From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pg1-f182.google.com (mail-pg1-f182.google.com [209.85.215.182]) by mx.groups.io with SMTP id smtpd.web12.32569.1656633237326093412 for ; Thu, 30 Jun 2022 16:53:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=CTymFP8C; spf=pass (domain: gmail.com, ip: 209.85.215.182, mailfrom: kuqin12@gmail.com) Received: by mail-pg1-f182.google.com with SMTP id q140so838478pgq.6 for ; Thu, 30 Jun 2022 16:53:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=f2apf37fcFyrTK8hKxAc0IBpcjgYeXl0HSKeYi02z9U=; b=CTymFP8CZwz6bbIgVtNMfYoe/qg/303/bcVwvjGKOvMKHugqxcwveB9Z6LKkYN3om3 /eWsl7nMVfuKB4bUP+7EPo8FiOZ4jumeEc8f389oLpf8EOw4oG363DEXOqRq4rronKTc qkwQmV0BFcUzNauTARv8H3eqLlu6dZdjfRaicn2muwKmyZoHjJQMrBs33q/Jkdgksgm8 NRj1MrG2aZl3vsLNga9pPnJ9FBJltwgfYI1uI/Y9ejzXKwM5kQ5CnhYNqj3SjAbRqR4J hNPWxkRTFQNT/iqeRY6ep+3XtGIgSyvGdZ6fAajDI51wfj11ttodOL/lSYogXRw/yFKq ep4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=f2apf37fcFyrTK8hKxAc0IBpcjgYeXl0HSKeYi02z9U=; b=E9vmPauXQ12NzPZIun2AkZw7Fgaa0qVYMS+ETvl+Z/ZrEUN8ECsMzxaNsZHahkjGCd nQcwzoNz5pXrG9pxrPhZTj353c70qibTk0eaa1PZDJdxt7juq61mdIbKS1ZIovCg3B/M sAg6o3t+zjmZ3wAOnr1XzvcmsJrEzIhF27+Lbqw2JPEuRkdeCOhV0ORAMgtmy5822XnA yBAmh0ZEq5A0DAn8bST0JT7LBXJihTSZWmQsNqSwdMt52wPfaaWu+pCGzhfBM4141LHG R7Lav6Gi893Rtc5xoxaHF7iE9Zb0urm3Fl0rcQeaWYoKajpq9muAx2UmxPEOzE1CxxPx qzOw== X-Gm-Message-State: AJIora+YaIATrAxSauMjEmzDRgsKAdhGf/f1y+vVcv6Kg9wnPJoP7DnT /4HI8ko3Foa1esF+EIZGQlhwa4EXLfU= X-Google-Smtp-Source: AGRyM1tt8gwNym6uVBex5mXz/ciaT8OwAxHYkYdWucBvoXAMd+54KgJNvWOB2Ypxaca1yLMkw4nFxw== X-Received: by 2002:a63:2014:0:b0:411:90a4:6e9c with SMTP id g20-20020a632014000000b0041190a46e9cmr7465713pgg.500.1656633236571; Thu, 30 Jun 2022 16:53:56 -0700 (PDT) Return-Path: Received: from MININT-0U7P5GU.redmond.corp.microsoft.com ([2001:4898:80e8:7:19ac:d515:5a95:7969]) by smtp.gmail.com with ESMTPSA id x199-20020a627cd0000000b00525243d0dc6sm14679202pfc.15.2022.06.30.16.53.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Jun 2022 16:53:56 -0700 (PDT) From: "Kun Qin" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu , Sean Brogan , Ard Biesheuvel , Jordan Justen , Gerd Hoffmann , Rebecca Cran , Peter Grehan , Sebastien Boeuf , Andrew Fish , Ray Ni Subject: [PATCH v3 00/11] Enhance Secure Boot Variable Libraries Date: Thu, 30 Jun 2022 16:53:30 -0700 Message-Id: <20220630235341.1746-1-kuqin12@gmail.com> X-Mailer: git-send-email 2.36.0.windows.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911 This is a follow-up of a previously submitted patch series based on top of master branch: https://edk2.groups.io/g/devel/message/90491. The main changes between v2 and v3 patches are: - Added reviewed-by and acked-by tags collected from previous iteration - Updated default timestamp for default secure boot variable enrollment The updated changes are verified on QEMU based Q35 virtual platform as well as proprietary physical platforms. Patch v3 branch: https://github.com/kuqin12/edk2/tree/secure_boot_enhance_v3 Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Cc: Sean Brogan Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Gerd Hoffmann Cc: Rebecca Cran Cc: Peter Grehan Cc: Sebastien Boeuf Cc: Andrew Fish Cc: Ray Ni Kun Qin (8): SecurityPkg: UefiSecureBoot: Definitions of cert and payload structures SecurityPkg: PlatformPKProtectionLib: Added PK protection interface SecurityPkg: SecureBootVariableLib: Updated time based payload creator SecurityPkg: SecureBootVariableProvisionLib: Updated implementation SecurityPkg: Secure Boot Drivers: Added common header files SecurityPkg: SecureBootConfigDxe: Updated invocation pattern OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency EmulatorPkg: Pipeline: Resolve SecureBootVariableLib dependency kuqin (3): SecurityPkg: SecureBootVariableLib: Updated signature list creator SecurityPkg: SecureBootVariableLib: Added newly supported interfaces SecurityPkg: SecureBootVariableLib: Added unit tests SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 1 + SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c | 51 + SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 485 ++++- SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c | 36 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c | 201 ++ SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c | 13 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c | 2037 ++++++++++++++++++++ SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 145 +- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 128 +- SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 1 + EmulatorPkg/EmulatorPkg.dsc | 1 + OvmfPkg/Bhyve/BhyveX64.dsc | 1 + OvmfPkg/CloudHv/CloudHvX64.dsc | 1 + OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 + OvmfPkg/OvmfPkgIa32.dsc | 1 + OvmfPkg/OvmfPkgIa32X64.dsc | 1 + OvmfPkg/OvmfPkgX64.dsc | 1 + SecurityPkg/Include/Library/PlatformPKProtectionLib.h | 31 + SecurityPkg/Include/Library/SecureBootVariableLib.h | 103 +- SecurityPkg/Include/UefiSecureBoot.h | 94 + SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf | 36 + SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 14 +- SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf | 33 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf | 45 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf | 25 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf | 36 + SecurityPkg/SecurityPkg.ci.yaml | 11 + SecurityPkg/SecurityPkg.dec | 5 + SecurityPkg/SecurityPkg.dsc | 2 + SecurityPkg/Test/SecurityPkgHostTest.dsc | 38 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 + 31 files changed, 3467 insertions(+), 112 deletions(-) create mode 100644 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c create mode 100644 SecurityPkg/Include/Library/PlatformPKProtectionLib.h create mode 100644 SecurityPkg/Include/UefiSecureBoot.h create mode 100644 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf create mode 100644 SecurityPkg/Test/SecurityPkgHostTest.dsc -- 2.36.0.windows.1