From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f182.google.com (mail-pf1-f182.google.com [209.85.210.182]) by mx.groups.io with SMTP id smtpd.web12.11166.1655152796811981330 for ; Mon, 13 Jun 2022 13:39:56 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=TppvgAWq; spf=pass (domain: gmail.com, ip: 209.85.210.182, mailfrom: kuqin12@gmail.com) Received: by mail-pf1-f182.google.com with SMTP id bo5so6769740pfb.4 for ; Mon, 13 Jun 2022 13:39:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=RhS6ucWjBO0w+UFTdY7Gx6DqL123njv4NKuuI6tWuS8=; b=TppvgAWqzIhxq4xolc36e3z8bYqcYl1MjkiIWT5De76dK9o/jUfaOearGbk4T1pxua wbyymVux45orkLMZcGlhW24U9g5zVyFpcmUzIPkYDa4ty/Bq9W0lqTA5yKvhG/1CIGf1 GX9sXb2keZ+B6Q4gxsgYrXATbtWiMUsGnX6NeyEvZyOKjh3kwKH6a1rcaJpdnEBI/OCo irOEQKEJhyVHu8nUZ0M2wDIwbIcOyZQ7OBu0sOl8UNB5lxyWWQ3M9wDYGn6EpK2bKTXH dqCXiY/VETkrOdKSH05beYEhBgjTebCa7BTZtjzXFXZKWFld24Y5u5sh7M1IXzKUsbbU dDow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=RhS6ucWjBO0w+UFTdY7Gx6DqL123njv4NKuuI6tWuS8=; b=et/xZiNIN6qQD8BG5/lcfXU9x/UeHvZcvh+F2WCmXcPQ6xCbj5Joze6+q5f9/w488D zgNXzV4AeiDBdJWbKmJ4LTWvzHIn0ABBYpGPug+pBav5zAuoqtpVn7Vt3Ba1AfHRXnVz iwnIRdA0pHLnhDZ0ldBy+teNT3viqlViyhuy6qBlMmTut+aJpZGxzpyG4qaajbQ35J8O rP/I2ZoLxu2dwRCeOv1+ZRzPJWi6vLnHc4mUnpPhRF0dgkz/9EpF63bR71maIPjLNmkO XXHBerk7ge2CaymEWqX9gGCpI8e7Eu0jiMQwv5WKsGXfmQ/GHbVoJzY8gU6uBDy9xFQH XhnQ== X-Gm-Message-State: AOAM530V+9BRuIA22L8/kvugToh/utl7sTzdftyefwy4kDkGA3DBcFrP kJC4gGK+8GSF8FIVUiwWiCWSlPDB0lVoMg== X-Google-Smtp-Source: ABdhPJxrECroExiuNRM/FputWe3cqaXUL3PghPIDaBz7CEyzSYp7WyRRMrmNgiC339ja2uutdzjJ+g== X-Received: by 2002:a63:2482:0:b0:3fc:55e3:1410 with SMTP id k124-20020a632482000000b003fc55e31410mr1266612pgk.583.1655152796145; Mon, 13 Jun 2022 13:39:56 -0700 (PDT) Return-Path: Received: from localhost.localdomain ([50.35.66.9]) by smtp.gmail.com with ESMTPSA id g14-20020a17090a578e00b001ea90dada74sm5603239pji.12.2022.06.13.13.39.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Jun 2022 13:39:55 -0700 (PDT) From: "Kun Qin" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu , Sean Brogan , Ard Biesheuvel , Jordan Justen , Gerd Hoffmann , Rebecca Cran , Peter Grehan , Sebastien Boeuf , Andrew Fish , Ray Ni Subject: [PATCH v2 00/11] Enhance Secure Boot Variable Libraries Date: Mon, 13 Jun 2022 13:39:31 -0700 Message-Id: <20220613203943.704-1-kuqin12@gmail.com> X-Mailer: git-send-email 2.35.1.windows.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911 This is a revamp of a previously submitted patch series based on top of master branch: https://edk2.groups.io/g/devel/message/89507. No changes added. Current SecureBootVariableLib provide great support for deleting secure boot related variables, creating time-based payloads. However, for secure boot enrollment, the SecureBootVariableProvisionLib interfaces always assume the changes from variable storage, limiting the usage, requiring existing platforms to change key initialization process to adapt to the new methods, as well as bringing in extra dependencies such as FV protocol, time protocols. This patch series proposes to update the implementation for Secure Boot Variable libraries and their consumers to better support the related variables operations. Patch v2 branch: https://github.com/kuqin12/edk2/tree/secure_boot_enhance_v2 Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Cc: Sean Brogan Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Gerd Hoffmann Cc: Rebecca Cran Cc: Peter Grehan Cc: Sebastien Boeuf Cc: Andrew Fish Cc: Ray Ni Kun Qin (8): SecurityPkg: UefiSecureBoot: Definitions of cert and payload structures SecurityPkg: PlatformPKProtectionLib: Added PK protection interface SecurityPkg: SecureBootVariableLib: Updated time based payload creator SecurityPkg: SecureBootVariableProvisionLib: Updated implementation SecurityPkg: Secure Boot Drivers: Added common header files SecurityPkg: SecureBootConfigDxe: Updated invocation pattern OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency EmulatorPkg: Pipeline: Resolve SecureBootVariableLib dependency kuqin (3): SecurityPkg: SecureBootVariableLib: Updated signature list creator SecurityPkg: SecureBootVariableLib: Added newly supported interfaces SecurityPkg: SecureBootVariableLib: Added unit tests SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 1 + SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c | 51 + SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 486 ++++- SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c | 36 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c | 201 ++ SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c | 13 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c | 2037 ++++++++++++++++++++ SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 145 +- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 128 +- SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 1 + EmulatorPkg/EmulatorPkg.dsc | 1 + OvmfPkg/Bhyve/BhyveX64.dsc | 1 + OvmfPkg/CloudHv/CloudHvX64.dsc | 1 + OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 + OvmfPkg/OvmfPkgIa32.dsc | 1 + OvmfPkg/OvmfPkgIa32X64.dsc | 1 + OvmfPkg/OvmfPkgX64.dsc | 1 + SecurityPkg/Include/Library/PlatformPKProtectionLib.h | 31 + SecurityPkg/Include/Library/SecureBootVariableLib.h | 103 +- SecurityPkg/Include/UefiSecureBoot.h | 94 + SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf | 36 + SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 14 +- SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf | 33 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf | 45 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf | 25 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf | 36 + SecurityPkg/SecurityPkg.ci.yaml | 11 + SecurityPkg/SecurityPkg.dec | 5 + SecurityPkg/SecurityPkg.dsc | 2 + SecurityPkg/Test/SecurityPkgHostTest.dsc | 38 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 + 31 files changed, 3468 insertions(+), 112 deletions(-) create mode 100644 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c create mode 100644 SecurityPkg/Include/Library/PlatformPKProtectionLib.h create mode 100644 SecurityPkg/Include/UefiSecureBoot.h create mode 100644 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf create mode 100644 SecurityPkg/Test/SecurityPkgHostTest.dsc -- 2.35.1.windows.2