From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (NAM11-DM6-obe.outbound.protection.outlook.com [40.107.223.76])
 by mx.groups.io with SMTP id smtpd.web11.89998.1674255549672006080
 for <devel@edk2.groups.io>;
 Fri, 20 Jan 2023 14:59:09 -0800
Authentication-Results: mx.groups.io;
 dkim=fail reason="body hash did not verify" header.i=@nvidia.com header.s=selector2 header.b=n6Z3Fc9T;
 spf=permerror, err=parse error for token &{10 18 %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email}: invalid domain name (domain: nvidia.com, ip: 40.107.223.76, mailfrom: jbobek@nvidia.com)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=Jxzk2vKv8Md8Y5L8zCL3KyMocPZaLokNAmFTGROhdIOTnRoGbQYz6du3t1WVJA7iBQvw1ISvzgUszQRxJQfa2n/maN5A6FIxftPtPXwb43G3rb3bw55zNzb4xhMgO7jBDwjhEYozYjk+1pwPHmeeBUGcn7B4A/4ADr6paU2G1oPNBZZa5Lgy5JDbECC//0dINDjyr5/P7XsDEDIB43hqAXJOJrYcdeO1OAdWMm2bgqI//Qyo8VjUwAKXQzTOSzMrTNbfcsf+Z9w3z4GWgMAxvELQLVx1fjC9lngT6Q0a7OSb0CgxZjnbxFdhfXrWpw9pw1dAGwdlus99J5s8p9JhcA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=ZlTsEkd5qyGLLFOjC8m4JgTm/Q0mbD/sGqzGgnKYJZM=;
 b=LuNtQ6W3pi3hkhWgtR3afyv6sfVXbASmkfXRVXxy675EU/a8GGwOXZSQq4xlbb5JLVnbqNbvV02WmbIa/3MIaoEu4nab7dncTvgE9xAxjtJog0/0/IDmUG4+kzJJe18XsnI6mSOyvCKD+p3dqS+2HsBchRj0HSDP8yRiX9xDCPkhR4Wm0AkSBrz9bAj1+22vQPwCi6pa2RJVXdkPv91FfGnoq/7L5M2TH1QQvUJ4Ly2+d0sP8+BtxK+W5DAIE8rxp3LF4xJj/RbnFRIN9qAuOTPdmq5vWAJAJtR1zJ5tYC81YZed7GLdn9IUIgKDHywR3PpbD67FCy1xVYw5ft9MzQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 216.228.117.161) smtp.rcpttodomain=edk2.groups.io smtp.mailfrom=nvidia.com;
 dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com;
 dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Nvidia.com;
 s=selector2;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=ZlTsEkd5qyGLLFOjC8m4JgTm/Q0mbD/sGqzGgnKYJZM=;
 b=n6Z3Fc9T3yPV0d9pUR8Rnbqc1vfSZ5WNy2jWYpUXt0jWzKKio7ZbPOrZcel4iAY2ddb05XgtsCkDcXxojIIjWL/qpH81UI/qc8iWalB+0/9lWC3t2B0yDEOajgX/8OLnJGRHg0qhu373QBKAr9UixiuHmzsHIEhbFeN1CyEwaEq98AKP97pV7+yAjX9R2t2FxhtcBTKKP7ceFuD4cczEs1JWzm50clytyD4yqFpIQX8VoHQ7afoUyDDqT3bviIkMlpZdJ8kYnLFBAh7sVZs+8/7uFAIPXjuShidxcNWPJi8Z9hpNsg3sInuj9HUoQgL6omVNvRmxQ73t84KQwn3gpA==
Received: from CY5PR03CA0013.namprd03.prod.outlook.com (2603:10b6:930:8::44)
 by PH8PR12MB7328.namprd12.prod.outlook.com (2603:10b6:510:214::7) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.26; Fri, 20 Jan
 2023 22:59:07 +0000
Received: from CY4PEPF0000C982.namprd02.prod.outlook.com
 (2603:10b6:930:8:cafe::81) by CY5PR03CA0013.outlook.office365.com
 (2603:10b6:930:8::44) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.27 via Frontend
 Transport; Fri, 20 Jan 2023 22:59:07 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.161)
 smtp.mailfrom=nvidia.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=nvidia.com;
Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates
 216.228.117.161 as permitted sender) receiver=protection.outlook.com;
 client-ip=216.228.117.161; helo=mail.nvidia.com; pr=C
Received: from mail.nvidia.com (216.228.117.161) by
 CY4PEPF0000C982.mail.protection.outlook.com (10.167.241.196) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.6002.11 via Frontend Transport; Fri, 20 Jan 2023 22:59:06 +0000
Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com
 (10.129.200.67) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Fri, 20 Jan
 2023 14:58:57 -0800
Received: from jbobek-titan.nvidia.com (10.126.231.37) by
 rnnvmail201.nvidia.com (10.129.68.8) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.986.36; Fri, 20 Jan 2023 14:58:56 -0800
From: "Jan Bobek" <jbobek@nvidia.com>
To: <devel@edk2.groups.io>
CC: Jan Bobek <jbobek@nvidia.com>, Laszlo Ersek <lersek@redhat.com>, "Jiewen
 Yao" <jiewen.yao@intel.com>, Ard Biesheuvel <ardb+tianocore@kernel.org>,
	"Leif Lindholm" <quic_llindhol@quicinc.com>, Sami Mujawar
	<sami.mujawar@arm.com>, Gerd Hoffmann <kraxel@redhat.com>
Subject: [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled
Date: Fri, 20 Jan 2023 15:58:34 -0700
Message-ID: <20230120225835.42733-4-jbobek@nvidia.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230120225835.42733-1-jbobek@nvidia.com>
References: <20230120225835.42733-1-jbobek@nvidia.com>
MIME-Version: 1.0
Return-Path: jbobek@nvidia.com
X-Originating-IP: [10.126.231.37]
X-ClientProxiedBy: rnnvmail201.nvidia.com (10.129.68.8) To
 rnnvmail201.nvidia.com (10.129.68.8)
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: CY4PEPF0000C982:EE_|PH8PR12MB7328:EE_
X-MS-Office365-Filtering-Correlation-Id: 7f412aaa-2df8-4641-ebba-08dafb39ef1a
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
	QBFBNiFnh7Ax1uibNSgnUfrRsM4ykcqJ+Oo4DmMBBKf7Q3ca6Xf4aKxcp8oiSIbQSB0JIFy25cSaQx0F/indIPGudX/PQdUw6AjalQ3UZUamehE/IYfW2STq+tdv4vYtLv80jVtDr0kKKxmGTTrmYvoXQqXs0t2+UvVLjG9KJn2mxGSzHKE4ao5OwFeieH7TLKCq/rvi/AW5PNfE72YK+JUPaMZnJ32Lj6gzo0ejLFuY4WLxTlmHuOIcGGDdj+cm7xvuFUgWmxHbm2mjV8tK/Ck8+p4v7OGf9OYqIUX1ZMFxQUxsyi2NcX2zh0ijbhRhot7ZEpg3HDitxFaINYtPivEVxU8MJTig+U5lNhs/KmevrpScqT//fSLY+pbIHIx5DbvSFPAotgrBH0rLPBRP3rOOwiZqbLxC8dx5HZDch6JsfzliyPhXZOtqwXtVApxt/ezFWKIgVU0EyZugnf3dGr/3d6Vme64wMqNedJAQKGIwsAaeEWau2dryOwTztzK/lkYjS3qK/oNB0JasTqFpPtkW8bmtzEqxztrXXY1LbOsFpKXyC4thMt9LAdFyflnd4ohcz/gRNhU8CFHU0/dhaJTa+GLxONNgvAH08gPQQIRCbLK6B28cS0XU+VoCjt+bj4kwyge6LOV7sYIEU6z42aD/WV3jNWC4jqg5SHIC1kzz/J1b+/D77UIbe2DkTHMLalfS8goq84KTE+3RkROC0lNmqlA46M/B1K1J+aeRi1VrHWGsc9iBcYsjxUuiFQ0N/1gCDTVd6+l8WGB5bmZNVCKOGNMqIpipy596JqI1jm0=
X-Forefront-Antispam-Report: 
	CIP:216.228.117.161;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.nvidia.com;PTR:dc6edge2.nvidia.com;CAT:NONE;SFS:(13230022)(4636009)(376002)(136003)(346002)(39860400002)(396003)(451199015)(40470700004)(46966006)(36840700001)(36756003)(40460700003)(40480700001)(54906003)(316002)(6916009)(70206006)(8676002)(4326008)(41300700001)(70586007)(82740400003)(36860700001)(82310400005)(7696005)(7636003)(1076003)(356005)(6666004)(2616005)(5660300002)(966005)(2906002)(86362001)(8936002)(26005)(186003)(16526019)(336012)(47076005)(426003)(478600001);DIR:OUT;SFP:1101;
X-OriginatorOrg: Nvidia.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Jan 2023 22:59:06.7853
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 7f412aaa-2df8-4641-ebba-08dafb39ef1a
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.161];Helo=[mail.nvidia.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	CY4PEPF0000C982.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH8PR12MB7328
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2506

In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring
self-signed PK when SECURE_BOOT_ENABLE is TRUE.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Jan Bobek <jbobek@nvidia.com>
---
 ArmVirtPkg/ArmVirtCloudHv.dsc    | 4 ++++
 ArmVirtPkg/ArmVirtQemu.dsc       | 4 ++++
 ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc
index 7ca7a391d9cf..dc33936d6f03 100644
--- a/ArmVirtPkg/ArmVirtCloudHv.dsc
+++ b/ArmVirtPkg/ArmVirtCloudHv.dsc
@@ -85,6 +85,10 @@ [PcdsFeatureFlag.common]
=20
   gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
=20
+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
+!endif
+
 [PcdsFixedAtBuild.common]
 !if $(ARCH) =3D=3D AARCH64
   gArmTokenSpaceGuid.PcdVFPEnabled|1
diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
index 0f1c6395488a..31fd0e5279ab 100644
--- a/ArmVirtPkg/ArmVirtQemu.dsc
+++ b/ArmVirtPkg/ArmVirtQemu.dsc
@@ -145,6 +145,10 @@ [PcdsFeatureFlag.common]
=20
   gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)
=20
+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
+!endif
+
 [PcdsFixedAtBuild.common]
 !if $(ARCH) =3D=3D AARCH64
   gArmTokenSpaceGuid.PcdVFPEnabled|1
diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKerne=
l.dsc
index 807c85d48285..1e0f06c91137 100644
--- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
+++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
@@ -114,6 +114,10 @@ [PcdsFeatureFlag.common]
=20
   gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE
=20
+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE
+!endif
+
 [PcdsFixedAtBuild.common]
 !if $(ARCH) =3D=3D AARCH64
   gArmTokenSpaceGuid.PcdVFPEnabled|1
--=20
2.30.2