From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52])
 by mx.groups.io with SMTP id smtpd.web10.27549.1623663817693697783
 for <devel@edk2.groups.io>;
 Mon, 14 Jun 2021 02:43:38 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@semihalf-com.20150623.gappssmtp.com header.s=20150623 header.b=sDIvy9Rm;
 spf=none, err=SPF record not found (domain: semihalf.com, ip: 209.85.167.52, mailfrom: gjb@semihalf.com)
Received: by mail-lf1-f52.google.com with SMTP id m21so20003139lfg.13
        for <devel@edk2.groups.io>; Mon, 14 Jun 2021 02:43:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=semihalf-com.20150623.gappssmtp.com; s=20150623;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=xDhGSi4qwyeZ8TXbOMDUSQT69CJPcu92iV/o3fe4/zM=;
        b=sDIvy9RmQpCiM9/4koJk+U8NmIXG617LO0pPuFuplz4UIQcu7IWZr1XcBDdh++QDPM
         YAyTcOLjcfkC8Z3m2X2TfY6gq6kdtV8ZoapPHMesoIBspmw30O8xc45QJfxv4Eww6UBG
         7QJzzP7tK4ptTPWBY+oI7OB93TQ5zAYERBfWneS7HTQFQuAtvux7BTyiiuBg6FEGvrdO
         z/7kLDoW/3/g+VOk6Iob6bFskm7bUOndQf2A/6fjjgK2ERWv6jmFKjfoOsyT4WvmrGRa
         z0cif6SSlu6VztKIOZUCmmWDXiDB51AiJEFrEBEZXzx1R2iU2D27+/w1nzwdSz8SUMtP
         zNRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=xDhGSi4qwyeZ8TXbOMDUSQT69CJPcu92iV/o3fe4/zM=;
        b=rpX6y4SyMTU0kRXbp2jVWHOKLNgJj6fld74l14zt37qHLEMfuw2XAhLtoB5Z6qgi+h
         4A892hxuKFVBT+/nFJsX+fftV5KtHBhHgMUkI4rK0yt+jD2ANOyEIKt7K0PQ5gL28IRy
         A5F7ewlnZ9QDCY3BXQPeN59nuK13x858dU/PNv2SXjVmBwCrZJgPkqNvkQOCuF/8733J
         OwuhiLHZs5xS8wGk/3W6GRSJy5RtzFyiFLFVHnc6BzIGiH2HSv4DEhLcEvPnXxgbGG02
         dC71DaGHN0WOLmv4NA62uJWewZMzz2KD1TsoPSVoRRweiMN98K69rlJ/g7AnQNDKH8mN
         KrVA==
X-Gm-Message-State: AOAM533OoTpDqlVon1H+nU/M7k/aabvQeRQHJNUIxPQyNUZ2GWEJf1dd
	0OM+DsSvea/ASemcs3X1JVDJIQ2/0Yh4PBgL
X-Google-Smtp-Source: ABdhPJzL5Ib6Dnu1bguyPxtHc5tqw/J60DbuQJ9Q5m9podrsHrCueN5PZpPGLysqjcLcy2sJsNF8Wg==
X-Received: by 2002:a05:6512:a83:: with SMTP id m3mr11190210lfu.199.1623663815609;
        Mon, 14 Jun 2021 02:43:35 -0700 (PDT)
Return-Path: <gjb@semihalf.com>
Received: from gilgamesh.lab.semihalf.net ([83.142.187.85])
        by smtp.gmail.com with ESMTPSA id c32sm367777lfv.30.2021.06.14.02.43.34
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jun 2021 02:43:35 -0700 (PDT)
From: "Grzegorz Bernacki" <gjb@semihalf.com>
To: devel@edk2.groups.io
Cc: leif@nuviainc.com,
	ardb+tianocore@kernel.org,
	Samer.El-Haj-Mahmoud@arm.com,
	sunny.Wang@arm.com,
	mw@semihalf.com,
	upstream@semihalf.com,
	jiewen.yao@intel.com,
	jian.j.wang@intel.com,
	min.m.xu@intel.com,
	lersek@redhat.com,
	sami.mujawar@arm.com,
	afish@apple.com,
	ray.ni@intel.com,
	jordan.l.justen@intel.com,
	rebecca@bsdio.com,
	grehan@freebsd.org,
	thomas.abraham@arm.com,
	chasel.chiu@intel.com,
	nathaniel.l.desimone@intel.com,
	gaoliming@byosoft.com.cn,
	eric.dong@intel.com,
	michael.d.kinney@intel.com,
	zailiang.sun@intel.com,
	yi.qian@intel.com,
	graeme@nuviainc.com,
	rad@semihalf.com,
	pete@akeo.ie,
	Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v3 0/8] Secure Boot default keys
Date: Mon, 14 Jun 2021 11:42:58 +0200
Message-Id: <20210614094308.2314345-1-gjb@semihalf.com>
X-Mailer: git-send-email 2.29.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

This patchset adds support for initialization of default
Secure Boot variables based on keys content embedded in
flash binary. This feature is active only if Secure Boot
is enabled and DEFAULT_KEY is defined. The patchset
consist also application to enroll keys from default
variables and secure boot menu change to allow user
to reset key content to default values.
Discussion on design can be found at:
https://edk2.groups.io/g/rfc/topic/82139806#600

I also added patch for RPi4 which enables this feature for
that platform.

Changes since v1:
- change names:
  SecBootVariableLib => SecureBootVariableLib
  SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
  SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
- change name of function CheckSetupMode to GetSetupMode
- remove ShellPkg dependecy from EnrollFromDefaultKeysApp
- rebase to master

Changes since v2:
- fix coding style for functions headers in SecureBootVariableLib.h
- add header to SecureBootDefaultKeys.fdf.inc
- remove empty line spaces in SecureBootDefaultKeysDxe files
- revert FAIL macro in EnrollFromDefaultKeysApp
- remove functions duplicates and  add SecureBootVariableLib
  to platforms which used it

Grzegorz Bernacki (10):
[edk2]
  SecurityPkg: Create library for setting Secure Boot variables.
  Platforms: add SecureBootVariableLib class resolution
  SecurityPkg: Create include file for default key content.
  SecurityPkg: Add SecureBootDefaultKeysDxe driver
  SecurityPkg: Add EnrollFromDefaultKeys application.
  SecurityPkg: Add new modules to Security package.
  SecurityPkg: Add option to reset secure boot keys.
  MdeModulePkg: Use SecureBootVariableLib in PlatformVarCleanupLib.
[edk2-platform]
  Platforms: add SecureBootVariableLib class resolution
  Platform/RaspberryPi: Enable default Secure Boot variables initialization

 SecurityPkg/SecurityPkg.dec                                                             |  14 +
 ArmVirtPkg/ArmVirtQemu.dsc                                                              |   3 +
 ArmVirtPkg/ArmVirtQemuKernel.dsc                                                        |   3 +
 EmulatorPkg/EmulatorPkg.dsc                                                             |   1 +
 OvmfPkg/Bhyve/BhyveX64.dsc                                                              |   1 +
 OvmfPkg/OvmfPkgIa32.dsc                                                                 |   1 +
 OvmfPkg/OvmfPkgIa32X64.dsc                                                              |   1 +
 OvmfPkg/OvmfPkgX64.dsc                                                                  |   1 +
 SecurityPkg/SecurityPkg.dsc                                                             |   4 +
 MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf                    |   2 +
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                       |  47 +
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                     |  79 ++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf           |   2 +
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf |  45 +
 MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h                             |   1 +
 SecurityPkg/Include/Library/SecureBootVariableLib.h                                     | 251 +++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h          |   2 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr              |   6 +
 MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c                          |  84 --
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                         | 109 +++
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                       | 980 ++++++++++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c            | 343 ++++---
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   |  68 ++
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                     |  16 +
 SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  70 ++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni       |   4 +
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni |  16 +
 Platform/ARM/SgiPkg/SgiPlatform.dsc.inc                              | 1 +
 Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc                 | 1 +
 Platform/Comcast/RDKQemu/RDKQemu.dsc                                 | 3 +++
 Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc          | 1 +
 Platform/Intel/QuarkPlatformPkg/Quark.dsc                            | 1 +
 Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc                 | 1 +
 Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc                  | 3 ++-
 Platform/Qemu/SbsaQemu/SbsaQemu.dsc                                  | 1 +
 Platform/RaspberryPi/RPi3/RPi3.dsc                                   | 1 +
 Platform/RaspberryPi/RPi4/RPi4.dsc                                   | 4 ++++
 Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc           | 1 +
 Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.dsc | 1 +
 Platform/Socionext/DeveloperBox/DeveloperBox.dsc                     | 4 ++++
 Platform/RaspberryPi/RPi4/RPi4.fdf                                   | 2 ++
 41 files changed, 1882 insertions(+), 272 deletions(-)
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
 create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni

-- 
2.25.1