From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM12-DM6-obe.outbound.protection.outlook.com (NAM12-DM6-obe.outbound.protection.outlook.com [40.107.243.78]) by mx.groups.io with SMTP id smtpd.web11.89996.1674255548068651465 for ; Fri, 20 Jan 2023 14:59:08 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@nvidia.com header.s=selector2 header.b=BcqS39DH; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: nvidia.com, ip: 40.107.243.78, mailfrom: jbobek@nvidia.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MpD7D4ksaa3cDMH1UTBJytstArmOefmUBOYEAs3YIpYfp9skxq9q7zdzG44/fHJg1aQOJ8d7gIxjLt+xsQs+EA4fmsaswbZxTDJqoQ7qr779y7AJoaCTXzDGKQ4adPwLvWVFF2Q3lJFvZYAjaOoU/nxx+Jc2Y3ibOvOwLi8XO7P1UDMaCqlcTaqnb2HPcQbGaHcWryHTYu8P7R0O+gG7IuKl4qu/ePf7OpinqZAT0cwZnw4CtrAds7h4dINIaeJIXT25cQ3K9Jb+9YQL/XI+PSvJC/RayrxrHiXZJIJsUdUN48paoaoo+ZoHdokEP44zvLG3hEsk6IJymW31ANbfww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cQlV9zxZs0wDwRh6L3G4hwJoFXWHfZVvOIOwr8JtAXE=; b=ihKMUcQd6u1+2N06/DkhUZkeadOKc2tXl+mXGhfajW0kWxXKNXXSoHNXYFPCF02cewovyPksXD2XW/BGJizxpD7z5VAVNrUuL7pa/QSRAk3QglVPynsICIgDaZ9PfMUcLtY8LbCuKYpeZwYtxIiKjQKbNI1DH+wSs8EN3wJP05KU8mkXtwJ6CdeYtuG3syxlkJUQMcfxnhewTz469hceUOGs/sZ1EAYlRK9bPaYipLcingAXta47oVAEgb64hcAQhUc4Fv5GhJ0BupPAzE3OqYpYWHVwLs29kpqMD3jPhkiF958LSnUUPgUv2RguZLfs8BmHhmE0PGSrCxg1426qDQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=edk2.groups.io smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cQlV9zxZs0wDwRh6L3G4hwJoFXWHfZVvOIOwr8JtAXE=; b=BcqS39DH48XwLIU7dNSgEbJSD6v8z+ldO3a6OCHEU+6aNpEBtMHW5yD4ctmVIN/eYIcbKsFb6ZWnJix7tC4140xon4fEGZPBE+YKFN6YgUT7+4F4Lov3sDbJns6sFTia+Zfv5Ar12OTmiSvv/Ra1FwJKQnWvTEXLSgmXRQTuULSqnPu7iFAET20Ifq1A0f64xKmb2KKJkAS7C/bFeFPqOFKlH/rncUGf1J0VFIUDRpcyaOtVXi0zxAeKKgL9TvgTCONfwFLK7cxRt+xRzTFC7x1SkeR8f2hcGROkw4EOtNNdgpJtChZqwuvIsfv/BmTorNgY474FU7TSKXznNf6rYg== Received: from DM6PR12CA0025.namprd12.prod.outlook.com (2603:10b6:5:1c0::38) by SA3PR12MB7880.namprd12.prod.outlook.com (2603:10b6:806:305::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5986.23; Fri, 20 Jan 2023 22:59:06 +0000 Received: from DS1PEPF0000E63A.namprd02.prod.outlook.com (2603:10b6:5:1c0:cafe::a1) by DM6PR12CA0025.outlook.office365.com (2603:10b6:5:1c0::38) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.27 via Frontend Transport; Fri, 20 Jan 2023 22:59:06 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.160) by DS1PEPF0000E63A.mail.protection.outlook.com (10.167.17.72) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.11 via Frontend Transport; Fri, 20 Jan 2023 22:59:06 +0000 Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Fri, 20 Jan 2023 14:58:54 -0800 Received: from jbobek-titan.nvidia.com (10.126.231.37) by rnnvmail201.nvidia.com (10.129.68.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Fri, 20 Jan 2023 14:58:54 -0800 From: "Jan Bobek" To: CC: Jan Bobek , Laszlo Ersek , "Jiewen Yao" Subject: [PATCH v1 0/4] Don't require self-signed PK in setup mode Date: Fri, 20 Jan 2023 15:58:31 -0700 Message-ID: <20230120225835.42733-1-jbobek@nvidia.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Return-Path: jbobek@nvidia.com X-Originating-IP: [10.126.231.37] X-ClientProxiedBy: rnnvmail201.nvidia.com (10.129.68.8) To rnnvmail201.nvidia.com (10.129.68.8) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DS1PEPF0000E63A:EE_|SA3PR12MB7880:EE_ X-MS-Office365-Filtering-Correlation-Id: adbc0cbb-6426-4235-def2-08dafb39eea2 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: f9P424p3T9ub+N7gburrqcePvnb0PKR78YNjETHv5SMQV9koaD/HqHa7URmWPZbQM5Ib4+0J9nixFWekpmqhdafpkqjtY6r2+sHeX8FwbbpOcre3Txp9Pq9GpGw2bnCzTCkylB9w7ulVKNOgE8tbjO1ImKVstDzY1n4qMbaod56hGc8ko6z2n2McucMxWu7ea5znGxlBsonDRE3qe31SQWGnkfIFGnQrlrx2kgJaayHWtEF7Y8kc5mIoyH2AoGlUCQdFB+dnf3zPYdsfKNSAAh9hV0bz8TOXjM/eA+8veqD1/bBQeaQW8ShBlqnOgZCUaY9/QUoB9+B6rCDNSYcGPk2K9fOgy0EL3n4khgQfEhF9ZBoYBQCTQnwRxu4oC2LaWEroehS2VISppOc2m+U/4S7AHh07vl7mAPoS17ynXCO1Kfz507UheePIAD+O5STobT6GjMXYXidBwEXoRd9WgcL7fKIZDCqLsohjIldf0VfgKW87fc06HF3BdF+1tsvpnYMtOSdWUXFvoI1pCQQ/53JvHkXb+vjCzDk4ktJPvYf4qiSn0LsVrf+bDMCIa3514vuGO99EzvW2XFE0QsXj1IUiiSXuvp9j+pC1QrTDQ1d10QBOberDyREIF5giDGl3VQc9DY9GAN3rmH6KmCKIapVWTIYT3ujgUizqPUxexSsDxUCUNs7LyM3R8219nLw9nOAOVRwcU3SKylhwq7mt212GvAWG+tbnUbqG5OJ5mvXDOSfaJb2OfHS3KWPlMVNp778SmARPaWEuKazRYWHQGQoIsH2xX5wcYdoQ9P06lzw= X-Forefront-Antispam-Report: CIP:216.228.117.160;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge1.nvidia.com;CAT:NONE;SFS:(13230022)(4636009)(396003)(346002)(376002)(39860400002)(136003)(451199015)(36840700001)(40470700004)(46966006)(2616005)(16526019)(40460700003)(40480700001)(26005)(82740400003)(356005)(82310400005)(186003)(7636003)(478600001)(54906003)(86362001)(966005)(2906002)(336012)(316002)(19627235002)(70206006)(1076003)(7696005)(70586007)(66899015)(36860700001)(5660300002)(36756003)(426003)(6666004)(41300700001)(6916009)(47076005)(4326008)(83380400001)(8676002)(8936002);DIR:OUT;SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Jan 2023 22:59:06.0299 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: adbc0cbb-6426-4235-def2-08dafb39eea2 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.160];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: DS1PEPF0000E63A.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA3PR12MB7880 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain Hi all, I'm sending out v1 of my patch series that addresses a UEFI spec non-compliance when enrolling PK in setup mode. Additional info can be found in bugzilla [1]; the changes are split into 4 patches as suggested by Laszlo Ersek in comment #4. I've based my work on the patch by Matthew Carlson; I've credited him with co-authorship of the first patch even though in the end I decided to do the implementation a bit differently. Comments & reviews welcome! Cheers, -Jan References: 1. https://bugzilla.tianocore.org/show_bug.cgi?id=3D2506 Jan Bobek (4): SecurityPkg: limit verification of enrolled PK in setup mode OvmfPkg: require self-signed PK when secure boot is enabled ArmVirtPkg: require self-signed PK when secure boot is enabled SecurityPkg: don't require PK to be self-signed by default SecurityPkg/SecurityPkg.dec | 7 +++++++ ArmVirtPkg/ArmVirtCloudHv.dsc | 4 ++++ ArmVirtPkg/ArmVirtQemu.dsc | 4 ++++ ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ++++ OvmfPkg/Bhyve/BhyveX64.dsc | 3 +++ OvmfPkg/CloudHv/CloudHvX64.dsc | 3 +++ OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 +++ OvmfPkg/Microvm/MicrovmX64.dsc | 3 +++ OvmfPkg/OvmfPkgIa32.dsc | 3 +++ OvmfPkg/OvmfPkgIa32X64.dsc | 3 +++ OvmfPkg/OvmfPkgX64.dsc | 3 +++ SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 3 +++ SecurityPkg/Library/AuthVariableLib/AuthService.c | 9 +++++++-- 13 files changed, 50 insertions(+), 2 deletions(-) --=20 2.30.2