From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM12-DM6-obe.outbound.protection.outlook.com (NAM12-DM6-obe.outbound.protection.outlook.com [40.107.243.41]) by mx.groups.io with SMTP id smtpd.web10.89952.1674255550826156466 for ; Fri, 20 Jan 2023 14:59:10 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@nvidia.com header.s=selector2 header.b=GmdKKLUL; spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: nvidia.com, ip: 40.107.243.41, mailfrom: jbobek@nvidia.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dGObxrjo0omTeZ5VX1Xr7qt+zLe5dPqFs7mcEQL36KTCsefgjU/hgFq5dutYw910HaVPHLco9yjSc3AQ9PYf7Hdvv2s8xgD8Ge+qIjoynllUhCyAyQ/vmGJzOveaMMF4u2LudZhj7SIrxiVQ2ZVzP8lhZZKQrbkhb5XLQkMJRK38JT8CgUUTczSjn94cpjKzKB+xRE3SkaUOAi32q5HNneboHho8PFIaG3H6H2E7OIaIICS7Vk0qTxdDXtqOCi4Anj7nAyr3msP7yd3k9ks+WCb6pf3qHJXXa6jG/dBw8Y2FFshGQTulRE12ixW55zyj7O/fuGfkYubfz4PPj4N4Ew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0LcYhle67it80FQRtXzBebqxOa0c8G4kQb9RtYgn59Y=; b=ZkBToCwYIXjswI63axRbUZKYNqoq1DLNIOBm7aT72jihzoQ8h8AABALUMszcLQmlahRLZv2wPTRmLNsKoXNwVxT4qre6diARx2n2W79CjjgTFtCgON6Tym30/rcVusEAyDbsCqcRMFDtPQ19LguQl1hC65DX8HZmBYsq0MbnKTVIGBYvF70i4L4rnq2Y/fFEMkp0QGyR/1a+MM13f6jfUU2vd7uAs6ZUKeNSHFlooqz8SCVHLx5sTE5rTindbITKelIbk+Hq2gq7CqRG7YOMbrpH8Rmk8b6355sHdI9833bBgV2wUAaq28o/FZwH0q2P5cNOglu+6BFWhmNkex3ccw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=edk2.groups.io smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0LcYhle67it80FQRtXzBebqxOa0c8G4kQb9RtYgn59Y=; b=GmdKKLULcfQ7kR0p4vggbU0dyYv4ijdYeg34inqhrBWBFGIwFrbkgGytudWbZJccEs6MrrPvyxkShsAG3q4XaIG+GAVtyEfoszO2q+LJkXh5retB+ysmmZ4f7s3HZEDQSvAY+iMjb8DeLde89EABYb/Wj4+PcInP9Ovxe6sU5Mw1gNuIsf6wrf9FOIBQrUUK3992uulnVJ7NEjEex4DU0iVDdIVpPWqOX3IIuyRVaupZWEbdpIl3T6a/J86NMhruzcafwhWV9VAJYVnDcgddG1F3zR7ijZhQjawy0plLI/mnwwvfu/Xb5E3oBaVyWSKQEd0bf4Z7aX+wJ44E2D0FRQ== Received: from DS7PR05CA0020.namprd05.prod.outlook.com (2603:10b6:5:3b9::25) by PH7PR12MB5926.namprd12.prod.outlook.com (2603:10b6:510:1d9::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.27; Fri, 20 Jan 2023 22:59:08 +0000 Received: from DS1PEPF0000E638.namprd02.prod.outlook.com (2603:10b6:5:3b9:cafe::cf) by DS7PR05CA0020.outlook.office365.com (2603:10b6:5:3b9::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6043.7 via Frontend Transport; Fri, 20 Jan 2023 22:59:08 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C Received: from mail.nvidia.com (216.228.117.160) by DS1PEPF0000E638.mail.protection.outlook.com (10.167.17.70) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.11 via Frontend Transport; Fri, 20 Jan 2023 22:59:08 +0000 Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Fri, 20 Jan 2023 14:58:56 -0800 Received: from jbobek-titan.nvidia.com (10.126.231.37) by rnnvmail201.nvidia.com (10.129.68.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Fri, 20 Jan 2023 14:58:55 -0800 From: "Jan Bobek" To: CC: Jan Bobek , Laszlo Ersek , "Jiewen Yao" , Ard Biesheuvel , Jordan Justen , Gerd Hoffmann , Rebecca Cran , Peter Grehan , Sebastien Boeuf Subject: [PATCH v1 2/4] OvmfPkg: require self-signed PK when secure boot is enabled Date: Fri, 20 Jan 2023 15:58:33 -0700 Message-ID: <20230120225835.42733-3-jbobek@nvidia.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230120225835.42733-1-jbobek@nvidia.com> References: <20230120225835.42733-1-jbobek@nvidia.com> MIME-Version: 1.0 Return-Path: jbobek@nvidia.com X-Originating-IP: [10.126.231.37] X-ClientProxiedBy: rnnvmail201.nvidia.com (10.129.68.8) To rnnvmail201.nvidia.com (10.129.68.8) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DS1PEPF0000E638:EE_|PH7PR12MB5926:EE_ X-MS-Office365-Filtering-Correlation-Id: 5f494484-7fdd-46bd-0f8b-08dafb39efd4 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: bVty3xKMBs7emBTFoW5j00mL+qq+P6B49b+lDF2/uxHPUb3fHncmtLveuaXnJzXzVAYkN40EU8QJiXEf2Kt7a7H0WYIFlYc95xu8A6G+B8j4Oud6xI1xgLbwW3JDbVPe5C56Sd/OPETpjPisZBapOa0eZYUJCYGDwOddDiHSuMwL6XRoIt2JVCKdalof6sjD7OUtWfiZxvYGQqQ9E11Q8i96UKg2EdBQtSXqW7GoO8I4wV9cmjkIrnsDLZiFOEecld/7ByE3WTAZKunNE4BZ7ZdHhxFL6Akh/Z1lr7K8TFw5dFuJEK0vjMxF/wYCaQTycLQdstP7Bvu8ZbxKNQvvum7si7OBQPthQNPT9fzvtnEhFSllBqyIQtwWWiDSCVKJ2ftggDh2hBIGRbB3ifCsGLe3mRGzoCD8ENelbsPjGoKYDsjcNvexn4YByiC4de3X8/Fj2kQJ1NokB+U7mASA0Es2CpnAGyDGg/ARGcukHsuyLJ5CyapVWT2iFYOi3xbWlVnemwWau8bnYULuatF9k1NGb3u4bev2tCQm0BRUi1A7UQTuY9ys5Pf8RodTpR+DFsEucZB2ozafv6WHCifIql8H36ylBcDwd0tLi0xqeZ842Ia9qdgYVpVjPem1lXLIajFOkkFRxm8LDJhS9e9zyrgikaBrzX46GSYE3c+vwdS9fP6hjFqrU8xxSgA7EZZkXsADNwj/swtY4+1fsibJRKVWcdvl3Qcm9N6Sve8NrTQN09OsUdx/IO5l3wWZtelNLqJQXCC8vHrKDBMQjkWgJVXnoC8AAp04RYwbxn4EksY= X-Forefront-Antispam-Report: CIP:216.228.117.160;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge1.nvidia.com;CAT:NONE;SFS:(13230022)(4636009)(136003)(376002)(39860400002)(346002)(396003)(451199015)(36840700001)(46966006)(40470700004)(5660300002)(8936002)(4326008)(70206006)(8676002)(19627235002)(82310400005)(6916009)(70586007)(6666004)(26005)(2906002)(16526019)(186003)(966005)(7696005)(478600001)(36756003)(316002)(2616005)(54906003)(41300700001)(82740400003)(356005)(40480700001)(36860700001)(86362001)(40460700003)(7636003)(47076005)(426003)(336012)(1076003);DIR:OUT;SFP:1101; X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Jan 2023 22:59:08.0300 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 5f494484-7fdd-46bd-0f8b-08dafb39efd4 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.160];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: DS1PEPF0000E638.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR12MB5926 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2506 In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring self-signed PK when SECURE_BOOT_ENABLE is TRUE. Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Jordan Justen Cc: Gerd Hoffmann Cc: Rebecca Cran Cc: Peter Grehan Cc: Sebastien Boeuf Signed-off-by: Jan Bobek --- OvmfPkg/Bhyve/BhyveX64.dsc | 3 +++ OvmfPkg/CloudHv/CloudHvX64.dsc | 3 +++ OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 +++ OvmfPkg/Microvm/MicrovmX64.dsc | 3 +++ OvmfPkg/OvmfPkgIa32.dsc | 3 +++ OvmfPkg/OvmfPkgIa32X64.dsc | 3 +++ OvmfPkg/OvmfPkgX64.dsc | 3 +++ 7 files changed, 21 insertions(+) diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index befec670d4f3..66a2ae8868e5 100644 --- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -422,6 +422,9 @@ [PcdsFeatureFlag] gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdInstallAcpiSdtProtocol|TRUE +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration|TRUE diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.ds= c index 7326417eab62..9cb267f98942 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc @@ -480,6 +480,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX6= 4.dsc index 0f1e970fbbb3..93918b55b1a5 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -390,6 +390,9 @@ [PcdsFeatureFlag] !ifdef $(CSM_ENABLE) gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable|TRUE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.ds= c index 2d53b5c2950d..3c988f3e65e0 100644 --- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc @@ -476,6 +476,9 @@ [PcdsFeatureFlag] gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdInstallAcpiSdtProtocol|TRUE +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index f232de13a7b6..22dc29330d2d 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -488,6 +488,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index a9d422bd9169..6b539814bdb0 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -493,6 +493,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 3f970a79a08a..f6b8b342c4ed 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -513,6 +513,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 --=20 2.30.2