* [edk2-platforms PATCH v6 1/4] Intel Platforms: add SecureBootVariableLib class resolution
2021-07-14 12:30 [edk2-platforms PATCH v6 0/4] Secure Boot default keys Grzegorz Bernacki
@ 2021-07-14 12:30 ` Grzegorz Bernacki
2021-07-14 12:30 ` [edk2-platforms PATCH v6 2/4] ARM Silicon and " Grzegorz Bernacki
` (3 subsequent siblings)
4 siblings, 0 replies; 8+ messages in thread
From: Grzegorz Bernacki @ 2021-07-14 12:30 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki, Sunny Wang
The edk2 patch
SecurityPkg: Create library for setting Secure Boot variables.
removes generic functions from SecureBootConfigDxe and places
them into SecureBootVariableLib. This patch adds SecureBootVariableLib
mapping for each Intel platform which uses SecureBootConfigDxe.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
---
Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc | 2 ++
Platform/Intel/QuarkPlatformPkg/Quark.dsc | 2 ++
Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc | 2 ++
Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc | 2 ++
4 files changed, 8 insertions(+)
diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc
index b154f9615d..c3d05fc913 100644
--- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc
+++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc
@@ -139,6 +139,8 @@
!if gMinPlatformPkgTokenSpaceGuid.PcdUefiSecureBootEnable == TRUE
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!endif
SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
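Review bot: the commit message names only SecureBootVariableLib, but this hunk, like every other hunk in the patch, also maps SecureBootVariableProvisionLib inside the PcdUefiSecureBootEnable block. The cover letter gives the v6 split of the library as the reason for the second line, so the subject or body of this commit should mention SecureBootVariableProvisionLib as well. Otherwise someone searching the log for that class will not find this change.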
diff --git a/Platform/Intel/QuarkPlatformPkg/Quark.dsc b/Platform/Intel/QuarkPlatformPkg/Quark.dsc
index cc1eba4df4..bc6f552ce0 100644
--- a/Platform/Intel/QuarkPlatformPkg/Quark.dsc
+++ b/Platform/Intel/QuarkPlatformPkg/Quark.dsc
@@ -175,6 +175,8 @@
!if $(SECURE_BOOT_ENABLE)
PlatformSecureLib|QuarkPlatformPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
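Review bot: the two new mappings go only into the `!if $(SECURE_BOOT_ENABLE)` branch, while the `!else` branch still resolves AuthVariableLib to AuthVariableLibNull and gets no counterpart for the new classes. That is correct only if every module consuming SecureBootVariableLib or SecureBootVariableProvisionLib is itself built under the same condition. Please state that in the commit message, or confirm it with a Quark build that leaves SECURE_BOOT_ENABLE unset.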
diff --git a/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc b/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc
index d15da40819..48c3c5bc60 100644
--- a/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc
+++ b/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc
@@ -227,6 +227,8 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
diff --git a/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc b/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc
index 4a5548b80e..4bb540b63a 100644
--- a/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc
+++ b/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc
@@ -229,6 +229,8 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
--
2.25.1
* [edk2-platforms PATCH v6 2/4] ARM Silicon and Platforms: add SecureBootVariableLib class resolution
From: Grzegorz Bernacki @ 2021-07-14 12:30 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki
The edk2 patch
SecurityPkg: Create library for setting Secure Boot variables.
removes generic functions from SecureBootConfigDxe and places
them into SecureBootVariableLib. This patch adds SecureBootVariableLib
mapping for each ARM platform which uses SecureBootConfigDxe.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Graeme Gregory <graeme@nuviainc.com> #SbsaQemu
Reviewed-by: Sami Mujawar <sami.mujawar@arm.com> #ArmVExpress
---
Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc | 2 ++
Platform/Qemu/SbsaQemu/SbsaQemu.dsc | 2 ++
Platform/RaspberryPi/RPi3/RPi3.dsc | 2 ++
Platform/RaspberryPi/RPi4/RPi4.dsc | 2 ++
Platform/Socionext/DeveloperBox/DeveloperBox.dsc | 5 +++++
5 files changed, 13 insertions(+)
diff --git a/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc b/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
index fee7cfcc2d..d6f31ecda4 100644
--- a/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
+++ b/Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc
@@ -129,6 +129,8 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
# re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/Platform/Qemu/SbsaQemu/SbsaQemu.dsc b/Platform/Qemu/SbsaQemu/SbsaQemu.dsc
index 11ce361cdb..063a45b3ce 100644
--- a/Platform/Qemu/SbsaQemu/SbsaQemu.dsc
+++ b/Platform/Qemu/SbsaQemu/SbsaQemu.dsc
@@ -156,6 +156,8 @@ DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
#
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
# re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
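Review bot: unlike the other hunks in this patch, the context here shows no `!if $(SECURE_BOOT_ENABLE) == TRUE` line above TpmMeasurementLib and AuthVariableLib, only the closing `#` of a comment. If the mappings sit in an unconditional part of SbsaQemu.dsc, that matches the AuthVariableLib line they follow, but please confirm this is intended for this platform and not a guard that was left out.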
diff --git a/Platform/RaspberryPi/RPi3/RPi3.dsc b/Platform/RaspberryPi/RPi3/RPi3.dsc
index 53825bcf62..a47069cc39 100644
--- a/Platform/RaspberryPi/RPi3/RPi3.dsc
+++ b/Platform/RaspberryPi/RPi3/RPi3.dsc
@@ -167,6 +167,8 @@
# re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!else
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
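Review bot: in this hunk the new lines are placed after the PlatformSecureLib mapping and its "re-use the UserPhysicalPresent() dummy implementation" comment, whereas the ArmVExpress.dsc.inc, SbsaQemu.dsc and RPi4.dsc hunks place them directly after AuthVariableLib, before that comment. Moving them up to the same position in RPi3.dsc would keep the two Raspberry Pi files aligned and make later diffs between them smaller.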
diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4/RPi4.dsc
index fd73c4d14b..79e2571d62 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.dsc
+++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
@@ -164,6 +164,8 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
# re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
index 88454c1f90..9af262a2d1 100644
--- a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
+++ b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc
@@ -52,6 +52,11 @@
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
+!endif
+
[LibraryClasses.common.SEC]
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
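Review bot: this hunk opens a new `!if $(SECURE_BOOT_ENABLE) == TRUE` block directly before `[LibraryClasses.common.SEC]`, so the mappings land in whichever section precedes that header, which the context does not show. Please confirm that this section applies to the module types that consume the two classes. If DeveloperBox.dsc already has a conditional block for Secure Boot libraries, the lines would be better placed there than in a second conditional.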
--
2.25.1
* [edk2-platforms PATCH v6 3/4] RISC-V Platforms: add SecureBootVariableLib class resolution
From: Grzegorz Bernacki @ 2021-07-14 12:30 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki, Abner Chang, Daniel Schaefer
The edk2 patch
SecurityPkg: Create library for setting Secure Boot variables.
removes generic functions from SecureBootConfigDxe and places
them into SecureBootVariableLib. This patch adds SecureBootVariableLib
mapping for each RISC-V platform which uses SecureBootConfigDxe.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Abner Chang <abner.chang@hpe.com>
Reviewed-by: Daniel Schaefer <daniel.schaefer@hpe.com>
---
Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc | 2 ++
Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.dsc | 2 ++
2 files changed, 4 insertions(+)
diff --git a/Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc b/Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc
index b91823ceeb..c8efa35029 100644
--- a/Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc
+++ b/Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc
@@ -122,6 +122,8 @@
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!else
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
diff --git a/Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.dsc b/Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.dsc
index 0eafe29880..a5ffa79dd0 100644
--- a/Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.dsc
+++ b/Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.dsc
@@ -122,6 +122,8 @@
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!else
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
--
2.25.1
* [edk2-platforms PATCH v6 4/4] Platform/RaspberryPi: Enable default Secure Boot variables initialization
From: Grzegorz Bernacki @ 2021-07-14 12:30 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki, Sunny Wang
This commit allows initializing the Secure Boot default key
and databases from data embedded in the firmware binary.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
---
Platform/RaspberryPi/RPi4/RPi4.dsc | 2 ++
Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++
2 files changed, 4 insertions(+)
diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4/RPi4.dsc
index 79e2571d62..218411b70c 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.dsc
+++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
@@ -622,6 +622,8 @@
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
}
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+ SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
+ SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
!else
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
!endif
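Review bot: EnrollFromDefaultKeysApp.inf is added to the components here, but the RPi4.fdf hunk in this patch adds an INF line only for SecureBootDefaultKeysDxe.inf. If the application is meant to be built without being placed in the firmware volume, the commit message should say so and explain how it is expected to be run; otherwise the FDF is missing an entry.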
diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf b/Platform/RaspberryPi/RPi4/RPi4.fdf
index 1e13909a57..8508065a77 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.fdf
+++ b/Platform/RaspberryPi/RPi4/RPi4.fdf
@@ -189,7 +189,9 @@ READ_LOCK_STATUS = TRUE
INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
+!include ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+ INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
!endif
INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
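Review bot: the `!include ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc` line is the only place in this patch where the embedded data mentioned in the commit message can enter the image, yet neither the hunk nor the message says which inputs the include expects or what happens to a SECURE_BOOT_ENABLE build when they are not supplied. Please document where the default key and database content comes from and how a builder provides it, since these defaults decide what the firmware trusts once they are enrolled.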
--
2.25.1
* Re: [edk2-platforms PATCH v6 0/4] Secure Boot default keys
From: Sunny Wang @ 2021-08-03 14:11 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io,
ardb+tianocore@kernel.org
Cc: leif@nuviainc.com, Samer El-Haj-Mahmoud, mw@semihalf.com,
upstream@semihalf.com, jiewen.yao@intel.com,
jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com,
Sami Mujawar, afish@apple.com, ray.ni@intel.com,
jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org,
Thomas Abraham, chasel.chiu@intel.com,
nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn,
eric.dong@intel.com, michael.d.kinney@intel.com,
zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com,
rad@semihalf.com, pete@akeo.ie, Sunny Wang
Hi Ard and Maintainers,
For this patchset,
1/4 - Intel Platforms: add SecureBootVariableLib class resolution
2/4 - ARM Silicon and Platforms: add SecureBootVariableLib class resolution
3/4 - RISC-V Platforms: add SecureBootVariableLib class resolution
4/4 - Platform/RaspberryPi: Enable default Secure Boot variables initialization
Only the Intel platform patch (1/4) hasn't got all Review-bys. I sent a reminder offline to the Intel platform Maintainers. I think they may be busy with other things or need more time to review it.
Therefore, how about we merge the other three patches (2/4, 3/4, and 4/4) first?
Best Regards,
Sunny Wang
-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Wednesday, July 14, 2021 8:31 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>; afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [edk2-platforms PATCH v6 0/4] Secure Boot default keys
This patchset is a consequence of "Secure Boot default keys"
patchset in edk2. It adds SecureBootVariableLib class resolution
for each platform which uses SecureBootConfigDxe and also
enables Secure Boot variables initialization for RPi4.
Previously these commits were part of the edk2 patchset, but since
the number of commits increased in the v5 version, it is now a separate
patchset.
Changes related to both edk2 & edk-platform versions:
Changes since v1:
- change names:
SecBootVariableLib => SecureBootVariableLib
SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
- change name of function CheckSetupMode to GetSetupMode
- remove ShellPkg dependency from EnrollFromDefaultKeysApp
- rebase to master
Changes since v2:
- fix coding style for function headers in SecureBootVariableLib.h
- add header to SecureBootDefaultKeys.fdf.inc
- remove empty line spaces in SecureBootDefaultKeysDxe files
- revert FAIL macro in EnrollFromDefaultKeysApp
- remove function duplicates and add SecureBootVariableLib
to platforms which used it
Changes since v3:
- move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
- leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
- fix typo in guid description
Changes since v4:
- reorder patches to make it bisectable
- split commits related to more than one platform
- move edk2-platform commits to separate patchset
Changes since v5:
- split SecureBootVariableLib into SecureBootVariableLib and
SecureBootVariableProvisionLib
Grzegorz Bernacki (4):
Intel Platforms: add SecureBootVariableLib class resolution
ARM Silicon and Platforms: add SecureBootVariableLib class resolution
RISC-V Platforms: add SecureBootVariableLib class resolution
Platform/RaspberryPi: Enable default Secure Boot variables
initialization
Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc | 2 ++
Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc | 2 ++
Platform/Intel/QuarkPlatformPkg/Quark.dsc | 2 ++
Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc | 2 ++
Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc | 2 ++
Platform/Qemu/SbsaQemu/SbsaQemu.dsc | 2 ++
Platform/RaspberryPi/RPi3/RPi3.dsc | 2 ++
Platform/RaspberryPi/RPi4/RPi4.dsc | 4 ++++
Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc | 2 ++
Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.dsc | 2 ++
Platform/Socionext/DeveloperBox/DeveloperBox.dsc | 5 +++++
Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++
12 files changed, 29 insertions(+)
--
2.25.1
* Re: [edk2-platforms PATCH v6 0/4] Secure Boot default keys
From: gaoliming @ 2021-08-04 2:21 UTC (permalink / raw)
To: 'Sunny Wang', 'Grzegorz Bernacki', devel,
ardb+tianocore
Cc: leif, 'Samer El-Haj-Mahmoud', mw, upstream, jiewen.yao,
jian.j.wang, min.m.xu, lersek, 'Sami Mujawar', afish,
ray.ni, jordan.l.justen, rebecca, grehan,
'Thomas Abraham', chasel.chiu, nathaniel.l.desimone,
eric.dong, michael.d.kinney, zailiang.sun, yi.qian, graeme, rad,
pete
Sunny:
I am OK to merge the reviewed patches first.
Thanks
Liming
* Re: [edk2-devel] Re: [edk2-platforms PATCH v6 0/4] Secure Boot default keys
From: Ard Biesheuvel @ 2021-08-04 12:33 UTC (permalink / raw)
To: edk2-devel-groups-io, Liming Gao (Byosoft address)
Cc: Sunny Wang, Grzegorz Bernacki, Ard Biesheuvel, Leif Lindholm,
Samer El-Haj-Mahmoud, Marcin Wojtas, upstream, Jiewen Yao,
Jian J Wang, Min Xu, Laszlo Ersek, Sami Mujawar, Andrew Fish,
Ray Ni, Jordan Justen, Rebecca Cran, Peter Grehan, Thomas Abraham,
Chasel Chiu, Nate DeSimone, Eric Dong, Michael Kinney,
Sun, Zailiang, Qian, Yi, Graeme Gregory, Radoslaw Biernacki,
Peter Batard
On Wed, 4 Aug 2021 at 04:21, gaoliming <gaoliming@byosoft.com.cn> wrote:
>
> Sunny:
> I am OK to merge the reviewed patches first.
>
Patches 2-4 merged as 2f0188b56ef4..5ba08a9b7516
Thanks all