From: Laszlo Ersek <lersek@redhat.com>
To: Philipp Deppenwiese
Cc: edk2-devel@lists.01.org
Subject: Re: [OvmfPkg] Secure Boot issues
Date: Tue, 12 Jun 2018 15:59:22 +0200
Message-ID: <2660d487-aa83-e92c-c816-dd205470fea3@redhat.com>
List-Id: EDK II Development
Content-Type: text/plain; charset=utf-8

On 06/12/18 15:12, Philipp Deppenwiese wrote:
> Hey people,
>
> We are experiencing issues with UEFI secure boot enabled
> on UDK 2018 for the OvmfPkg.

UDK2018 does not include OvmfPkg; no UDK does, to my knowledge.

> Reproducible issue:
>
> 1) Add following code + files as dxe driver.
> https://gist.github.com/zaolin/976d0d2ad68bcd05c10ffdb2530341fc

This looks like a modified copy of (a possibly older version of) my
EnrollDefaultKeys module. The latest source for that is available from
the "edk2-20180529gitee3198e672e2-1.fc29" SRPM at .

> 2) Build OvmfPkg with -DSECURE_BOOT_ENABLE=TRUE
> 3) Windows 10 boots and crashes in Qemu with a
> /KMODE_EXCEPTION_NOT_HANDLED./
>
> If we don't populate the keys or use Linux with secure boot turned on
> everything is totally fine.

Relative to the EnrollDefaultKeys.c source that I know, your variant
does not include the certificates as UINT8 arrays in the source code;
instead it seems to include them in firmware filesystem (FFS) files, and
to look them up with GetSectionFromAnyFv(). I assume you have some INF
file changes as well, where you build the certificates as binary blobs
into DXEFV.

Did you verify that the exact same blobs (and same other arguments) are
passed to the gRT->SetVariable() calls in your variant?

I've now retested my variant with Windows 10 Enterprise N 2015 LTSB; it
works as expected.

Thanks,
Laszlo
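Laszlo's question above is whether the blobs read out of the FFS sections are byte-for-byte the DER certificates that were meant for gRT->SetVariable(). The host-side C check below is an added example, not code from this thread or from EnrollDefaultKeys: it parses the outer DER SEQUENCE header of an X.509 certificate and compares the encoded size with the size of the blob actually handed over, which flags truncation or trailing bytes (such as padding picked up when the certificate was wrapped into a raw FFS file). The sample blobs are constructed stand-ins, not real certificates; the function names and the hypothesis that padding or truncation is involved are my own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of checking a blob before it is enrolled into PK/KEK/db. */
typedef enum {
    BLOB_OK = 0,          /* blob is exactly one DER SEQUENCE (the X.509 outer wrapper) */
    BLOB_BAD_TAG,         /* does not start with a SEQUENCE tag (0x30) */
    BLOB_BAD_LENGTH,      /* DER length octets are indefinite or unreasonably long */
    BLOB_TRUNCATED,       /* encoded length runs past the end of the blob */
    BLOB_TRAILING_BYTES   /* extra bytes follow the certificate, e.g. file padding */
} BlobStatus;

/* Parse the outer SEQUENCE header; on success store the total encoded size in *encoded. */
static int der_sequence_size(const uint8_t *buf, size_t len, size_t *encoded)
{
    size_t hdr = 2, body = 0;
    if (len < 2 || buf[0] != 0x30) return -1;          /* not a SEQUENCE */
    if (buf[1] < 0x80) {                               /* short-form length */
        body = buf[1];
    } else {                                           /* long form: n length octets follow */
        size_t n = buf[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len < 2 + n) return -2;
        for (size_t k = 0; k < n; k++) body = (body << 8) | buf[2 + k];
        hdr += n;
    }
    if (body > SIZE_MAX - hdr) return -2;              /* would overflow size_t */
    *encoded = hdr + body;
    return 0;
}

/* Compare the DER-encoded size with the blob size passed to SetVariable(). */
BlobStatus check_cert_blob(const uint8_t *blob, size_t blob_len)
{
    size_t encoded;
    int rc = der_sequence_size(blob, blob_len, &encoded);
    if (rc == -1) return BLOB_BAD_TAG;
    if (rc == -2) return BLOB_BAD_LENGTH;
    if (encoded > blob_len) return BLOB_TRUNCATED;
    if (encoded < blob_len) return BLOB_TRAILING_BYTES;
    return BLOB_OK;
}

int main(void)
{
    /* Constructed stand-in for a certificate: SEQUENCE { INTEGER 5 }, 5 bytes long. */
    static const uint8_t cert[] = {0x30, 0x03, 0x02, 0x01, 0x05};
    /* The same blob as it might come back from a padded raw FFS section. */
    static const uint8_t padded[] = {0x30, 0x03, 0x02, 0x01, 0x05, 0xff, 0xff, 0xff};
    printf("exact:  %d\n", check_cert_blob(cert, sizeof cert));      /* 0 = BLOB_OK */
    printf("padded: %d\n", check_cert_blob(padded, sizeof padded));  /* 4 = BLOB_TRAILING_BYTES */
    return 0;
}
```

In a DXE driver the same comparison can be made on the buffer and size returned by GetSectionFromAnyFv() right before the gRT->SetVariable() call, so a mismatch is caught at enrollment time rather than at the next boot.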