From: "Grzegorz Bernacki" <gjb@semihalf.com>
To: devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com,
mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com,
jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com,
sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com,
jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org,
thomas.abraham@arm.com, chasel.chiu@intel.com,
nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn,
eric.dong@intel.com, michael.d.kinney@intel.com,
zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com,
rad@semihalf.com, pete@akeo.ie,
Grzegorz Bernacki <gjb@semihalf.com>,
Sunny Wang <sunny.wang@arm.com>,
Jiewen Yao <Jiewen.yao@intel.com>
Subject: [PATCH v8 10/11] SecurityPkg: Add new modules to Security package.
Date: Mon, 2 Aug 2021 12:46:32 +0200 [thread overview]
Message-ID: <20210802104633.2833333-11-gjb@semihalf.com> (raw)
In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com>
This commits adds modules and dependencies related
to initialization and usage of default Secure Boot
key variables to SecurityPkg.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
---
SecurityPkg/SecurityPkg.dec | 14 ++++++++++++++
SecurityPkg/SecurityPkg.dsc | 7 ++++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index e30c39f321..d5ace6f654 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -198,6 +198,20 @@
## GUID used to enforce loading order between Tcg2Acpi and Tcg2Smm
gTcg2MmSwSmiRegisteredGuid = { 0x9d4548b9, 0xa48d, 0x4db4, { 0x9a, 0x68, 0x32, 0xc5, 0x13, 0x9e, 0x20, 0x18 } }
+ ## GUID used to specify section with default PK content
+ gDefaultPKFileGuid = { 0x85254ea7, 0x4759, 0x4fc4, { 0x82, 0xd4, 0x5e, 0xed, 0x5f, 0xb0, 0xa4, 0xa0 } }
+
+ ## GUID used to specify section with default KEK content
+ gDefaultKEKFileGuid = { 0x6f64916e, 0x9f7a, 0x4c35, { 0xb9, 0x52, 0xcd, 0x04, 0x1e, 0xfb, 0x05, 0xa3 } }
+
+ ## GUID used to specify section with default db content
+ gDefaultdbFileGuid = { 0xc491d352, 0x7623, 0x4843, { 0xac, 0xcc, 0x27, 0x91, 0xa7, 0x57, 0x44, 0x21 } }
+
+ ## GUID used to specify section with default dbx content
+ gDefaultdbxFileGuid = { 0x5740766a, 0x718e, 0x4dc0, { 0x99, 0x35, 0xc3, 0x6f, 0x7d, 0x3f, 0x88, 0x4f } }
+
+ ## GUID used to specify section with default dbt content
+ gDefaultdbtFileGuid = { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } }
[Ppis]
## The PPI GUID for that TPM physical presence should be locked.
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 99c227dad2..64157e20f9 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -73,7 +73,7 @@
SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
-[LibraryClasses.ARM]
+[LibraryClasses.ARM, LibraryClasses.AARCH64]
#
# It is not possible to prevent the ARM compiler for generic intrinsic functions.
# This library provides the intrinsic functions generate by a given compiler.
@@ -149,6 +149,7 @@
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
!endif
HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRouterDxe.inf
+ HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
@@ -260,6 +261,10 @@
[Components.IA32, Components.X64, Components.ARM, Components.AARCH64]
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
+ SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
+ SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
[Components.IA32, Components.X64, Components.AARCH64]
#
--
2.25.1
next prev parent reply other threads:[~2021-08-02 10:47 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-02 10:46 [PATCH v8 00/11] Secure Boot default keys Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 01/11] SecurityPkg: Create SecureBootVariableLib Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 02/11] SecurityPkg: Create library for enrolling Secure Boot variables Grzegorz Bernacki
2021-08-24 12:22 ` [edk2-devel] " Patrick Rudolph
2021-08-24 12:26 ` Grzegorz Bernacki
2021-08-30 12:48 ` Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 03/11] ArmVirtPkg: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 04/11] OvmfPkg: " Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 05/11] EmulatorPkg: " Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 06/11] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 07/11] ArmPlatformPkg: Create include file for default key content Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 08/11] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 09/11] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-08-02 10:46 ` Grzegorz Bernacki [this message]
2021-08-02 10:46 ` [PATCH v8 11/11] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-08-03 7:29 ` [PATCH v8 00/11] Secure Boot default keys Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210802104633.2833333-11-gjb@semihalf.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox