public inbox for devel@edk2.groups.io
* [PATCH v1 00/11] Enhance Secure Boot Variable Libraries
@ 2022-05-04 18:04 Kun Qin
  2022-05-04 18:04 ` [PATCH v1 01/11] SecurityPkg: UefiSecureBoot: Definitions of cert and payload structures Kun Qin
                   ` (10 more replies)
  0 siblings, 11 replies; 12+ messages in thread
From: Kun Qin @ 2022-05-04 18:04 UTC (permalink / raw)
  To: devel
  Cc: Jiewen Yao, Jian J Wang, Min Xu, Sean Brogan, Ard Biesheuvel,
	Jordan Justen, Gerd Hoffmann, Rebecca Cran, Peter Grehan,
	Sebastien Boeuf, Andrew Fish, Ray Ni

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911

The current SecureBootVariableLib provides great support for deleting secure
boot related variables and creating time-based payloads.

However, for secure boot enrollment, the SecureBootVariableProvisionLib
interfaces always assume the changes come from variable storage, limiting
their usage, requiring existing platforms to change their key initialization
process to adapt to the new methods, and bringing in extra dependencies such
as the FV protocol and time protocols.

This patch series proposes to update the implementation for Secure Boot
Variable libraries and their consumers to better support the related
variables operations.

Patch v1 branch: https://github.com/kuqin12/edk2/tree/secure_boot_enhance_v1

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Rebecca Cran <rebecca@bsdio.com>
Cc: Peter Grehan <grehan@freebsd.org>
Cc: Sebastien Boeuf <sebastien.boeuf@intel.com>
Cc: Andrew Fish <afish@apple.com>
Cc: Ray Ni <ray.ni@intel.com>

Kun Qin (8):
  SecurityPkg: UefiSecureBoot: Definitions of cert and payload
    structures
  SecurityPkg: PlatformPKProtectionLib: Added PK protection interface
  SecurityPkg: SecureBootVariableLib: Updated time based payload creator
  SecurityPkg: SecureBootVariableProvisionLib: Updated implementation
  SecurityPkg: Secure Boot Drivers: Added common header files
  SecurityPkg: SecureBootConfigDxe: Updated invocation pattern
  OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency
  EmulatorPkg: Pipeline: Resolve SecureBootVariableLib dependency

kuqin (3):
  SecurityPkg: SecureBootVariableLib: Updated signature list creator
  SecurityPkg: SecureBootVariableLib: Added newly supported interfaces
  SecurityPkg: SecureBootVariableLib: Added unit tests

 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                           |    1 +
 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c   |   51 +
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                         |  484 ++++-
 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c          |   36 +
 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c                          |  201 ++
 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c      |   13 +
 SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c        | 2037 ++++++++++++++++++++
 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c       |  145 +-
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c              |  128 +-
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c     |    1 +
 EmulatorPkg/EmulatorPkg.dsc                                                               |    1 +
 OvmfPkg/Bhyve/BhyveX64.dsc                                                                |    1 +
 OvmfPkg/CloudHv/CloudHvX64.dsc                                                            |    1 +
 OvmfPkg/IntelTdx/IntelTdxX64.dsc                                                          |    1 +
 OvmfPkg/OvmfPkgIa32.dsc                                                                   |    1 +
 OvmfPkg/OvmfPkgIa32X64.dsc                                                                |    1 +
 OvmfPkg/OvmfPkgX64.dsc                                                                    |    1 +
 SecurityPkg/Include/Library/PlatformPKProtectionLib.h                                     |   31 +
 SecurityPkg/Include/Library/SecureBootVariableLib.h                                       |  103 +-
 SecurityPkg/Include/UefiSecureBoot.h                                                      |   94 +
 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf |   36 +
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                       |   13 +-
 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf        |   33 +
 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf                        |   45 +
 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf    |   25 +
 SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf      |   36 +
 SecurityPkg/SecurityPkg.ci.yaml                                                           |   11 +
 SecurityPkg/SecurityPkg.dec                                                               |    5 +
 SecurityPkg/SecurityPkg.dsc                                                               |    2 +
 SecurityPkg/Test/SecurityPkgHostTest.dsc                                                  |   38 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf             |    1 +
 31 files changed, 3465 insertions(+), 112 deletions(-)
 create mode 100644 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c
 create mode 100644 SecurityPkg/Include/Library/PlatformPKProtectionLib.h
 create mode 100644 SecurityPkg/Include/UefiSecureBoot.h
 create mode 100644 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf
 create mode 100644 SecurityPkg/Test/SecurityPkgHostTest.dsc

-- 
2.34.1.windows.1

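The series above reworks how SecureBootVariableLib builds signature lists and time-based authenticated payloads. As an added illustration that is not part of this series or of edk2, the following C program lays out a single-entry EFI_SIGNATURE_LIST holding one X.509 certificate and wraps it in the EFI_VARIABLE_AUTHENTICATION_2 descriptor that a time-based authenticated SetVariable expects, using the structure layouts and GUIDs from the UEFI specification. The certificate bytes, owner GUID and timestamp are constructed placeholders, and the function names are the example's own, not the library's API.

```c
/* Added example, not edk2 code: builds an EFI_SIGNATURE_LIST for one X.509
 * certificate and prefixes it with the EFI_VARIABLE_AUTHENTICATION_2 descriptor
 * used for EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS writes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#pragma pack(1)
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct {
  EFI_GUID SignatureType;       /* e.g. EFI_CERT_X509_GUID */
  uint32_t SignatureListSize;   /* size of the whole list, this header included */
  uint32_t SignatureHeaderSize; /* 0 for X.509 lists */
  uint32_t SignatureSize;       /* size of each EFI_SIGNATURE_DATA entry */
} EFI_SIGNATURE_LIST;
typedef struct { EFI_GUID SignatureOwner; /* followed by SignatureData[] */ } EFI_SIGNATURE_DATA;
typedef struct {
  uint16_t Year; uint8_t Month, Day, Hour, Minute, Second, Pad1;
  uint32_t Nanosecond; int16_t TimeZone; uint8_t Daylight, Pad2;
} EFI_TIME;
typedef struct { uint32_t dwLength; uint16_t wRevision; uint16_t wCertificateType; } WIN_CERTIFICATE;
typedef struct { WIN_CERTIFICATE Hdr; EFI_GUID CertType; /* followed by CertData[] */ } WIN_CERTIFICATE_UEFI_GUID;
typedef struct { EFI_TIME TimeStamp; WIN_CERTIFICATE_UEFI_GUID AuthInfo; } EFI_VARIABLE_AUTHENTICATION_2;
#pragma pack()

/* GUID values from the UEFI specification. */
static const EFI_GUID kEfiCertX509Guid      = {0xa5c059a1,0x94e4,0x4aa7,{0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72}};
static const EFI_GUID kEfiCertTypePkcs7Guid = {0x4aafd29d,0x68df,0x49ee,{0x8a,0xa9,0x34,0x7d,0x37,0x56,0x65,0xa7}};
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
#define WIN_CERT_REVISION_2_0  0x0200

/* Constructed stand-ins: not a real DER certificate, not a real owner GUID. */
static const uint8_t  kSampleCert[]  = { 0x30, 0x03, 0x02, 0x01, 0x01 };
static const EFI_GUID kSampleOwner   = {0x12345678,0x1234,0x1234,{0,1,2,3,4,5,6,7}};

/* Serialises one certificate as a single-entry X.509 signature list.
 * Returns the number of bytes written, or 0 if Out cannot hold the list. */
size_t BuildX509SignatureList(const uint8_t *Cert, uint32_t CertLen, const EFI_GUID *Owner,
                              uint8_t *Out, size_t OutCap) {
  size_t Total = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) + CertLen;
  if (Total > OutCap || Total > UINT32_MAX) return 0;
  EFI_SIGNATURE_LIST Hdr;
  Hdr.SignatureType       = kEfiCertX509Guid;
  Hdr.SignatureListSize   = (uint32_t)Total;
  Hdr.SignatureHeaderSize = 0;
  Hdr.SignatureSize       = (uint32_t)(sizeof(EFI_SIGNATURE_DATA) + CertLen);
  memcpy(Out, &Hdr, sizeof Hdr);
  memcpy(Out + sizeof Hdr, Owner, sizeof *Owner);
  memcpy(Out + sizeof Hdr + sizeof *Owner, Cert, CertLen);
  return Total;
}

/* The spec requires a time-based timestamp with no sub-second, zone or DST data;
 * firmware rejects the write otherwise, so check before serialising. */
int IsValidAuthTimeStamp(const EFI_TIME *T) {
  return T->Pad1 == 0 && T->Nanosecond == 0 && T->TimeZone == 0 && T->Daylight == 0 && T->Pad2 == 0;
}

/* Prepends the EFI_VARIABLE_AUTHENTICATION_2 descriptor to Payload. Sig is the DER
 * PKCS#7 SignedData covering VariableName, VendorGuid, Attributes, TimeStamp and
 * Payload; SigLen == 0 emits the empty-CertData form that unsigned provisioning paths
 * use (assumption: accepted only under the platform's Setup Mode / custom mode policy).
 * Returns total bytes written, or 0 on a bad timestamp or too-small buffer. */
size_t WrapTimeBasedPayload(const EFI_TIME *TimeStamp, const uint8_t *Sig, uint32_t SigLen,
                            const uint8_t *Payload, size_t PayloadLen, uint8_t *Out, size_t OutCap) {
  if (!IsValidAuthTimeStamp(TimeStamp)) return 0;
  size_t Total = sizeof(EFI_VARIABLE_AUTHENTICATION_2) + SigLen + PayloadLen;
  if (Total > OutCap) return 0;
  EFI_VARIABLE_AUTHENTICATION_2 Desc;
  memset(&Desc, 0, sizeof Desc);
  Desc.TimeStamp                  = *TimeStamp;
  Desc.AuthInfo.Hdr.dwLength      = (uint32_t)(sizeof(WIN_CERTIFICATE_UEFI_GUID) + SigLen);
  Desc.AuthInfo.Hdr.wRevision     = WIN_CERT_REVISION_2_0;
  Desc.AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
  Desc.AuthInfo.CertType          = kEfiCertTypePkcs7Guid;
  memcpy(Out, &Desc, sizeof Desc);
  if (SigLen) memcpy(Out + sizeof Desc, Sig, SigLen);
  memcpy(Out + sizeof Desc + SigLen, Payload, PayloadLen);
  return Total;
}

/* Builds the list for the sample cert and wraps it unsigned; returns the blob size
 * (28-byte list header + 16-byte owner + 5-byte cert = 49, plus a 40-byte descriptor). */
size_t Demo(void) {
  uint8_t List[256], Auth[512];
  size_t ListLen = BuildX509SignatureList(kSampleCert, sizeof kSampleCert, &kSampleOwner, List, sizeof List);
  EFI_TIME Ts = {0};
  Ts.Year = 2022; Ts.Month = 5; Ts.Day = 4; Ts.Hour = 18; Ts.Minute = 4;  /* constructed timestamp */
  return WrapTimeBasedPayload(&Ts, NULL, 0, List, ListLen, Auth, sizeof Auth);
}

int main(void) {
  printf("time-based payload for one X.509 entry: %zu bytes\n", Demo());
  return 0;
}
```

Two details worth keeping in mind when using this shape for real enrollment: the PKCS#7 signature is computed over the variable name, vendor GUID, attributes, timestamp and payload concatenated, not over the payload alone, and the timestamp inside the descriptor must be strictly newer than the one already stored for that variable or the update is rejected as a replay.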

Thread overview (12 messages, newest 2022-05-04 18:05 UTC):
2022-05-04 18:04 [PATCH v1 00/11] Enhance Secure Boot Variable Libraries Kun Qin
2022-05-04 18:04 ` [PATCH v1 01/11] SecurityPkg: UefiSecureBoot: Definitions of cert and payload structures Kun Qin
2022-05-04 18:04 ` [PATCH v1 02/11] SecurityPkg: PlatformPKProtectionLib: Added PK protection interface Kun Qin
2022-05-04 18:04 ` [PATCH v1 03/11] SecurityPkg: SecureBootVariableLib: Updated time based payload creator Kun Qin
2022-05-04 18:04 ` [PATCH v1 04/11] SecurityPkg: SecureBootVariableLib: Updated signature list creator Kun Qin
2022-05-04 18:04 ` [PATCH v1 05/11] SecurityPkg: SecureBootVariableLib: Added newly supported interfaces Kun Qin
2022-05-04 18:04 ` [PATCH v1 06/11] SecurityPkg: SecureBootVariableProvisionLib: Updated implementation Kun Qin
2022-05-04 18:04 ` [PATCH v1 07/11] SecurityPkg: Secure Boot Drivers: Added common header files Kun Qin
2022-05-04 18:04 ` [PATCH v1 08/11] SecurityPkg: SecureBootConfigDxe: Updated invocation pattern Kun Qin
2022-05-04 18:04 ` [PATCH v1 09/11] SecurityPkg: SecureBootVariableLib: Added unit tests Kun Qin
2022-05-04 18:04 ` [PATCH v1 10/11] OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency Kun Qin
2022-05-04 18:04 ` [PATCH v1 11/11] EmulatorPkg: " Kun Qin
