Re: [OvmfPkg] Secure Boot issues

[Laszlo Ersek <lersek@redhat.com>]

On 06/12/18 15:12, Philipp Deppenwiese wrote:
> Hey people,
> 
> We are experiencing issues with UEFI secure boot enabled
> on UDK 2018 for the OvmfPkg.

UDK2018 does not include OvmfPkg; no UDK does, to my knowledge.

> Reproducible issue:
> 
> 1) Add following code + files as dxe driver.
> https://gist.github.com/zaolin/976d0d2ad68bcd05c10ffdb2530341fc

This looks like a modified copy of (a possibly older version of) my
EnrollDefaultKeys module. The latest source for that is available from
the "edk2-20180529gitee3198e672e2-1.fc29" SRPM at
<https://koji.fedoraproject.org/koji/buildinfo?buildID=1087595>.

> 2) Build OvmfPkg with -DSECURE_BOOT_ENABLE=TRUE
> 3) Windows 10 boots and crashes in Qemu with a
> /KMODE_EXCEPTION_NOT_HANDLED./
> 
> If we don't populate the keys or use Linux in with secure boot turned on
> everything is totally fine.

Relative to the EnrollDefaultKeys.c source that I know, your variant
does not include the certificates as UINT8 arrays in the source code;
instead it seems to include them in firmware filesystem (FFS) files, and
to look them up with GetSectionFromAnyFv(). I assume you have some INF
file changes as well, where you build the certificates as binary blobs
into DXEFV.

Did you verify that the exact same blobs (and same other arguments) are
passed to the gRT->SetVariable() calls in your variant?

I've now retested my variant with Windows 10 Enterprise N 2015 LTSB; it
works as expected.

Thanks,
Laszlo