Subject: Re: [edk2-devel] [PATCH 11/16] OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
To: devel@edk2.groups.io, lersek@redhat.com
Cc: Anthony Perard, Ard Biesheuvel, Jordan Justen, Julien Grall
References: <20190427005328.27005-1-lersek@redhat.com> <20190427005328.27005-12-lersek@redhat.com>
From: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-ID: <21f49eb4-f8a2-3530-9d5e-8e20f5b981f4@redhat.com>
Date: Tue, 30 Apr 2019 07:11:56 +0200
In-Reply-To: <20190427005328.27005-12-lersek@redhat.com>

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> The GUID
>
>   77FA9ABD-0359-4D32-BD60-28F4E78F784B
>
> is specified in MSDN, at
> , therefore it
> deserves an entry in the package DEC file, and a header file under
> "Include/Guid".
>
> (Arguably, this GUID declaration / definition could even live under
> SecurityPkg, but the edk2 tradition has been to hoist GUIDs,
> protocols/PPIs, and lib classes from OvmfPkg to a core package only when
> dependent C code is added to the core package.)
>
> Cc: Anthony Perard
> Cc: Ard Biesheuvel
> Cc: Jordan Justen
> Cc: Julien Grall
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek
> ---
>  OvmfPkg/OvmfPkg.dec                             |  1 +
>  OvmfPkg/Include/Guid/MicrosoftVendor.h          | 55 ++++++++++++++++++++
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  2 +
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   |  2 -
>  OvmfPkg/EnrollDefaultKeys/AuthData.c            | 28 ----------
>  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   |  7 +--
>  6 files changed, 62 insertions(+), 33 deletions(-)
>
> diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
> index cc2a4909afd4..922e061cc85c 100644
> --- a/OvmfPkg/OvmfPkg.dec
> +++ b/OvmfPkg/OvmfPkg.dec
> @@ -72,16 +72,17 @@ [LibraryClasses] > [Guids] > gUefiOvmfPkgTokenSpaceGuid = {0x93bb96af, 0xb9f2, 0x4eb8, {0x94, 0x62, 0xe0, 0xba, 0x74, 0x56, 0x42, 0x36}} > gEfiXenInfoGuid = {0xd3b46f3b, 0xd441, 0x1244, {0x9a, 0x12, 0x0, 0x12, 0x27, 0x3f, 0xc1, 0x4d}} > gOvmfPlatformConfigGuid = {0x7235c51c, 0x0c80, 0x4cab, {0x87, 0xac, 0x3b, 0x08, 0x4a, 0x63, 0x04, 0xb1}} > gVirtioMmioTransportGuid = {0x837dca9e, 0xe874, 0x4d82, {0xb2, 0x9a, 0x23, 0xfe, 0x0e, 0x23, 0xd1, 0xe2}} > gQemuRamfbGuid = {0x557423a1, 0x63ab, 0x406c, {0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}} > gXenBusRootDeviceGuid = {0xa732241f, 0x383d, 0x4d9c, {0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}} > gRootBridgesConnectedEventGroupGuid = {0x24a2d66f, 0xeedd, 0x4086, {0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}} > + gMicrosoftVendorGuid = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}} > > [Protocols] > gVirtioDeviceProtocolGuid = {0xfa920010, 0x6785, 0x4941, {0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}} > gXenBusProtocolGuid = {0x3d3ca290, 0xb9a5, 0x11e3, {0xb7, 0x5d, 0xb8, 0xac, 0x6f, 0x7d, 0x65, 0xe6}} > gXenIoProtocolGuid = {0x6efac84f, 0x0ab0, 0x4747, {0x81, 0xbe, 0x85, 0x55, 0x62, 0x59, 0x04, 0x49}} > gIoMmuAbsentProtocolGuid = {0xf8775d50, 0x8abd, 0x4adf, {0x92, 0xac, 0x85, 0x3e, 0x51, 0xf6, 0xc8, 0xdc}} > gEfiLegacy8259ProtocolGuid = {0x38321dba, 0x4fe0, 0x4e17, {0x8a, 0xec, 0x41, 0x30, 0x55, 0xea, 0xed, 0xc1}} > > diff --git a/OvmfPkg/Include/Guid/MicrosoftVendor.h b/OvmfPkg/Include/Guid/MicrosoftVendor.h > new file mode 100644 > index 000000000000..db7a326c3194 > --- /dev/null > +++ b/OvmfPkg/Include/Guid/MicrosoftVendor.h 
> @@ -0,0 +1,55 @@ > +/** @file > + Declare the GUID that is expected: > + > + - as EFI_SIGNATURE_DATA.SignatureOwner GUID in association with X509 and > + RSA2048 Secure Boot certificates issued by/for Microsoft, > + > + - as UEFI variable vendor GUID in association with (unspecified) > + Microsoft-owned variables. > + > + Copyright (C) 2014-2019, Red Hat, Inc. > + > + SPDX-License-Identifier: BSD-2-Clause-Patent > + > + @par Specification Reference: > + - MSDN: System.Fundamentals.Firmware at > + . > +**/ > + > +#ifndef MICROSOFT_VENDOR_H_ > +#define MICROSOFT_VENDOR_H_ > + > +#include > + > +// > +// The following test cases of the Secure Boot Logo Test in the Microsoft > +// Hardware Certification Kit: > +// > +// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent > +// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB > +// > +// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be > +// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the > +// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509 > +// certificates: > +// > +// - "Microsoft Corporation KEK CA 2011" (in KEK) > +// - "Microsoft Windows Production PCA 2011" (in db) > +// - "Microsoft Corporation UEFI CA 2011" (in db) > +// > +// This is despite the fact that the UEFI specification requires > +// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS, > +// application or driver) that enrolled and therefore owns > +// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued > +// EFI_SIGNATURE_DATA.SignatureData. > +// > +#define MICROSOFT_VENDOR_GUID \ > + { 0x77fa9abd, \ > + 0x0359, \ > + 0x4d32, \ > + { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, \ > + } > + > +extern EFI_GUID gMicrosoftVendorGuid; > + > +#endif /* MICROSOFT_VENDOR_H_ */ > diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf > index 3f093c768585..28db52586a9b 100644 
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf > +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf > @@ -17,27 +17,29 @@ [Defines] > [Sources] > AuthData.c > EnrollDefaultKeys.c > EnrollDefaultKeys.h > > [Packages] > MdeModulePkg/MdeModulePkg.dec > MdePkg/MdePkg.dec > + OvmfPkg/OvmfPkg.dec > SecurityPkg/SecurityPkg.dec > ShellPkg/ShellPkg.dec > > [Guids] > gEfiCertPkcs7Guid > gEfiCertSha256Guid > gEfiCertX509Guid > gEfiCustomModeEnableGuid > gEfiGlobalVariableGuid > gEfiImageSecurityDatabaseGuid > gEfiSecureBootEnableDisableGuid > + gMicrosoftVendorGuid > > [LibraryClasses] > BaseMemoryLib > DebugLib > MemoryAllocationLib > ShellCEntryLib > UefiLib > UefiRuntimeServicesTableLib > diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h > index 07f4aa04e469..e3a7e43da4e3 100644 > --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h > +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h > @@ -133,11 +133,9 @@ extern CONST UINT8 mMicrosoftPca[]; > extern CONST UINTN mSizeOfMicrosoftPca; > > extern CONST UINT8 mMicrosoftUefiCa[]; > extern CONST UINTN mSizeOfMicrosoftUefiCa; > > extern CONST UINT8 mSha256OfDevNull[]; > extern CONST UINTN mSizeOfSha256OfDevNull; > > -extern CONST EFI_GUID mMicrosoftOwnerGuid; > - > #endif /* ENROLL_DEFAULT_KEYS_H_ */ > diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c > index e0a543785fb5..9a96dcc440b3 100644 > --- a/OvmfPkg/EnrollDefaultKeys/AuthData.c > +++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c 
> @@ -518,36 +518,8 @@ CONST UINTN mSizeOfMicrosoftUefiCa = sizeof mMicrosoftUefiCa; > // > CONST UINT8 mSha256OfDevNull[] = { > 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, > 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, > 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 > }; > > CONST UINTN mSizeOfSha256OfDevNull = sizeof mSha256OfDevNull; > - > - > -// > -// The following test cases of the Secure Boot Logo Test in the Microsoft > -// Hardware Certification Kit: > -// > -// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent > -// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB > -// > -// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be > -// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the > -// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509 > -// certificates: > -// > -// - "Microsoft Corporation KEK CA 2011" (in KEK) > -// - "Microsoft Windows Production PCA 2011" (in db) > -// - "Microsoft Corporation UEFI CA 2011" (in db) > -// > -// This is despite the fact that the UEFI specification requires > -// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS, > -// application or driver) that enrolled and therefore owns > -// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued > -// EFI_SIGNATURE_DATA.SignatureData. > -// > -CONST EFI_GUID mMicrosoftOwnerGuid = { > - 0x77fa9abd, 0x0359, 0x4d32, > - { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, > -}; > diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c > index 528718b15ae9..e4f6a50e008b 100644 > --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c > +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c 
> @@ -3,16 +3,17 @@ > > Copyright (C) 2014-2019, Red Hat, Inc. > > SPDX-License-Identifier: BSD-2-Clause-Patent > **/ > #include // gEfiCustomModeEnableGuid > #include // EFI_SETUP_MODE_NAME > #include // EFI_IMAGE_SECURITY_DATABASE > +#include // gMicrosoftVendorGuid > #include // CopyGuid() > #include // ASSERT() > #include // FreePool() > #include // ShellAppMain() > #include // AsciiPrint() > #include // gRT > > #include "EnrollDefaultKeys.h" > @@ -310,18 +311,18 @@ ShellAppMain ( > return 1; > } > } > > Status = EnrollListOfCerts ( > EFI_IMAGE_SECURITY_DATABASE, > &gEfiImageSecurityDatabaseGuid, > &gEfiCertX509Guid, > - mMicrosoftPca, mSizeOfMicrosoftPca, &mMicrosoftOwnerGuid, > - mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &mMicrosoftOwnerGuid, > + mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGuid, > + mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid, > NULL); > if (EFI_ERROR (Status)) { > return 1; > } > > Status = EnrollListOfCerts ( > EFI_IMAGE_SECURITY_DATABASE1, > &gEfiImageSecurityDatabaseGuid, > @@ -332,17 +333,17 @@ ShellAppMain ( > return 1; > } > > Status = EnrollListOfCerts ( > EFI_KEY_EXCHANGE_KEY_NAME, > &gEfiGlobalVariableGuid, > &gEfiCertX509Guid, > mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid, > - mMicrosoftKek, mSizeOfMicrosoftKek, &mMicrosoftOwnerGuid, > + mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid, > NULL); > if (EFI_ERROR (Status)) { > return 1; > } > > Status = EnrollListOfCerts ( > EFI_PLATFORM_KEY_NAME, > &gEfiGlobalVariableGuid, > Reviewed-by: Philippe Mathieu-Daude
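Review bot: on the OvmfPkg.dec hunk, the `gMicrosoftVendorGuid` value added under `[Guids]` is byte-for-byte the initializer that the AuthData.c hunk removes from `mMicrosoftOwnerGuid` and the `MICROSOFT_VENDOR_GUID` macro in the new header, so the SignatureOwner value enrolled into db and KEK does not change with this patch. The DEC line is the one AutoGen uses to emit the `gMicrosoftVendorGuid` symbol that the header's `extern` refers to, while the macro in the header is a second, independent statement of the same GUID; anyone touching either later needs to keep the two in sync, which is worth a short comment next to the macro.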
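Review bot: in the MicrosoftVendor.h hunk, the target of the `#include` line and the MSDN link after `@par Specification Reference:` did not survive quoting (they read `#include ` and a bare `.` here); the file uses `EFI_GUID`, so that include has to name the UEFI base-types header, and the reference should carry the full URL, since it is the only citation for why `EFI_SIGNATURE_DATA.SignatureOwner` is set to an issuer GUID here, in deviation from the UEFI specification as the comment block itself spells out. The `extern EFI_GUID gMicrosoftVendorGuid;` declaration is only resolved for a module that lists `gMicrosoftVendorGuid` under `[Guids]` in its INF and depends on OvmfPkg/OvmfPkg.dec, which the EnrollDefaultKeys.inf hunk does; that requirement is worth stating in the header comment for future consumers.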
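Review bot: in the EnrollDefaultKeys.c hunk, the three call sites switched from `&mMicrosoftOwnerGuid` to `&gMicrosoftVendorGuid` (`mMicrosoftPca` and `mMicrosoftUefiCa` in db, `mMicrosoftKek` in KEK) are exactly the three certificates the new header's comment lists as needing that owner GUID for the `OutOfBoxVerifyMicrosoftKEKpresent` and `OutOfBoxConfirmMicrosoftSignatureInDB` checks, while `mRedHatPkKek1` keeps `&gEfiCallerIdGuid`, i.e. the spec-conformant "enrolling agent" owner. That split is deliberate but invisible at the `EnrollListOfCerts` calls; a one-line comment there would stop a later reader from "fixing" the Microsoft entries back to the caller ID and silently failing those checks. The added `#include` for `gMicrosoftVendorGuid` sits after the other GUID includes and before the library includes, judging by the trailing comments, so the existing ordering is preserved.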