From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) by mx.groups.io with SMTP id smtpd.web09.725.1651687491842308106 for ; Wed, 04 May 2022 11:04:51 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=RfmkT8xz; spf=pass (domain: gmail.com, ip: 209.85.210.176, mailfrom: kuqin12@gmail.com) Received: by mail-pf1-f176.google.com with SMTP id g8so1737596pfh.5 for ; Wed, 04 May 2022 11:04:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=2H7s57pPL+l1+zDZVjrrfk+6qpshTA4A3tNJezkpgYY=; b=RfmkT8xz7+NLTAxPR4FJEp0jbGvu4oYsml3LG35c0ZQLwphJUNQu5jegyZi6D2asNT 4Jx+pzD3GZ3Dr4lkjCucP31w5/myacNPcUK2i+rEfp0z5DwTOIeo79k9UW8Om67EdNPP hDH8kskaDYS4NlT90yXsMMQNP1fplWcZsmzqLokfel5FZRwyujWtr8YYcCOul4xcwgd9 j2lBCJzPBU+E5p+sR6d1btg7DfILEk/QovChACd06AJlwzNDqHyMYneJlfrpsZ/IPdXv 5lHphYrd3XMJIH7aCPWtaiNncUXO2Vf2wbJb5/MMTkpxuVyZfCz3n6wB1/pkrjE1sWfT cF1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=2H7s57pPL+l1+zDZVjrrfk+6qpshTA4A3tNJezkpgYY=; b=pDEBFQFIKAIy3RFlm2n4IVm2LLMuP3rHmxy9h/qBtH+mEnqElIxAQYfgWM14n8Dtb4 NpziDOhtQaSFocWAvojmQ3rV0bxTk4i1Quhs8Z6Sp3hdW4KbzBvIhY1otJ0mO3VuX2YW wWChMy6zi2Sh39IplRA80iEmfhhYSb5SyPXggpPl13u/3JVsFMjBpQRYHr0N6/pWDWl8 FL5yyMsNYxZDqzxvD9uojrhzcyAbQw4xwWpBoYaWFqr/t14kZJC4qDG3QKGucP55RJFc 26pP8F4BY3UyokUrmFAuFTwHVIERm/QBrfjDZ1dIE7T7sDAl10iety5xjIj8qruIxq21 6dIA== X-Gm-Message-State: AOAM5325j3aPuvvfbJS5gVnZnlAeIirNAsWWQFpB0oaf5sarCS54yRxS fvRqRQX9XZMOvkhwk3jxANON8NXEsiILAw== X-Google-Smtp-Source: ABdhPJxzg0Q4W/z0fKHN/3hSLmexClBOm06Z9TDKH1VfTCnxqVyDjQEkZPK0TVj3MJ6TfP3CR4+7Pg== X-Received: by 2002:a63:9043:0:b0:3ab:18b:474e with SMTP id a64-20020a639043000000b003ab018b474emr18850873pge.544.1651687490718; Wed, 04 May 2022 11:04:50 -0700 (PDT) Return-Path: Received: from localhost.localdomain ([50.47.82.110]) by smtp.gmail.com with ESMTPSA id n5-20020aa79045000000b0050dc7628143sm8496347pfo.29.2022.05.04.11.04.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 May 2022 11:04:50 -0700 (PDT) From: "Kun Qin" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu , Sean Brogan , Ard Biesheuvel , Jordan Justen , Gerd Hoffmann , Rebecca Cran , Peter Grehan , Sebastien Boeuf , Andrew Fish , Ray Ni Subject: [PATCH v1 00/11] Enhance Secure Boot Variable Libraries Date: Wed, 4 May 2022 11:04:26 -0700 Message-Id: <20220504180438.1321-1-kuqin12@gmail.com> X-Mailer: git-send-email 2.35.1.windows.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911 Current SecureBootVariableLib provide great support for deleting secure boot related variables, creating time-based payloads. However, for secure boot enrollment, the SecureBootVariableProvisionLib interfaces always assume the changes from variable storage, limiting the usage, requiring existing platforms to change key initialization process to adapt to the new methods, as well as bringing in extra dependencies such as FV protocol, time protocols. This patch series proposes to update the implementation for Secure Boot Variable libraries and their consumers to better support the related variables operations. Patch v1 branch: https://github.com/kuqin12/edk2/tree/secure_boot_enhance_v1 Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Cc: Sean Brogan Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Gerd Hoffmann Cc: Rebecca Cran Cc: Peter Grehan Cc: Sebastien Boeuf Cc: Andrew Fish Cc: Ray Ni Kun Qin (8): SecurityPkg: UefiSecureBoot: Definitions of cert and payload structures SecurityPkg: PlatformPKProtectionLib: Added PK protection interface SecurityPkg: SecureBootVariableLib: Updated time based payload creator SecurityPkg: SecureBootVariableProvisionLib: Updated implementation SecurityPkg: Secure Boot Drivers: Added common header files SecurityPkg: SecureBootConfigDxe: Updated invocation pattern OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency EmulatorPkg: Pipeline: Resolve SecureBootVariableLib dependency kuqin (3): SecurityPkg: SecureBootVariableLib: Updated signature list creator SecurityPkg: SecureBootVariableLib: Added newly supported interfaces SecurityPkg: SecureBootVariableLib: Added unit tests SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 1 + SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c | 51 + SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 484 ++++- SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c | 36 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c | 201 ++ SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c | 13 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c | 2037 ++++++++++++++++++++ SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 145 +- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 128 +- SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 1 + EmulatorPkg/EmulatorPkg.dsc | 1 + OvmfPkg/Bhyve/BhyveX64.dsc | 1 + OvmfPkg/CloudHv/CloudHvX64.dsc | 1 + OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 + OvmfPkg/OvmfPkgIa32.dsc | 1 + OvmfPkg/OvmfPkgIa32X64.dsc | 1 + OvmfPkg/OvmfPkgX64.dsc | 1 + SecurityPkg/Include/Library/PlatformPKProtectionLib.h | 31 + SecurityPkg/Include/Library/SecureBootVariableLib.h | 103 +- SecurityPkg/Include/UefiSecureBoot.h | 94 + SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf | 36 + SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 13 +- SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf | 33 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf | 45 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf | 25 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf | 36 + SecurityPkg/SecurityPkg.ci.yaml | 11 + SecurityPkg/SecurityPkg.dec | 5 + SecurityPkg/SecurityPkg.dsc | 2 + SecurityPkg/Test/SecurityPkgHostTest.dsc | 38 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 + 31 files changed, 3465 insertions(+), 112 deletions(-) create mode 100644 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c create mode 100644 SecurityPkg/Include/Library/PlatformPKProtectionLib.h create mode 100644 SecurityPkg/Include/UefiSecureBoot.h create mode 100644 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf create mode 100644 SecurityPkg/Test/SecurityPkgHostTest.dsc -- 2.34.1.windows.1