From: "Jan Bobek"
To:
CC: Jan Bobek, Laszlo Ersek, "Jiewen Yao", Jian J Wang, Min Xu, Matthew Carlson
Subject: [PATCH v1 1/4] SecurityPkg: limit verification of enrolled PK in setup mode
Date: Fri, 20 Jan 2023 15:58:32 -0700
Message-ID: <20230120225835.42733-2-jbobek@nvidia.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230120225835.42733-1-jbobek@nvidia.com>
References: <20230120225835.42733-1-jbobek@nvidia.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506

Per UEFI spec, enrolling a new PK in setup mode should not require a self-signature. Introduce a feature PCD called PcdRequireSelfSignedPk to control this requirement. Default to TRUE in order to preserve the legacy behavior.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Co-authored-by: Matthew Carlson
Signed-off-by: Jan Bobek
--- SecurityPkg/SecurityPkg.dec | 7 +++++++ SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 3 +++ SecurityPkg/Library/AuthVariableLib/AuthService.c | 9 +++++++-- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 8257f11d17c7..d3b7ad7ff6fb 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -580,5 +580,12 @@ [PcdsDynamic, PcdsDynamicEx] ## This PCD records LASA field in CC EVENTLOG ACPI table. gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x0001= 0026 =20 +[PcdsFeatureFlag] + ## Indicates if the platform requires PK to be self-signed when setting = the PK in setup mode. + # TRUE - Require PK to be self-signed. + # FALSE - Do not require PK to be self-signed. + # @Prompt Require PK to be self-signed + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE|BOOLEAN|0x000= 10027 + [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/Secu= rityPkg/Library/AuthVariableLib/AuthVariableLib.inf index 8eadeebcebd7..e5985c5f8b60 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf @@ -86,3 +86,6 @@ [Guids] gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique= ID for the type of the certificate. gEfiCertPkcs7Guid ## SOMETIMES_CONSUMES ## GUID # Unique= ID for the type of the certificate. gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Unique= ID for the type of the signature. + +[FeaturePcd] + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPk= g/Library/AuthVariableLib/AuthService.c index 054ee4d1d988..e9989695626e 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -603,7 +603,10 @@ ProcessVarWithPk ( // Init state of Del. State may change due to secure check // Del =3D FALSE; - if ((InCustomMode () && UserPhysicalPresent ()) || ((mPlatformMode =3D= =3D SETUP_MODE) && !IsPk)) { + if ( (InCustomMode () && UserPhysicalPresent ()) + || ( (mPlatformMode =3D=3D SETUP_MODE) + && !(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk))) + { Payload =3D (UINT8 *)Data + AUTHINFO2_SIZE (Data); PayloadSize =3D DataSize - AUTHINFO2_SIZE (Data); if (PayloadSize =3D=3D 0) { @@ -627,7 +630,9 @@ ProcessVarWithPk ( return Status; } =20 - if ((mPlatformMode !=3D SETUP_MODE) || IsPk) { + if ( (mPlatformMode !=3D SETUP_MODE) + || (FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk)) + { Status =3D VendorKeyIsModified (); } } else if (mPlatformMode =3D=3D USER_MODE) { --=20 2.30.2
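Review bot: in the SecurityPkg.dec hunk the new PCD is declared under gEfiMdeModulePkgTokenSpaceGuid even though it is being added to SecurityPkg.dec; the neighbouring entry (PcdCcEventlogAcpiTableLasa) uses gEfiSecurityPkgTokenSpaceGuid, and a PCD declared in this package belongs in this package's token space, so the line should read `gEfiSecurityPkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE|BOOLEAN|0x00010027` (with the [FeaturePcd] entry in the .inf following suit). The help text should also spell out the consequence of FALSE for integrators: in setup mode a PK write is then accepted without any signature check, which is the spec-permitted behaviour the commit message cites but is a meaningful change in what the firmware enforces.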
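Review bot: the [FeaturePcd] entry in the AuthVariableLib.inf hunk must name the same token space the .dec finally declares the PCD under, otherwise `FeaturePcdGet (PcdRequireSelfSignedPk)` in AuthService.c will not resolve at build time; since the PCD is declared in SecurityPkg.dec, `gEfiSecurityPkgTokenSpaceGuid.PcdRequireSelfSignedPk` is the consistent choice here as well.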
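Review bot: the first AuthService.c hunk changes the gate on the unverified-update path but the only nearby comment describes Del, so the new condition needs its own comment, e.g. `// In setup mode the PK may be enrolled without a self-signature unless PcdRequireSelfSignedPk is TRUE.` The logic itself checks out: with the PCD TRUE, `!(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk)` reduces to `!IsPk`, the original condition, so legacy behaviour is preserved as the commit message claims; with the PCD FALSE it reduces to TRUE, so in setup mode every variable handled by ProcessVarWithPk, the PK included, takes the path that skips signature verification. That is exactly the trade-off platform owners evaluating FALSE need stated in the commit message: while the platform remains in setup mode, the PK can be set by any caller with variable-write access.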
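Review bot: the second AuthService.c hunk also narrows when VendorKeyIsModified () runs, so with the PCD FALSE a PK enrolled in setup mode through the unverified path no longer marks the vendor keys as modified, while with the PCD TRUE the condition is the original `(mPlatformMode != SETUP_MODE) || IsPk`. The commit message only motivates dropping the self-signature check; it should also say why the vendor-key tracking changes for this case (for instance that it mirrors how the self-signed setup-mode PK path behaved before), because a reviewer cannot infer that intent from the hunk alone and the two changes are independently reviewable.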