DeleteDb ();
+
+error:
+  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+      "Please do it manually, otherwise system can be easily compromised\n");
+  }
+
+  return 1;
+}
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* [PATCH v2 5/6] SecurityPkg: Add new modules to Security package.
  2021-06-01 13:12 [PATCH v2 0/6] Secure Boot default keys Grzegorz Bernacki
                   ` (4 preceding siblings ...)
  2021-06-01 13:12 ` [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
@ 2021-06-01 13:12 ` Grzegorz Bernacki
  2021-06-02 17:40   ` [edk2-devel] " Pete Batard
                     ` (2 more replies)
  2021-06-01 13:12 ` [PATCH v2 6/6] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
  2021-06-04  8:17 ` [PATCH v2 0/6] Secure Boot default keys Min Xu
  7 siblings, 3 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-06-01 13:12 UTC (permalink / raw)
  To: devel
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek,
	Grzegorz Bernacki

This commits adds modules related to initialization and
usage of default Secure Boot key variables to SecurityPkg.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/SecurityPkg.dec | 14 ++++++++++++++
 SecurityPkg/SecurityPkg.dsc |  4 ++++
 2 files changed, 18 insertions(+)

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 4001650fa2..dad3cae0ba 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -190,6 +190,20 @@
   ## GUID used to enforce loading order between Tcg2Acpi and Tcg2Smm
   gTcg2MmSwSmiRegisteredGuid         = { 0x9d4548b9, 0xa48d, 0x4db4, { 0x9a, 0x68, 0x32, 0xc5, 0x13, 0x9e, 0x20, 0x18 } }
 
+  ## GUID used to specify section with default PK content
+  gDefaultPKFileGuid                 = { 0x85254ea7, 0x4759, 0x4fc4, { 0x82, 0xd4, 0x5e, 0xed, 0x5f, 0xb0, 0xa4, 0xa0 } }
+
+  ## GUID used to specify section with default KEK content
+  gDefaultKEKFileGuid                = { 0x6f64916e, 0x9f7a, 0x4c35, { 0xb9, 0x52, 0xcd, 0x04, 0x1e, 0xfb, 0x05, 0xa3 } }
+
+  ## GUID used to specify section with default db content
+  gDefaultdbFileGuid                 = { 0xc491d352, 0x7623, 0x4843, { 0xac, 0xcc, 0x27, 0x91, 0xa7, 0x57, 0x44, 0x21 } }
+
+  ## GUID used to specify section with default dbt content
+  gDefaultdbxFileGuid                = { 0x5740766a, 0x718e, 0x4dc0, { 0x99, 0x35, 0xc3, 0x6f, 0x7d, 0x3f, 0x88, 0x4f } }
+
+  ## GUID used to specify section with default dbx content
+  gDefaultdbtFileGuid                = { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } }
 
 [Ppis]
   ## The PPI GUID for that TPM physical presence should be locked.
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 854f250625..e031775ca8 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -259,6 +259,10 @@
 
 [Components.IA32, Components.X64, Components.ARM, Components.AARCH64]
   SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+  SecurityPkg/EnrollFromDefaultKeys/EnrollFromDefaultKeys.inf
+  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys/SecureBootDefaultKeys.inf
+
 
 [Components.IA32, Components.X64, Components.AARCH64]
   #
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* [PATCH v2 6/6] SecurityPkg: Add option to reset secure boot keys.
  2021-06-01 13:12 [PATCH v2 0/6] Secure Boot default keys Grzegorz Bernacki
                   ` (5 preceding siblings ...)
  2021-06-01 13:12 ` [PATCH v2 5/6] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
@ 2021-06-01 13:12 ` Grzegorz Bernacki
  2021-06-02 17:40   ` [edk2-devel] " Pete Batard
  2021-06-04  8:30   ` Sunny Wang
  2021-06-04  8:17 ` [PATCH v2 0/6] Secure Boot default keys Min Xu
  7 siblings, 2 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-06-01 13:12 UTC (permalink / raw)
  To: devel
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek,
	Grzegorz Bernacki

This commit add option which allows reset content of Secure Boot
keys and databases to default variables.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf     |   1 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h    |   2 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr        |   6 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c      | 154 ++++++++++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni |   4 +
 5 files changed, 167 insertions(+)

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 30d9cd8025..bd8d256dde 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -109,6 +109,7 @@
 [Protocols]
   gEfiHiiConfigAccessProtocolGuid               ## PRODUCES
   gEfiDevicePathProtocolGuid                    ## PRODUCES
+  gEfiHiiPopupProtocolGuid
 
 [Depex]
   gEfiHiiConfigRoutingProtocolGuid  AND
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
index 6e54a4b0f2..4ecc25efc3 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
@@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #define KEY_VALUE_FROM_DBX_TO_LIST_FORM       0x100f
 
+#define KEY_SECURE_BOOT_RESET_TO_DEFAULT      0x1010
+
 #define KEY_SECURE_BOOT_OPTION                0x1100
 #define KEY_SECURE_BOOT_PK_OPTION             0x1101
 #define KEY_SECURE_BOOT_KEK_OPTION            0x1102
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index fa7e11848c..e4560c592c 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -69,6 +69,12 @@ formset
     endif;
     endif;
 
+    text
+      help   = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP),
+      text   = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS),
+      flags  = INTERACTIVE,
+      key    = KEY_SECURE_BOOT_RESET_TO_DEFAULT;
+
   endform;
 
   //
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 67e5e594ed..47f281873b 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
 
 #include "SecureBootConfigImpl.h"
+#include <Protocol/HiiPopup.h>
 #include <Library/BaseCryptLib.h>
 #include <Library/SecureBootVariableLib.h>
 
@@ -4154,6 +4155,132 @@ ON_EXIT:
   return Status;
 }
 
+/**
+  This function reinitializes Secure Boot variables with default values.
+
+  @retval   EFI_SUCCESS           Success to update the signature list page
+  @retval   others                Fail to delete or enroll signature data.
+**/
+
+STATIC EFI_STATUS
+EFIAPI
+KeyEnrollReset (
+  VOID
+  )
+{
+  EFI_STATUS  Status;
+  UINT8       SetupMode;
+
+  Status = EFI_SUCCESS;
+
+  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+  if (EFI_ERROR(Status)) {
+    return Status;
+  }
+
+  // Clear all the keys and databases
+  Status = DeleteDb ();
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status));
+    return Status;
+  }
+
+  Status = DeleteDbx ();
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status));
+    return Status;
+  }
+
+  Status = DeleteDbt ();
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status));
+    return Status;
+  }
+
+  Status = DeleteKEK ();
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status));
+    return Status;
+  }
+
+  Status = DeletePlatformKey ();
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status));
+    return Status;
+  }
+
+  // After PK clear, Setup Mode shall be enabled
+  Status = GetSetupMode (&SetupMode);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n",
+      Status));
+    return Status;
+  }
+
+  if (SetupMode == USER_MODE) {
+    DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n"));
+    return EFI_SUCCESS;
+  }
+
+  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n",
+      Status));
+    return EFI_SUCCESS;
+  }
+
+  // Enroll all the keys from default variables
+  Status = EnrollDbFromDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status));
+    goto error;
+  }
+
+  Status = EnrollDbxFromDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status));
+  }
+
+  Status = EnrollDbtFromDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status));
+  }
+
+  Status = EnrollKEKFromDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status));
+    goto cleardbs;
+  }
+
+  Status = EnrollPKFromDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status));
+    goto clearKEK;
+  }
+
+  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+      "Please do it manually, otherwise system can be easily compromised\n"));
+  }
+
+  return Status;
+
+clearKEK:
+  DeleteKEK ();
+
+cleardbs:
+  DeleteDbt ();
+  DeleteDbx ();
+  DeleteDb ();
+
+error:
+  if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) != EFI_SUCCESS) {
+    DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status));
+  }
+  return Status;
+}
+
 /**
   This function is called to provide results data to the driver.
 
@@ -4205,6 +4332,8 @@ SecureBootCallback (
   SECUREBOOT_CONFIG_PRIVATE_DATA  *PrivateData;
   BOOLEAN                         GetBrowserDataResult;
   ENROLL_KEY_ERROR                EnrollKeyErrorCode;
+  EFI_HII_POPUP_PROTOCOL          *HiiPopup;
+  EFI_HII_POPUP_SELECTION         UserSelection;
 
   Status             = EFI_SUCCESS;
   SecureBootEnable   = NULL;
@@ -4755,6 +4884,31 @@ SecureBootCallback (
         FreePool (SetupMode);
       }
       break;
+    case KEY_SECURE_BOOT_RESET_TO_DEFAULT:
+    {
+      Status = gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VOID **) &HiiPopup);
+      if (EFI_ERROR (Status)) {
+        return Status;
+      }
+      Status = HiiPopup->CreatePopup (
+                           HiiPopup,
+                           EfiHiiPopupStyleInfo,
+                           EfiHiiPopupTypeYesNo,
+                           Private->HiiHandle,
+                           STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP),
+                           &UserSelection
+                           );
+      if (UserSelection == EfiHiiPopupSelectionYes) {
+        Status = KeyEnrollReset ();
+      }
+      //
+      // Update secure boot strings after key reset
+      //
+      if (Status == EFI_SUCCESS) {
+        Status = UpdateSecureBootString (Private);
+        SecureBootExtractConfigFromVariable (Private, IfrNvData);
+      }
+    }
     default:
       break;
     }
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
index ac783453cc..0d01701de7 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
@@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #string STR_SECURE_BOOT_PROMPT             #language en-US "Attempt Secure Boot"
 #string STR_SECURE_BOOT_HELP               #language en-US "Enable/Disable the Secure Boot feature after platform reset"
 
+#string STR_SECURE_RESET_TO_DEFAULTS_HELP  #language en-US "Enroll keys with data from default variables"
+#string STR_SECURE_RESET_TO_DEFAULTS       #language en-US "Reset Secure Boot Keys"
+#string STR_RESET_TO_DEFAULTS_POPUP        #language en-US "Secure Boot Keys & databases will be initialized from defaults.\n Are you sure?"
+
 #string STR_SECURE_BOOT_ENROLL_SIGNATURE   #language en-US "Enroll Signature"
 #string STR_SECURE_BOOT_DELETE_SIGNATURE   #language en-US "Delete Signature"
 #string STR_SECURE_BOOT_DELETE_LIST_FORM   #language en-US "Delete Signature List Form"
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [edk2-devel] [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables.
  2021-06-01 13:12 ` [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
@ 2021-06-02 17:39   ` Pete Batard
  2021-06-02 19:43     ` [EXTERNAL] " Bret Barkelew
  2021-06-03  6:56   ` Min Xu
  2021-06-04  7:49   ` Sunny Wang
  2 siblings, 1 reply; 35+ messages in thread
From: Pete Batard @ 2021-06-02 17:39 UTC (permalink / raw)
  To: devel, gjb
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This commits add library, which consist functions related
> creation/removal Secure Boot variables. Some of the functions
> was moved from SecureBootConfigImpl.c file.
> 
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>   SecurityPkg/SecurityPkg.dsc                                                   |   1 +
>   SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf           |  79 ++
>   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf |   1 +
>   SecurityPkg/Include/Library/SecureBootVariableLib.h                           | 252 +++++
>   SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c             | 979 ++++++++++++++++++++
>   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c  | 189 +---
>   SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni           |  16 +
>   7 files changed, 1329 insertions(+), 188 deletions(-)
>   create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>   create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
>   create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
>   create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> 
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> index bd4b810bce..854f250625 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -70,6 +70,7 @@
>     RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
>     TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf
>     MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
> +  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>   
>   [LibraryClasses.ARM]
>     #
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> new file mode 100644
> index 0000000000..84367841d5
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> @@ -0,0 +1,79 @@
> +## @file
> +#  Provides initialization of Secure Boot keys and databases.
> +#
> +#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +#
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = SecureBootVariableLib
> +  MODULE_UNI_FILE                = SecureBootVariableLib.uni
> +  FILE_GUID                      = D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F
> +  MODULE_TYPE                    = DXE_DRIVER
> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  = SecureBootVariableLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
> +
> +#
> +# The following information is for reference only and not required by the build tools.
> +#
> +#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
> +#
> +
> +[Sources]
> +  SecureBootVariableLib.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +  CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  BaseCryptLib
> +  DxeServicesLib
> +
> +[Guids]
> +  ## CONSUMES            ## Variable:L"SetupMode"
> +  ## PRODUCES            ## Variable:L"SetupMode"
> +  ## CONSUMES            ## Variable:L"SecureBoot"
> +  ## PRODUCES            ## Variable:L"SecureBoot"
> +  ## PRODUCES            ## Variable:L"PK"
> +  ## PRODUCES            ## Variable:L"KEK"
> +  ## CONSUMES            ## Variable:L"PKDefault"
> +  ## CONSUMES            ## Variable:L"KEKDefault"
> +  ## CONSUMES            ## Variable:L"dbDefault"
> +  ## CONSUMES            ## Variable:L"dbxDefault"
> +  ## CONSUMES            ## Variable:L"dbtDefault"
> +  gEfiGlobalVariableGuid
> +
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DB"
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DBX"
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DBT"
> +  gEfiImageSecurityDatabaseGuid
> +
> +  ## CONSUMES            ## Variable:L"SecureBootEnable"
> +  ## PRODUCES            ## Variable:L"SecureBootEnable"
> +  gEfiSecureBootEnableDisableGuid
> +
> +  ## CONSUMES            ## Variable:L"CustomMode"
> +  ## PRODUCES            ## Variable:L"CustomMode"
> +  gEfiCustomModeEnableGuid
> +
> +  gEfiCertTypeRsa2048Sha256Guid  ## CONSUMES
> +  gEfiCertX509Guid               ## CONSUMES
> +  gEfiCertPkcs7Guid              ## CONSUMES
> +
> +  gDefaultPKFileGuid
> +  gDefaultKEKFileGuid
> +  gDefaultdbFileGuid
> +  gDefaultdbxFileGuid
> +  gDefaultdbtFileGuid
> +
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> index 573efa6379..30d9cd8025 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> @@ -54,6 +54,7 @@
>     DevicePathLib
>     FileExplorerLib
>     PeCoffLib
> +  SecureBootVariableLib
>   
>   [Guids]
>     ## SOMETIMES_CONSUMES      ## Variable:L"CustomMode"
> diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h
> new file mode 100644
> index 0000000000..2961c93a36
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h
> @@ -0,0 +1,252 @@
> +/** @file
> +  Provides a function to enroll keys based on default values.
> +
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef __SECURE_BOOT_VARIABLE_LIB_H__
> +#define __SECURE_BOOT_VARIABLE_LIB_H__
> +
> +/**
> +
> +  Set the platform secure boot mode into "Custom" or "Standard" mode.
> +
> +  @param[in]   SecureBootMode        New secure boot mode: STANDARD_SECURE_BOOT_MODE or
> +                                     CUSTOM_SECURE_BOOT_MODE.
> +
> +  @return EFI_SUCCESS                The platform has switched to the special mode successfully.
> +  @return other                      Fail to operate the secure boot mode.
> +
> +--*/
> +EFI_STATUS
> +SetSecureBootMode (
> +  IN  UINT8  SecureBootMode
> +);
> +
> +/**
> +  Fetches the value of SetupMode variable.
> +
> +  @param[out] SetupMode             Pointer to UINT8 for SetupMode output
> +
> +  @retval other                     Error codes from GetVariable.
> +--*/
> +BOOLEAN
> +EFIAPI
> +GetSetupMode (
> +  OUT UINT8 *SetupMode
> +);
> +
> +/**
> +  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
> +  descriptor with the input data. NO authentication is required in this function.
> +
> +  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
> +                                   On output, the size of data returned in Data
> +                                   buffer in bytes.
> +  @param[in, out]   Data           On input, Pointer to data buffer to be wrapped or
> +                                   pointer to NULL to wrap an empty payload.
> +                                   On output, Pointer to the new payload date buffer allocated from pool,
> +                                   it's caller's responsibility to free the memory when finish using it.
> +
> +  @retval EFI_SUCCESS              Create time based payload successfully.
> +  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources to create time based payload.
> +  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
> +  @retval Others                   Unexpected error happens.
> +
> +--*/
> +EFI_STATUS
> +CreateTimeBasedPayload (
> +  IN OUT UINTN            *DataSize,
> +  IN OUT UINT8            **Data
> +);
> +
> +/**
> +  Sets the content of the 'db' variable based on 'dbDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'db' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDb (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbxFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'dbx' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbx (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbtFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'dbt' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbt (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollKEKFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'KEK' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteKEK (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'PK' variable based on 'PKDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollPKFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'PK' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeletePlatformKey (
> +  VOID
> +);
> +
> +/** Initializes PKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitPKDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes KEKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitKEKDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes dbDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes dbtDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbtDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes dbxDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbxDefault (
> +  IN VOID
> +  );
> +#endif
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> new file mode 100644
> index 0000000000..16bad5530a
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> @@ -0,0 +1,979 @@
> +/** @file
> +  This library provides functions to set/clear Secure Boot
> +  keys and databases.
> +
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +#include <Guid/GlobalVariable.h>
> +#include <Guid/AuthenticatedVariableFormat.h>
> +#include <Guid/ImageAuthentication.h>
> +#include <Library/BaseCryptLib.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/UefiLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/UefiRuntimeServicesTableLib.h>
> +#include <Library/SecureBootVariableLib.h>
> +#include "Library/DxeServicesLib.h"
> +
> +/** Creates EFI Signature List structure.
> +
> +  @param[in]      Data     A pointer to signature data.
> +  @param[in]      Size     Size of signature data.
> +  @param[out]     SigList  Created Signature List.
> +
> +  @retval  EFI_SUCCESS           Signature List was created successfully.
> +  @retval  EFI_OUT_OF_RESOURCES  Failed to allocate memory.
> +--*/
> +STATIC
> +EFI_STATUS
> +CreateSigList (
> +  IN VOID                *Data,
> +  IN UINTN               Size,
> +  OUT EFI_SIGNATURE_LIST **SigList
> +  )
> +{
> +  UINTN                  SigListSize;
> +  EFI_SIGNATURE_LIST     *TmpSigList;
> +  EFI_SIGNATURE_DATA     *SigData;
> +
> +  //
> +  // Allocate data for Signature Database
> +  //
> +  SigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + Size;
> +  TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize);
> +  if (TmpSigList == NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  //
> +  // Only gEfiCertX509Guid type is supported
> +  //
> +  TmpSigList->SignatureListSize = (UINT32)SigListSize;
> +  TmpSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + Size);
> +  TmpSigList->SignatureHeaderSize = 0;
> +  CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid);
> +
> +  //
> +  // Copy key data
> +  //
> +  SigData = (EFI_SIGNATURE_DATA *) (TmpSigList + 1);
> +  CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid);
> +  CopyMem (&SigData->SignatureData[0], Data, Size);
> +
> +  *SigList = TmpSigList;
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/** Adds new signature list to signature database.
> +
> +  @param[in]      SigLists        A pointer to signature database.
> +  @param[in]      SiglListAppend  A signature list to be added.
> +  @param[out]     *SigListOut     Created signature database.
> +  @param[out]     SigListsSize    A size of created signature database.
> +
> +  @retval  EFI_SUCCESS           Signature List was added successfully.
> +  @retval  EFI_OUT_OF_RESOURCES  Failed to allocate memory.
> +--*/
> +STATIC
> +EFI_STATUS
> +ConcatenateSigList (
> +  IN  EFI_SIGNATURE_LIST *SigLists,
> +  IN  EFI_SIGNATURE_LIST *SigListAppend,
> +  OUT EFI_SIGNATURE_LIST **SigListOut,
> +  IN OUT UINTN           *SigListsSize
> +)
> +{
> +  EFI_SIGNATURE_LIST *TmpSigList;
> +  UINT8              *Offset;
> +  UINTN              NewSigListsSize;
> +
> +  NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
> +
> +  TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);
> +  if (TmpSigList == NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  CopyMem (TmpSigList, SigLists, *SigListsSize);
> +
> +  Offset = (UINT8 *)TmpSigList;
> +  Offset += *SigListsSize;
> +  CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);
> +
> +  *SigListsSize = NewSigListsSize;
> +  *SigListOut = TmpSigList;
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Create a EFI Signature List with data fetched from section specified as a argument.
> +  Found keys are verified using RsaGetPublicKeyFromX509().
> +
> +  @param[in]        KeyFileGuid    A pointer to to the FFS filename GUID
> +  @param[out]       SigListsSize   A pointer to size of signature list
> +  @param[out]       SigListsOut    a pointer to a callee-allocated buffer with signature lists
> +
> +  @retval EFI_SUCCESS              Create time based payload successfully.
> +  @retval EFI_NOT_FOUND            Section with key has not been found.
> +  @retval EFI_INVALID_PARAMETER    Embedded key has a wrong format.
> +  @retval Others                   Unexpected error happens.
> +
> +--*/
> +STATIC
> +EFI_STATUS
> +SecureBootFetchData (
> +    IN  EFI_GUID           *KeyFileGuid,
> +    OUT UINTN              *SigListsSize,
> +    OUT EFI_SIGNATURE_LIST **SigListOut
> +)
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  EFI_SIGNATURE_LIST *TmpEfiSig;
> +  EFI_SIGNATURE_LIST *TmpEfiSig2;
> +  EFI_STATUS         Status;
> +  VOID               *Buffer;
> +  VOID               *RsaPubKey;
> +  UINTN               Size;
> +  UINTN               KeyIndex;
> +
> +
> +  KeyIndex = 0;
> +  EfiSig = NULL;
> +  *SigListsSize = 0;
> +  while (1) {
> +    Status = GetSectionFromAnyFv (
> +               KeyFileGuid,
> +               EFI_SECTION_RAW,
> +               KeyIndex,
> +               &Buffer,
> +               &Size
> +               );
> +
> +    if (Status == EFI_SUCCESS) {
> +      RsaPubKey = NULL;
> +      if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
> +        DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
> +        if (EfiSig != NULL) {
> +          FreePool(EfiSig);
> +        }
> +        FreePool(Buffer);
> +        return EFI_INVALID_PARAMETER;
> +      }
> +
> +      Status = CreateSigList (Buffer, Size, &TmpEfiSig);
> +
> +      //
> +      // Concatenate lists if more than one section found
> +      //
> +      if (KeyIndex == 0) {
> +        EfiSig = TmpEfiSig;
> +        *SigListsSize = TmpEfiSig->SignatureListSize;
> +      } else {
> +        ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
> +        FreePool (EfiSig);
> +        FreePool (TmpEfiSig);
> +        EfiSig = TmpEfiSig2;
> +      }
> +
> +      KeyIndex++;
> +      FreePool (Buffer);
> +    } if (Status == EFI_NOT_FOUND) {
> +      break;
> +    }
> +  };
> +
> +  if (KeyIndex == 0) {
> +    return EFI_NOT_FOUND;
> +  }
> +
> +  *SigListOut = EfiSig;
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
> +  descriptor with the input data. NO authentication is required in this function.
> +
> +  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
> +                                   On output, the size of data returned in Data
> +                                   buffer in bytes.
> +  @param[in, out]   Data           On input, Pointer to data buffer to be wrapped or
> +                                   pointer to NULL to wrap an empty payload.
> +                                   On output, Pointer to the new payload date buffer allocated from pool,
> +                                   it's caller's responsibility to free the memory when finish using it.
> +
> +  @retval EFI_SUCCESS              Create time based payload successfully.
> +  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources to create time based payload.
> +  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
> +  @retval Others                   Unexpected error happens.
> +
> +--*/
> +EFI_STATUS
> +CreateTimeBasedPayload (
> +  IN OUT UINTN            *DataSize,
> +  IN OUT UINT8            **Data
> +  )
> +{
> +  EFI_STATUS                       Status;
> +  UINT8                            *NewData;
> +  UINT8                            *Payload;
> +  UINTN                            PayloadSize;
> +  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorData;
> +  UINTN                            DescriptorSize;
> +  EFI_TIME                         Time;
> +
> +  if (Data == NULL || DataSize == NULL) {
> +    return EFI_INVALID_PARAMETER;
> +  }
> +
> +  //
> +  // In Setup mode or Custom mode, the variable does not need to be signed but the
> +  // parameters to the SetVariable() call still need to be prepared as authenticated
> +  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
> +  // data in it.
> +  //
> +  Payload     = *Data;
> +  PayloadSize = *DataSize;
> +
> +  DescriptorSize    = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> +  NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
> +  if (NewData == NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  if ((Payload != NULL) && (PayloadSize != 0)) {
> +    CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
> +  }
> +
> +  DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
> +
> +  ZeroMem (&Time, sizeof (EFI_TIME));
> +  Status = gRT->GetTime (&Time, NULL);
> +  if (EFI_ERROR (Status)) {
> +    FreePool(NewData);
> +    return Status;
> +  }
> +  Time.Pad1       = 0;
> +  Time.Nanosecond = 0;
> +  Time.TimeZone   = 0;
> +  Time.Daylight   = 0;
> +  Time.Pad2       = 0;
> +  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
> +
> +  DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> +  DescriptorData->AuthInfo.Hdr.wRevision        = 0x0200;
> +  DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
> +  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
> +
> +  if (Payload != NULL) {
> +    FreePool(Payload);
> +  }
> +
> +  *DataSize = DescriptorSize + PayloadSize;
> +  *Data     = NewData;
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Internal helper function to delete a Variable given its name and GUID, NO authentication
> +  required.
> +
> +  @param[in]      VariableName            Name of the Variable.
> +  @param[in]      VendorGuid              GUID of the Variable.
> +
> +  @retval EFI_SUCCESS              Variable deleted successfully.
> +  @retval Others                   The driver failed to start the device.
> +
> +--*/
> +EFI_STATUS
> +DeleteVariable (
> +  IN  CHAR16                    *VariableName,
> +  IN  EFI_GUID                  *VendorGuid
> +  )
> +{
> +  EFI_STATUS              Status;
> +  VOID*                   Variable;
> +  UINT8                   *Data;
> +  UINTN                   DataSize;
> +  UINT32                  Attr;
> +
> +  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
> +  if (Variable == NULL) {
> +    return EFI_SUCCESS;
> +  }
> +  FreePool (Variable);
> +
> +  Data     = NULL;
> +  DataSize = 0;
> +  Attr     = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
> +             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> +
> +  Status = CreateTimeBasedPayload (&DataSize, &Data);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
> +    return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  VariableName,
> +                  VendorGuid,
> +                  Attr,
> +                  DataSize,
> +                  Data
> +                  );
> +  if (Data != NULL) {
> +    FreePool (Data);
> +  }
> +  return Status;
> +}
> +
> +/**
> +
> +  Set the platform secure boot mode into "Custom" or "Standard" mode.
> +
> +  @param[in]   SecureBootMode        New secure boot mode: STANDARD_SECURE_BOOT_MODE or
> +                                     CUSTOM_SECURE_BOOT_MODE.
> +
> +  @return EFI_SUCCESS                The platform has switched to the special mode successfully.
> +  @return other                      Fail to operate the secure boot mode.
> +
> +--*/
> +EFI_STATUS
> +SetSecureBootMode (
> +  IN  UINT8  SecureBootMode
> +  )
> +{
> +  return gRT->SetVariable (
> +                EFI_CUSTOM_MODE_NAME,
> +                &gEfiCustomModeEnableGuid,
> +                EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                sizeof (UINT8),
> +                &SecureBootMode
> +                );
> +}
> +
> +
> +/**
> +  Enroll a key/certificate based on a default variable.
> +
> +  @param[in] VariableName        The name of the key/database.
> +  @param[in] DefaultName         The name of the default variable.
> +  @param[in] VendorGuid          The namespace (ie. vendor GUID) of the variable
> +
> +
> +  @retval EFI_OUT_OF_RESOURCES   Out of memory while allocating AuthHeader.
> +  @retval EFI_SUCCESS            Successful enrollment.
> +  @return                        Error codes from GetTime () and SetVariable ().
> +--*/
> +STATIC
> +EFI_STATUS
> +EnrollFromDefault (
> +  IN CHAR16   *VariableName,
> +  IN CHAR16   *DefaultName,
> +  IN EFI_GUID *VendorGuid
> +  )
> +{
> +  VOID       *Data;
> +  UINTN       DataSize;
> +  EFI_STATUS  Status;
> +
> +  Status = EFI_SUCCESS;
> +
> +  DataSize = 0;
> +  Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);
> +  if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));
> +      return Status;
> +  }
> +
> +  CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
> +    return Status;
> +  }
> +
> +  //
> +  // Allocate memory for auth variable
> +  //
> +  Status = gRT->SetVariable (
> +                  VariableName,
> +                  VendorGuid,
> +                  (EFI_VARIABLE_NON_VOLATILE |
> +                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
> +                   EFI_VARIABLE_RUNTIME_ACCESS |
> +                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
> +                  DataSize,
> +                  Data
> +                  );
> +
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, VariableName,
> +      VendorGuid, Status));
> +  }
> +
> +  if (Data != NULL) {
> +    FreePool (Data);
> +  }
> +
> +  return Status;
> +}
> +
> +/** Initializes PKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitPKDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8               *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_PK_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes KEKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitKEKDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +
> +  Status = gRT->SetVariable (
> +                  EFI_KEK_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +      return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_DB_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbxDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbxDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_DBX_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbtDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbtDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +      return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_DBT_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Fetches the value of SetupMode variable.
> +
> +  @param[out] SetupMode             Pointer to UINT8 for SetupMode output
> +
> +  @retval other                     Retval from GetVariable.
> +--*/
> +BOOLEAN
> +EFIAPI
> +GetSetupMode (
> +    OUT UINT8 *SetupMode
> +)
> +{
> +  UINTN      Size;
> +  EFI_STATUS Status;
> +
> +  Size = sizeof (*SetupMode);
> +  Status = gRT->GetVariable (
> +                  EFI_SETUP_MODE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  NULL,
> +                  &Size,
> +                  SetupMode
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Sets the content of the 'db' variable based on 'dbDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_IMAGE_SECURITY_DATABASE,
> +             EFI_DB_DEFAULT_VARIABLE_NAME,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'db' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDb (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = DeleteVariable (
> +             EFI_IMAGE_SECURITY_DATABASE,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbxFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_IMAGE_SECURITY_DATABASE1,
> +             EFI_DBX_DEFAULT_VARIABLE_NAME,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'dbx' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbx (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = DeleteVariable (
> +             EFI_IMAGE_SECURITY_DATABASE1,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbtFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_IMAGE_SECURITY_DATABASE2,
> +             EFI_DBT_DEFAULT_VARIABLE_NAME,
> +             &gEfiImageSecurityDatabaseGuid);
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'dbt' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbt (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = DeleteVariable (
> +             EFI_IMAGE_SECURITY_DATABASE2,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollKEKFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_KEY_EXCHANGE_KEY_NAME,
> +             EFI_KEK_DEFAULT_VARIABLE_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'KEK' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteKEK (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = DeleteVariable (
> +             EFI_KEY_EXCHANGE_KEY_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollPKFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_PLATFORM_KEY_NAME,
> +             EFI_PK_DEFAULT_VARIABLE_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Remove the PK variable.
> +
> +  @retval EFI_SUCCESS    Delete PK successfully.
> +  @retval Others         Could not allow to delete PK.
> +
> +--*/
> +EFI_STATUS
> +DeletePlatformKey (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +
> +  Status = DeleteVariable (
> +             EFI_PLATFORM_KEY_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +  return Status;
> +}
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> index e82bfe7757..67e5e594ed 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> @@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>   
>   #include "SecureBootConfigImpl.h"
>   #include <Library/BaseCryptLib.h>
> +#include <Library/SecureBootVariableLib.h>
>   
>   CHAR16              mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION";
>   
> @@ -237,168 +238,6 @@ SaveSecureBootVariable (
>     return Status;
>   }
>   
> -/**
> -  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
> -  descriptor with the input data. NO authentication is required in this function.
> -
> -  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
> -                                   On output, the size of data returned in Data
> -                                   buffer in bytes.
> -  @param[in, out]   Data           On input, Pointer to data buffer to be wrapped or
> -                                   pointer to NULL to wrap an empty payload.
> -                                   On output, Pointer to the new payload date buffer allocated from pool,
> -                                   it's caller's responsibility to free the memory when finish using it.
> -
> -  @retval EFI_SUCCESS              Create time based payload successfully.
> -  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources to create time based payload.
> -  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
> -  @retval Others                   Unexpected error happens.
> -
> -**/
> -EFI_STATUS
> -CreateTimeBasedPayload (
> -  IN OUT UINTN            *DataSize,
> -  IN OUT UINT8            **Data
> -  )
> -{
> -  EFI_STATUS                       Status;
> -  UINT8                            *NewData;
> -  UINT8                            *Payload;
> -  UINTN                            PayloadSize;
> -  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorData;
> -  UINTN                            DescriptorSize;
> -  EFI_TIME                         Time;
> -
> -  if (Data == NULL || DataSize == NULL) {
> -    return EFI_INVALID_PARAMETER;
> -  }
> -
> -  //
> -  // In Setup mode or Custom mode, the variable does not need to be signed but the
> -  // parameters to the SetVariable() call still need to be prepared as authenticated
> -  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
> -  // data in it.
> -  //
> -  Payload     = *Data;
> -  PayloadSize = *DataSize;
> -
> -  DescriptorSize    = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> -  NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
> -  if (NewData == NULL) {
> -    return EFI_OUT_OF_RESOURCES;
> -  }
> -
> -  if ((Payload != NULL) && (PayloadSize != 0)) {
> -    CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
> -  }
> -
> -  DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
> -
> -  ZeroMem (&Time, sizeof (EFI_TIME));
> -  Status = gRT->GetTime (&Time, NULL);
> -  if (EFI_ERROR (Status)) {
> -    FreePool(NewData);
> -    return Status;
> -  }
> -  Time.Pad1       = 0;
> -  Time.Nanosecond = 0;
> -  Time.TimeZone   = 0;
> -  Time.Daylight   = 0;
> -  Time.Pad2       = 0;
> -  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
> -
> -  DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> -  DescriptorData->AuthInfo.Hdr.wRevision        = 0x0200;
> -  DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
> -  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
> -
> -  if (Payload != NULL) {
> -    FreePool(Payload);
> -  }
> -
> -  *DataSize = DescriptorSize + PayloadSize;
> -  *Data     = NewData;
> -  return EFI_SUCCESS;
> -}
> -
> -/**
> -  Internal helper function to delete a Variable given its name and GUID, NO authentication
> -  required.
> -
> -  @param[in]      VariableName            Name of the Variable.
> -  @param[in]      VendorGuid              GUID of the Variable.
> -
> -  @retval EFI_SUCCESS              Variable deleted successfully.
> -  @retval Others                   The driver failed to start the device.
> -
> -**/
> -EFI_STATUS
> -DeleteVariable (
> -  IN  CHAR16                    *VariableName,
> -  IN  EFI_GUID                  *VendorGuid
> -  )
> -{
> -  EFI_STATUS              Status;
> -  VOID*                   Variable;
> -  UINT8                   *Data;
> -  UINTN                   DataSize;
> -  UINT32                  Attr;
> -
> -  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
> -  if (Variable == NULL) {
> -    return EFI_SUCCESS;
> -  }
> -  FreePool (Variable);
> -
> -  Data     = NULL;
> -  DataSize = 0;
> -  Attr     = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
> -             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> -
> -  Status = CreateTimeBasedPayload (&DataSize, &Data);
> -  if (EFI_ERROR (Status)) {
> -    DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
> -    return Status;
> -  }
> -
> -  Status = gRT->SetVariable (
> -                  VariableName,
> -                  VendorGuid,
> -                  Attr,
> -                  DataSize,
> -                  Data
> -                  );
> -  if (Data != NULL) {
> -    FreePool (Data);
> -  }
> -  return Status;
> -}
> -
> -/**
> -
> -  Set the platform secure boot mode into "Custom" or "Standard" mode.
> -
> -  @param[in]   SecureBootMode        New secure boot mode: STANDARD_SECURE_BOOT_MODE or
> -                                     CUSTOM_SECURE_BOOT_MODE.
> -
> -  @return EFI_SUCCESS                The platform has switched to the special mode successfully.
> -  @return other                      Fail to operate the secure boot mode.
> -
> -**/
> -EFI_STATUS
> -SetSecureBootMode (
> -  IN     UINT8         SecureBootMode
> -  )
> -{
> -  return gRT->SetVariable (
> -                EFI_CUSTOM_MODE_NAME,
> -                &gEfiCustomModeEnableGuid,
> -                EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> -                sizeof (UINT8),
> -                &SecureBootMode
> -                );
> -}
> -
>   /**
>     This code checks if the encode type and key strength of X.509
>     certificate is qualified.
> @@ -646,32 +485,6 @@ ON_EXIT:
>     return Status;
>   }
>   
> -/**
> -  Remove the PK variable.
> -
> -  @retval EFI_SUCCESS    Delete PK successfully.
> -  @retval Others         Could not allow to delete PK.
> -
> -**/
> -EFI_STATUS
> -DeletePlatformKey (
> -  VOID
> -)
> -{
> -  EFI_STATUS Status;
> -
> -  Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
> -  if (EFI_ERROR (Status)) {
> -    return Status;
> -  }
> -
> -  Status = DeleteVariable (
> -             EFI_PLATFORM_KEY_NAME,
> -             &gEfiGlobalVariableGuid
> -             );
> -  return Status;
> -}
> -
>   /**
>     Enroll a new KEK item from public key storing file (*.pbk).
>   
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> new file mode 100644
> index 0000000000..2c51e4db53
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> @@ -0,0 +1,16 @@
> +// /** @file
> +//
> +// Provides initialization of Secure Boot keys and databases.
> +//
> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +// Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT             #language en-US "Provides function to initialize PK, KEK and databases based on default variables."
> +
> +#string STR_MODULE_DESCRIPTION          #language en-US "Provides function to initialize PK, KEK and databases based on default variables."
> +
> 

Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [edk2-devel] [PATCH v2 2/6] SecurityPkg: Create include file for default key content.
  2021-06-01 13:12 ` [PATCH v2 2/6] SecurityPkg: Create include file for default key content Grzegorz Bernacki
@ 2021-06-02 17:39   ` Pete Batard
  2021-06-03  7:06   ` Min Xu
  2021-06-04  8:11   ` Sunny Wang
  2 siblings, 0 replies; 35+ messages in thread
From: Pete Batard @ 2021-06-02 17:39 UTC (permalink / raw)
  To: devel, gjb
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This commits add file which can be included by platform Flash
> Description File. It allows to specify certificate files, which
> will be embedded into binary file. The content of these files
> can be used to initialize Secure Boot default keys and databases.
> 
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>   SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 ++++++++++++++++++++
>   1 file changed, 62 insertions(+)
>   create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> 
> diff --git a/SecurityPkg/SecureBootDefaultKeys.fdf.inc b/SecurityPkg/SecureBootDefaultKeys.fdf.inc
> new file mode 100644
> index 0000000000..056586b204
> --- /dev/null
> +++ b/SecurityPkg/SecureBootDefaultKeys.fdf.inc
> @@ -0,0 +1,62 @@
> +
> +!if $(DEFAULT_KEYS) == TRUE
> +  FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
> +  !ifdef $(PK_DEFAULT_FILE)
> +    SECTION RAW = $(PK_DEFAULT_FILE)
> +  !endif
> +    SECTION UI = "PK Default"
> +  }
> +
> +  FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
> +  !ifdef $(KEK_DEFAULT_FILE1)
> +    SECTION RAW = $(KEK_DEFAULT_FILE1)
> +  !endif
> +  !ifdef $(KEK_DEFAULT_FILE2)
> +    SECTION RAW = $(KEK_DEFAULT_FILE2)
> +  !endif
> +  !ifdef $(KEK_DEFAULT_FILE3)
> +    SECTION RAW = $(KEK_DEFAULT_FILE3)
> +  !endif
> +    SECTION UI = "KEK Default"
> +  }
> +
> +  FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
> +  !ifdef $(DB_DEFAULT_FILE1)
> +    SECTION RAW = $(DB_DEFAULT_FILE1)
> +  !endif
> +  !ifdef $(DB_DEFAULT_FILE2)
> +    SECTION RAW = $(DB_DEFAULT_FILE2)
> +  !endif
> +  !ifdef $(DB_DEFAULT_FILE3)
> +    SECTION RAW = $(DB_DEFAULT_FILE3)
> +  !endif
> +    SECTION UI = "DB Default"
> +  }
> +
> +  FILE FREEFORM = 36c513ee-a338-4976-a0fb-6ddba3dafe87 {
> +  !ifdef $(DBT_DEFAULT_FILE1)
> +    SECTION RAW = $(DBT_DEFAULT_FILE1)
> +  !endif
> +  !ifdef $(DBT_DEFAULT_FILE2)
> +    SECTION RAW = $(DBT_DEFAULT_FILE2)
> +  !endif
> +  !ifdef $(DBT_DEFAULT_FILE3)
> +    SECTION RAW = $(DBT_DEFAULT_FILE3)
> +  !endif
> +    SECTION UI = "DBT Default"
> +  }
> +
> +  FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {
> +  !ifdef $(DBX_DEFAULT_FILE1)
> +    SECTION RAW = $(DBX_DEFAULT_FILE1)
> +  !endif
> +  !ifdef $(DBX_DEFAULT_FILE2)
> +    SECTION RAW = $(DBX_DEFAULT_FILE2)
> +  !endif
> +  !ifdef $(DBX_DEFAULT_FILE3)
> +    SECTION RAW = $(DBX_DEFAULT_FILE3)
> +  !endif
> +    SECTION UI = "DBX Default"
> +  }
> +
> +!endif
> 

Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [edk2-devel] [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver
  2021-06-01 13:12 ` [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
@ 2021-06-02 17:39   ` Pete Batard
  2021-06-04  8:02   ` Min Xu
  2021-06-04  8:15   ` Sunny Wang
  2 siblings, 0 replies; 35+ messages in thread
From: Pete Batard @ 2021-06-02 17:39 UTC (permalink / raw)
  To: devel, gjb
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek

3 very minor remarks below:

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This driver initializes default Secure Boot keys and databases
> based on keys embedded in flash.
> 
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>   SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 46 +++++++++++++
>   SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   | 69 ++++++++++++++++++++
>   SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 17 +++++
>   3 files changed, 132 insertions(+)
>   create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
>   create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
>   create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
> 
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
> new file mode 100644
> index 0000000000..27345eab2e
> --- /dev/null
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
> @@ -0,0 +1,46 @@
> +## @file
> +#  Initializes Secure Boot default keys
> +#
> +#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +[Defines]
> +  INF_VERSION = 0x00010005
> +  BASE_NAME   = SecureBootDefaultKeysDxe
> +  FILE_GUID   = C937FCB7-25AC-4376-89A2-4EA8B317DE83
> +  MODULE_TYPE = DXE_DRIVER
> +  ENTRY_POINT = SecureBootDefaultKeysEntryPoint
> +
> +#
> +#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
> +#
> +[Sources]
> +  SecureBootDefaultKeysDxe.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  MemoryAllocationLib
> +  UefiDriverEntryPoint
> +  DebugLib
> +  SecureBootVariableLib
> +
> +[Guids]
> +  ## SOMETIMES_PRODUCES      ## Variable:L"PKDefault"
> +  ## SOMETIMES_PRODUCES      ## Variable:L"KEKDefault"
> +  ## SOMETIMES_PRODUCES      ## Variable:L"dbDefault"
> +  ## SOMETIMES_PRODUCES      ## Variable:L"dbtDefault"
> +  ## SOMETIMES_PRODUCES      ## Variable:L"dbxDefault"
> +  gEfiGlobalVariableGuid
> +
> +[Depex]
> +  gEfiVariableArchProtocolGuid      AND
> +  gEfiVariableWriteArchProtocolGuid
> +

This adds an extra trailing blank line.

> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
> new file mode 100644
> index 0000000000..0928489e15
> --- /dev/null
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
> @@ -0,0 +1,69 @@
> +/** @file
> +  This driver init default Secure Boot variables
> +
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +#include <Guid/AuthenticatedVariableFormat.h>
> +#include <Guid/ImageAuthentication.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/UefiBootServicesTableLib.h>
> +#include <Library/UefiRuntimeServicesTableLib.h>
> +#include <Library/SecureBootVariableLib.h>
> +
> +/**
> +  The entry point for SecureBootDefaultKeys driver.
> +
> +  @param[in]  ImageHandle        The image handle of the driver.
> +  @param[in]  SystemTable        The system table.
> +
> +  @retval EFI_ALREADY_STARTED    The driver already exists in system.
> +  @retval EFI_OUT_OF_RESOURCES   Fail to execute entry point due to lack of resources.
> +  @retval EFI_SUCCESS            All the related protocols are installed on the driver.
> +  @retval Others                 Fail to get the SecureBootEnable variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +SecureBootDefaultKeysEntryPoint (
> +  IN EFI_HANDLE          ImageHandle,
> +  IN EFI_SYSTEM_TABLE    *SystemTable
> +  )
> +{
> +  EFI_STATUS  Status;
> +
> +  Status = SecureBootInitPKDefault ();
> +  if (EFI_ERROR (Status)) {
> +    DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __FUNCTION__, Status));
> +    return Status;
> +  }
> +
> +  Status = SecureBootInitKEKDefault ();
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __FUNCTION__, Status));
> +    return Status;
> +  }
> +  Status = SecureBootInitdbDefault ();
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __FUNCTION__, Status));
> +    return Status;
> +  }
> +
> +  Status = SecureBootInitdbtDefault ();
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__));
> +  }
> +
> +  Status = SecureBootInitdbxDefault ();
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__));
> +  }
> +
> +  return Status;
> +}
> +

This adds an extra trailing blank line.

> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
> new file mode 100644
> index 0000000000..30f03aee5d
> --- /dev/null
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
> @@ -0,0 +1,17 @@
> +// /** @file
> +// Provides the capability to intialize Secure Boot default variables
> +//
> +// Module which initializes Secure boot default variables.
> +//
> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +// Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT             #language en-US "Module which initializes Secure boot default variables"
> +
> +#string STR_MODULE_DESCRIPTION          #language en-US "This module reads embedded keys and initializes Secure Boot default variables."
> +

This adds an extra trailing blank line.

> 

Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [edk2-devel] [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application.
  2021-06-01 13:12 ` [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
@ 2021-06-02 17:40   ` Pete Batard
  2021-06-02 19:38     ` [EXTERNAL] " Bret Barkelew
  2021-06-04  8:24   ` Sunny Wang
  1 sibling, 1 reply; 35+ messages in thread
From: Pete Batard @ 2021-06-02 17:40 UTC (permalink / raw)
  To: devel, gjb
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This application allows user to force key enrollment from
> Secure Boot default variables.
> 
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>   SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf |  47 +++++++++
>   SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c   | 107 ++++++++++++++++++++
>   2 files changed, 154 insertions(+)
>   create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
>   create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> 
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> new file mode 100644
> index 0000000000..4d79ca3844
> --- /dev/null
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> @@ -0,0 +1,47 @@
> +## @file
> +#  Enroll PK, KEK, db, dbx from Default variables
> +#
> +#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 1.28
> +  BASE_NAME                      = EnrollFromDefaultKeysApp
> +  FILE_GUID                      = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
> +  MODULE_TYPE                    = UEFI_APPLICATION
> +  VERSION_STRING                 = 0.1
> +  ENTRY_POINT                    = UefiMain
> +
> +[Sources]
> +  EnrollFromDefaultKeysApp.c
> +
> +[Packages]
> +  MdeModulePkg/MdeModulePkg.dec
> +  MdePkg/MdePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +
> +[Guids]
> +  gEfiCertPkcs7Guid
> +  gEfiCertSha256Guid
> +  gEfiCertX509Guid
> +  gEfiCustomModeEnableGuid
> +  gEfiGlobalVariableGuid
> +  gEfiImageSecurityDatabaseGuid
> +  gEfiSecureBootEnableDisableGuid
> +
> +[Protocols]
> +  gEfiSmbiosProtocolGuid ## CONSUMES
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  PrintLib
> +  UefiApplicationEntryPoint
> +  UefiBootServicesTableLib
> +  UefiLib
> +  UefiRuntimeServicesTableLib
> +  SecureBootVariableLib
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> new file mode 100644
> index 0000000000..1907ce1d4e
> --- /dev/null
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> @@ -0,0 +1,107 @@
> +/** @file
> +  Enroll default PK, KEK, db, dbx.
> +
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +**/
> +
> +#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
> +#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
> +#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
> +#include <Library/BaseLib.h>                     // GUID_STRING_LENGTH
> +#include <Library/BaseMemoryLib.h>               // CopyGuid()
> +#include <Library/DebugLib.h>                    // ASSERT()
> +#include <Library/MemoryAllocationLib.h>         // FreePool()
> +#include <Library/PrintLib.h>                    // AsciiSPrint()
> +#include <Library/UefiBootServicesTableLib.h>    // gBS
> +#include <Library/UefiLib.h>                     // AsciiPrint()
> +#include <Library/UefiRuntimeServicesTableLib.h> // gRT
> +#include <Uefi/UefiMultiPhase.h>
> +#include <Library/SecureBootVariableLib.h>
> +
> +#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)
> +
> +/**
> +  Entry point function of this shell application.
> +**/
> +EFI_STATUS
> +EFIAPI
> +UefiMain (
> +  IN EFI_HANDLE        ImageHandle,
> +  IN EFI_SYSTEM_TABLE  *SystemTable
> +  )
> +{
> +  EFI_STATUS Status;
> +  UINT8      SetupMode;
> +
> +  Status = GetSetupMode (&SetupMode);
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot get SetupMode variable: %r\n", Status);
> +    return 1;
> +  }
> +
> +  if (SetupMode == USER_MODE) {
> +    FAIL ("Skipped - USER_MODE\n");
> +    return 1;
> +  }
> +
> +  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
> +    return 1;
> +  }
> +
> +  Status = EnrollDbFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll db: %r\n", Status);
> +    goto error;
> +  }
> +
> +  Status = EnrollDbxFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll dbt: %r\n", Status);
> +  }
> +
> +  Status = EnrollDbtFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll dbx: %r\n", Status);
> +  }
> +
> +  Status = EnrollKEKFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll KEK: %r\n", Status);
> +    goto cleardbs;
> +  }
> +
> +  Status = EnrollPKFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll PK: %r\n", Status);
> +    goto clearKEK;
> +  }
> +
> +  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
> +      "Please do it manually, otherwise system can be easily compromised\n");
> +  }
> +  return 0;
> +
> +clearKEK:
> +  DeleteKEK ();
> +
> +cleardbs:
> +  DeleteDbt ();
> +  DeleteDbx ();
> +  DeleteDb ();
> +
> +error:
> +  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
> +      "Please do it manually, otherwise system can be easily compromised\n");
> +  }
> +
> +  return 1;
> +}
> 

Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [edk2-devel] [PATCH v2 5/6] SecurityPkg: Add new modules to Security package.
  2021-06-01 13:12 ` [PATCH v2 5/6] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
@ 2021-06-02 17:40   ` Pete Batard
  2021-06-04  8:09   ` Min Xu
  2021-06-04  8:26   ` Sunny Wang
  2 siblings, 0 replies; 35+ messages in thread
From: Pete Batard @ 2021-06-02 17:40 UTC (permalink / raw)
  To: devel, gjb
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek

One very minor remark:

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This commits adds modules related to initialization and
> usage of default Secure Boot key variables to SecurityPkg.
> 
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>   SecurityPkg/SecurityPkg.dec | 14 ++++++++++++++
>   SecurityPkg/SecurityPkg.dsc |  4 ++++
>   2 files changed, 18 insertions(+)
> 
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index 4001650fa2..dad3cae0ba 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -190,6 +190,20 @@
>     ## GUID used to enforce loading order between Tcg2Acpi and Tcg2Smm
>     gTcg2MmSwSmiRegisteredGuid         = { 0x9d4548b9, 0xa48d, 0x4db4, { 0x9a, 0x68, 0x32, 0xc5, 0x13, 0x9e, 0x20, 0x18 } }
>   
> +  ## GUID used to specify section with default PK content
> +  gDefaultPKFileGuid                 = { 0x85254ea7, 0x4759, 0x4fc4, { 0x82, 0xd4, 0x5e, 0xed, 0x5f, 0xb0, 0xa4, 0xa0 } }
> +
> +  ## GUID used to specify section with default KEK content
> +  gDefaultKEKFileGuid                = { 0x6f64916e, 0x9f7a, 0x4c35, { 0xb9, 0x52, 0xcd, 0x04, 0x1e, 0xfb, 0x05, 0xa3 } }
> +
> +  ## GUID used to specify section with default db content
> +  gDefaultdbFileGuid                 = { 0xc491d352, 0x7623, 0x4843, { 0xac, 0xcc, 0x27, 0x91, 0xa7, 0x57, 0x44, 0x21 } }
> +
> +  ## GUID used to specify section with default dbt content
> +  gDefaultdbxFileGuid                = { 0x5740766a, 0x718e, 0x4dc0, { 0x99, 0x35, 0xc3, 0x6f, 0x7d, 0x3f, 0x88, 0x4f } }
> +
> +  ## GUID used to specify section with default dbx content
> +  gDefaultdbtFileGuid                = { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } }
>   
>   [Ppis]
>     ## The PPI GUID for that TPM physical presence should be locked.
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> index 854f250625..e031775ca8 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -259,6 +259,10 @@
>   
>   [Components.IA32, Components.X64, Components.ARM, Components.AARCH64]
>     SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> +  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> +  SecurityPkg/EnrollFromDefaultKeys/EnrollFromDefaultKeys.inf
> +  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys/SecureBootDefaultKeys.inf
> +

I don't think we need the extra line here.

>   
>   [Components.IA32, Components.X64, Components.AARCH64]
>     #
> 

Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [edk2-devel] [PATCH v2 6/6] SecurityPkg: Add option to reset secure boot keys.
  2021-06-01 13:12 ` [PATCH v2 6/6] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
@ 2021-06-02 17:40   ` Pete Batard
  2021-06-04  8:30   ` Sunny Wang
  1 sibling, 0 replies; 35+ messages in thread
From: Pete Batard @ 2021-06-02 17:40 UTC (permalink / raw)
  To: devel, gjb
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This commit add option which allows reset content of Secure Boot
> keys and databases to default variables.
> 
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf     |   1 +
>   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h    |   2 +
>   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr        |   6 +
>   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c      | 154 ++++++++++++++++++++
>   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni |   4 +
>   5 files changed, 167 insertions(+)
> 
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> index 30d9cd8025..bd8d256dde 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> @@ -109,6 +109,7 @@
>   [Protocols]
>     gEfiHiiConfigAccessProtocolGuid               ## PRODUCES
>     gEfiDevicePathProtocolGuid                    ## PRODUCES
> +  gEfiHiiPopupProtocolGuid
>   
>   [Depex]
>     gEfiHiiConfigRoutingProtocolGuid  AND
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
> index 6e54a4b0f2..4ecc25efc3 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
> @@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>   
>   #define KEY_VALUE_FROM_DBX_TO_LIST_FORM       0x100f
>   
> +#define KEY_SECURE_BOOT_RESET_TO_DEFAULT      0x1010
> +
>   #define KEY_SECURE_BOOT_OPTION                0x1100
>   #define KEY_SECURE_BOOT_PK_OPTION             0x1101
>   #define KEY_SECURE_BOOT_KEK_OPTION            0x1102
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
> index fa7e11848c..e4560c592c 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
> @@ -69,6 +69,12 @@ formset
>       endif;
>       endif;
>   
> +    text
> +      help   = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP),
> +      text   = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS),
> +      flags  = INTERACTIVE,
> +      key    = KEY_SECURE_BOOT_RESET_TO_DEFAULT;
> +
>     endform;
>   
>     //
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> index 67e5e594ed..47f281873b 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>   **/
>   
>   #include "SecureBootConfigImpl.h"
> +#include <Protocol/HiiPopup.h>
>   #include <Library/BaseCryptLib.h>
>   #include <Library/SecureBootVariableLib.h>
>   
> @@ -4154,6 +4155,132 @@ ON_EXIT:
>     return Status;
>   }
>   
> +/**
> +  This function reinitializes Secure Boot variables with default values.
> +
> +  @retval   EFI_SUCCESS           Success to update the signature list page
> +  @retval   others                Fail to delete or enroll signature data.
> +**/
> +
> +STATIC EFI_STATUS
> +EFIAPI
> +KeyEnrollReset (
> +  VOID
> +  )
> +{
> +  EFI_STATUS  Status;
> +  UINT8       SetupMode;
> +
> +  Status = EFI_SUCCESS;
> +
> +  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
> +  if (EFI_ERROR(Status)) {
> +    return Status;
> +  }
> +
> +  // Clear all the keys and databases
> +  Status = DeleteDb ();
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status));
> +    return Status;
> +  }
> +
> +  Status = DeleteDbx ();
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status));
> +    return Status;
> +  }
> +
> +  Status = DeleteDbt ();
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status));
> +    return Status;
> +  }
> +
> +  Status = DeleteKEK ();
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status));
> +    return Status;
> +  }
> +
> +  Status = DeletePlatformKey ();
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status));
> +    return Status;
> +  }
> +
> +  // After PK clear, Setup Mode shall be enabled
> +  Status = GetSetupMode (&SetupMode);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n",
> +      Status));
> +    return Status;
> +  }
> +
> +  if (SetupMode == USER_MODE) {
> +    DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n"));
> +    return EFI_SUCCESS;
> +  }
> +
> +  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n",
> +      Status));
> +    return EFI_SUCCESS;
> +  }
> +
> +  // Enroll all the keys from default variables
> +  Status = EnrollDbFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status));
> +    goto error;
> +  }
> +
> +  Status = EnrollDbxFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status));
> +  }
> +
> +  Status = EnrollDbtFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status));
> +  }
> +
> +  Status = EnrollKEKFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status));
> +    goto cleardbs;
> +  }
> +
> +  Status = EnrollPKFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status));
> +    goto clearKEK;
> +  }
> +
> +  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
> +      "Please do it manually, otherwise system can be easily compromised\n"));
> +  }
> +
> +  return Status;
> +
> +clearKEK:
> +  DeleteKEK ();
> +
> +cleardbs:
> +  DeleteDbt ();
> +  DeleteDbx ();
> +  DeleteDb ();
> +
> +error:
> +  if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) != EFI_SUCCESS) {
> +    DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status));
> +  }
> +  return Status;
> +}
> +
>   /**
>     This function is called to provide results data to the driver.
>   
> @@ -4205,6 +4332,8 @@ SecureBootCallback (
>     SECUREBOOT_CONFIG_PRIVATE_DATA  *PrivateData;
>     BOOLEAN                         GetBrowserDataResult;
>     ENROLL_KEY_ERROR                EnrollKeyErrorCode;
> +  EFI_HII_POPUP_PROTOCOL          *HiiPopup;
> +  EFI_HII_POPUP_SELECTION         UserSelection;
>   
>     Status             = EFI_SUCCESS;
>     SecureBootEnable   = NULL;
> @@ -4755,6 +4884,31 @@ SecureBootCallback (
>           FreePool (SetupMode);
>         }
>         break;
> +    case KEY_SECURE_BOOT_RESET_TO_DEFAULT:
> +    {
> +      Status = gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VOID **) &HiiPopup);
> +      if (EFI_ERROR (Status)) {
> +        return Status;
> +      }
> +      Status = HiiPopup->CreatePopup (
> +                           HiiPopup,
> +                           EfiHiiPopupStyleInfo,
> +                           EfiHiiPopupTypeYesNo,
> +                           Private->HiiHandle,
> +                           STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP),
> +                           &UserSelection
> +                           );
> +      if (UserSelection == EfiHiiPopupSelectionYes) {
> +        Status = KeyEnrollReset ();
> +      }
> +      //
> +      // Update secure boot strings after key reset
> +      //
> +      if (Status == EFI_SUCCESS) {
> +        Status = UpdateSecureBootString (Private);
> +        SecureBootExtractConfigFromVariable (Private, IfrNvData);
> +      }
> +    }
>       default:
>         break;
>       }
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
> index ac783453cc..0d01701de7 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
> @@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>   #string STR_SECURE_BOOT_PROMPT             #language en-US "Attempt Secure Boot"
>   #string STR_SECURE_BOOT_HELP               #language en-US "Enable/Disable the Secure Boot feature after platform reset"
>   
> +#string STR_SECURE_RESET_TO_DEFAULTS_HELP  #language en-US "Enroll keys with data from default variables"
> +#string STR_SECURE_RESET_TO_DEFAULTS       #language en-US "Reset Secure Boot Keys"
> +#string STR_RESET_TO_DEFAULTS_POPUP        #language en-US "Secure Boot Keys & databases will be initialized from defaults.\n Are you sure?"
> +
>   #string STR_SECURE_BOOT_ENROLL_SIGNATURE   #language en-US "Enroll Signature"
>   #string STR_SECURE_BOOT_DELETE_SIGNATURE   #language en-US "Delete Signature"
>   #string STR_SECURE_BOOT_DELETE_LIST_FORM   #language en-US "Delete Signature List Form"
> 

Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [edk2-devel] [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization
  2021-06-01 13:12 ` [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization Grzegorz Bernacki
@ 2021-06-02 17:40   ` Pete Batard
  2021-06-04  8:35   ` Sunny Wang
  2021-07-08 18:37   ` Samer El-Haj-Mahmoud
  2 siblings, 0 replies; 35+ messages in thread
From: Pete Batard @ 2021-06-02 17:40 UTC (permalink / raw)
  To: devel, gjb
  Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
	upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek

This whole patch series looks fine to me.

I have tested it on Raspberry Pi 4, and I have some changes lined up to 
ensure that the next Pi 4 firmware we produce, after this series has 
been integrated, can use the new feature.

For the record, since we are using an automated build system (and the Pi 
4 can't exactly be considered as a secure platform anyway), my plan is 
to discard the PK's private key and include only MS KEK and DBs for the 
time being.

Basically, it should go something like this:

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Raspberry Pi Platform 
Key/" -keyout /dev/null -outform DER -out keys/pk.cer -days 7300 -nodes 
-sha256
curl -L https://go.microsoft.com/fwlink/?LinkId=321185 -o keys/ms_kek.cer
curl -L https://go.microsoft.com/fwlink/?linkid=321192 -o keys/ms_db1.crt
curl -L https://go.microsoft.com/fwlink/?linkid=321194 -o keys/ms_db2.crt
curl -L 
https://uefi.org/sites/default/files/resources/dbxupdate_arm64.bin -o 
keys/arm64_dbx.bin

and then use the files above for the DEFAULT_FILE vars.

With this, I was able to get the default keys installed using the new 
Secure Boot menu, and validated that something like the Windows 
bootloader would load properly, whereas an unsigned bootloader such as 
the GRUB one wouldn't.

Please find my formal R-b for this patch below:

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This commit allows to initialize Secure Boot default key
> and databases from data embedded in firmware binary.
> 
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>   Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++-
>   Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++
>   2 files changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4/RPi4.dsc
> index d8c6fdd4bd..1fb4df0b81 100644
> --- a/Platform/RaspberryPi/RPi4/RPi4.dsc
> +++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
> @@ -164,7 +164,7 @@
>   !if $(SECURE_BOOT_ENABLE) == TRUE
>     TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
>     AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> -
> +  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>     # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
>     PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>   !else
> @@ -217,6 +217,7 @@
>     MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
>     HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
>     ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
> +  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
>     FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
>   
>   [LibraryClasses.common.UEFI_DRIVER]
> @@ -612,6 +613,8 @@
>         NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
>     }
>     SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> +  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
>   !else
>     MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
>   !endif
> diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf b/Platform/RaspberryPi/RPi4/RPi4.fdf
> index 1e13909a57..0e43d24c7a 100644
> --- a/Platform/RaspberryPi/RPi4/RPi4.fdf
> +++ b/Platform/RaspberryPi/RPi4/RPi4.fdf
> @@ -189,7 +189,9 @@ READ_LOCK_STATUS   = TRUE
>     INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
>     INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
>   !if $(SECURE_BOOT_ENABLE) == TRUE
> +!include SecurityPkg/SecureBootDefaultKeys.fdf.inc
>     INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +  INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
>   !endif
>     INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
>     INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
> 

Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie>

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [EXTERNAL] Re: [edk2-devel] [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application.
  2021-06-02 17:40   ` [edk2-devel] " Pete Batard
@ 2021-06-02 19:38     ` Bret Barkelew
  0 siblings, 0 replies; 35+ messages in thread
From: Bret Barkelew @ 2021-06-02 19:38 UTC (permalink / raw)
  To: devel@edk2.groups.io, pete@akeo.ie, gjb@semihalf.com
  Cc: Lindholm, Leif, ardb+tianocore@kernel.org, Samer El-Haj-Mahmoud,
	sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com,
	Yao, Jiewen, jian.j.wang@intel.com, min.m.xu@intel.com,
	lersek@redhat.com

[-- Attachment #1: Type: text/plain, Size: 6953 bytes --]

> +#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)

I don’t think this sort of implied concatenation works on all compilers.

- Bret

From: Pete Batard via groups.io<mailto:pete=akeo.ie@groups.io>
Sent: Wednesday, June 2, 2021 10:40 AM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; gjb@semihalf.com<mailto:gjb@semihalf.com>
Cc: Lindholm, Leif<mailto:leif@nuviainc.com>; ardb+tianocore@kernel.org<mailto:ardb+tianocore@kernel.org>; Samer El-Haj-Mahmoud<mailto:Samer.El-Haj-Mahmoud@arm.com>; sunny.Wang@arm.com<mailto:sunny.Wang@arm.com>; mw@semihalf.com<mailto:mw@semihalf.com>; upstream@semihalf.com<mailto:upstream@semihalf.com>; Yao, Jiewen<mailto:jiewen.yao@intel.com>; jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>; min.m.xu@intel.com<mailto:min.m.xu@intel.com>; lersek@redhat.com<mailto:lersek@redhat.com>
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application.

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This application allows user to force key enrollment from
> Secure Boot default variables.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>   SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf |  47 +++++++++
>   SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c   | 107 ++++++++++++++++++++
>   2 files changed, 154 insertions(+)
>   create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
>   create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
>
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> new file mode 100644
> index 0000000000..4d79ca3844
> --- /dev/null
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> @@ -0,0 +1,47 @@
> +## @file
> +#  Enroll PK, KEK, db, dbx from Default variables
> +#
> +#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 1.28
> +  BASE_NAME                      = EnrollFromDefaultKeysApp
> +  FILE_GUID                      = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
> +  MODULE_TYPE                    = UEFI_APPLICATION
> +  VERSION_STRING                 = 0.1
> +  ENTRY_POINT                    = UefiMain
> +
> +[Sources]
> +  EnrollFromDefaultKeysApp.c
> +
> +[Packages]
> +  MdeModulePkg/MdeModulePkg.dec
> +  MdePkg/MdePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +
> +[Guids]
> +  gEfiCertPkcs7Guid
> +  gEfiCertSha256Guid
> +  gEfiCertX509Guid
> +  gEfiCustomModeEnableGuid
> +  gEfiGlobalVariableGuid
> +  gEfiImageSecurityDatabaseGuid
> +  gEfiSecureBootEnableDisableGuid
> +
> +[Protocols]
> +  gEfiSmbiosProtocolGuid ## CONSUMES
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  PrintLib
> +  UefiApplicationEntryPoint
> +  UefiBootServicesTableLib
> +  UefiLib
> +  UefiRuntimeServicesTableLib
> +  SecureBootVariableLib
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> new file mode 100644
> index 0000000000..1907ce1d4e
> --- /dev/null
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> @@ -0,0 +1,107 @@
> +/** @file
> +  Enroll default PK, KEK, db, dbx.
> +
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +**/
> +
> +#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
> +#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
> +#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
> +#include <Library/BaseLib.h>                     // GUID_STRING_LENGTH
> +#include <Library/BaseMemoryLib.h>               // CopyGuid()
> +#include <Library/DebugLib.h>                    // ASSERT()
> +#include <Library/MemoryAllocationLib.h>         // FreePool()
> +#include <Library/PrintLib.h>                    // AsciiSPrint()
> +#include <Library/UefiBootServicesTableLib.h>    // gBS
> +#include <Library/UefiLib.h>                     // AsciiPrint()
> +#include <Library/UefiRuntimeServicesTableLib.h> // gRT
> +#include <Uefi/UefiMultiPhase.h>
> +#include <Library/SecureBootVariableLib.h>
> +
> +#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)
> +
> +/**
> +  Entry point function of this shell application.
> +**/
> +EFI_STATUS
> +EFIAPI
> +UefiMain (
> +  IN EFI_HANDLE        ImageHandle,
> +  IN EFI_SYSTEM_TABLE  *SystemTable
> +  )
> +{
> +  EFI_STATUS Status;
> +  UINT8      SetupMode;
> +
> +  Status = GetSetupMode (&SetupMode);
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot get SetupMode variable: %r\n", Status);
> +    return 1;
> +  }
> +
> +  if (SetupMode == USER_MODE) {
> +    FAIL ("Skipped - USER_MODE\n");
> +    return 1;
> +  }
> +
> +  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
> +    return 1;
> +  }
> +
> +  Status = EnrollDbFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll db: %r\n", Status);
> +    goto error;
> +  }
> +
> +  Status = EnrollDbxFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll dbt: %r\n", Status);
> +  }
> +
> +  Status = EnrollDbtFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll dbx: %r\n", Status);
> +  }
> +
> +  Status = EnrollKEKFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll KEK: %r\n", Status);
> +    goto cleardbs;
> +  }
> +
> +  Status = EnrollPKFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll PK: %r\n", Status);
> +    goto clearKEK;
> +  }
> +
> +  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
> +      "Please do it manually, otherwise system can be easily compromised\n");
> +  }
> +  return 0;
> +
> +clearKEK:
> +  DeleteKEK ();
> +
> +cleardbs:
> +  DeleteDbt ();
> +  DeleteDbx ();
> +  DeleteDb ();
> +
> +error:
> +  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
> +      "Please do it manually, otherwise system can be easily compromised\n");
> +  }
> +
> +  return 1;
> +}
>

Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4






[-- Attachment #2: Type: text/html, Size: 12546 bytes --]

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [EXTERNAL] Re: [edk2-devel] [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables.
  2021-06-02 17:39   ` [edk2-devel] " Pete Batard
@ 2021-06-02 19:43     ` Bret Barkelew
  0 siblings, 0 replies; 35+ messages in thread
From: Bret Barkelew @ 2021-06-02 19:43 UTC (permalink / raw)
  To: devel@edk2.groups.io, pete@akeo.ie, gjb@semihalf.com
  Cc: Lindholm, Leif, ardb+tianocore@kernel.org, Samer El-Haj-Mahmoud,
	sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com,
	Yao, Jiewen, jian.j.wang@intel.com, min.m.xu@intel.com,
	lersek@redhat.com

[-- Attachment #1: Type: text/plain, Size: 55070 bytes --]

> +CreateTimeBasedPayload (

I feel like we have a couple other instances of this floating around. Should we consolidate on a single implementation?

- Bret

From: Pete Batard via groups.io<mailto:pete=akeo.ie@groups.io>
Sent: Wednesday, June 2, 2021 10:39 AM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; gjb@semihalf.com<mailto:gjb@semihalf.com>
Cc: Lindholm, Leif<mailto:leif@nuviainc.com>; ardb+tianocore@kernel.org<mailto:ardb+tianocore@kernel.org>; Samer El-Haj-Mahmoud<mailto:Samer.El-Haj-Mahmoud@arm.com>; sunny.Wang@arm.com<mailto:sunny.Wang@arm.com>; mw@semihalf.com<mailto:mw@semihalf.com>; upstream@semihalf.com<mailto:upstream@semihalf.com>; Yao, Jiewen<mailto:jiewen.yao@intel.com>; jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>; min.m.xu@intel.com<mailto:min.m.xu@intel.com>; lersek@redhat.com<mailto:lersek@redhat.com>
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables.

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This commits add library, which consist functions related
> creation/removal Secure Boot variables. Some of the functions
> was moved from SecureBootConfigImpl.c file.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>   SecurityPkg/SecurityPkg.dsc                                                   |   1 +
>   SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf           |  79 ++
>   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf |   1 +
>   SecurityPkg/Include/Library/SecureBootVariableLib.h                           | 252 +++++
>   SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c             | 979 ++++++++++++++++++++
>   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c  | 189 +---
>   SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni           |  16 +
>   7 files changed, 1329 insertions(+), 188 deletions(-)
>   create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>   create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
>   create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
>   create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
>
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> index bd4b810bce..854f250625 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -70,6 +70,7 @@
>     RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
>     TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf
>     MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
> +  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>
>   [LibraryClasses.ARM]
>     #
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> new file mode 100644
> index 0000000000..84367841d5
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> @@ -0,0 +1,79 @@
> +## @file
> +#  Provides initialization of Secure Boot keys and databases.
> +#
> +#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +#
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = SecureBootVariableLib
> +  MODULE_UNI_FILE                = SecureBootVariableLib.uni
> +  FILE_GUID                      = D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F
> +  MODULE_TYPE                    = DXE_DRIVER
> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  = SecureBootVariableLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
> +
> +#
> +# The following information is for reference only and not required by the build tools.
> +#
> +#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
> +#
> +
> +[Sources]
> +  SecureBootVariableLib.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +  CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  BaseCryptLib
> +  DxeServicesLib
> +
> +[Guids]
> +  ## CONSUMES            ## Variable:L"SetupMode"
> +  ## PRODUCES            ## Variable:L"SetupMode"
> +  ## CONSUMES            ## Variable:L"SecureBoot"
> +  ## PRODUCES            ## Variable:L"SecureBoot"
> +  ## PRODUCES            ## Variable:L"PK"
> +  ## PRODUCES            ## Variable:L"KEK"
> +  ## CONSUMES            ## Variable:L"PKDefault"
> +  ## CONSUMES            ## Variable:L"KEKDefault"
> +  ## CONSUMES            ## Variable:L"dbDefault"
> +  ## CONSUMES            ## Variable:L"dbxDefault"
> +  ## CONSUMES            ## Variable:L"dbtDefault"
> +  gEfiGlobalVariableGuid
> +
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DB"
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DBX"
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DBT"
> +  gEfiImageSecurityDatabaseGuid
> +
> +  ## CONSUMES            ## Variable:L"SecureBootEnable"
> +  ## PRODUCES            ## Variable:L"SecureBootEnable"
> +  gEfiSecureBootEnableDisableGuid
> +
> +  ## CONSUMES            ## Variable:L"CustomMode"
> +  ## PRODUCES            ## Variable:L"CustomMode"
> +  gEfiCustomModeEnableGuid
> +
> +  gEfiCertTypeRsa2048Sha256Guid  ## CONSUMES
> +  gEfiCertX509Guid               ## CONSUMES
> +  gEfiCertPkcs7Guid              ## CONSUMES
> +
> +  gDefaultPKFileGuid
> +  gDefaultKEKFileGuid
> +  gDefaultdbFileGuid
> +  gDefaultdbxFileGuid
> +  gDefaultdbtFileGuid
> +
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> index 573efa6379..30d9cd8025 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> @@ -54,6 +54,7 @@
>     DevicePathLib
>     FileExplorerLib
>     PeCoffLib
> +  SecureBootVariableLib
>
>   [Guids]
>     ## SOMETIMES_CONSUMES      ## Variable:L"CustomMode"
> diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h
> new file mode 100644
> index 0000000000..2961c93a36
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h
> @@ -0,0 +1,252 @@
> +/** @file
> +  Provides a function to enroll keys based on default values.
> +
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef __SECURE_BOOT_VARIABLE_LIB_H__
> +#define __SECURE_BOOT_VARIABLE_LIB_H__
> +
> +/**
> +
> +  Set the platform secure boot mode into "Custom" or "Standard" mode.
> +
> +  @param[in]   SecureBootMode        New secure boot mode: STANDARD_SECURE_BOOT_MODE or
> +                                     CUSTOM_SECURE_BOOT_MODE.
> +
> +  @return EFI_SUCCESS                The platform has switched to the special mode successfully.
> +  @return other                      Fail to operate the secure boot mode.
> +
> +--*/
> +EFI_STATUS
> +SetSecureBootMode (
> +  IN  UINT8  SecureBootMode
> +);
> +
> +/**
> +  Fetches the value of SetupMode variable.
> +
> +  @param[out] SetupMode             Pointer to UINT8 for SetupMode output
> +
> +  @retval other                     Error codes from GetVariable.
> +--*/
> +BOOLEAN
> +EFIAPI
> +GetSetupMode (
> +  OUT UINT8 *SetupMode
> +);
> +
> +/**
> +  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
> +  descriptor with the input data. NO authentication is required in this function.
> +
> +  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
> +                                   On output, the size of data returned in Data
> +                                   buffer in bytes.
> +  @param[in, out]   Data           On input, Pointer to data buffer to be wrapped or
> +                                   pointer to NULL to wrap an empty payload.
> +                                   On output, Pointer to the new payload date buffer allocated from pool,
> +                                   it's caller's responsibility to free the memory when finish using it.
> +
> +  @retval EFI_SUCCESS              Create time based payload successfully.
> +  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources to create time based payload.
> +  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
> +  @retval Others                   Unexpected error happens.
> +
> +--*/
> +EFI_STATUS
> +CreateTimeBasedPayload (
> +  IN OUT UINTN            *DataSize,
> +  IN OUT UINT8            **Data
> +);
> +
> +/**
> +  Sets the content of the 'db' variable based on 'dbDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'db' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDb (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbxFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'dbx' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbx (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbtFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'dbt' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbt (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollKEKFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'KEK' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteKEK (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'PK' variable based on 'PKDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollPKFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'PK' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeletePlatformKey (
> +  VOID
> +);
> +
> +/** Initializes PKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitPKDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes KEKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitKEKDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes dbDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes dbtDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbtDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes dbxDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbxDefault (
> +  IN VOID
> +  );
> +#endif
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> new file mode 100644
> index 0000000000..16bad5530a
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> @@ -0,0 +1,979 @@
> +/** @file
> +  This library provides functions to set/clear Secure Boot
> +  keys and databases.
> +
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +#include <Guid/GlobalVariable.h>
> +#include <Guid/AuthenticatedVariableFormat.h>
> +#include <Guid/ImageAuthentication.h>
> +#include <Library/BaseCryptLib.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/UefiLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/UefiRuntimeServicesTableLib.h>
> +#include <Library/SecureBootVariableLib.h>
> +#include "Library/DxeServicesLib.h"
> +
> +/** Creates EFI Signature List structure.
> +
> +  @param[in]      Data     A pointer to signature data.
> +  @param[in]      Size     Size of signature data.
> +  @param[out]     SigList  Created Signature List.
> +
> +  @retval  EFI_SUCCESS           Signature List was created successfully.
> +  @retval  EFI_OUT_OF_RESOURCES  Failed to allocate memory.
> +--*/
> +STATIC
> +EFI_STATUS
> +CreateSigList (
> +  IN VOID                *Data,
> +  IN UINTN               Size,
> +  OUT EFI_SIGNATURE_LIST **SigList
> +  )
> +{
> +  UINTN                  SigListSize;
> +  EFI_SIGNATURE_LIST     *TmpSigList;
> +  EFI_SIGNATURE_DATA     *SigData;
> +
> +  //
> +  // Allocate data for Signature Database
> +  //
> +  SigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + Size;
> +  TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize);
> +  if (TmpSigList == NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  //
> +  // Only gEfiCertX509Guid type is supported
> +  //
> +  TmpSigList->SignatureListSize = (UINT32)SigListSize;
> +  TmpSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + Size);
> +  TmpSigList->SignatureHeaderSize = 0;
> +  CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid);
> +
> +  //
> +  // Copy key data
> +  //
> +  SigData = (EFI_SIGNATURE_DATA *) (TmpSigList + 1);
> +  CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid);
> +  CopyMem (&SigData->SignatureData[0], Data, Size);
> +
> +  *SigList = TmpSigList;
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/** Adds new signature list to signature database.
> +
> +  @param[in]      SigLists        A pointer to signature database.
> +  @param[in]      SiglListAppend  A signature list to be added.
> +  @param[out]     *SigListOut     Created signature database.
> +  @param[out]     SigListsSize    A size of created signature database.
> +
> +  @retval  EFI_SUCCESS           Signature List was added successfully.
> +  @retval  EFI_OUT_OF_RESOURCES  Failed to allocate memory.
> +--*/
> +STATIC
> +EFI_STATUS
> +ConcatenateSigList (
> +  IN  EFI_SIGNATURE_LIST *SigLists,
> +  IN  EFI_SIGNATURE_LIST *SigListAppend,
> +  OUT EFI_SIGNATURE_LIST **SigListOut,
> +  IN OUT UINTN           *SigListsSize
> +)
> +{
> +  EFI_SIGNATURE_LIST *TmpSigList;
> +  UINT8              *Offset;
> +  UINTN              NewSigListsSize;
> +
> +  NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
> +
> +  TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);
> +  if (TmpSigList == NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  CopyMem (TmpSigList, SigLists, *SigListsSize);
> +
> +  Offset = (UINT8 *)TmpSigList;
> +  Offset += *SigListsSize;
> +  CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);
> +
> +  *SigListsSize = NewSigListsSize;
> +  *SigListOut = TmpSigList;
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Create a EFI Signature List with data fetched from section specified as a argument.
> +  Found keys are verified using RsaGetPublicKeyFromX509().
> +
> +  @param[in]        KeyFileGuid    A pointer to to the FFS filename GUID
> +  @param[out]       SigListsSize   A pointer to size of signature list
> +  @param[out]       SigListsOut    a pointer to a callee-allocated buffer with signature lists
> +
> +  @retval EFI_SUCCESS              Create time based payload successfully.
> +  @retval EFI_NOT_FOUND            Section with key has not been found.
> +  @retval EFI_INVALID_PARAMETER    Embedded key has a wrong format.
> +  @retval Others                   Unexpected error happens.
> +
> +--*/
> +STATIC
> +EFI_STATUS
> +SecureBootFetchData (
> +    IN  EFI_GUID           *KeyFileGuid,
> +    OUT UINTN              *SigListsSize,
> +    OUT EFI_SIGNATURE_LIST **SigListOut
> +)
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  EFI_SIGNATURE_LIST *TmpEfiSig;
> +  EFI_SIGNATURE_LIST *TmpEfiSig2;
> +  EFI_STATUS         Status;
> +  VOID               *Buffer;
> +  VOID               *RsaPubKey;
> +  UINTN               Size;
> +  UINTN               KeyIndex;
> +
> +
> +  KeyIndex = 0;
> +  EfiSig = NULL;
> +  *SigListsSize = 0;
> +  while (1) {
> +    Status = GetSectionFromAnyFv (
> +               KeyFileGuid,
> +               EFI_SECTION_RAW,
> +               KeyIndex,
> +               &Buffer,
> +               &Size
> +               );
> +
> +    if (Status == EFI_SUCCESS) {
> +      RsaPubKey = NULL;
> +      if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
> +        DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
> +        if (EfiSig != NULL) {
> +          FreePool(EfiSig);
> +        }
> +        FreePool(Buffer);
> +        return EFI_INVALID_PARAMETER;
> +      }
> +
> +      Status = CreateSigList (Buffer, Size, &TmpEfiSig);
> +
> +      //
> +      // Concatenate lists if more than one section found
> +      //
> +      if (KeyIndex == 0) {
> +        EfiSig = TmpEfiSig;
> +        *SigListsSize = TmpEfiSig->SignatureListSize;
> +      } else {
> +        ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
> +        FreePool (EfiSig);
> +        FreePool (TmpEfiSig);
> +        EfiSig = TmpEfiSig2;
> +      }
> +
> +      KeyIndex++;
> +      FreePool (Buffer);
> +    } if (Status == EFI_NOT_FOUND) {
> +      break;
> +    }
> +  };
> +
> +  if (KeyIndex == 0) {
> +    return EFI_NOT_FOUND;
> +  }
> +
> +  *SigListOut = EfiSig;
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
> +  descriptor with the input data. NO authentication is required in this function.
> +
> +  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
> +                                   On output, the size of data returned in Data
> +                                   buffer in bytes.
> +  @param[in, out]   Data           On input, Pointer to data buffer to be wrapped or
> +                                   pointer to NULL to wrap an empty payload.
> +                                   On output, Pointer to the new payload date buffer allocated from pool,
> +                                   it's caller's responsibility to free the memory when finish using it.
> +
> +  @retval EFI_SUCCESS              Create time based payload successfully.
> +  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources to create time based payload.
> +  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
> +  @retval Others                   Unexpected error happens.
> +
> +--*/
> +EFI_STATUS
> +CreateTimeBasedPayload (
> +  IN OUT UINTN            *DataSize,
> +  IN OUT UINT8            **Data
> +  )
> +{
> +  EFI_STATUS                       Status;
> +  UINT8                            *NewData;
> +  UINT8                            *Payload;
> +  UINTN                            PayloadSize;
> +  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorData;
> +  UINTN                            DescriptorSize;
> +  EFI_TIME                         Time;
> +
> +  if (Data == NULL || DataSize == NULL) {
> +    return EFI_INVALID_PARAMETER;
> +  }
> +
> +  //
> +  // In Setup mode or Custom mode, the variable does not need to be signed but the
> +  // parameters to the SetVariable() call still need to be prepared as authenticated
> +  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
> +  // data in it.
> +  //
> +  Payload     = *Data;
> +  PayloadSize = *DataSize;
> +
> +  DescriptorSize    = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> +  NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
> +  if (NewData == NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  if ((Payload != NULL) && (PayloadSize != 0)) {
> +    CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
> +  }
> +
> +  DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
> +
> +  ZeroMem (&Time, sizeof (EFI_TIME));
> +  Status = gRT->GetTime (&Time, NULL);
> +  if (EFI_ERROR (Status)) {
> +    FreePool(NewData);
> +    return Status;
> +  }
> +  Time.Pad1       = 0;
> +  Time.Nanosecond = 0;
> +  Time.TimeZone   = 0;
> +  Time.Daylight   = 0;
> +  Time.Pad2       = 0;
> +  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
> +
> +  DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> +  DescriptorData->AuthInfo.Hdr.wRevision        = 0x0200;
> +  DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
> +  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
> +
> +  if (Payload != NULL) {
> +    FreePool(Payload);
> +  }
> +
> +  *DataSize = DescriptorSize + PayloadSize;
> +  *Data     = NewData;
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Internal helper function to delete a Variable given its name and GUID, NO authentication
> +  required.
> +
> +  @param[in]      VariableName            Name of the Variable.
> +  @param[in]      VendorGuid              GUID of the Variable.
> +
> +  @retval EFI_SUCCESS              Variable deleted successfully.
> +  @retval Others                   The driver failed to start the device.
> +
> +--*/
> +EFI_STATUS
> +DeleteVariable (
> +  IN  CHAR16                    *VariableName,
> +  IN  EFI_GUID                  *VendorGuid
> +  )
> +{
> +  EFI_STATUS              Status;
> +  VOID*                   Variable;
> +  UINT8                   *Data;
> +  UINTN                   DataSize;
> +  UINT32                  Attr;
> +
> +  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
> +  if (Variable == NULL) {
> +    return EFI_SUCCESS;
> +  }
> +  FreePool (Variable);
> +
> +  Data     = NULL;
> +  DataSize = 0;
> +  Attr     = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
> +             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> +
> +  Status = CreateTimeBasedPayload (&DataSize, &Data);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
> +    return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  VariableName,
> +                  VendorGuid,
> +                  Attr,
> +                  DataSize,
> +                  Data
> +                  );
> +  if (Data != NULL) {
> +    FreePool (Data);
> +  }
> +  return Status;
> +}
> +
> +/**
> +
> +  Set the platform secure boot mode into "Custom" or "Standard" mode.
> +
> +  @param[in]   SecureBootMode        New secure boot mode: STANDARD_SECURE_BOOT_MODE or
> +                                     CUSTOM_SECURE_BOOT_MODE.
> +
> +  @return EFI_SUCCESS                The platform has switched to the special mode successfully.
> +  @return other                      Fail to operate the secure boot mode.
> +
> +--*/
> +EFI_STATUS
> +SetSecureBootMode (
> +  IN  UINT8  SecureBootMode
> +  )
> +{
> +  return gRT->SetVariable (
> +                EFI_CUSTOM_MODE_NAME,
> +                &gEfiCustomModeEnableGuid,
> +                EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                sizeof (UINT8),
> +                &SecureBootMode
> +                );
> +}
> +
> +
> +/**
> +  Enroll a key/certificate based on a default variable.
> +
> +  @param[in] VariableName        The name of the key/database.
> +  @param[in] DefaultName         The name of the default variable.
> +  @param[in] VendorGuid          The namespace (ie. vendor GUID) of the variable
> +
> +
> +  @retval EFI_OUT_OF_RESOURCES   Out of memory while allocating AuthHeader.
> +  @retval EFI_SUCCESS            Successful enrollment.
> +  @return                        Error codes from GetTime () and SetVariable ().
> +--*/
> +STATIC
> +EFI_STATUS
> +EnrollFromDefault (
> +  IN CHAR16   *VariableName,
> +  IN CHAR16   *DefaultName,
> +  IN EFI_GUID *VendorGuid
> +  )
> +{
> +  VOID       *Data;
> +  UINTN       DataSize;
> +  EFI_STATUS  Status;
> +
> +  Status = EFI_SUCCESS;
> +
> +  DataSize = 0;
> +  Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);
> +  if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));
> +      return Status;
> +  }
> +
> +  CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
> +    return Status;
> +  }
> +
> +  //
> +  // Allocate memory for auth variable
> +  //
> +  Status = gRT->SetVariable (
> +                  VariableName,
> +                  VendorGuid,
> +                  (EFI_VARIABLE_NON_VOLATILE |
> +                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
> +                   EFI_VARIABLE_RUNTIME_ACCESS |
> +                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
> +                  DataSize,
> +                  Data
> +                  );
> +
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, VariableName,
> +      VendorGuid, Status));
> +  }
> +
> +  if (Data != NULL) {
> +    FreePool (Data);
> +  }
> +
> +  return Status;
> +}
> +
> +/** Initializes PKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitPKDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8               *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_PK_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes KEKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitKEKDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +
> +  Status = gRT->SetVariable (
> +                  EFI_KEK_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +      return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_DB_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbxDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbxDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_DBX_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbtDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbtDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +      return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_DBT_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Fetches the value of SetupMode variable.
> +
> +  @param[out] SetupMode             Pointer to UINT8 for SetupMode output
> +
> +  @retval other                     Retval from GetVariable.
> +--*/
> +BOOLEAN
> +EFIAPI
> +GetSetupMode (
> +    OUT UINT8 *SetupMode
> +)
> +{
> +  UINTN      Size;
> +  EFI_STATUS Status;
> +
> +  Size = sizeof (*SetupMode);
> +  Status = gRT->GetVariable (
> +                  EFI_SETUP_MODE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  NULL,
> +                  &Size,
> +                  SetupMode
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Sets the content of the 'db' variable based on 'dbDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_IMAGE_SECURITY_DATABASE,
> +             EFI_DB_DEFAULT_VARIABLE_NAME,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'db' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDb (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = DeleteVariable (
> +             EFI_IMAGE_SECURITY_DATABASE,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbxFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_IMAGE_SECURITY_DATABASE1,
> +             EFI_DBX_DEFAULT_VARIABLE_NAME,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'dbx' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbx (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = DeleteVariable (
> +             EFI_IMAGE_SECURITY_DATABASE1,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbtFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_IMAGE_SECURITY_DATABASE2,
> +             EFI_DBT_DEFAULT_VARIABLE_NAME,
> +             &gEfiImageSecurityDatabaseGuid);
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'dbt' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbt (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = DeleteVariable (
> +             EFI_IMAGE_SECURITY_DATABASE2,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollKEKFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_KEY_EXCHANGE_KEY_NAME,
> +             EFI_KEK_DEFAULT_VARIABLE_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'KEK' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteKEK (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = DeleteVariable (
> +             EFI_KEY_EXCHANGE_KEY_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollPKFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_PLATFORM_KEY_NAME,
> +             EFI_PK_DEFAULT_VARIABLE_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Remove the PK variable.
> +
> +  @retval EFI_SUCCESS    Delete PK successfully.
> +  @retval Others         Could not allow to delete PK.
> +
> +--*/
> +EFI_STATUS
> +DeletePlatformKey (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +
> +  Status = DeleteVariable (
> +             EFI_PLATFORM_KEY_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +  return Status;
> +}
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> index e82bfe7757..67e5e594ed 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> @@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>
>   #include "SecureBootConfigImpl.h"
>   #include <Library/BaseCryptLib.h>
> +#include <Library/SecureBootVariableLib.h>
>
>   CHAR16              mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION";
>
> @@ -237,168 +238,6 @@ SaveSecureBootVariable (
>     return Status;
>   }
>
> -/**
> -  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
> -  descriptor with the input data. NO authentication is required in this function.
> -
> -  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
> -                                   On output, the size of data returned in Data
> -                                   buffer in bytes.
> -  @param[in, out]   Data           On input, Pointer to data buffer to be wrapped or
> -                                   pointer to NULL to wrap an empty payload.
> -                                   On output, Pointer to the new payload date buffer allocated from pool,
> -                                   it's caller's responsibility to free the memory when finish using it.
> -
> -  @retval EFI_SUCCESS              Create time based payload successfully.
> -  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources to create time based payload.
> -  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
> -  @retval Others                   Unexpected error happens.
> -
> -**/
> -EFI_STATUS
> -CreateTimeBasedPayload (
> -  IN OUT UINTN            *DataSize,
> -  IN OUT UINT8            **Data
> -  )
> -{
> -  EFI_STATUS                       Status;
> -  UINT8                            *NewData;
> -  UINT8                            *Payload;
> -  UINTN                            PayloadSize;
> -  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorData;
> -  UINTN                            DescriptorSize;
> -  EFI_TIME                         Time;
> -
> -  if (Data == NULL || DataSize == NULL) {
> -    return EFI_INVALID_PARAMETER;
> -  }
> -
> -  //
> -  // In Setup mode or Custom mode, the variable does not need to be signed but the
> -  // parameters to the SetVariable() call still need to be prepared as authenticated
> -  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
> -  // data in it.
> -  //
> -  Payload     = *Data;
> -  PayloadSize = *DataSize;
> -
> -  DescriptorSize    = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> -  NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
> -  if (NewData == NULL) {
> -    return EFI_OUT_OF_RESOURCES;
> -  }
> -
> -  if ((Payload != NULL) && (PayloadSize != 0)) {
> -    CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
> -  }
> -
> -  DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
> -
> -  ZeroMem (&Time, sizeof (EFI_TIME));
> -  Status = gRT->GetTime (&Time, NULL);
> -  if (EFI_ERROR (Status)) {
> -    FreePool(NewData);
> -    return Status;
> -  }
> -  Time.Pad1       = 0;
> -  Time.Nanosecond = 0;
> -  Time.TimeZone   = 0;
> -  Time.Daylight   = 0;
> -  Time.Pad2       = 0;
> -  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
> -
> -  DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> -  DescriptorData->AuthInfo.Hdr.wRevision        = 0x0200;
> -  DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
> -  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
> -
> -  if (Payload != NULL) {
> -    FreePool(Payload);
> -  }
> -
> -  *DataSize = DescriptorSize + PayloadSize;
> -  *Data     = NewData;
> -  return EFI_SUCCESS;
> -}
> -
> -/**
> -  Internal helper function to delete a Variable given its name and GUID, NO authentication
> -  required.
> -
> -  @param[in]      VariableName            Name of the Variable.
> -  @param[in]      VendorGuid              GUID of the Variable.
> -
> -  @retval EFI_SUCCESS              Variable deleted successfully.
> -  @retval Others                   The driver failed to start the device.
> -
> -**/
> -EFI_STATUS
> -DeleteVariable (
> -  IN  CHAR16                    *VariableName,
> -  IN  EFI_GUID                  *VendorGuid
> -  )
> -{
> -  EFI_STATUS              Status;
> -  VOID*                   Variable;
> -  UINT8                   *Data;
> -  UINTN                   DataSize;
> -  UINT32                  Attr;
> -
> -  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
> -  if (Variable == NULL) {
> -    return EFI_SUCCESS;
> -  }
> -  FreePool (Variable);
> -
> -  Data     = NULL;
> -  DataSize = 0;
> -  Attr     = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
> -             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> -
> -  Status = CreateTimeBasedPayload (&DataSize, &Data);
> -  if (EFI_ERROR (Status)) {
> -    DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
> -    return Status;
> -  }
> -
> -  Status = gRT->SetVariable (
> -                  VariableName,
> -                  VendorGuid,
> -                  Attr,
> -                  DataSize,
> -                  Data
> -                  );
> -  if (Data != NULL) {
> -    FreePool (Data);
> -  }
> -  return Status;
> -}
> -
> -/**
> -
> -  Set the platform secure boot mode into "Custom" or "Standard" mode.
> -
> -  @param[in]   SecureBootMode        New secure boot mode: STANDARD_SECURE_BOOT_MODE or
> -                                     CUSTOM_SECURE_BOOT_MODE.
> -
> -  @return EFI_SUCCESS                The platform has switched to the special mode successfully.
> -  @return other                      Fail to operate the secure boot mode.
> -
> -**/
> -EFI_STATUS
> -SetSecureBootMode (
> -  IN     UINT8         SecureBootMode
> -  )
> -{
> -  return gRT->SetVariable (
> -                EFI_CUSTOM_MODE_NAME,
> -                &gEfiCustomModeEnableGuid,
> -                EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
> -                sizeof (UINT8),
> -                &SecureBootMode
> -                );
> -}
> -
>   /**
>     This code checks if the encode type and key strength of X.509
>     certificate is qualified.
> @@ -646,32 +485,6 @@ ON_EXIT:
>     return Status;
>   }
>
> -/**
> -  Remove the PK variable.
> -
> -  @retval EFI_SUCCESS    Delete PK successfully.
> -  @retval Others         Could not allow to delete PK.
> -
> -**/
> -EFI_STATUS
> -DeletePlatformKey (
> -  VOID
> -)
> -{
> -  EFI_STATUS Status;
> -
> -  Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
> -  if (EFI_ERROR (Status)) {
> -    return Status;
> -  }
> -
> -  Status = DeleteVariable (
> -             EFI_PLATFORM_KEY_NAME,
> -             &gEfiGlobalVariableGuid
> -             );
> -  return Status;
> -}
> -
>   /**
>     Enroll a new KEK item from public key storing file (*.pbk).
>
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> new file mode 100644
> index 0000000000..2c51e4db53
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> @@ -0,0 +1,16 @@
> +// /** @file
> +//
> +// Provides initialization of Secure Boot keys and databases.
> +//
> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +// Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT             #language en-US "Provides function to initialize PK, KEK and databases based on default variables."
> +
> +#string STR_MODULE_DESCRIPTION          #language en-US "Provides function to initialize PK, KEK and databases based on default variables."
> +
>

Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4






[-- Attachment #2: Type: text/html, Size: 105677 bytes --]

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables.
  2021-06-01 13:12 ` [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
  2021-06-02 17:39   ` [edk2-devel] " Pete Batard
@ 2021-06-03  6:56   ` Min Xu
  2021-06-04  7:49   ` Sunny Wang
  2 siblings, 0 replies; 35+ messages in thread
From: Min Xu @ 2021-06-03  6:56 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com,
	upstream@semihalf.com, Yao, Jiewen, Wang, Jian J,
	lersek@redhat.com

On Tuesday, June 1, 2021 9:12 PM, Grzegorz Bernacki wrote:
> This commits add library, which consist functions related creation/removal
> Secure Boot variables. Some of the functions was moved from
> SecureBootConfigImpl.c file.
> 
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>  SecurityPkg/SecurityPkg.dsc                                                   |   1 +
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf           |
> 79 ++
> 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf |   1 +
>  SecurityPkg/Include/Library/SecureBootVariableLib.h                           | 252
> +++++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c             |
> 979 ++++++++++++++++++++
> 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> mpl.c  | 189 +---
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> |  16 +
>  7 files changed, 1329 insertions(+), 188 deletions(-)  create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
>  create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
>  create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> 
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index
> bd4b810bce..854f250625 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -70,6 +70,7 @@
>    RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
> 
> TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventL
> ogRecordLib.inf
> 
> MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnbloc
> kMemoryLibNull.inf
> +
> + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/Secure
> + BootVariableLib.inf
> 
>  [LibraryClasses.ARM]
>    #
> diff --git
> a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> new file mode 100644
> index 0000000000..84367841d5
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.in
> +++ f
> @@ -0,0 +1,79 @@
> +## @file
> +#  Provides initialization of Secure Boot keys and databases.
> +#
> +#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> #  Copyright
> +(c) 2021, Semihalf All rights reserved.<BR> # #
> +SPDX-License-Identifier: BSD-2-Clause-Patent # ##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = SecureBootVariableLib
> +  MODULE_UNI_FILE                = SecureBootVariableLib.uni
> +  FILE_GUID                      = D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F
> +  MODULE_TYPE                    = DXE_DRIVER
> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  = SecureBootVariableLib|DXE_DRIVER
> DXE_RUNTIME_DRIVER UEFI_APPLICATION
> +
> +#
> +# The following information is for reference only and not required by the
> build tools.
> +#
> +#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
> +#
> +
> +[Sources]
> +  SecureBootVariableLib.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +  CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  BaseCryptLib
> +  DxeServicesLib
> +
> +[Guids]
> +  ## CONSUMES            ## Variable:L"SetupMode"
> +  ## PRODUCES            ## Variable:L"SetupMode"
> +  ## CONSUMES            ## Variable:L"SecureBoot"
> +  ## PRODUCES            ## Variable:L"SecureBoot"
> +  ## PRODUCES            ## Variable:L"PK"
> +  ## PRODUCES            ## Variable:L"KEK"
> +  ## CONSUMES            ## Variable:L"PKDefault"
> +  ## CONSUMES            ## Variable:L"KEKDefault"
> +  ## CONSUMES            ## Variable:L"dbDefault"
> +  ## CONSUMES            ## Variable:L"dbxDefault"
> +  ## CONSUMES            ## Variable:L"dbtDefault"
> +  gEfiGlobalVariableGuid
> +
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DB"
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DBX"
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DBT"
> +  gEfiImageSecurityDatabaseGuid
> +
> +  ## CONSUMES            ## Variable:L"SecureBootEnable"
> +  ## PRODUCES            ## Variable:L"SecureBootEnable"
> +  gEfiSecureBootEnableDisableGuid
> +
> +  ## CONSUMES            ## Variable:L"CustomMode"
> +  ## PRODUCES            ## Variable:L"CustomMode"
> +  gEfiCustomModeEnableGuid
> +
> +  gEfiCertTypeRsa2048Sha256Guid  ## CONSUMES
> +  gEfiCertX509Guid               ## CONSUMES
> +  gEfiCertPkcs7Guid              ## CONSUMES
> +
> +  gDefaultPKFileGuid
> +  gDefaultKEKFileGuid
> +  gDefaultdbFileGuid
> +  gDefaultdbxFileGuid
> +  gDefaultdbtFileGuid
> +
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> gDxe.inf
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> gDxe.inf
> index 573efa6379..30d9cd8025 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> gDxe.inf
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo
> +++ nfigDxe.inf
> @@ -54,6 +54,7 @@
>    DevicePathLib
>    FileExplorerLib
>    PeCoffLib
> +  SecureBootVariableLib
> 
>  [Guids]
>    ## SOMETIMES_CONSUMES      ## Variable:L"CustomMode"
> diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h
> b/SecurityPkg/Include/Library/SecureBootVariableLib.h
> new file mode 100644
> index 0000000000..2961c93a36
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h
> @@ -0,0 +1,252 @@
> +/** @file
> +  Provides a function to enroll keys based on default values.
> +
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> Copyright (c)
> +2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef __SECURE_BOOT_VARIABLE_LIB_H__
> +#define __SECURE_BOOT_VARIABLE_LIB_H__
> +
> +/**
> +
> +  Set the platform secure boot mode into "Custom" or "Standard" mode.
> +
> +  @param[in]   SecureBootMode        New secure boot mode:
> STANDARD_SECURE_BOOT_MODE or
> +                                     CUSTOM_SECURE_BOOT_MODE.
> +
> +  @return EFI_SUCCESS                The platform has switched to the special
> mode successfully.
> +  @return other                      Fail to operate the secure boot mode.
> +
> +--*/
> +EFI_STATUS
> +SetSecureBootMode (
> +  IN  UINT8  SecureBootMode
> +);
> +
> +/**
> +  Fetches the value of SetupMode variable.
> +
> +  @param[out] SetupMode             Pointer to UINT8 for SetupMode output
> +
> +  @retval other                     Error codes from GetVariable.
> +--*/
> +BOOLEAN
> +EFIAPI
> +GetSetupMode (
> +  OUT UINT8 *SetupMode
> +);
> +
> +/**
> +  Create a time based data payload by concatenating the
> +EFI_VARIABLE_AUTHENTICATION_2
> +  descriptor with the input data. NO authentication is required in this
> function.
> +
> +  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
> +                                   On output, the size of data returned in Data
> +                                   buffer in bytes.
> +  @param[in, out]   Data           On input, Pointer to data buffer to be
> wrapped or
> +                                   pointer to NULL to wrap an empty payload.
> +                                   On output, Pointer to the new payload date buffer
> allocated from pool,
> +                                   it's caller's responsibility to free the memory when finish
> using it.
> +
> +  @retval EFI_SUCCESS              Create time based payload successfully.
> +  @retval EFI_OUT_OF_RESOURCES     There are not enough memory
> resources to create time based payload.
> +  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
> +  @retval Others                   Unexpected error happens.
> +
> +--*/
> +EFI_STATUS
> +CreateTimeBasedPayload (
> +  IN OUT UINTN            *DataSize,
> +  IN OUT UINT8            **Data
> +);
> +
> +/**
> +  Sets the content of the 'db' variable based on 'dbDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'db' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDb (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'dbx' variable based on 'dbxDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbxFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'dbx' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbx (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'dbt' variable based on 'dbtDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbtFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'dbt' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbt (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollKEKFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'KEK' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteKEK (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'PK' variable based on 'PKDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollPKFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'PK' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeletePlatformKey (
> +  VOID
> +);
> +
> +/** Initializes PKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitPKDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes KEKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitKEKDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes dbDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes dbtDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbtDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes dbxDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbxDefault (
> +  IN VOID
> +  );
> +#endif
> diff --git
> a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> new file mode 100644
> index 0000000000..16bad5530a
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> @@ -0,0 +1,979 @@
> +/** @file
> +  This library provides functions to set/clear Secure Boot
> +  keys and databases.
> +
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> Copyright (c)
> +2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +#include <Guid/GlobalVariable.h>
> +#include <Guid/AuthenticatedVariableFormat.h>
> +#include <Guid/ImageAuthentication.h>
> +#include <Library/BaseCryptLib.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/UefiLib.h>
> +#include <Library/MemoryAllocationLib.h> #include
> +<Library/UefiRuntimeServicesTableLib.h>
> +#include <Library/SecureBootVariableLib.h> #include
> +"Library/DxeServicesLib.h"
> +
> +/** Creates EFI Signature List structure.
> +
> +  @param[in]      Data     A pointer to signature data.
> +  @param[in]      Size     Size of signature data.
> +  @param[out]     SigList  Created Signature List.
> +
> +  @retval  EFI_SUCCESS           Signature List was created successfully.
> +  @retval  EFI_OUT_OF_RESOURCES  Failed to allocate memory.
> +--*/
> +STATIC
> +EFI_STATUS
> +CreateSigList (
> +  IN VOID                *Data,
> +  IN UINTN               Size,
> +  OUT EFI_SIGNATURE_LIST **SigList
> +  )
> +{
> +  UINTN                  SigListSize;
> +  EFI_SIGNATURE_LIST     *TmpSigList;
> +  EFI_SIGNATURE_DATA     *SigData;
> +
> +  //
> +  // Allocate data for Signature Database  //  SigListSize = sizeof
> + (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + Size;
> + TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize);
> + if (TmpSigList == NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  //
> +  // Only gEfiCertX509Guid type is supported  //
> + TmpSigList->SignatureListSize = (UINT32)SigListSize;
> + TmpSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1
> + + Size);  TmpSigList->SignatureHeaderSize = 0;  CopyGuid
> + (&TmpSigList->SignatureType, &gEfiCertX509Guid);
> +
> +  //
> +  // Copy key data
> +  //
> +  SigData = (EFI_SIGNATURE_DATA *) (TmpSigList + 1);  CopyGuid
> + (&SigData->SignatureOwner, &gEfiGlobalVariableGuid);  CopyMem
> + (&SigData->SignatureData[0], Data, Size);
> +
> +  *SigList = TmpSigList;
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/** Adds new signature list to signature database.
> +
> +  @param[in]      SigLists        A pointer to signature database.
> +  @param[in]      SiglListAppend  A signature list to be added.
> +  @param[out]     *SigListOut     Created signature database.
> +  @param[out]     SigListsSize    A size of created signature database.
> +
> +  @retval  EFI_SUCCESS           Signature List was added successfully.
> +  @retval  EFI_OUT_OF_RESOURCES  Failed to allocate memory.
> +--*/
> +STATIC
> +EFI_STATUS
> +ConcatenateSigList (
> +  IN  EFI_SIGNATURE_LIST *SigLists,
> +  IN  EFI_SIGNATURE_LIST *SigListAppend,
> +  OUT EFI_SIGNATURE_LIST **SigListOut,
> +  IN OUT UINTN           *SigListsSize
> +)
> +{
> +  EFI_SIGNATURE_LIST *TmpSigList;
> +  UINT8              *Offset;
> +  UINTN              NewSigListsSize;
> +
> +  NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
> +
> +  TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool
> + (NewSigListsSize);  if (TmpSigList == NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  CopyMem (TmpSigList, SigLists, *SigListsSize);
> +
> +  Offset = (UINT8 *)TmpSigList;
> +  Offset += *SigListsSize;
> +  CopyMem ((VOID *)Offset, SigListAppend,
> + SigListAppend->SignatureListSize);
> +
> +  *SigListsSize = NewSigListsSize;
> +  *SigListOut = TmpSigList;
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Create a EFI Signature List with data fetched from section specified as a
> argument.
> +  Found keys are verified using RsaGetPublicKeyFromX509().
> +
> +  @param[in]        KeyFileGuid    A pointer to to the FFS filename GUID
> +  @param[out]       SigListsSize   A pointer to size of signature list
> +  @param[out]       SigListsOut    a pointer to a callee-allocated buffer with
> signature lists
> +
> +  @retval EFI_SUCCESS              Create time based payload successfully.
> +  @retval EFI_NOT_FOUND            Section with key has not been found.
> +  @retval EFI_INVALID_PARAMETER    Embedded key has a wrong format.
> +  @retval Others                   Unexpected error happens.
> +
> +--*/
> +STATIC
> +EFI_STATUS
> +SecureBootFetchData (
> +    IN  EFI_GUID           *KeyFileGuid,
> +    OUT UINTN              *SigListsSize,
> +    OUT EFI_SIGNATURE_LIST **SigListOut
> +)
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  EFI_SIGNATURE_LIST *TmpEfiSig;
> +  EFI_SIGNATURE_LIST *TmpEfiSig2;
> +  EFI_STATUS         Status;
> +  VOID               *Buffer;
> +  VOID               *RsaPubKey;
> +  UINTN               Size;
> +  UINTN               KeyIndex;
> +
> +
> +  KeyIndex = 0;
> +  EfiSig = NULL;
> +  *SigListsSize = 0;
> +  while (1) {
> +    Status = GetSectionFromAnyFv (
> +               KeyFileGuid,
> +               EFI_SECTION_RAW,
> +               KeyIndex,
> +               &Buffer,
> +               &Size
> +               );
> +
> +    if (Status == EFI_SUCCESS) {
> +      RsaPubKey = NULL;
> +      if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
> +        DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n",
> __FUNCTION__, KeyIndex));
> +        if (EfiSig != NULL) {
> +          FreePool(EfiSig);
> +        }
> +        FreePool(Buffer);
> +        return EFI_INVALID_PARAMETER;
> +      }
> +
> +      Status = CreateSigList (Buffer, Size, &TmpEfiSig);
> +
> +      //
> +      // Concatenate lists if more than one section found
> +      //
> +      if (KeyIndex == 0) {
> +        EfiSig = TmpEfiSig;
> +        *SigListsSize = TmpEfiSig->SignatureListSize;
> +      } else {
> +        ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
> +        FreePool (EfiSig);
> +        FreePool (TmpEfiSig);
> +        EfiSig = TmpEfiSig2;
> +      }
> +
> +      KeyIndex++;
> +      FreePool (Buffer);
> +    } if (Status == EFI_NOT_FOUND) {
> +      break;
> +    }
> +  };
> +
> +  if (KeyIndex == 0) {
> +    return EFI_NOT_FOUND;
> +  }
> +
> +  *SigListOut = EfiSig;
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Create a time based data payload by concatenating the
> +EFI_VARIABLE_AUTHENTICATION_2
> +  descriptor with the input data. NO authentication is required in this
> function.
> +
> +  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
> +                                   On output, the size of data returned in Data
> +                                   buffer in bytes.
> +  @param[in, out]   Data           On input, Pointer to data buffer to be
> wrapped or
> +                                   pointer to NULL to wrap an empty payload.
> +                                   On output, Pointer to the new payload date buffer
> allocated from pool,
> +                                   it's caller's responsibility to free the memory when finish
> using it.
> +
> +  @retval EFI_SUCCESS              Create time based payload successfully.
> +  @retval EFI_OUT_OF_RESOURCES     There are not enough memory
> resources to create time based payload.
> +  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
> +  @retval Others                   Unexpected error happens.
> +
> +--*/
> +EFI_STATUS
> +CreateTimeBasedPayload (
> +  IN OUT UINTN            *DataSize,
> +  IN OUT UINT8            **Data
> +  )
> +{
> +  EFI_STATUS                       Status;
> +  UINT8                            *NewData;
> +  UINT8                            *Payload;
> +  UINTN                            PayloadSize;
> +  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorData;
> +  UINTN                            DescriptorSize;
> +  EFI_TIME                         Time;
> +
> +  if (Data == NULL || DataSize == NULL) {
> +    return EFI_INVALID_PARAMETER;
> +  }
> +
> +  //
> +  // In Setup mode or Custom mode, the variable does not need to be
> + signed but the  // parameters to the SetVariable() call still need to
> + be prepared as authenticated  // variable. So we create
> + EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate  // data in
> it.
> +  //
> +  Payload     = *Data;
> +  PayloadSize = *DataSize;
> +
> +  DescriptorSize    = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2,
> AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> +  NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
> + if (NewData == NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  if ((Payload != NULL) && (PayloadSize != 0)) {
> +    CopyMem (NewData + DescriptorSize, Payload, PayloadSize);  }
> +
> +  DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
> +
> +  ZeroMem (&Time, sizeof (EFI_TIME));
> +  Status = gRT->GetTime (&Time, NULL);
> +  if (EFI_ERROR (Status)) {
> +    FreePool(NewData);
> +    return Status;
> +  }
> +  Time.Pad1       = 0;
> +  Time.Nanosecond = 0;
> +  Time.TimeZone   = 0;
> +  Time.Daylight   = 0;
> +  Time.Pad2       = 0;
> +  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
> +
> +  DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF
> (WIN_CERTIFICATE_UEFI_GUID, CertData);
> +  DescriptorData->AuthInfo.Hdr.wRevision        = 0x0200;
> +  DescriptorData->AuthInfo.Hdr.wCertificateType =
> + WIN_CERT_TYPE_EFI_GUID;  CopyGuid (&DescriptorData-
> >AuthInfo.CertType,
> + &gEfiCertPkcs7Guid);
> +
> +  if (Payload != NULL) {
> +    FreePool(Payload);
> +  }
> +
> +  *DataSize = DescriptorSize + PayloadSize;
> +  *Data     = NewData;
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Internal helper function to delete a Variable given its name and
> +GUID, NO authentication
> +  required.
> +
> +  @param[in]      VariableName            Name of the Variable.
> +  @param[in]      VendorGuid              GUID of the Variable.
> +
> +  @retval EFI_SUCCESS              Variable deleted successfully.
> +  @retval Others                   The driver failed to start the device.
> +
> +--*/
> +EFI_STATUS
> +DeleteVariable (
> +  IN  CHAR16                    *VariableName,
> +  IN  EFI_GUID                  *VendorGuid
> +  )
> +{
> +  EFI_STATUS              Status;
> +  VOID*                   Variable;
> +  UINT8                   *Data;
> +  UINTN                   DataSize;
> +  UINT32                  Attr;
> +
> +  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);  if
> + (Variable == NULL) {
> +    return EFI_SUCCESS;
> +  }
> +  FreePool (Variable);
> +
> +  Data     = NULL;
> +  DataSize = 0;
> +  Attr     = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
> | EFI_VARIABLE_BOOTSERVICE_ACCESS
> +             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> +
> +  Status = CreateTimeBasedPayload (&DataSize, &Data);  if (EFI_ERROR
> + (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r",
> Status));
> +    return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  VariableName,
> +                  VendorGuid,
> +                  Attr,
> +                  DataSize,
> +                  Data
> +                  );
> +  if (Data != NULL) {
> +    FreePool (Data);
> +  }
> +  return Status;
> +}
> +
> +/**
> +
> +  Set the platform secure boot mode into "Custom" or "Standard" mode.
> +
> +  @param[in]   SecureBootMode        New secure boot mode:
> STANDARD_SECURE_BOOT_MODE or
> +                                     CUSTOM_SECURE_BOOT_MODE.
> +
> +  @return EFI_SUCCESS                The platform has switched to the special
> mode successfully.
> +  @return other                      Fail to operate the secure boot mode.
> +
> +--*/
> +EFI_STATUS
> +SetSecureBootMode (
> +  IN  UINT8  SecureBootMode
> +  )
> +{
> +  return gRT->SetVariable (
> +                EFI_CUSTOM_MODE_NAME,
> +                &gEfiCustomModeEnableGuid,
> +                EFI_VARIABLE_NON_VOLATILE |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                sizeof (UINT8),
> +                &SecureBootMode
> +                );
> +}
> +
> +
> +/**
> +  Enroll a key/certificate based on a default variable.
> +
> +  @param[in] VariableName        The name of the key/database.
> +  @param[in] DefaultName         The name of the default variable.
> +  @param[in] VendorGuid          The namespace (ie. vendor GUID) of the
> variable
> +
> +
> +  @retval EFI_OUT_OF_RESOURCES   Out of memory while allocating
> AuthHeader.
> +  @retval EFI_SUCCESS            Successful enrollment.
> +  @return                        Error codes from GetTime () and SetVariable ().
> +--*/
> +STATIC
> +EFI_STATUS
> +EnrollFromDefault (
> +  IN CHAR16   *VariableName,
> +  IN CHAR16   *DefaultName,
> +  IN EFI_GUID *VendorGuid
> +  )
> +{
> +  VOID       *Data;
> +  UINTN       DataSize;
> +  EFI_STATUS  Status;
> +
> +  Status = EFI_SUCCESS;
> +
> +  DataSize = 0;
> +  Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data,
> + &DataSize);  if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n",
> DefaultName, Status));
> +      return Status;
> +  }
> +
> +  CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);  if (EFI_ERROR
> + (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r",
> Status));
> +    return Status;
> +  }
> +
> +  //
> +  // Allocate memory for auth variable
> +  //
> +  Status = gRT->SetVariable (
> +                  VariableName,
> +                  VendorGuid,
> +                  (EFI_VARIABLE_NON_VOLATILE |
> +                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
> +                   EFI_VARIABLE_RUNTIME_ACCESS |
> +                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
> +                  DataSize,
> +                  Data
> +                  );
> +
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__,
> VariableName,
> +      VendorGuid, Status));
> +  }
> +
> +  if (Data != NULL) {
> +    FreePool (Data);
> +  }
> +
> +  return Status;
> +}
> +
> +/** Initializes PKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitPKDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8               *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it  //  Status =
> + GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid,
> + (VOID **) &Data, &DataSize);  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_PK_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized  //  DEBUG
> + ((DEBUG_INFO, "Variable %s does not exist.\n",
> + EFI_PK_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize,
> + &EfiSig);  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not found\n",
> EFI_PK_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_PK_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> + EFI_PK_DEFAULT_VARIABLE_NAME));  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes KEKDefault variable with data from FFS section.

Please keep consistent that "Initializes KEKDefault ... " should be in a new line, instead of after the "/**" directly. 

> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitKEKDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it  //  Status =
> + GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid,
> + (VOID **) &Data, &DataSize);  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_KEK_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized  //  DEBUG
> + ((DEBUG_INFO, "Variable %s does not exist.\n",
> + EFI_KEK_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize,
> + &EfiSig);  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not found\n",
> EFI_KEK_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +
> +  Status = gRT->SetVariable (
> +                  EFI_KEK_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> + EFI_KEK_DEFAULT_VARIABLE_NAME));  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbDefault variable with data from FFS section.

Please keep consistent that "Initializes deDefault ... " should be in a new line, instead of after the "/**" directly.

> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME,
> + &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);  if (Status ==
> EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_DB_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n",
> + EFI_DB_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize,
> + &EfiSig);  if (EFI_ERROR (Status)) {
> +      return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_DB_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> + EFI_DB_DEFAULT_VARIABLE_NAME));  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbxDefault variable with data from FFS section.

Please keep consistent that "Initializes dbxDefault ... " should be in a new line, instead of after the "/**" directly.

> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbxDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it  //  Status =
> + GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid,
> + (VOID **) &Data, &DataSize);  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_DBX_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized  //  DEBUG
> + ((DEBUG_INFO, "Variable %s does not exist.\n",
> + EFI_DBX_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize,
> + &EfiSig);  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not found\n",
> EFI_DBX_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_DBX_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> + EFI_DBX_DEFAULT_VARIABLE_NAME));  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbtDefault variable with data from FFS section.

Please keep consistent that "Initializes dbtDefault ... " should be in a new line, instead of after the "/**" directly.

> +
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbtDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it  //  Status =
> + GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid,
> + (VOID **) &Data, &DataSize);  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_DBT_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized  //  DEBUG
> + ((DEBUG_INFO, "Variable %s does not exist.\n",
> + EFI_DBT_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize,
> + &EfiSig);  if (EFI_ERROR (Status)) {
> +      return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_DBT_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> + EFI_DBT_DEFAULT_VARIABLE_NAME));  }
> +
> +  FreePool (EfiSig);
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Fetches the value of SetupMode variable.
> +
> +  @param[out] SetupMode             Pointer to UINT8 for SetupMode output
> +
> +  @retval other                     Retval from GetVariable.
> +--*/
> +BOOLEAN
> +EFIAPI
> +GetSetupMode (
> +    OUT UINT8 *SetupMode
> +)
> +{
> +  UINTN      Size;
> +  EFI_STATUS Status;
> +
> +  Size = sizeof (*SetupMode);
> +  Status = gRT->GetVariable (
> +                  EFI_SETUP_MODE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  NULL,
> +                  &Size,
> +                  SetupMode
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Sets the content of the 'db' variable based on 'dbDefault' variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_IMAGE_SECURITY_DATABASE,
> +             EFI_DB_DEFAULT_VARIABLE_NAME,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'db' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDb (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = DeleteVariable (
> +             EFI_IMAGE_SECURITY_DATABASE,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'dbx' variable based on 'dbxDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbxFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_IMAGE_SECURITY_DATABASE1,
> +             EFI_DBX_DEFAULT_VARIABLE_NAME,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'dbx' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbx (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = DeleteVariable (
> +             EFI_IMAGE_SECURITY_DATABASE1,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'dbt' variable based on 'dbtDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbtFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_IMAGE_SECURITY_DATABASE2,
> +             EFI_DBT_DEFAULT_VARIABLE_NAME,
> +             &gEfiImageSecurityDatabaseGuid);
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'dbt' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbt (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = DeleteVariable (
> +             EFI_IMAGE_SECURITY_DATABASE2,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollKEKFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_KEY_EXCHANGE_KEY_NAME,
> +             EFI_KEK_DEFAULT_VARIABLE_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'KEK' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteKEK (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = DeleteVariable (
> +             EFI_KEY_EXCHANGE_KEY_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollPKFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_PLATFORM_KEY_NAME,
> +             EFI_PK_DEFAULT_VARIABLE_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Remove the PK variable.
> +
> +  @retval EFI_SUCCESS    Delete PK successfully.
> +  @retval Others         Could not allow to delete PK.
> +
> +--*/
> +EFI_STATUS
> +DeletePlatformKey (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +
> +  Status = DeleteVariable (
> +             EFI_PLATFORM_KEY_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +  return Status;
> +}
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> gImpl.c
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> gImpl.c
> index e82bfe7757..67e5e594ed 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> gImpl.c
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo
> +++ nfigImpl.c
> @@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>  #include "SecureBootConfigImpl.h"
>  #include <Library/BaseCryptLib.h>
> +#include <Library/SecureBootVariableLib.h>
> 
>  CHAR16              mSecureBootStorageName[] =
> L"SECUREBOOT_CONFIGURATION";
> 
> @@ -237,168 +238,6 @@ SaveSecureBootVariable (
>    return Status;
>  }
> 
> -/**
> -  Create a time based data payload by concatenating the
> EFI_VARIABLE_AUTHENTICATION_2
> -  descriptor with the input data. NO authentication is required in this
> function.
> -
> -  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
> -                                   On output, the size of data returned in Data
> -                                   buffer in bytes.
> -  @param[in, out]   Data           On input, Pointer to data buffer to be
> wrapped or
> -                                   pointer to NULL to wrap an empty payload.
> -                                   On output, Pointer to the new payload date buffer
> allocated from pool,
> -                                   it's caller's responsibility to free the memory when finish
> using it.
> -
> -  @retval EFI_SUCCESS              Create time based payload successfully.
> -  @retval EFI_OUT_OF_RESOURCES     There are not enough memory
> resources to create time based payload.
> -  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
> -  @retval Others                   Unexpected error happens.
> -
> -**/
> -EFI_STATUS
> -CreateTimeBasedPayload (
> -  IN OUT UINTN            *DataSize,
> -  IN OUT UINT8            **Data
> -  )
> -{
> -  EFI_STATUS                       Status;
> -  UINT8                            *NewData;
> -  UINT8                            *Payload;
> -  UINTN                            PayloadSize;
> -  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorData;
> -  UINTN                            DescriptorSize;
> -  EFI_TIME                         Time;
> -
> -  if (Data == NULL || DataSize == NULL) {
> -    return EFI_INVALID_PARAMETER;
> -  }
> -
> -  //
> -  // In Setup mode or Custom mode, the variable does not need to be signed
> but the
> -  // parameters to the SetVariable() call still need to be prepared as
> authenticated
> -  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor
> without certificate
> -  // data in it.
> -  //
> -  Payload     = *Data;
> -  PayloadSize = *DataSize;
> -
> -  DescriptorSize    = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2,
> AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> -  NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
> -  if (NewData == NULL) {
> -    return EFI_OUT_OF_RESOURCES;
> -  }
> -
> -  if ((Payload != NULL) && (PayloadSize != 0)) {
> -    CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
> -  }
> -
> -  DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
> -
> -  ZeroMem (&Time, sizeof (EFI_TIME));
> -  Status = gRT->GetTime (&Time, NULL);
> -  if (EFI_ERROR (Status)) {
> -    FreePool(NewData);
> -    return Status;
> -  }
> -  Time.Pad1       = 0;
> -  Time.Nanosecond = 0;
> -  Time.TimeZone   = 0;
> -  Time.Daylight   = 0;
> -  Time.Pad2       = 0;
> -  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
> -
> -  DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF
> (WIN_CERTIFICATE_UEFI_GUID, CertData);
> -  DescriptorData->AuthInfo.Hdr.wRevision        = 0x0200;
> -  DescriptorData->AuthInfo.Hdr.wCertificateType =
> WIN_CERT_TYPE_EFI_GUID;
> -  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
> -
> -  if (Payload != NULL) {
> -    FreePool(Payload);
> -  }
> -
> -  *DataSize = DescriptorSize + PayloadSize;
> -  *Data     = NewData;
> -  return EFI_SUCCESS;
> -}
> -
> -/**
> -  Internal helper function to delete a Variable given its name and GUID, NO
> authentication
> -  required.
> -
> -  @param[in]      VariableName            Name of the Variable.
> -  @param[in]      VendorGuid              GUID of the Variable.
> -
> -  @retval EFI_SUCCESS              Variable deleted successfully.
> -  @retval Others                   The driver failed to start the device.
> -
> -**/
> -EFI_STATUS
> -DeleteVariable (
> -  IN  CHAR16                    *VariableName,
> -  IN  EFI_GUID                  *VendorGuid
> -  )
> -{
> -  EFI_STATUS              Status;
> -  VOID*                   Variable;
> -  UINT8                   *Data;
> -  UINTN                   DataSize;
> -  UINT32                  Attr;
> -
> -  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
> -  if (Variable == NULL) {
> -    return EFI_SUCCESS;
> -  }
> -  FreePool (Variable);
> -
> -  Data     = NULL;
> -  DataSize = 0;
> -  Attr     = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
> | EFI_VARIABLE_BOOTSERVICE_ACCESS
> -             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> -
> -  Status = CreateTimeBasedPayload (&DataSize, &Data);
> -  if (EFI_ERROR (Status)) {
> -    DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r",
> Status));
> -    return Status;
> -  }
> -
> -  Status = gRT->SetVariable (
> -                  VariableName,
> -                  VendorGuid,
> -                  Attr,
> -                  DataSize,
> -                  Data
> -                  );
> -  if (Data != NULL) {
> -    FreePool (Data);
> -  }
> -  return Status;
> -}
> -
> -/**
> -
> -  Set the platform secure boot mode into "Custom" or "Standard" mode.
> -
> -  @param[in]   SecureBootMode        New secure boot mode:
> STANDARD_SECURE_BOOT_MODE or
> -                                     CUSTOM_SECURE_BOOT_MODE.
> -
> -  @return EFI_SUCCESS                The platform has switched to the special
> mode successfully.
> -  @return other                      Fail to operate the secure boot mode.
> -
> -**/
> -EFI_STATUS
> -SetSecureBootMode (
> -  IN     UINT8         SecureBootMode
> -  )
> -{
> -  return gRT->SetVariable (
> -                EFI_CUSTOM_MODE_NAME,
> -                &gEfiCustomModeEnableGuid,
> -                EFI_VARIABLE_NON_VOLATILE |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> -                sizeof (UINT8),
> -                &SecureBootMode
> -                );
> -}
> -
>  /**
>    This code checks if the encode type and key strength of X.509
>    certificate is qualified.
> @@ -646,32 +485,6 @@ ON_EXIT:
>    return Status;
>  }
> 
> -/**
> -  Remove the PK variable.
> -
> -  @retval EFI_SUCCESS    Delete PK successfully.
> -  @retval Others         Could not allow to delete PK.
> -
> -**/
> -EFI_STATUS
> -DeletePlatformKey (
> -  VOID
> -)
> -{
> -  EFI_STATUS Status;
> -
> -  Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
> -  if (EFI_ERROR (Status)) {
> -    return Status;
> -  }
> -
> -  Status = DeleteVariable (
> -             EFI_PLATFORM_KEY_NAME,
> -             &gEfiGlobalVariableGuid
> -             );
> -  return Status;
> -}
> -
>  /**
>    Enroll a new KEK item from public key storing file (*.pbk).
> 
> diff --git
> a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> new file mode 100644
> index 0000000000..2c51e4db53
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.un
> +++ i
> @@ -0,0 +1,16 @@
> +// /** @file
> +//
> +// Provides initialization of Secure Boot keys and databases.
> +//
> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> // Copyright
> +(c) 2021, Semihalf All rights reserved.<BR> // //
> +SPDX-License-Identifier: BSD-2-Clause-Patent // // **/
> +
> +
> +#string STR_MODULE_ABSTRACT             #language en-US "Provides function
> to initialize PK, KEK and databases based on default variables."
> +
> +#string STR_MODULE_DESCRIPTION          #language en-US "Provides
> function to initialize PK, KEK and databases based on default variables."
> +
> --
> 2.25.1


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 2/6] SecurityPkg: Create include file for default key content.
  2021-06-01 13:12 ` [PATCH v2 2/6] SecurityPkg: Create include file for default key content Grzegorz Bernacki
  2021-06-02 17:39   ` [edk2-devel] " Pete Batard
@ 2021-06-03  7:06   ` Min Xu
  2021-06-04  8:11   ` Sunny Wang
  2 siblings, 0 replies; 35+ messages in thread
From: Min Xu @ 2021-06-03  7:06 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com,
	upstream@semihalf.com, Yao, Jiewen, Wang, Jian J,
	lersek@redhat.com

On Tuesday, June 1, 2021 9:12 PM, Grzegorz Bernacki Wrote:
> This commits add file which can be included by platform Flash Description
> File. It allows to specify certificate files, which will be embedded into binary
> file. The content of these files can be used to initialize Secure Boot default
> keys and databases.
> 
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>  SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 ++++++++++++++++++++
>  1 file changed, 62 insertions(+)
>  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> 
> diff --git a/SecurityPkg/SecureBootDefaultKeys.fdf.inc
> b/SecurityPkg/SecureBootDefaultKeys.fdf.inc
> new file mode 100644
> index 0000000000..056586b204
> --- /dev/null
> +++ b/SecurityPkg/SecureBootDefaultKeys.fdf.inc
> @@ -0,0 +1,62 @@

File header should be included, for example, the file description, Copyright, License, etc.

> +
> +!if $(DEFAULT_KEYS) == TRUE
> +  FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
> +  !ifdef $(PK_DEFAULT_FILE)
> +    SECTION RAW = $(PK_DEFAULT_FILE)
> +  !endif
> +    SECTION UI = "PK Default"
> +  }
> +
> +  FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {  !ifdef
> + $(KEK_DEFAULT_FILE1)
> +    SECTION RAW = $(KEK_DEFAULT_FILE1)
> +  !endif
> +  !ifdef $(KEK_DEFAULT_FILE2)
> +    SECTION RAW = $(KEK_DEFAULT_FILE2)
> +  !endif
> +  !ifdef $(KEK_DEFAULT_FILE3)
> +    SECTION RAW = $(KEK_DEFAULT_FILE3)
> +  !endif
> +    SECTION UI = "KEK Default"
> +  }
> +
> +  FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {  !ifdef
> + $(DB_DEFAULT_FILE1)
> +    SECTION RAW = $(DB_DEFAULT_FILE1)
> +  !endif
> +  !ifdef $(DB_DEFAULT_FILE2)
> +    SECTION RAW = $(DB_DEFAULT_FILE2)
> +  !endif
> +  !ifdef $(DB_DEFAULT_FILE3)
> +    SECTION RAW = $(DB_DEFAULT_FILE3)
> +  !endif
> +    SECTION UI = "DB Default"
> +  }
> +
> +  FILE FREEFORM = 36c513ee-a338-4976-a0fb-6ddba3dafe87 {  !ifdef
> + $(DBT_DEFAULT_FILE1)
> +    SECTION RAW = $(DBT_DEFAULT_FILE1)
> +  !endif
> +  !ifdef $(DBT_DEFAULT_FILE2)
> +    SECTION RAW = $(DBT_DEFAULT_FILE2)
> +  !endif
> +  !ifdef $(DBT_DEFAULT_FILE3)
> +    SECTION RAW = $(DBT_DEFAULT_FILE3)
> +  !endif
> +    SECTION UI = "DBT Default"
> +  }
> +
> +  FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {  !ifdef
> + $(DBX_DEFAULT_FILE1)
> +    SECTION RAW = $(DBX_DEFAULT_FILE1)
> +  !endif
> +  !ifdef $(DBX_DEFAULT_FILE2)
> +    SECTION RAW = $(DBX_DEFAULT_FILE2)
> +  !endif
> +  !ifdef $(DBX_DEFAULT_FILE3)
> +    SECTION RAW = $(DBX_DEFAULT_FILE3)
> +  !endif
> +    SECTION UI = "DBX Default"
> +  }
> +
> +!endif
> --
> 2.25.1


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables.
  2021-06-01 13:12 ` [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
  2021-06-02 17:39   ` [edk2-devel] " Pete Batard
  2021-06-03  6:56   ` Min Xu
@ 2021-06-04  7:49   ` Sunny Wang
  2 siblings, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-06-04  7:49 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io, Bret Barkelew
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
	jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
	lersek@redhat.com, Sunny Wang

Internally reviewed this patch before sending the edk2 mailing list and Greg already addressed all my comments, so It looks good to me. Please also address Bret and Min M's good catches/comments.
Moreover, for Bret's comment about CreateTimeBasedPayload (), I think we only missed one instance in edk2\MdeModulePkg\Library\PlatformVarCleanupLib\PlatVarCleanupLib.c. If not, feel free to add other instances, Bret.

Reviewed-by: Sunny Wang <sunny.wang@arm.com>

-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables.

This commits add library, which consist functions related
creation/removal Secure Boot variables. Some of the functions
was moved from SecureBootConfigImpl.c file.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/SecurityPkg.dsc                                                   |   1 +
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf           |  79 ++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf |   1 +
 SecurityPkg/Include/Library/SecureBootVariableLib.h                           | 252 +++++
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c             | 979 ++++++++++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c  | 189 +---
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni           |  16 +
 7 files changed, 1329 insertions(+), 188 deletions(-)
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
 create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni

diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index bd4b810bce..854f250625 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -70,6 +70,7 @@
   RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
   TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf
   MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
+  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf

 [LibraryClasses.ARM]
   #
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
new file mode 100644
index 0000000000..84367841d5
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
@@ -0,0 +1,79 @@
+## @file
+#  Provides initialization of Secure Boot keys and databases.
+#
+#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
+#
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = SecureBootVariableLib
+  MODULE_UNI_FILE                = SecureBootVariableLib.uni
+  FILE_GUID                      = D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = SecureBootVariableLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
+#
+
+[Sources]
+  SecureBootVariableLib.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+  CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  BaseCryptLib
+  DxeServicesLib
+
+[Guids]
+  ## CONSUMES            ## Variable:L"SetupMode"
+  ## PRODUCES            ## Variable:L"SetupMode"
+  ## CONSUMES            ## Variable:L"SecureBoot"
+  ## PRODUCES            ## Variable:L"SecureBoot"
+  ## PRODUCES            ## Variable:L"PK"
+  ## PRODUCES            ## Variable:L"KEK"
+  ## CONSUMES            ## Variable:L"PKDefault"
+  ## CONSUMES            ## Variable:L"KEKDefault"
+  ## CONSUMES            ## Variable:L"dbDefault"
+  ## CONSUMES            ## Variable:L"dbxDefault"
+  ## CONSUMES            ## Variable:L"dbtDefault"
+  gEfiGlobalVariableGuid
+
+  ## SOMETIMES_CONSUMES  ## Variable:L"DB"
+  ## SOMETIMES_CONSUMES  ## Variable:L"DBX"
+  ## SOMETIMES_CONSUMES  ## Variable:L"DBT"
+  gEfiImageSecurityDatabaseGuid
+
+  ## CONSUMES            ## Variable:L"SecureBootEnable"
+  ## PRODUCES            ## Variable:L"SecureBootEnable"
+  gEfiSecureBootEnableDisableGuid
+
+  ## CONSUMES            ## Variable:L"CustomMode"
+  ## PRODUCES            ## Variable:L"CustomMode"
+  gEfiCustomModeEnableGuid
+
+  gEfiCertTypeRsa2048Sha256Guid  ## CONSUMES
+  gEfiCertX509Guid               ## CONSUMES
+  gEfiCertPkcs7Guid              ## CONSUMES
+
+  gDefaultPKFileGuid
+  gDefaultKEKFileGuid
+  gDefaultdbFileGuid
+  gDefaultdbxFileGuid
+  gDefaultdbtFileGuid
+
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 573efa6379..30d9cd8025 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -54,6 +54,7 @@
   DevicePathLib
   FileExplorerLib
   PeCoffLib
+  SecureBootVariableLib

 [Guids]
   ## SOMETIMES_CONSUMES      ## Variable:L"CustomMode"
diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h
new file mode 100644
index 0000000000..2961c93a36
--- /dev/null
+++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h
@@ -0,0 +1,252 @@
+/** @file
+  Provides a function to enroll keys based on default values.
+
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __SECURE_BOOT_VARIABLE_LIB_H__
+#define __SECURE_BOOT_VARIABLE_LIB_H__
+
+/**
+
+  Set the platform secure boot mode into "Custom" or "Standard" mode.
+
+  @param[in]   SecureBootMode        New secure boot mode: STANDARD_SECURE_BOOT_MODE or
+                                     CUSTOM_SECURE_BOOT_MODE.
+
+  @return EFI_SUCCESS                The platform has switched to the special mode successfully.
+  @return other                      Fail to operate the secure boot mode.
+
+--*/
+EFI_STATUS
+SetSecureBootMode (
+  IN  UINT8  SecureBootMode
+);
+
+/**
+  Fetches the value of SetupMode variable.
+
+  @param[out] SetupMode             Pointer to UINT8 for SetupMode output
+
+  @retval other                     Error codes from GetVariable.
+--*/
+BOOLEAN
+EFIAPI
+GetSetupMode (
+  OUT UINT8 *SetupMode
+);
+
+/**
+  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
+  descriptor with the input data. NO authentication is required in this function.
+
+  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
+                                   On output, the size of data returned in Data
+                                   buffer in bytes.
+  @param[in, out]   Data           On input, Pointer to data buffer to be wrapped or
+                                   pointer to NULL to wrap an empty payload.
+                                   On output, Pointer to the new payload date buffer allocated from pool,
+                                   it's caller's responsibility to free the memory when finish using it.
+
+  @retval EFI_SUCCESS              Create time based payload successfully.
+  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources to create time based payload.
+  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
+  @retval Others                   Unexpected error happens.
+
+--*/
+EFI_STATUS
+CreateTimeBasedPayload (
+  IN OUT UINTN            *DataSize,
+  IN OUT UINT8            **Data
+);
+
+/**
+  Sets the content of the 'db' variable based on 'dbDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbFromDefault (
+  VOID
+);
+
+/**
+  Clears the content of the 'db' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDb (
+  VOID
+);
+
+/**
+  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbxFromDefault (
+  VOID
+);
+
+/**
+  Clears the content of the 'dbx' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbx (
+  VOID
+);
+
+/**
+  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbtFromDefault (
+  VOID
+);
+
+/**
+  Clears the content of the 'dbt' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbt (
+  VOID
+);
+
+/**
+  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollKEKFromDefault (
+  VOID
+);
+
+/**
+  Clears the content of the 'KEK' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteKEK (
+  VOID
+);
+
+/**
+  Sets the content of the 'PK' variable based on 'PKDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollPKFromDefault (
+  VOID
+);
+
+/**
+  Clears the content of the 'PK' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeletePlatformKey (
+  VOID
+);
+
+/** Initializes PKDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitPKDefault (
+  IN VOID
+  );
+
+/** Initializes KEKDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitKEKDefault (
+  IN VOID
+  );
+
+/** Initializes dbDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbDefault (
+  IN VOID
+  );
+
+/** Initializes dbtDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbtDefault (
+  IN VOID
+  );
+
+/** Initializes dbxDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbxDefault (
+  IN VOID
+  );
+#endif
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
new file mode 100644
index 0000000000..16bad5530a
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
@@ -0,0 +1,979 @@
+/** @file
+  This library provides functions to set/clear Secure Boot
+  keys and databases.
+
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Guid/GlobalVariable.h>
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseCryptLib.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UefiLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/SecureBootVariableLib.h>
+#include "Library/DxeServicesLib.h"
+
+/** Creates EFI Signature List structure.
+
+  @param[in]      Data     A pointer to signature data.
+  @param[in]      Size     Size of signature data.
+  @param[out]     SigList  Created Signature List.
+
+  @retval  EFI_SUCCESS           Signature List was created successfully.
+  @retval  EFI_OUT_OF_RESOURCES  Failed to allocate memory.
+--*/
+STATIC
+EFI_STATUS
+CreateSigList (
+  IN VOID                *Data,
+  IN UINTN               Size,
+  OUT EFI_SIGNATURE_LIST **SigList
+  )
+{
+  UINTN                  SigListSize;
+  EFI_SIGNATURE_LIST     *TmpSigList;
+  EFI_SIGNATURE_DATA     *SigData;
+
+  //
+  // Allocate data for Signature Database
+  //
+  SigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + Size;
+  TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize);
+  if (TmpSigList == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  //
+  // Only gEfiCertX509Guid type is supported
+  //
+  TmpSigList->SignatureListSize = (UINT32)SigListSize;
+  TmpSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + Size);
+  TmpSigList->SignatureHeaderSize = 0;
+  CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid);
+
+  //
+  // Copy key data
+  //
+  SigData = (EFI_SIGNATURE_DATA *) (TmpSigList + 1);
+  CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid);
+  CopyMem (&SigData->SignatureData[0], Data, Size);
+
+  *SigList = TmpSigList;
+
+  return EFI_SUCCESS;
+}
+
+/** Adds new signature list to signature database.
+
+  @param[in]      SigLists        A pointer to signature database.
+  @param[in]      SiglListAppend  A signature list to be added.
+  @param[out]     *SigListOut     Created signature database.
+  @param[out]     SigListsSize    A size of created signature database.
+
+  @retval  EFI_SUCCESS           Signature List was added successfully.
+  @retval  EFI_OUT_OF_RESOURCES  Failed to allocate memory.
+--*/
+STATIC
+EFI_STATUS
+ConcatenateSigList (
+  IN  EFI_SIGNATURE_LIST *SigLists,
+  IN  EFI_SIGNATURE_LIST *SigListAppend,
+  OUT EFI_SIGNATURE_LIST **SigListOut,
+  IN OUT UINTN           *SigListsSize
+)
+{
+  EFI_SIGNATURE_LIST *TmpSigList;
+  UINT8              *Offset;
+  UINTN              NewSigListsSize;
+
+  NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
+
+  TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);
+  if (TmpSigList == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  CopyMem (TmpSigList, SigLists, *SigListsSize);
+
+  Offset = (UINT8 *)TmpSigList;
+  Offset += *SigListsSize;
+  CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);
+
+  *SigListsSize = NewSigListsSize;
+  *SigListOut = TmpSigList;
+  return EFI_SUCCESS;
+}
+
+/**
+  Create a EFI Signature List with data fetched from section specified as a argument.
+  Found keys are verified using RsaGetPublicKeyFromX509().
+
+  @param[in]        KeyFileGuid    A pointer to to the FFS filename GUID
+  @param[out]       SigListsSize   A pointer to size of signature list
+  @param[out]       SigListsOut    a pointer to a callee-allocated buffer with signature lists
+
+  @retval EFI_SUCCESS              Create time based payload successfully.
+  @retval EFI_NOT_FOUND            Section with key has not been found.
+  @retval EFI_INVALID_PARAMETER    Embedded key has a wrong format.
+  @retval Others                   Unexpected error happens.
+
+--*/
+STATIC
+EFI_STATUS
+SecureBootFetchData (
+    IN  EFI_GUID           *KeyFileGuid,
+    OUT UINTN              *SigListsSize,
+    OUT EFI_SIGNATURE_LIST **SigListOut
+)
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  EFI_SIGNATURE_LIST *TmpEfiSig;
+  EFI_SIGNATURE_LIST *TmpEfiSig2;
+  EFI_STATUS         Status;
+  VOID               *Buffer;
+  VOID               *RsaPubKey;
+  UINTN               Size;
+  UINTN               KeyIndex;
+
+
+  KeyIndex = 0;
+  EfiSig = NULL;
+  *SigListsSize = 0;
+  while (1) {
+    Status = GetSectionFromAnyFv (
+               KeyFileGuid,
+               EFI_SECTION_RAW,
+               KeyIndex,
+               &Buffer,
+               &Size
+               );
+
+    if (Status == EFI_SUCCESS) {
+      RsaPubKey = NULL;
+      if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
+        DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+        if (EfiSig != NULL) {
+          FreePool(EfiSig);
+        }
+        FreePool(Buffer);
+        return EFI_INVALID_PARAMETER;
+      }
+
+      Status = CreateSigList (Buffer, Size, &TmpEfiSig);
+
+      //
+      // Concatenate lists if more than one section found
+      //
+      if (KeyIndex == 0) {
+        EfiSig = TmpEfiSig;
+        *SigListsSize = TmpEfiSig->SignatureListSize;
+      } else {
+        ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
+        FreePool (EfiSig);
+        FreePool (TmpEfiSig);
+        EfiSig = TmpEfiSig2;
+      }
+
+      KeyIndex++;
+      FreePool (Buffer);
+    } if (Status == EFI_NOT_FOUND) {
+      break;
+    }
+  };
+
+  if (KeyIndex == 0) {
+    return EFI_NOT_FOUND;
+  }
+
+  *SigListOut = EfiSig;
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
+  descriptor with the input data. NO authentication is required in this function.
+
+  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
+                                   On output, the size of data returned in Data
+                                   buffer in bytes.
+  @param[in, out]   Data           On input, Pointer to data buffer to be wrapped or
+                                   pointer to NULL to wrap an empty payload.
+                                   On output, Pointer to the new payload date buffer allocated from pool,
+                                   it's caller's responsibility to free the memory when finish using it.
+
+  @retval EFI_SUCCESS              Create time based payload successfully.
+  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources to create time based payload.
+  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
+  @retval Others                   Unexpected error happens.
+
+--*/
+EFI_STATUS
+CreateTimeBasedPayload (
+  IN OUT UINTN            *DataSize,
+  IN OUT UINT8            **Data
+  )
+{
+  EFI_STATUS                       Status;
+  UINT8                            *NewData;
+  UINT8                            *Payload;
+  UINTN                            PayloadSize;
+  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorData;
+  UINTN                            DescriptorSize;
+  EFI_TIME                         Time;
+
+  if (Data == NULL || DataSize == NULL) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  //
+  // In Setup mode or Custom mode, the variable does not need to be signed but the
+  // parameters to the SetVariable() call still need to be prepared as authenticated
+  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
+  // data in it.
+  //
+  Payload     = *Data;
+  PayloadSize = *DataSize;
+
+  DescriptorSize    = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
+  NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
+  if (NewData == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  if ((Payload != NULL) && (PayloadSize != 0)) {
+    CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
+  }
+
+  DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
+
+  ZeroMem (&Time, sizeof (EFI_TIME));
+  Status = gRT->GetTime (&Time, NULL);
+  if (EFI_ERROR (Status)) {
+    FreePool(NewData);
+    return Status;
+  }
+  Time.Pad1       = 0;
+  Time.Nanosecond = 0;
+  Time.TimeZone   = 0;
+  Time.Daylight   = 0;
+  Time.Pad2       = 0;
+  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
+
+  DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
+  DescriptorData->AuthInfo.Hdr.wRevision        = 0x0200;
+  DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
+  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
+
+  if (Payload != NULL) {
+    FreePool(Payload);
+  }
+
+  *DataSize = DescriptorSize + PayloadSize;
+  *Data     = NewData;
+  return EFI_SUCCESS;
+}
+
+/**
+  Internal helper function to delete a Variable given its name and GUID, NO authentication
+  required.
+
+  @param[in]      VariableName            Name of the Variable.
+  @param[in]      VendorGuid              GUID of the Variable.
+
+  @retval EFI_SUCCESS              Variable deleted successfully.
+  @retval Others                   The driver failed to start the device.
+
+--*/
+EFI_STATUS
+DeleteVariable (
+  IN  CHAR16                    *VariableName,
+  IN  EFI_GUID                  *VendorGuid
+  )
+{
+  EFI_STATUS              Status;
+  VOID*                   Variable;
+  UINT8                   *Data;
+  UINTN                   DataSize;
+  UINT32                  Attr;
+
+  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
+  if (Variable == NULL) {
+    return EFI_SUCCESS;
+  }
+  FreePool (Variable);
+
+  Data     = NULL;
+  DataSize = 0;
+  Attr     = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
+             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
+
+  Status = CreateTimeBasedPayload (&DataSize, &Data);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
+    return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  VariableName,
+                  VendorGuid,
+                  Attr,
+                  DataSize,
+                  Data
+                  );
+  if (Data != NULL) {
+    FreePool (Data);
+  }
+  return Status;
+}
+
+/**
+
+  Set the platform secure boot mode into "Custom" or "Standard" mode.
+
+  @param[in]   SecureBootMode        New secure boot mode: STANDARD_SECURE_BOOT_MODE or
+                                     CUSTOM_SECURE_BOOT_MODE.
+
+  @return EFI_SUCCESS                The platform has switched to the special mode successfully.
+  @return other                      Fail to operate the secure boot mode.
+
+--*/
+EFI_STATUS
+SetSecureBootMode (
+  IN  UINT8  SecureBootMode
+  )
+{
+  return gRT->SetVariable (
+                EFI_CUSTOM_MODE_NAME,
+                &gEfiCustomModeEnableGuid,
+                EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                sizeof (UINT8),
+                &SecureBootMode
+                );
+}
+
+
+/**
+  Enroll a key/certificate based on a default variable.
+
+  @param[in] VariableName        The name of the key/database.
+  @param[in] DefaultName         The name of the default variable.
+  @param[in] VendorGuid          The namespace (ie. vendor GUID) of the variable
+
+
+  @retval EFI_OUT_OF_RESOURCES   Out of memory while allocating AuthHeader.
+  @retval EFI_SUCCESS            Successful enrollment.
+  @return                        Error codes from GetTime () and SetVariable ().
+--*/
+STATIC
+EFI_STATUS
+EnrollFromDefault (
+  IN CHAR16   *VariableName,
+  IN CHAR16   *DefaultName,
+  IN EFI_GUID *VendorGuid
+  )
+{
+  VOID       *Data;
+  UINTN       DataSize;
+  EFI_STATUS  Status;
+
+  Status = EFI_SUCCESS;
+
+  DataSize = 0;
+  Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);
+  if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));
+      return Status;
+  }
+
+  CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
+    return Status;
+  }
+
+  //
+  // Allocate memory for auth variable
+  //
+  Status = gRT->SetVariable (
+                  VariableName,
+                  VendorGuid,
+                  (EFI_VARIABLE_NON_VOLATILE |
+                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                   EFI_VARIABLE_RUNTIME_ACCESS |
+                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
+                  DataSize,
+                  Data
+                  );
+
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, VariableName,
+      VendorGuid, Status));
+  }
+
+  if (Data != NULL) {
+    FreePool (Data);
+  }
+
+  return Status;
+}
+
+/** Initializes PKDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitPKDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8               *Data;
+  UINTN               DataSize;
+
+  //
+  // Check if variable exists, if so do not change it
+  //
+  Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  //
+  // Variable does not exist, can be initialized
+  //
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+    return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  EFI_PK_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return Status;
+}
+
+/** Initializes KEKDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitKEKDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8              *Data;
+  UINTN               DataSize;
+
+  //
+  // Check if variable exists, if so do not change it
+  //
+  Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  //
+  // Variable does not exist, can be initialized
+  //
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+    return Status;
+  }
+
+
+  Status = gRT->SetVariable (
+                  EFI_KEK_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return Status;
+}
+
+/** Initializes dbDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8              *Data;
+  UINTN               DataSize;
+
+  Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+      return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  EFI_DB_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+      DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return Status;
+}
+
+/** Initializes dbxDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbxDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8              *Data;
+  UINTN               DataSize;
+
+  //
+  // Check if variable exists, if so do not change it
+  //
+  Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  //
+  // Variable does not exist, can be initialized
+  //
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+    return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  EFI_DBX_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return Status;
+}
+
+/** Initializes dbtDefault variable with data from FFS section.
+
+
+  @retval  EFI_SUCCESS           Variable was initialized successfully.
+  @retval  EFI_UNSUPPORTED       Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbtDefault (
+  IN VOID
+  )
+{
+  EFI_SIGNATURE_LIST *EfiSig;
+  UINTN               SigListsSize;
+  EFI_STATUS          Status;
+  UINT8              *Data;
+  UINTN               DataSize;
+
+  //
+  // Check if variable exists, if so do not change it
+  //
+  Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+  if (Status == EFI_SUCCESS) {
+    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+    FreePool (Data);
+    return EFI_UNSUPPORTED;
+  }
+
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    return Status;
+  }
+
+  //
+  // Variable does not exist, can be initialized
+  //
+  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+
+  Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);
+  if (EFI_ERROR (Status)) {
+      return Status;
+  }
+
+  Status = gRT->SetVariable (
+                  EFI_DBT_DEFAULT_VARIABLE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+                  SigListsSize,
+                  (VOID *)EfiSig
+                  );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+  }
+
+  FreePool (EfiSig);
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Fetches the value of SetupMode variable.
+
+  @param[out] SetupMode             Pointer to UINT8 for SetupMode output
+
+  @retval other                     Retval from GetVariable.
+--*/
+BOOLEAN
+EFIAPI
+GetSetupMode (
+    OUT UINT8 *SetupMode
+)
+{
+  UINTN      Size;
+  EFI_STATUS Status;
+
+  Size = sizeof (*SetupMode);
+  Status = gRT->GetVariable (
+                  EFI_SETUP_MODE_NAME,
+                  &gEfiGlobalVariableGuid,
+                  NULL,
+                  &Size,
+                  SetupMode
+                  );
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  return EFI_SUCCESS;
+}
+
+/**
+  Sets the content of the 'db' variable based on 'dbDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_IMAGE_SECURITY_DATABASE,
+             EFI_DB_DEFAULT_VARIABLE_NAME,
+             &gEfiImageSecurityDatabaseGuid
+             );
+
+  return Status;
+}
+
+/**
+  Clears the content of the 'db' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDb (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = DeleteVariable (
+             EFI_IMAGE_SECURITY_DATABASE,
+             &gEfiImageSecurityDatabaseGuid
+             );
+
+  return Status;
+}
+
+/**
+  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbxFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_IMAGE_SECURITY_DATABASE1,
+             EFI_DBX_DEFAULT_VARIABLE_NAME,
+             &gEfiImageSecurityDatabaseGuid
+             );
+
+  return Status;
+}
+
+/**
+  Clears the content of the 'dbx' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbx (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = DeleteVariable (
+             EFI_IMAGE_SECURITY_DATABASE1,
+             &gEfiImageSecurityDatabaseGuid
+             );
+
+  return Status;
+}
+
+/**
+  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbtFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_IMAGE_SECURITY_DATABASE2,
+             EFI_DBT_DEFAULT_VARIABLE_NAME,
+             &gEfiImageSecurityDatabaseGuid);
+
+  return Status;
+}
+
+/**
+  Clears the content of the 'dbt' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbt (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = DeleteVariable (
+             EFI_IMAGE_SECURITY_DATABASE2,
+             &gEfiImageSecurityDatabaseGuid
+             );
+
+  return Status;
+}
+
+/**
+  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollKEKFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_KEY_EXCHANGE_KEY_NAME,
+             EFI_KEK_DEFAULT_VARIABLE_NAME,
+             &gEfiGlobalVariableGuid
+             );
+
+  return Status;
+}
+
+/**
+  Clears the content of the 'KEK' variable.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteKEK (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = DeleteVariable (
+             EFI_KEY_EXCHANGE_KEY_NAME,
+             &gEfiGlobalVariableGuid
+             );
+
+  return Status;
+}
+
+/**
+  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+                                    while VendorGuid is NULL.
+  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollPKFromDefault (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = EnrollFromDefault (
+             EFI_PLATFORM_KEY_NAME,
+             EFI_PK_DEFAULT_VARIABLE_NAME,
+             &gEfiGlobalVariableGuid
+             );
+
+  return Status;
+}
+
+/**
+  Remove the PK variable.
+
+  @retval EFI_SUCCESS    Delete PK successfully.
+  @retval Others         Could not allow to delete PK.
+
+--*/
+EFI_STATUS
+DeletePlatformKey (
+  VOID
+)
+{
+  EFI_STATUS Status;
+
+  Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  Status = DeleteVariable (
+             EFI_PLATFORM_KEY_NAME,
+             &gEfiGlobalVariableGuid
+             );
+  return Status;
+}
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index e82bfe7757..67e5e594ed 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

 #include "SecureBootConfigImpl.h"
 #include <Library/BaseCryptLib.h>
+#include <Library/SecureBootVariableLib.h>

 CHAR16              mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION";

@@ -237,168 +238,6 @@ SaveSecureBootVariable (
   return Status;
 }

-/**
-  Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
-  descriptor with the input data. NO authentication is required in this function.
-
-  @param[in, out]   DataSize       On input, the size of Data buffer in bytes.
-                                   On output, the size of data returned in Data
-                                   buffer in bytes.
-  @param[in, out]   Data           On input, Pointer to data buffer to be wrapped or
-                                   pointer to NULL to wrap an empty payload.
-                                   On output, Pointer to the new payload date buffer allocated from pool,
-                                   it's caller's responsibility to free the memory when finish using it.
-
-  @retval EFI_SUCCESS              Create time based payload successfully.
-  @retval EFI_OUT_OF_RESOURCES     There are not enough memory resources to create time based payload.
-  @retval EFI_INVALID_PARAMETER    The parameter is invalid.
-  @retval Others                   Unexpected error happens.
-
-**/
-EFI_STATUS
-CreateTimeBasedPayload (
-  IN OUT UINTN            *DataSize,
-  IN OUT UINT8            **Data
-  )
-{
-  EFI_STATUS                       Status;
-  UINT8                            *NewData;
-  UINT8                            *Payload;
-  UINTN                            PayloadSize;
-  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorData;
-  UINTN                            DescriptorSize;
-  EFI_TIME                         Time;
-
-  if (Data == NULL || DataSize == NULL) {
-    return EFI_INVALID_PARAMETER;
-  }
-
-  //
-  // In Setup mode or Custom mode, the variable does not need to be signed but the
-  // parameters to the SetVariable() call still need to be prepared as authenticated
-  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
-  // data in it.
-  //
-  Payload     = *Data;
-  PayloadSize = *DataSize;
-
-  DescriptorSize    = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
-  NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
-  if (NewData == NULL) {
-    return EFI_OUT_OF_RESOURCES;
-  }
-
-  if ((Payload != NULL) && (PayloadSize != 0)) {
-    CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
-  }
-
-  DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
-
-  ZeroMem (&Time, sizeof (EFI_TIME));
-  Status = gRT->GetTime (&Time, NULL);
-  if (EFI_ERROR (Status)) {
-    FreePool(NewData);
-    return Status;
-  }
-  Time.Pad1       = 0;
-  Time.Nanosecond = 0;
-  Time.TimeZone   = 0;
-  Time.Daylight   = 0;
-  Time.Pad2       = 0;
-  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
-
-  DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
-  DescriptorData->AuthInfo.Hdr.wRevision        = 0x0200;
-  DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
-  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
-
-  if (Payload != NULL) {
-    FreePool(Payload);
-  }
-
-  *DataSize = DescriptorSize + PayloadSize;
-  *Data     = NewData;
-  return EFI_SUCCESS;
-}
-
-/**
-  Internal helper function to delete a Variable given its name and GUID, NO authentication
-  required.
-
-  @param[in]      VariableName            Name of the Variable.
-  @param[in]      VendorGuid              GUID of the Variable.
-
-  @retval EFI_SUCCESS              Variable deleted successfully.
-  @retval Others                   The driver failed to start the device.
-
-**/
-EFI_STATUS
-DeleteVariable (
-  IN  CHAR16                    *VariableName,
-  IN  EFI_GUID                  *VendorGuid
-  )
-{
-  EFI_STATUS              Status;
-  VOID*                   Variable;
-  UINT8                   *Data;
-  UINTN                   DataSize;
-  UINT32                  Attr;
-
-  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
-  if (Variable == NULL) {
-    return EFI_SUCCESS;
-  }
-  FreePool (Variable);
-
-  Data     = NULL;
-  DataSize = 0;
-  Attr     = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
-             | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
-  Status = CreateTimeBasedPayload (&DataSize, &Data);
-  if (EFI_ERROR (Status)) {
-    DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
-    return Status;
-  }
-
-  Status = gRT->SetVariable (
-                  VariableName,
-                  VendorGuid,
-                  Attr,
-                  DataSize,
-                  Data
-                  );
-  if (Data != NULL) {
-    FreePool (Data);
-  }
-  return Status;
-}
-
-/**
-
-  Set the platform secure boot mode into "Custom" or "Standard" mode.
-
-  @param[in]   SecureBootMode        New secure boot mode: STANDARD_SECURE_BOOT_MODE or
-                                     CUSTOM_SECURE_BOOT_MODE.
-
-  @return EFI_SUCCESS                The platform has switched to the special mode successfully.
-  @return other                      Fail to operate the secure boot mode.
-
-**/
-EFI_STATUS
-SetSecureBootMode (
-  IN     UINT8         SecureBootMode
-  )
-{
-  return gRT->SetVariable (
-                EFI_CUSTOM_MODE_NAME,
-                &gEfiCustomModeEnableGuid,
-                EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
-                sizeof (UINT8),
-                &SecureBootMode
-                );
-}
-
 /**
   This code checks if the encode type and key strength of X.509
   certificate is qualified.
@@ -646,32 +485,6 @@ ON_EXIT:
   return Status;
 }

-/**
-  Remove the PK variable.
-
-  @retval EFI_SUCCESS    Delete PK successfully.
-  @retval Others         Could not allow to delete PK.
-
-**/
-EFI_STATUS
-DeletePlatformKey (
-  VOID
-)
-{
-  EFI_STATUS Status;
-
-  Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
-  if (EFI_ERROR (Status)) {
-    return Status;
-  }
-
-  Status = DeleteVariable (
-             EFI_PLATFORM_KEY_NAME,
-             &gEfiGlobalVariableGuid
-             );
-  return Status;
-}
-
 /**
   Enroll a new KEK item from public key storing file (*.pbk).

diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
new file mode 100644
index 0000000000..2c51e4db53
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
@@ -0,0 +1,16 @@
+// /** @file
+//
+// Provides initialization of Secure Boot keys and databases.
+//
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Provides function to initialize PK, KEK and databases based on default variables."
+
+#string STR_MODULE_DESCRIPTION          #language en-US "Provides function to initialize PK, KEK and databases based on default variables."
+
--
2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver
  2021-06-01 13:12 ` [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
  2021-06-02 17:39   ` [edk2-devel] " Pete Batard
@ 2021-06-04  8:02   ` Min Xu
  2021-06-04  8:15   ` Sunny Wang
  2 siblings, 0 replies; 35+ messages in thread
From: Min Xu @ 2021-06-04  8:02 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com,
	upstream@semihalf.com, Yao, Jiewen, Wang, Jian J,
	lersek@redhat.com

On June 1, 2021 9:12 PM, Grzegorz Bernacki Wrote:
> This driver initializes default Secure Boot keys and databases based on keys
> embedded in flash.
> 
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
> 
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf | 46 +++++++++++++
> 
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.c   | 69 ++++++++++++++++++++
> 
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.uni | 17 +++++
>  3 files changed, 132 insertions(+)
>  create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf
>  create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.c
>  create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.uni
> 
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoo
> tDefaultKeysDxe.inf
> b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoo
> tDefaultKeysDxe.inf
> new file mode 100644
> index 0000000000..27345eab2e
> --- /dev/null
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> +++ ootDefaultKeysDxe.inf
> @@ -0,0 +1,46 @@
> +## @file
> +#  Initializes Secure Boot default keys # #  Copyright (c) 2021, ARM
> +Ltd. All rights reserved.<BR> #  Copyright (c) 2021, Semihalf All
> +rights reserved.<BR> #  SPDX-License-Identifier: BSD-2-Clause-Patent #
> +## [Defines]
> +  INF_VERSION = 0x00010005
> +  BASE_NAME   = SecureBootDefaultKeysDxe
> +  FILE_GUID   = C937FCB7-25AC-4376-89A2-4EA8B317DE83
> +  MODULE_TYPE = DXE_DRIVER
> +  ENTRY_POINT = SecureBootDefaultKeysEntryPoint
> +
> +#
> +#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
> +#
> +[Sources]
> +  SecureBootDefaultKeysDxe.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  MemoryAllocationLib
> +  UefiDriverEntryPoint
> +  DebugLib
> +  SecureBootVariableLib
> +
> +[Guids]
> +  ## SOMETIMES_PRODUCES      ## Variable:L"PKDefault"
> +  ## SOMETIMES_PRODUCES      ## Variable:L"KEKDefault"
> +  ## SOMETIMES_PRODUCES      ## Variable:L"dbDefault"
> +  ## SOMETIMES_PRODUCES      ## Variable:L"dbtDefault"
> +  ## SOMETIMES_PRODUCES      ## Variable:L"dbxDefault"
> +  gEfiGlobalVariableGuid
> +
> +[Depex]
> +  gEfiVariableArchProtocolGuid      AND
> +  gEfiVariableWriteArchProtocolGuid
> +
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoo
> tDefaultKeysDxe.c
> b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoo
> tDefaultKeysDxe.c
> new file mode 100644
> index 0000000000..0928489e15
> --- /dev/null
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> +++ ootDefaultKeysDxe.c
> @@ -0,0 +1,69 @@
> +/** @file
> +  This driver init default Secure Boot variables
> +
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> Copyright (c)
> +2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +#include <Guid/AuthenticatedVariableFormat.h>
> +#include <Guid/ImageAuthentication.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/MemoryAllocationLib.h> #include
> +<Library/UefiBootServicesTableLib.h>
> +#include <Library/UefiRuntimeServicesTableLib.h>
> +#include <Library/SecureBootVariableLib.h>
> +
> +/**
> +  The entry point for SecureBootDefaultKeys driver.
> +
> +  @param[in]  ImageHandle        The image handle of the driver.
> +  @param[in]  SystemTable        The system table.
> +
> +  @retval EFI_ALREADY_STARTED    The driver already exists in system.
> +  @retval EFI_OUT_OF_RESOURCES   Fail to execute entry point due to lack
> of resources.
> +  @retval EFI_SUCCESS            All the related protocols are installed on the
> driver.
> +  @retval Others                 Fail to get the SecureBootEnable variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +SecureBootDefaultKeysEntryPoint (
> +  IN EFI_HANDLE          ImageHandle,
> +  IN EFI_SYSTEM_TABLE    *SystemTable
> +  )
> +{
> +  EFI_STATUS  Status;
> +
> +  Status = SecureBootInitPKDefault ();
> +  if (EFI_ERROR (Status)) {
> +    DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n",
> __FUNCTION__, Status));
> +    return Status;
> +  }
> +
> +  Status = SecureBootInitKEKDefault ();  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n",
> __FUNCTION__, Status));
> +    return Status;
> +  }
> +  Status = SecureBootInitdbDefault ();
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n",
> __FUNCTION__, Status));
> +    return Status;
> +  }
> +
> +  Status = SecureBootInitdbtDefault ();  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n",
> + __FUNCTION__));  }
> +
> +  Status = SecureBootInitdbxDefault ();  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n",
> + __FUNCTION__));  }
> +
> +  return Status;
> +}
> +
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoo
> tDefaultKeysDxe.uni
> b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoo
> tDefaultKeysDxe.uni
> new file mode 100644
> index 0000000000..30f03aee5d
> --- /dev/null
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> +++ ootDefaultKeysDxe.uni
> @@ -0,0 +1,17 @@
> +// /** @file
> +// Provides the capability to intialize Secure Boot default variables
> +// // Module which initializes Secure boot default variables.
> +//
> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> // Copyright
> +(c) 2021, Semihalf All rights reserved.<BR> // //
> +SPDX-License-Identifier: BSD-2-Clause-Patent // // **/
> +
> +
> +#string STR_MODULE_ABSTRACT             #language en-US "Module which
> initializes Secure boot default variables"
> +
> +#string STR_MODULE_DESCRIPTION          #language en-US "This module
> reads embedded keys and initializes Secure Boot default variables."
> +
> --
> 2.25.1

It looks good to me.

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 5/6] SecurityPkg: Add new modules to Security package.
  2021-06-01 13:12 ` [PATCH v2 5/6] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
  2021-06-02 17:40   ` [edk2-devel] " Pete Batard
@ 2021-06-04  8:09   ` Min Xu
  2021-06-04  8:26   ` Sunny Wang
  2 siblings, 0 replies; 35+ messages in thread
From: Min Xu @ 2021-06-04  8:09 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com,
	upstream@semihalf.com, Yao, Jiewen, Wang, Jian J,
	lersek@redhat.com

On June 1, 2021 9:12 PM, Grzegorz Bernacki Wrote:
> This commits adds modules related to initialization and usage of default
> Secure Boot key variables to SecurityPkg.
> 
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>  SecurityPkg/SecurityPkg.dec | 14 ++++++++++++++
> SecurityPkg/SecurityPkg.dsc |  4 ++++
>  2 files changed, 18 insertions(+)
> 
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index
> 4001650fa2..dad3cae0ba 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -190,6 +190,20 @@
>    ## GUID used to enforce loading order between Tcg2Acpi and Tcg2Smm
>    gTcg2MmSwSmiRegisteredGuid         = { 0x9d4548b9, 0xa48d, 0x4db4,
> { 0x9a, 0x68, 0x32, 0xc5, 0x13, 0x9e, 0x20, 0x18 } }
> 
> +  ## GUID used to specify section with default PK content
> +  gDefaultPKFileGuid                 = { 0x85254ea7, 0x4759, 0x4fc4, { 0x82, 0xd4,
> 0x5e, 0xed, 0x5f, 0xb0, 0xa4, 0xa0 } }
> +
> +  ## GUID used to specify section with default KEK content
> +  gDefaultKEKFileGuid                = { 0x6f64916e, 0x9f7a, 0x4c35, { 0xb9, 0x52,
> 0xcd, 0x04, 0x1e, 0xfb, 0x05, 0xa3 } }
> +
> +  ## GUID used to specify section with default db content
> +  gDefaultdbFileGuid                 = { 0xc491d352, 0x7623, 0x4843, { 0xac, 0xcc,
> 0x27, 0x91, 0xa7, 0x57, 0x44, 0x21 } }
> +
> +  ## GUID used to specify section with default dbt content
> +  gDefaultdbxFileGuid                = { 0x5740766a, 0x718e, 0x4dc0, { 0x99, 0x35,
> 0xc3, 0x6f, 0x7d, 0x3f, 0x88, 0x4f } }
> +
> +  ## GUID used to specify section with default dbx content
> +  gDefaultdbtFileGuid                = { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb,
> 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } }
> 
>  [Ppis]
>    ## The PPI GUID for that TPM physical presence should be locked.
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index
> 854f250625..e031775ca8 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -259,6 +259,10 @@
> 
>  [Components.IA32, Components.X64, Components.ARM,
> Components.AARCH64]
>    SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> +  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> +  SecurityPkg/EnrollFromDefaultKeys/EnrollFromDefaultKeys.inf
> +
> +
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys/SecureBootDefa
> + ultKeys.inf
> +
> 
>  [Components.IA32, Components.X64, Components.AARCH64]
>    #
> --
> 2.25.1

It looks good to me.

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 2/6] SecurityPkg: Create include file for default key content.
  2021-06-01 13:12 ` [PATCH v2 2/6] SecurityPkg: Create include file for default key content Grzegorz Bernacki
  2021-06-02 17:39   ` [edk2-devel] " Pete Batard
  2021-06-03  7:06   ` Min Xu
@ 2021-06-04  8:11   ` Sunny Wang
  2 siblings, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-06-04  8:11 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io, lersek@redhat.com
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
	jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
	Sunny Wang

Internally reviewed this patch before sending the edk2 mailing list and It looks good to me. Please also address Min M's good catch/comment.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>

Hi Laszlo,
if you have time, I think you can still review this patch because this patch is a simple one and is based on your valuable feedback in RFC. It would be good to get your review on this one. :)

Thanks,
Sunny

-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v2 2/6] SecurityPkg: Create include file for default key content.

This commits add file which can be included by platform Flash
Description File. It allows to specify certificate files, which
will be embedded into binary file. The content of these files
can be used to initialize Secure Boot default keys and databases.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 ++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc

diff --git a/SecurityPkg/SecureBootDefaultKeys.fdf.inc b/SecurityPkg/SecureBootDefaultKeys.fdf.inc
new file mode 100644
index 0000000000..056586b204
--- /dev/null
+++ b/SecurityPkg/SecureBootDefaultKeys.fdf.inc
@@ -0,0 +1,62 @@
+
+!if $(DEFAULT_KEYS) == TRUE
+  FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
+  !ifdef $(PK_DEFAULT_FILE)
+    SECTION RAW = $(PK_DEFAULT_FILE)
+  !endif
+    SECTION UI = "PK Default"
+  }
+
+  FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
+  !ifdef $(KEK_DEFAULT_FILE1)
+    SECTION RAW = $(KEK_DEFAULT_FILE1)
+  !endif
+  !ifdef $(KEK_DEFAULT_FILE2)
+    SECTION RAW = $(KEK_DEFAULT_FILE2)
+  !endif
+  !ifdef $(KEK_DEFAULT_FILE3)
+    SECTION RAW = $(KEK_DEFAULT_FILE3)
+  !endif
+    SECTION UI = "KEK Default"
+  }
+
+  FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
+  !ifdef $(DB_DEFAULT_FILE1)
+    SECTION RAW = $(DB_DEFAULT_FILE1)
+  !endif
+  !ifdef $(DB_DEFAULT_FILE2)
+    SECTION RAW = $(DB_DEFAULT_FILE2)
+  !endif
+  !ifdef $(DB_DEFAULT_FILE3)
+    SECTION RAW = $(DB_DEFAULT_FILE3)
+  !endif
+    SECTION UI = "DB Default"
+  }
+
+  FILE FREEFORM = 36c513ee-a338-4976-a0fb-6ddba3dafe87 {
+  !ifdef $(DBT_DEFAULT_FILE1)
+    SECTION RAW = $(DBT_DEFAULT_FILE1)
+  !endif
+  !ifdef $(DBT_DEFAULT_FILE2)
+    SECTION RAW = $(DBT_DEFAULT_FILE2)
+  !endif
+  !ifdef $(DBT_DEFAULT_FILE3)
+    SECTION RAW = $(DBT_DEFAULT_FILE3)
+  !endif
+    SECTION UI = "DBT Default"
+  }
+
+  FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {
+  !ifdef $(DBX_DEFAULT_FILE1)
+    SECTION RAW = $(DBX_DEFAULT_FILE1)
+  !endif
+  !ifdef $(DBX_DEFAULT_FILE2)
+    SECTION RAW = $(DBX_DEFAULT_FILE2)
+  !endif
+  !ifdef $(DBX_DEFAULT_FILE3)
+    SECTION RAW = $(DBX_DEFAULT_FILE3)
+  !endif
+    SECTION UI = "DBX Default"
+  }
+
+!endif
--
2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver
  2021-06-01 13:12 ` [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
  2021-06-02 17:39   ` [edk2-devel] " Pete Batard
  2021-06-04  8:02   ` Min Xu
@ 2021-06-04  8:15   ` Sunny Wang
  2 siblings, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-06-04  8:15 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
	jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
	lersek@redhat.com, Sunny Wang

Internally reviewed this patch before sending the edk2 mailing list and It looks good to me. Please also address Pete's good catches/comments.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>

-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver

This driver initializes default Secure Boot keys and databases
based on keys embedded in flash.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 46 +++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   | 69 ++++++++++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 17 +++++
 3 files changed, 132 insertions(+)
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
new file mode 100644
index 0000000000..27345eab2e
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
@@ -0,0 +1,46 @@
+## @file
+#  Initializes Secure Boot default keys
+#
+#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+[Defines]
+  INF_VERSION = 0x00010005
+  BASE_NAME   = SecureBootDefaultKeysDxe
+  FILE_GUID   = C937FCB7-25AC-4376-89A2-4EA8B317DE83
+  MODULE_TYPE = DXE_DRIVER
+  ENTRY_POINT = SecureBootDefaultKeysEntryPoint
+
+#
+#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
+#
+[Sources]
+  SecureBootDefaultKeysDxe.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  MemoryAllocationLib
+  UefiDriverEntryPoint
+  DebugLib
+  SecureBootVariableLib
+
+[Guids]
+  ## SOMETIMES_PRODUCES      ## Variable:L"PKDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"KEKDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"dbDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"dbtDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"dbxDefault"
+  gEfiGlobalVariableGuid
+
+[Depex]
+  gEfiVariableArchProtocolGuid      AND
+  gEfiVariableWriteArchProtocolGuid
+
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
new file mode 100644
index 0000000000..0928489e15
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
@@ -0,0 +1,69 @@
+/** @file
+  This driver init default Secure Boot variables
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/SecureBootVariableLib.h>
+
+/**
+  The entry point for SecureBootDefaultKeys driver.
+
+  @param[in]  ImageHandle        The image handle of the driver.
+  @param[in]  SystemTable        The system table.
+
+  @retval EFI_ALREADY_STARTED    The driver already exists in system.
+  @retval EFI_OUT_OF_RESOURCES   Fail to execute entry point due to lack of resources.
+  @retval EFI_SUCCESS            All the related protocols are installed on the driver.
+  @retval Others                 Fail to get the SecureBootEnable variable.
+
+**/
+EFI_STATUS
+EFIAPI
+SecureBootDefaultKeysEntryPoint (
+  IN EFI_HANDLE          ImageHandle,
+  IN EFI_SYSTEM_TABLE    *SystemTable
+  )
+{
+  EFI_STATUS  Status;
+
+  Status = SecureBootInitPKDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __FUNCTION__, Status));
+    return Status;
+  }
+
+  Status = SecureBootInitKEKDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __FUNCTION__, Status));
+    return Status;
+  }
+  Status = SecureBootInitdbDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __FUNCTION__, Status));
+    return Status;
+  }
+
+  Status = SecureBootInitdbtDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__));
+  }
+
+  Status = SecureBootInitdbxDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__));
+  }
+
+  return Status;
+}
+
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
new file mode 100644
index 0000000000..30f03aee5d
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
@@ -0,0 +1,17 @@
+// /** @file
+// Provides the capability to intialize Secure Boot default variables
+//
+// Module which initializes Secure boot default variables.
+//
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Module which initializes Secure boot default variables"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This module reads embedded keys and initializes Secure Boot default variables."
+
--
2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 0/6] Secure Boot default keys
  2021-06-01 13:12 [PATCH v2 0/6] Secure Boot default keys Grzegorz Bernacki
                   ` (6 preceding siblings ...)
  2021-06-01 13:12 ` [PATCH v2 6/6] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
@ 2021-06-04  8:17 ` Min Xu
  2021-06-07  7:29   ` Grzegorz Bernacki
  7 siblings, 1 reply; 35+ messages in thread
From: Min Xu @ 2021-06-04  8:17 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com,
	upstream@semihalf.com, Yao, Jiewen, Wang, Jian J,
	lersek@redhat.com

Grzegorz
Have you built this feature with different tool chains, such as VS2017/VS2019/GCC5? And test it in IA32/X64/AARCH64?
Would you post your test result in the mail?
Thanks much!

> -----Original Message-----
> From: Grzegorz Bernacki <gjb@semihalf.com>
> Sent: Tuesday, June 1, 2021 9:12 PM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
> Subject: [PATCH v2 0/6] Secure Boot default keys
> 
> This patchset adds support for initialization of default Secure Boot variables
> based on keys content embedded in flash binary. This feature is active only if
> Secure Boot is enabled and DEFAULT_KEY is defined. The patchset consist
> also application to enroll keys from default variables and secure boot menu
> change to allow user to reset key content to default values.
> Discussion on design can be found at:
> https://edk2.groups.io/g/rfc/topic/82139806#600
> 
> I also added patch for RPi4 which enables this feature for that platform.
> 
> Changes since v1:
> - change names:
>   SecBootVariableLib => SecureBootVariableLib
>   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
>   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> - change name of function CheckSetupMode to GetSetupMode
> - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> - rebase to master
> 
> Grzegorz Bernacki (6):
> [edk2]
>   SecurityPkg: Create library for setting Secure Boot variables.
>   SecurityPkg: Create include file for default key content.
>   SecurityPkg: Add SecureBootDefaultKeysDxe driver
>   SecurityPkg: Add EnrollFromDefaultKeys application.
>   SecurityPkg: Add new modules to Security package.
>   SecurityPkg: Add option to reset secure boot keys.
> [edk2-platform]
>   Platform/RaspberryPi: Enable default Secure Boot variables initialization
> 
>  SecurityPkg/SecurityPkg.dec                                                             |  14 +
>  SecurityPkg/SecurityPkg.dsc                                                             |   5 +
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> |  47 +
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> |  79 ++
> 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf           |   2 +
> 
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf |  46 +
>  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     |
> 252 +++++
> 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> NvData.h          |   2 +
> 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> vfr              |   6 +
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> | 107 +++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> | 979 ++++++++++++++++++++
> 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> mpl.c            | 343 ++++---
> 
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.c   |  69 ++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> |  16 +
>  SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62 ++
> 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> trings.uni       |   4 +
> 
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.uni |  17 +
>  17 files changed, 1862 insertions(+), 188 deletions(-)  create mode 100644
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
>  create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>  create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf
>  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
>  create mode 100644
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
>  create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
>  create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.c
>  create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
>  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
>  create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.uni
> 
> --
> 2.25.1


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application.
  2021-06-01 13:12 ` [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
  2021-06-02 17:40   ` [edk2-devel] " Pete Batard
@ 2021-06-04  8:24   ` Sunny Wang
  1 sibling, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-06-04  8:24 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io, Bret Barkelew
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
	jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
	lersek@redhat.com, Sunny Wang

Internally reviewed this patch before sending the edk2 mailing list and Greg already addressed all my comments, so It looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>

As for Bret's comment, the "#define FAIL(fmt...).. " was added for addressing my internal review comment for better maintenance. If this would cause an error with some compilers, I'm fine with reverting FAIL() macro related changes.

Best Regards,
Sunny Wang

-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application.

This application allows user to force key enrollment from
Secure Boot default variables.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf |  47 +++++++++
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c   | 107 ++++++++++++++++++++
 2 files changed, 154 insertions(+)
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c

diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
new file mode 100644
index 0000000000..4d79ca3844
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
@@ -0,0 +1,47 @@
+## @file
+#  Enroll PK, KEK, db, dbx from Default variables
+#
+#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+  INF_VERSION                    = 1.28
+  BASE_NAME                      = EnrollFromDefaultKeysApp
+  FILE_GUID                      = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
+  MODULE_TYPE                    = UEFI_APPLICATION
+  VERSION_STRING                 = 0.1
+  ENTRY_POINT                    = UefiMain
+
+[Sources]
+  EnrollFromDefaultKeysApp.c
+
+[Packages]
+  MdeModulePkg/MdeModulePkg.dec
+  MdePkg/MdePkg.dec
+  SecurityPkg/SecurityPkg.dec
+
+[Guids]
+  gEfiCertPkcs7Guid
+  gEfiCertSha256Guid
+  gEfiCertX509Guid
+  gEfiCustomModeEnableGuid
+  gEfiGlobalVariableGuid
+  gEfiImageSecurityDatabaseGuid
+  gEfiSecureBootEnableDisableGuid
+
+[Protocols]
+  gEfiSmbiosProtocolGuid ## CONSUMES
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  PrintLib
+  UefiApplicationEntryPoint
+  UefiBootServicesTableLib
+  UefiLib
+  UefiRuntimeServicesTableLib
+  SecureBootVariableLib
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
new file mode 100644
index 0000000000..1907ce1d4e
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
@@ -0,0 +1,107 @@
+/** @file
+  Enroll default PK, KEK, db, dbx.
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseLib.h>                     // GUID_STRING_LENGTH
+#include <Library/BaseMemoryLib.h>               // CopyGuid()
+#include <Library/DebugLib.h>                    // ASSERT()
+#include <Library/MemoryAllocationLib.h>         // FreePool()
+#include <Library/PrintLib.h>                    // AsciiSPrint()
+#include <Library/UefiBootServicesTableLib.h>    // gBS
+#include <Library/UefiLib.h>                     // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+#include <Uefi/UefiMultiPhase.h>
+#include <Library/SecureBootVariableLib.h>
+
+#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)
+
+/**
+  Entry point function of this shell application.
+**/
+EFI_STATUS
+EFIAPI
+UefiMain (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  EFI_STATUS Status;
+  UINT8      SetupMode;
+
+  Status = GetSetupMode (&SetupMode);
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot get SetupMode variable: %r\n", Status);
+    return 1;
+  }
+
+  if (SetupMode == USER_MODE) {
+    FAIL ("Skipped - USER_MODE\n");
+    return 1;
+  }
+
+  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
+    return 1;
+  }
+
+  Status = EnrollDbFromDefault ();
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot enroll db: %r\n", Status);
+    goto error;
+  }
+
+  Status = EnrollDbxFromDefault ();
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot enroll dbt: %r\n", Status);
+  }
+
+  Status = EnrollDbtFromDefault ();
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot enroll dbx: %r\n", Status);
+  }
+
+  Status = EnrollKEKFromDefault ();
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot enroll KEK: %r\n", Status);
+    goto cleardbs;
+  }
+
+  Status = EnrollPKFromDefault ();
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot enroll PK: %r\n", Status);
+    goto clearKEK;
+  }
+
+  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+      "Please do it manually, otherwise system can be easily compromised\n");
+  }
+  return 0;
+
+clearKEK:
+  DeleteKEK ();
+
+cleardbs:
+  DeleteDbt ();
+  DeleteDbx ();
+  DeleteDb ();
+
+error:
+  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+      "Please do it manually, otherwise system can be easily compromised\n");
+  }
+
+  return 1;
+}
--
2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 5/6] SecurityPkg: Add new modules to Security package.
  2021-06-01 13:12 ` [PATCH v2 5/6] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
  2021-06-02 17:40   ` [edk2-devel] " Pete Batard
  2021-06-04  8:09   ` Min Xu
@ 2021-06-04  8:26   ` Sunny Wang
  2 siblings, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-06-04  8:26 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
	jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
	lersek@redhat.com, Sunny Wang

Internally reviewed this patch before sending the edk2 mailing list and It looks good to me. Please also address Pete's good catches/comments.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>

-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v2 5/6] SecurityPkg: Add new modules to Security package.

This commits adds modules related to initialization and
usage of default Secure Boot key variables to SecurityPkg.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/SecurityPkg.dec | 14 ++++++++++++++
 SecurityPkg/SecurityPkg.dsc |  4 ++++
 2 files changed, 18 insertions(+)

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 4001650fa2..dad3cae0ba 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -190,6 +190,20 @@
   ## GUID used to enforce loading order between Tcg2Acpi and Tcg2Smm
   gTcg2MmSwSmiRegisteredGuid         = { 0x9d4548b9, 0xa48d, 0x4db4, { 0x9a, 0x68, 0x32, 0xc5, 0x13, 0x9e, 0x20, 0x18 } }

+  ## GUID used to specify section with default PK content
+  gDefaultPKFileGuid                 = { 0x85254ea7, 0x4759, 0x4fc4, { 0x82, 0xd4, 0x5e, 0xed, 0x5f, 0xb0, 0xa4, 0xa0 } }
+
+  ## GUID used to specify section with default KEK content
+  gDefaultKEKFileGuid                = { 0x6f64916e, 0x9f7a, 0x4c35, { 0xb9, 0x52, 0xcd, 0x04, 0x1e, 0xfb, 0x05, 0xa3 } }
+
+  ## GUID used to specify section with default db content
+  gDefaultdbFileGuid                 = { 0xc491d352, 0x7623, 0x4843, { 0xac, 0xcc, 0x27, 0x91, 0xa7, 0x57, 0x44, 0x21 } }
+
+  ## GUID used to specify section with default dbt content
+  gDefaultdbxFileGuid                = { 0x5740766a, 0x718e, 0x4dc0, { 0x99, 0x35, 0xc3, 0x6f, 0x7d, 0x3f, 0x88, 0x4f } }
+
+  ## GUID used to specify section with default dbx content
+  gDefaultdbtFileGuid                = { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } }

 [Ppis]
   ## The PPI GUID for that TPM physical presence should be locked.
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 854f250625..e031775ca8 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -259,6 +259,10 @@

 [Components.IA32, Components.X64, Components.ARM, Components.AARCH64]
   SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+  SecurityPkg/EnrollFromDefaultKeys/EnrollFromDefaultKeys.inf
+  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys/SecureBootDefaultKeys.inf
+

 [Components.IA32, Components.X64, Components.AARCH64]
   #
--
2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 6/6] SecurityPkg: Add option to reset secure boot keys.
  2021-06-01 13:12 ` [PATCH v2 6/6] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
  2021-06-02 17:40   ` [edk2-devel] " Pete Batard
@ 2021-06-04  8:30   ` Sunny Wang
  1 sibling, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-06-04  8:30 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
	jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
	lersek@redhat.com, Sunny Wang

Internally reviewed this patch before sending the edk2 mailing list and Greg already addressed all my comments, so It looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>

-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v2 6/6] SecurityPkg: Add option to reset secure boot keys.

This commit add option which allows reset content of Secure Boot
keys and databases to default variables.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf     |   1 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h    |   2 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr        |   6 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c      | 154 ++++++++++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni |   4 +
 5 files changed, 167 insertions(+)

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 30d9cd8025..bd8d256dde 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -109,6 +109,7 @@
 [Protocols]
   gEfiHiiConfigAccessProtocolGuid               ## PRODUCES
   gEfiDevicePathProtocolGuid                    ## PRODUCES
+  gEfiHiiPopupProtocolGuid

 [Depex]
   gEfiHiiConfigRoutingProtocolGuid  AND
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
index 6e54a4b0f2..4ecc25efc3 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
@@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

 #define KEY_VALUE_FROM_DBX_TO_LIST_FORM       0x100f

+#define KEY_SECURE_BOOT_RESET_TO_DEFAULT      0x1010
+
 #define KEY_SECURE_BOOT_OPTION                0x1100
 #define KEY_SECURE_BOOT_PK_OPTION             0x1101
 #define KEY_SECURE_BOOT_KEK_OPTION            0x1102
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index fa7e11848c..e4560c592c 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -69,6 +69,12 @@ formset
     endif;
     endif;

+    text
+      help   = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP),
+      text   = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS),
+      flags  = INTERACTIVE,
+      key    = KEY_SECURE_BOOT_RESET_TO_DEFAULT;
+
   endform;

   //
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 67e5e594ed..47f281873b 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 **/

 #include "SecureBootConfigImpl.h"
+#include <Protocol/HiiPopup.h>
 #include <Library/BaseCryptLib.h>
 #include <Library/SecureBootVariableLib.h>

@@ -4154,6 +4155,132 @@ ON_EXIT:
   return Status;
 }

+/**
+  This function reinitializes Secure Boot variables with default values.
+
+  @retval   EFI_SUCCESS           Success to update the signature list page
+  @retval   others                Fail to delete or enroll signature data.
+**/
+
+STATIC EFI_STATUS
+EFIAPI
+KeyEnrollReset (
+  VOID
+  )
+{
+  EFI_STATUS  Status;
+  UINT8       SetupMode;
+
+  Status = EFI_SUCCESS;
+
+  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+  if (EFI_ERROR(Status)) {
+    return Status;
+  }
+
+  // Clear all the keys and databases
+  Status = DeleteDb ();
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status));
+    return Status;
+  }
+
+  Status = DeleteDbx ();
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status));
+    return Status;
+  }
+
+  Status = DeleteDbt ();
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status));
+    return Status;
+  }
+
+  Status = DeleteKEK ();
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status));
+    return Status;
+  }
+
+  Status = DeletePlatformKey ();
+  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+    DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status));
+    return Status;
+  }
+
+  // After PK clear, Setup Mode shall be enabled
+  Status = GetSetupMode (&SetupMode);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n",
+      Status));
+    return Status;
+  }
+
+  if (SetupMode == USER_MODE) {
+    DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n"));
+    return EFI_SUCCESS;
+  }
+
+  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n",
+      Status));
+    return EFI_SUCCESS;
+  }
+
+  // Enroll all the keys from default variables
+  Status = EnrollDbFromDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status));
+    goto error;
+  }
+
+  Status = EnrollDbxFromDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status));
+  }
+
+  Status = EnrollDbtFromDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status));
+  }
+
+  Status = EnrollKEKFromDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status));
+    goto cleardbs;
+  }
+
+  Status = EnrollPKFromDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status));
+    goto clearKEK;
+  }
+
+  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+      "Please do it manually, otherwise system can be easily compromised\n"));
+  }
+
+  return Status;
+
+clearKEK:
+  DeleteKEK ();
+
+cleardbs:
+  DeleteDbt ();
+  DeleteDbx ();
+  DeleteDb ();
+
+error:
+  if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) != EFI_SUCCESS) {
+    DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status));
+  }
+  return Status;
+}
+
 /**
   This function is called to provide results data to the driver.

@@ -4205,6 +4332,8 @@ SecureBootCallback (
   SECUREBOOT_CONFIG_PRIVATE_DATA  *PrivateData;
   BOOLEAN                         GetBrowserDataResult;
   ENROLL_KEY_ERROR                EnrollKeyErrorCode;
+  EFI_HII_POPUP_PROTOCOL          *HiiPopup;
+  EFI_HII_POPUP_SELECTION         UserSelection;

   Status             = EFI_SUCCESS;
   SecureBootEnable   = NULL;
@@ -4755,6 +4884,31 @@ SecureBootCallback (
         FreePool (SetupMode);
       }
       break;
+    case KEY_SECURE_BOOT_RESET_TO_DEFAULT:
+    {
+      Status = gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VOID **) &HiiPopup);
+      if (EFI_ERROR (Status)) {
+        return Status;
+      }
+      Status = HiiPopup->CreatePopup (
+                           HiiPopup,
+                           EfiHiiPopupStyleInfo,
+                           EfiHiiPopupTypeYesNo,
+                           Private->HiiHandle,
+                           STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP),
+                           &UserSelection
+                           );
+      if (UserSelection == EfiHiiPopupSelectionYes) {
+        Status = KeyEnrollReset ();
+      }
+      //
+      // Update secure boot strings after key reset
+      //
+      if (Status == EFI_SUCCESS) {
+        Status = UpdateSecureBootString (Private);
+        SecureBootExtractConfigFromVariable (Private, IfrNvData);
+      }
+    }
     default:
       break;
     }
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
index ac783453cc..0d01701de7 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
@@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #string STR_SECURE_BOOT_PROMPT             #language en-US "Attempt Secure Boot"
 #string STR_SECURE_BOOT_HELP               #language en-US "Enable/Disable the Secure Boot feature after platform reset"

+#string STR_SECURE_RESET_TO_DEFAULTS_HELP  #language en-US "Enroll keys with data from default variables"
+#string STR_SECURE_RESET_TO_DEFAULTS       #language en-US "Reset Secure Boot Keys"
+#string STR_RESET_TO_DEFAULTS_POPUP        #language en-US "Secure Boot Keys & databases will be initialized from defaults.\n Are you sure?"
+
 #string STR_SECURE_BOOT_ENROLL_SIGNATURE   #language en-US "Enroll Signature"
 #string STR_SECURE_BOOT_DELETE_SIGNATURE   #language en-US "Delete Signature"
 #string STR_SECURE_BOOT_DELETE_LIST_FORM   #language en-US "Delete Signature List Form"
--
2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization
  2021-06-01 13:12 ` [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization Grzegorz Bernacki
  2021-06-02 17:40   ` [edk2-devel] " Pete Batard
@ 2021-06-04  8:35   ` Sunny Wang
  2021-07-08 18:37   ` Samer El-Haj-Mahmoud
  2 siblings, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-06-04  8:35 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
	jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
	lersek@redhat.com, Sunny Wang

Internally reviewed this patch before sending the edk2 mailing list and it looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com

-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization

This commit allows to initialize Secure Boot default key
and databases from data embedded in firmware binary.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++-
 Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4/RPi4.dsc
index d8c6fdd4bd..1fb4df0b81 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.dsc
+++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
@@ -164,7 +164,7 @@
 !if $(SECURE_BOOT_ENABLE) == TRUE
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
-
+  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
   # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
 !else
@@ -217,6 +217,7 @@
   MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
   HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

 [LibraryClasses.common.UEFI_DRIVER]
@@ -612,6 +613,8 @@
       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
   }
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
+  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 !else
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
 !endif
diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf b/Platform/RaspberryPi/RPi4/RPi4.fdf
index 1e13909a57..0e43d24c7a 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.fdf
+++ b/Platform/RaspberryPi/RPi4/RPi4.fdf
@@ -189,7 +189,9 @@ READ_LOCK_STATUS   = TRUE
   INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
   INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
 !if $(SECURE_BOOT_ENABLE) == TRUE
+!include SecurityPkg/SecureBootDefaultKeys.fdf.inc
   INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+  INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 !endif
   INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
   INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
--
2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

^ permalink raw reply related	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 0/6] Secure Boot default keys
  2021-06-04  8:17 ` [PATCH v2 0/6] Secure Boot default keys Min Xu
@ 2021-06-07  7:29   ` Grzegorz Bernacki
  2021-06-14  9:47     ` Grzegorz Bernacki
  0 siblings, 1 reply; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-06-07  7:29 UTC (permalink / raw)
  To: Xu, Min M
  Cc: devel@edk2.groups.io, leif@nuviainc.com,
	ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com,
	sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com,
	Yao, Jiewen, Wang, Jian J, lersek@redhat.com

Hi Min M,

I tested it with Ovmf. I will try other compiler and provide you logs soon.

thanks,
greg

pt., 4 cze 2021 o 10:17 Xu, Min M <min.m.xu@intel.com> napisał(a):
>
> Grzegorz
> Have you built this feature with different tool chains, such as VS2017/VS2019/GCC5? And test it in IA32/X64/AARCH64?
> Would you post your test result in the mail?
> Thanks much!
>
> > -----Original Message-----
> > From: Grzegorz Bernacki <gjb@semihalf.com>
> > Sent: Tuesday, June 1, 2021 9:12 PM
> > To: devel@edk2.groups.io
> > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> > upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
> > Subject: [PATCH v2 0/6] Secure Boot default keys
> >
> > This patchset adds support for initialization of default Secure Boot variables
> > based on keys content embedded in flash binary. This feature is active only if
> > Secure Boot is enabled and DEFAULT_KEY is defined. The patchset consist
> > also application to enroll keys from default variables and secure boot menu
> > change to allow user to reset key content to default values.
> > Discussion on design can be found at:
> > https://edk2.groups.io/g/rfc/topic/82139806#600
> >
> > I also added patch for RPi4 which enables this feature for that platform.
> >
> > Changes since v1:
> > - change names:
> >   SecBootVariableLib => SecureBootVariableLib
> >   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> >   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > - change name of function CheckSetupMode to GetSetupMode
> > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > - rebase to master
> >
> > Grzegorz Bernacki (6):
> > [edk2]
> >   SecurityPkg: Create library for setting Secure Boot variables.
> >   SecurityPkg: Create include file for default key content.
> >   SecurityPkg: Add SecureBootDefaultKeysDxe driver
> >   SecurityPkg: Add EnrollFromDefaultKeys application.
> >   SecurityPkg: Add new modules to Security package.
> >   SecurityPkg: Add option to reset secure boot keys.
> > [edk2-platform]
> >   Platform/RaspberryPi: Enable default Secure Boot variables initialization
> >
> >  SecurityPkg/SecurityPkg.dec                                                             |  14 +
> >  SecurityPkg/SecurityPkg.dsc                                                             |   5 +
> >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > |  47 +
> >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > |  79 ++
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > Dxe.inf           |   2 +
> >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.inf |  46 +
> >  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     |
> > 252 +++++
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > NvData.h          |   2 +
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> > vfr              |   6 +
> >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > | 107 +++
> >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > | 979 ++++++++++++++++++++
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > mpl.c            | 343 ++++---
> >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.c   |  69 ++
> >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > |  16 +
> >  SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62 ++
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> > trings.uni       |   4 +
> >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.uni |  17 +
> >  17 files changed, 1862 insertions(+), 188 deletions(-)  create mode 100644
> > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> >  create mode 100644
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> >  create mode 100644
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.inf
> >  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> >  create mode 100644
> > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> >  create mode 100644
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> >  create mode 100644
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.c
> >  create mode 100644
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> >  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> >  create mode 100644
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.uni
> >
> > --
> > 2.25.1
>

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [PATCH v2 0/6] Secure Boot default keys
  2021-06-07  7:29   ` Grzegorz Bernacki
@ 2021-06-14  9:47     ` Grzegorz Bernacki
  2021-06-17  1:30       ` [edk2-devel] " Min Xu
  0 siblings, 1 reply; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-06-14  9:47 UTC (permalink / raw)
  To: Xu, Min M
  Cc: devel@edk2.groups.io, leif@nuviainc.com,
	ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com,
	sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com,
	Yao, Jiewen, Wang, Jian J, lersek@redhat.com

Hi Min M,

Please find log from tests of OvmfX64 built with VS2019 at:
https://drive.google.com/file/d/18w7s6GxIz3aeId22xABMib7I3JX7G9X1/view?usp=sharing

thanks,
greg

pon., 7 cze 2021 o 09:29 Grzegorz Bernacki <gjb@semihalf.com> napisał(a):
>
> Hi Min M,
>
> I tested it with Ovmf. I will try other compiler and provide you logs soon.
>
> thanks,
> greg
>
> pt., 4 cze 2021 o 10:17 Xu, Min M <min.m.xu@intel.com> napisał(a):
> >
> > Grzegorz
> > Have you built this feature with different tool chains, such as VS2017/VS2019/GCC5? And test it in IA32/X64/AARCH64?
> > Would you post your test result in the mail?
> > Thanks much!
> >
> > > -----Original Message-----
> > > From: Grzegorz Bernacki <gjb@semihalf.com>
> > > Sent: Tuesday, June 1, 2021 9:12 PM
> > > To: devel@edk2.groups.io
> > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> > > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> > > upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > > lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
> > > Subject: [PATCH v2 0/6] Secure Boot default keys
> > >
> > > This patchset adds support for initialization of default Secure Boot variables
> > > based on keys content embedded in flash binary. This feature is active only if
> > > Secure Boot is enabled and DEFAULT_KEY is defined. The patchset consist
> > > also application to enroll keys from default variables and secure boot menu
> > > change to allow user to reset key content to default values.
> > > Discussion on design can be found at:
> > > https://edk2.groups.io/g/rfc/topic/82139806#600
> > >
> > > I also added patch for RPi4 which enables this feature for that platform.
> > >
> > > Changes since v1:
> > > - change names:
> > >   SecBootVariableLib => SecureBootVariableLib
> > >   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > >   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > > - change name of function CheckSetupMode to GetSetupMode
> > > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > > - rebase to master
> > >
> > > Grzegorz Bernacki (6):
> > > [edk2]
> > >   SecurityPkg: Create library for setting Secure Boot variables.
> > >   SecurityPkg: Create include file for default key content.
> > >   SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > >   SecurityPkg: Add EnrollFromDefaultKeys application.
> > >   SecurityPkg: Add new modules to Security package.
> > >   SecurityPkg: Add option to reset secure boot keys.
> > > [edk2-platform]
> > >   Platform/RaspberryPi: Enable default Secure Boot variables initialization
> > >
> > >  SecurityPkg/SecurityPkg.dec                                                             |  14 +
> > >  SecurityPkg/SecurityPkg.dsc                                                             |   5 +
> > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > |  47 +
> > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > > |  79 ++
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > > Dxe.inf           |   2 +
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > efaultKeysDxe.inf |  46 +
> > >  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     |
> > > 252 +++++
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > > NvData.h          |   2 +
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> > > vfr              |   6 +
> > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > | 107 +++
> > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > | 979 ++++++++++++++++++++
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > > mpl.c            | 343 ++++---
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > efaultKeysDxe.c   |  69 ++
> > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > > |  16 +
> > >  SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62 ++
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> > > trings.uni       |   4 +
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > efaultKeysDxe.uni |  17 +
> > >  17 files changed, 1862 insertions(+), 188 deletions(-)  create mode 100644
> > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > >  create mode 100644
> > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > >  create mode 100644
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > efaultKeysDxe.inf
> > >  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> > >  create mode 100644
> > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > >  create mode 100644
> > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > >  create mode 100644
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > efaultKeysDxe.c
> > >  create mode 100644
> > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > >  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > >  create mode 100644
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > efaultKeysDxe.uni
> > >
> > > --
> > > 2.25.1
> >

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [edk2-devel] [PATCH v2 0/6] Secure Boot default keys
  2021-06-14  9:47     ` Grzegorz Bernacki
@ 2021-06-17  1:30       ` Min Xu
  2021-06-17 12:54         ` Grzegorz Bernacki
  0 siblings, 1 reply; 35+ messages in thread
From: Min Xu @ 2021-06-17  1:30 UTC (permalink / raw)
  To: devel@edk2.groups.io, gjb@semihalf.com
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com,
	upstream@semihalf.com, Yao, Jiewen, Wang, Jian J,
	lersek@redhat.com

On 06/14/2021 5:48 PM, Grzegorz Bernacki Wrote:
> Hi Min M,
> 
> Please find log from tests of OvmfX64 built with VS2019 at:
> https://drive.google.com/file/d/18w7s6GxIz3aeId22xABMib7I3JX7G9X1/view?u
> sp=sharing
> 
Usually we summarize the test in a table which is posted in the mail thread, so that
the test result is clear and easy to read. Also in this way the test result can be recorded in
the review thread. I am afraid the test log in the google drive cannot be accessed
one day.

> thanks,
> greg
> 
> pon., 7 cze 2021 o 09:29 Grzegorz Bernacki <gjb@semihalf.com> napisał(a):
> >
> > Hi Min M,
> >
> > I tested it with Ovmf. I will try other compiler and provide you logs soon.
> >
> > thanks,
> > greg
> >
> > pt., 4 cze 2021 o 10:17 Xu, Min M <min.m.xu@intel.com> napisał(a):
> > >
> > > Grzegorz
> > > Have you built this feature with different tool chains, such as
> VS2017/VS2019/GCC5? And test it in IA32/X64/AARCH64?
> > > Would you post your test result in the mail?
> > > Thanks much!
> > >
> > > > -----Original Message-----
> > > > From: Grzegorz Bernacki <gjb@semihalf.com>
> > > > Sent: Tuesday, June 1, 2021 9:12 PM
> > > > To: devel@edk2.groups.io
> > > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> > > > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> > > > upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> > > > Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > > > lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
> > > > Subject: [PATCH v2 0/6] Secure Boot default keys
> > > >
> > > > This patchset adds support for initialization of default Secure
> > > > Boot variables based on keys content embedded in flash binary.
> > > > This feature is active only if Secure Boot is enabled and
> > > > DEFAULT_KEY is defined. The patchset consist also application to
> > > > enroll keys from default variables and secure boot menu change to allow
> user to reset key content to default values.
> > > > Discussion on design can be found at:
> > > > https://edk2.groups.io/g/rfc/topic/82139806#600
> > > >
> > > > I also added patch for RPi4 which enables this feature for that platform.
> > > >
> > > > Changes since v1:
> > > > - change names:
> > > >   SecBootVariableLib => SecureBootVariableLib
> > > >   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > > >   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > > > - change name of function CheckSetupMode to GetSetupMode
> > > > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > > > - rebase to master
> > > >
> > > > Grzegorz Bernacki (6):
> > > > [edk2]
> > > >   SecurityPkg: Create library for setting Secure Boot variables.
> > > >   SecurityPkg: Create include file for default key content.
> > > >   SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > > >   SecurityPkg: Add EnrollFromDefaultKeys application.
> > > >   SecurityPkg: Add new modules to Security package.
> > > >   SecurityPkg: Add option to reset secure boot keys.
> > > > [edk2-platform]
> > > >   Platform/RaspberryPi: Enable default Secure Boot variables
> > > > initialization
> > > >
> > > >  SecurityPkg/SecurityPkg.dec                                                             |  14 +
> > > >  SecurityPkg/SecurityPkg.dsc                                                             |   5 +
> > > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > > |  47 +
> > > >
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.in
> > > > f
> > > > |  79 ++
> > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > > > Dxe.inf           |   2 +
> > > >
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > ootD
> > > > efaultKeysDxe.inf |  46 +
> > > >  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     |
> > > > 252 +++++
> > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > > > NvData.h          |   2 +
> > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> > > > vfr              |   6 +
> > > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > > | 107 +++
> > > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > > | 979 ++++++++++++++++++++
> > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > > > mpl.c            | 343 ++++---
> > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > > efaultKeysDxe.c   |  69 ++
> > > >
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.un
> > > > i
> > > > |  16 +
> > > >  SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62
> ++
> > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> > > > trings.uni       |   4 +
> > > >
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > ootD
> > > > efaultKeysDxe.uni |  17 +
> > > >  17 files changed, 1862 insertions(+), 188 deletions(-)  create
> > > > mode 100644
> > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > >  create mode 100644
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.in
> > > > f
> > > >  create mode 100644
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > ootD
> > > > efaultKeysDxe.inf
> > > >  create mode 100644
> > > > SecurityPkg/Include/Library/SecureBootVariableLib.h
> > > >  create mode 100644
> > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > >  create mode 100644
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > >  create mode 100644
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > ootD
> > > > efaultKeysDxe.c
> > > >  create mode 100644
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.un
> > > > i  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > > >  create mode 100644
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > ootD
> > > > efaultKeysDxe.uni
> > > >
> > > > --
> > > > 2.25.1
> > >
> 
> 
> 
> 


^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [edk2-devel] [PATCH v2 0/6] Secure Boot default keys
  2021-06-17  1:30       ` [edk2-devel] " Min Xu
@ 2021-06-17 12:54         ` Grzegorz Bernacki
  2021-06-17 13:37           ` Min Xu
  0 siblings, 1 reply; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-06-17 12:54 UTC (permalink / raw)
  To: Xu, Min M
  Cc: devel@edk2.groups.io, leif@nuviainc.com,
	ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com,
	sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com,
	Yao, Jiewen, Wang, Jian J, lersek@redhat.com

Hi Min M,

Sure, I will send the test result after I make changes for the v4
version. Can you please point me to a few mails with the test result
table so I can copy the format?
thanks,
greg

czw., 17 cze 2021 o 03:30 Xu, Min M <min.m.xu@intel.com> napisał(a):
>
> On 06/14/2021 5:48 PM, Grzegorz Bernacki Wrote:
> > Hi Min M,
> >
> > Please find log from tests of OvmfX64 built with VS2019 at:
> > https://drive.google.com/file/d/18w7s6GxIz3aeId22xABMib7I3JX7G9X1/view?u
> > sp=sharing
> >
> Usually we summarize the test in a table which is posted in the mail thread, so that
> the test result is clear and easy to read. Also in this way the test result can be recorded in
> the review thread. I am afraid the test log in the google drive cannot be accessed
> one day.
>
> > thanks,
> > greg
> >
> > pon., 7 cze 2021 o 09:29 Grzegorz Bernacki <gjb@semihalf.com> napisał(a):
> > >
> > > Hi Min M,
> > >
> > > I tested it with Ovmf. I will try other compiler and provide you logs soon.
> > >
> > > thanks,
> > > greg
> > >
> > > pt., 4 cze 2021 o 10:17 Xu, Min M <min.m.xu@intel.com> napisał(a):
> > > >
> > > > Grzegorz
> > > > Have you built this feature with different tool chains, such as
> > VS2017/VS2019/GCC5? And test it in IA32/X64/AARCH64?
> > > > Would you post your test result in the mail?
> > > > Thanks much!
> > > >
> > > > > -----Original Message-----
> > > > > From: Grzegorz Bernacki <gjb@semihalf.com>
> > > > > Sent: Tuesday, June 1, 2021 9:12 PM
> > > > > To: devel@edk2.groups.io
> > > > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> > > > > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> > > > > upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> > > > > Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > > > > lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
> > > > > Subject: [PATCH v2 0/6] Secure Boot default keys
> > > > >
> > > > > This patchset adds support for initialization of default Secure
> > > > > Boot variables based on keys content embedded in flash binary.
> > > > > This feature is active only if Secure Boot is enabled and
> > > > > DEFAULT_KEY is defined. The patchset consist also application to
> > > > > enroll keys from default variables and secure boot menu change to allow
> > user to reset key content to default values.
> > > > > Discussion on design can be found at:
> > > > > https://edk2.groups.io/g/rfc/topic/82139806#600
> > > > >
> > > > > I also added patch for RPi4 which enables this feature for that platform.
> > > > >
> > > > > Changes since v1:
> > > > > - change names:
> > > > >   SecBootVariableLib => SecureBootVariableLib
> > > > >   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > > > >   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > > > > - change name of function CheckSetupMode to GetSetupMode
> > > > > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > > > > - rebase to master
> > > > >
> > > > > Grzegorz Bernacki (6):
> > > > > [edk2]
> > > > >   SecurityPkg: Create library for setting Secure Boot variables.
> > > > >   SecurityPkg: Create include file for default key content.
> > > > >   SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > > > >   SecurityPkg: Add EnrollFromDefaultKeys application.
> > > > >   SecurityPkg: Add new modules to Security package.
> > > > >   SecurityPkg: Add option to reset secure boot keys.
> > > > > [edk2-platform]
> > > > >   Platform/RaspberryPi: Enable default Secure Boot variables
> > > > > initialization
> > > > >
> > > > >  SecurityPkg/SecurityPkg.dec                                                             |  14 +
> > > > >  SecurityPkg/SecurityPkg.dsc                                                             |   5 +
> > > > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > > > |  47 +
> > > > >
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.in
> > > > > f
> > > > > |  79 ++
> > > > >
> > > > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > > > > Dxe.inf           |   2 +
> > > > >
> > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > > ootD
> > > > > efaultKeysDxe.inf |  46 +
> > > > >  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     |
> > > > > 252 +++++
> > > > >
> > > > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > > > > NvData.h          |   2 +
> > > > >
> > > > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> > > > > vfr              |   6 +
> > > > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > > > | 107 +++
> > > > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > > > | 979 ++++++++++++++++++++
> > > > >
> > > > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > > > > mpl.c            | 343 ++++---
> > > > >
> > > > >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > > > efaultKeysDxe.c   |  69 ++
> > > > >
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.un
> > > > > i
> > > > > |  16 +
> > > > >  SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62
> > ++
> > > > >
> > > > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> > > > > trings.uni       |   4 +
> > > > >
> > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > > ootD
> > > > > efaultKeysDxe.uni |  17 +
> > > > >  17 files changed, 1862 insertions(+), 188 deletions(-)  create
> > > > > mode 100644
> > > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > > >  create mode 100644
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.in
> > > > > f
> > > > >  create mode 100644
> > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > > ootD
> > > > > efaultKeysDxe.inf
> > > > >  create mode 100644
> > > > > SecurityPkg/Include/Library/SecureBootVariableLib.h
> > > > >  create mode 100644
> > > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > > >  create mode 100644
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > > >  create mode 100644
> > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > > ootD
> > > > > efaultKeysDxe.c
> > > > >  create mode 100644
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.un
> > > > > i  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > > > >  create mode 100644
> > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > > ootD
> > > > > efaultKeysDxe.uni
> > > > >
> > > > > --
> > > > > 2.25.1
> > > >
> >
> >
> > 
> >
>

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [edk2-devel] [PATCH v2 0/6] Secure Boot default keys
  2021-06-17 12:54         ` Grzegorz Bernacki
@ 2021-06-17 13:37           ` Min Xu
  0 siblings, 0 replies; 35+ messages in thread
From: Min Xu @ 2021-06-17 13:37 UTC (permalink / raw)
  To: devel@edk2.groups.io, gjb@semihalf.com
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com,
	upstream@semihalf.com, Yao, Jiewen, Wang, Jian J,
	lersek@redhat.com

On 06/17/2021, Grzegorz Bernacki wrote:
> Hi Min M,
> 
> Sure, I will send the test result after I make changes for the v4 version. Can
> you please point me to a few mails with the test result table so I can copy the
> format?
>
Please refer to https://edk2.groups.io/g/devel/message/74239
Just summarize the validation you do.
>
> thanks,
> greg

Thanks
Min

^ permalink raw reply	[flat|nested] 35+ messages in thread

* Re: [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization
  2021-06-01 13:12 ` [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization Grzegorz Bernacki
  2021-06-02 17:40   ` [edk2-devel] " Pete Batard
  2021-06-04  8:35   ` Sunny Wang
@ 2021-07-08 18:37   ` Samer El-Haj-Mahmoud
  2 siblings, 0 replies; 35+ messages in thread
From: Samer El-Haj-Mahmoud @ 2021-07-08 18:37 UTC (permalink / raw)
  To: Grzegorz Bernacki, devel@edk2.groups.io
  Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Sunny Wang,
	mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com,
	jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com,
	Samer El-Haj-Mahmoud

Reviewed-By: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>

> -----Original Message-----
> From: Grzegorz Bernacki <gjb@semihalf.com>
> Sent: Tuesday, June 1, 2021 9:12 AM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud
> <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang
> <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com;
> jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com;
> lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
> Subject: [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default
> Secure Boot variables initialization
>
> This commit allows to initialize Secure Boot default key
> and databases from data embedded in firmware binary.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>  Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++-
>  Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++
>  2 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc
> b/Platform/RaspberryPi/RPi4/RPi4.dsc
> index d8c6fdd4bd..1fb4df0b81 100644
> --- a/Platform/RaspberryPi/RPi4/RPi4.dsc
> +++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
> @@ -164,7 +164,7 @@
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTp
> mMeasurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> -
> +
> SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo
> otVariableLib.inf
>    # re-use the UserPhysicalPresent() dummy implementation from the ovmf
> tree
>
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.in
> f
>  !else
> @@ -217,6 +217,7 @@
>
> MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemor
> yAllocationLib.inf
>    HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
>    ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
> +  ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
>    FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
>
>  [LibraryClasses.common.UEFI_DRIVER]
> @@ -612,6 +613,8 @@
>
> NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.i
> nf
>    }
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf
> +  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> +
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf
>  !else
>    MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
>  !endif
> diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf
> b/Platform/RaspberryPi/RPi4/RPi4.fdf
> index 1e13909a57..0e43d24c7a 100644
> --- a/Platform/RaspberryPi/RPi4/RPi4.fdf
> +++ b/Platform/RaspberryPi/RPi4/RPi4.fdf
> @@ -189,7 +189,9 @@ READ_LOCK_STATUS   = TRUE
>    INF
> MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
>    INF
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
>  !if $(SECURE_BOOT_ENABLE) == TRUE
> +!include SecurityPkg/SecureBootDefaultKeys.fdf.inc
>    INF
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf
> +  INF
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf
>  !endif
>    INF
> MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCount
> erRuntimeDxe.inf
>    INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
> --
> 2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

^ permalink raw reply	[flat|nested] 35+ messages in thread

end of thread, other threads:[~2021-07-08 18:38 UTC | newest]

Thread overview: 35+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-06-01 13:12 [PATCH v2 0/6] Secure Boot default keys Grzegorz Bernacki
2021-06-01 13:12 ` [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization Grzegorz Bernacki
2021-06-02 17:40   ` [edk2-devel] " Pete Batard
2021-06-04  8:35   ` Sunny Wang
2021-07-08 18:37   ` Samer El-Haj-Mahmoud
2021-06-01 13:12 ` [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
2021-06-02 17:39   ` [edk2-devel] " Pete Batard
2021-06-02 19:43     ` [EXTERNAL] " Bret Barkelew
2021-06-03  6:56   ` Min Xu
2021-06-04  7:49   ` Sunny Wang
2021-06-01 13:12 ` [PATCH v2 2/6] SecurityPkg: Create include file for default key content Grzegorz Bernacki
2021-06-02 17:39   ` [edk2-devel] " Pete Batard
2021-06-03  7:06   ` Min Xu
2021-06-04  8:11   ` Sunny Wang
2021-06-01 13:12 ` [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
2021-06-02 17:39   ` [edk2-devel] " Pete Batard
2021-06-04  8:02   ` Min Xu
2021-06-04  8:15   ` Sunny Wang
2021-06-01 13:12 ` [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-06-02 17:40   ` [edk2-devel] " Pete Batard
2021-06-02 19:38     ` [EXTERNAL] " Bret Barkelew
2021-06-04  8:24   ` Sunny Wang
2021-06-01 13:12 ` [PATCH v2 5/6] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-06-02 17:40   ` [edk2-devel] " Pete Batard
2021-06-04  8:09   ` Min Xu
2021-06-04  8:26   ` Sunny Wang
2021-06-01 13:12 ` [PATCH v2 6/6] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-06-02 17:40   ` [edk2-devel] " Pete Batard
2021-06-04  8:30   ` Sunny Wang
2021-06-04  8:17 ` [PATCH v2 0/6] Secure Boot default keys Min Xu
2021-06-07  7:29   ` Grzegorz Bernacki
2021-06-14  9:47     ` Grzegorz Bernacki
2021-06-17  1:30       ` [edk2-devel] " Min Xu
2021-06-17 12:54         ` Grzegorz Bernacki
2021-06-17 13:37           ` Min Xu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox