From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-lf1-f50.google.com (mail-lf1-f50.google.com [209.85.167.50]) by mx.groups.io with SMTP id smtpd.web09.18182.1627901237077358014 for ; Mon, 02 Aug 2021 03:47:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@semihalf-com.20150623.gappssmtp.com header.s=20150623 header.b=HXXDme4y; spf=none, err=SPF record not found (domain: semihalf.com, ip: 209.85.167.50, mailfrom: gjb@semihalf.com) Received: by mail-lf1-f50.google.com with SMTP id t9so19926828lfc.6 for ; Mon, 02 Aug 2021 03:47:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=semihalf-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Up2hOhXEPWbVoxrd3Ilz8bnfNB2R9bqoOY5d8nT2XuM=; b=HXXDme4yu66YR6rHRF17tiv9AjoRZ2s4H/3zfGrYxbzSoPOMgRgBMA9DEfpx+YX52F ZNImJrW5r99H7nADN+HaXHe2cDya2OQB23v9tlKg78kpa0WsOeKWna1vKrK2j4OnSQnL /MOjKXbrPxwiTwbcIyPP2HAeMFDrFhZZ0fsUwXl+6jwc9ojAg+rkA8C3ttvQRZo96uR0 GO0FwKoDWKsgRrN5fA86zr3Yjdfz5EPRZWoyo1JMPpsryiV2r4Ps2P7OiECiXx5yvJOP Aqr0OjmsuJwZ5i0CrjHt5VA4H6E9gHhhr1eMxaWigvm3lHB58RdRQO1jW1gb24N1+TGU Xaxg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Up2hOhXEPWbVoxrd3Ilz8bnfNB2R9bqoOY5d8nT2XuM=; b=VjYNRSBE0Tf4a7go6eXZY9d/ToXNiBYC30sR5eaaKSFlFOFX0DROISp70ZsAWQ5p1C 8iV9zPZQ+B5TpHGNxWvh/hzjZllYoCbMrH4KsGkubbg3TnOlEAdR9DQclxoweFBeFteH e2Vqhd1tp/EoB9rmw8Iw9gTEE5s/E4Iu5irccb2+xd+SzN5bCTlNvf0TH/MzHKdNgDVV s8raLtBn+h42Q+ZlxSwL3x6oDBEP6D+J2QjGHrbrqPCxD/6+7ZfEFVKuIXs8kPvFJAty 8v2w6QUguQgb9HEkazKsd8e16y694eg+wM4Im5vPfTR2FRDAOX28YFqfL6WIpVmG5adW xlxg== X-Gm-Message-State: AOAM530B6n/Zf6qpo/rL1GoFjm+fyHHLb8aOtO0+yDYxCKEliJxwZpsf J5Mn2xFrE9F/hhuK39wJz2s6ngvDJNQEV4Nn X-Google-Smtp-Source: ABdhPJyylDiIRJExewbKuD6XZG6ilxHkwPbXKaVwlqZ9+K8Y3PDiFHMl/g6NnrUB4wdKCzV4QJo5MQ== X-Received: by 2002:ac2:4c29:: with SMTP id u9mr2078274lfq.410.1627901235264; Mon, 02 Aug 2021 03:47:15 -0700 (PDT) Return-Path: Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.47.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:14 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang , Jiewen Yao Subject: [PATCH v8 11/11] SecurityPkg: Add option to reset secure boot keys. Date: Mon, 2 Aug 2021 12:46:33 +0200 Message-Id: <20210802104633.2833333-12-gjb@semihalf.com> X-Mailer: git-send-email 2.29.0 In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit This commit add option which allows reset content of Secure Boot keys and databases to default variables. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang Reviewed-by: Jiewen Yao Reviewed-by: Pete Batard Tested-by: Pete Batard on Raspberry Pi 4 --- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 153 ++++++++++++++++++++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 + 5 files changed, 166 insertions(+) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf index 14c7311b08..420687a211 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf @@ -110,6 +110,7 @@ [Protocols] gEfiHiiConfigAccessProtocolGuid ## PRODUCES gEfiDevicePathProtocolGuid ## PRODUCES + gEfiHiiPopupProtocolGuid [Depex] gEfiHiiConfigRoutingProtocolGuid AND diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h index 6e54a4b0f2..4ecc25efc3 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h @@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #define KEY_VALUE_FROM_DBX_TO_LIST_FORM 0x100f +#define KEY_SECURE_BOOT_RESET_TO_DEFAULT 0x1010 + #define KEY_SECURE_BOOT_OPTION 0x1100 #define KEY_SECURE_BOOT_PK_OPTION 0x1101 #define KEY_SECURE_BOOT_KEK_OPTION 0x1102 diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr index fa7e11848c..e4560c592c 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr @@ -69,6 +69,12 @@ formset endif; endif; + text + help = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP), + text = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS), + flags = INTERACTIVE, + key = KEY_SECURE_BOOT_RESET_TO_DEFAULT; + endform; // diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c index f527aa32e6..65a8188d6d 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include "SecureBootConfigImpl.h" +#include #include #include #include @@ -4155,6 +4156,131 @@ ON_EXIT: return Status; } +/** + This function reinitializes Secure Boot variables with default values. + + @retval EFI_SUCCESS Success to update the signature list page + @retval others Fail to delete or enroll signature data. +**/ +STATIC EFI_STATUS +EFIAPI +KeyEnrollReset ( + VOID + ) +{ + EFI_STATUS Status; + UINT8 SetupMode; + + Status = EFI_SUCCESS; + + Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR(Status)) { + return Status; + } + + // Clear all the keys and databases + Status = DeleteDb (); + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status)); + return Status; + } + + Status = DeleteDbx (); + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status)); + return Status; + } + + Status = DeleteDbt (); + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status)); + return Status; + } + + Status = DeleteKEK (); + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status)); + return Status; + } + + Status = DeletePlatformKey (); + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status)); + return Status; + } + + // After PK clear, Setup Mode shall be enabled + Status = GetSetupMode (&SetupMode); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n", + Status)); + return Status; + } + + if (SetupMode == USER_MODE) { + DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n")); + return EFI_SUCCESS; + } + + Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", + Status)); + return EFI_SUCCESS; + } + + // Enroll all the keys from default variables + Status = EnrollDbFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status)); + goto error; + } + + Status = EnrollDbxFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status)); + } + + Status = EnrollDbtFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status)); + } + + Status = EnrollKEKFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status)); + goto cleardbs; + } + + Status = EnrollPKFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status)); + goto clearKEK; + } + + Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n" + "Please do it manually, otherwise system can be easily compromised\n")); + } + + return Status; + +clearKEK: + DeleteKEK (); + +cleardbs: + DeleteDbt (); + DeleteDbx (); + DeleteDb (); + +error: + if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) != EFI_SUCCESS) { + DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status)); + } + return Status; +} + /** This function is called to provide results data to the driver. @@ -4206,6 +4332,8 @@ SecureBootCallback ( SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; BOOLEAN GetBrowserDataResult; ENROLL_KEY_ERROR EnrollKeyErrorCode; + EFI_HII_POPUP_PROTOCOL *HiiPopup; + EFI_HII_POPUP_SELECTION UserSelection; Status = EFI_SUCCESS; SecureBootEnable = NULL; @@ -4756,6 +4884,31 @@ SecureBootCallback ( FreePool (SetupMode); } break; + case KEY_SECURE_BOOT_RESET_TO_DEFAULT: + { + Status = gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VOID **) &HiiPopup); + if (EFI_ERROR (Status)) { + return Status; + } + Status = HiiPopup->CreatePopup ( + HiiPopup, + EfiHiiPopupStyleInfo, + EfiHiiPopupTypeYesNo, + Private->HiiHandle, + STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP), + &UserSelection + ); + if (UserSelection == EfiHiiPopupSelectionYes) { + Status = KeyEnrollReset (); + } + // + // Update secure boot strings after key reset + // + if (Status == EFI_SUCCESS) { + Status = UpdateSecureBootString (Private); + SecureBootExtractConfigFromVariable (Private, IfrNvData); + } + } default: break; } diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni index ac783453cc..0d01701de7 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni @@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure Boot" #string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable the Secure Boot feature after platform reset" +#string STR_SECURE_RESET_TO_DEFAULTS_HELP #language en-US "Enroll keys with data from default variables" +#string STR_SECURE_RESET_TO_DEFAULTS #language en-US "Reset Secure Boot Keys" +#string STR_RESET_TO_DEFAULTS_POPUP #language en-US "Secure Boot Keys & databases will be initialized from defaults.\n Are you sure?" + #string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signature" #string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signature" #string STR_SECURE_BOOT_DELETE_LIST_FORM #language en-US "Delete Signature List Form" -- 2.25.1