From: "Kun Qin" <kuqin12@gmail.com>
To: devel@edk2.groups.io, jiewen.yao@intel.com
Cc: "Wang, Jian J" <jian.j.wang@intel.com>,
"Xu, Min M" <min.m.xu@intel.com>,
Sean Brogan <sean.brogan@microsoft.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
Gerd Hoffmann <kraxel@redhat.com>,
Rebecca Cran <rebecca@bsdio.com>,
Peter Grehan <grehan@freebsd.org>,
"Boeuf, Sebastien" <sebastien.boeuf@intel.com>,
Andrew Fish <afish@apple.com>, "Ni, Ray" <ray.ni@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable Libraries
Date: Wed, 29 Jun 2022 17:23:37 -0700 [thread overview]
Message-ID: <578e5abd-c22b-ed1f-cbf7-3d2b478f4f36@gmail.com> (raw)
In-Reply-To: <MW4PR11MB5872218B292DAE6EDBD3B48D8CBA9@MW4PR11MB5872.namprd11.prod.outlook.com>
[-- Attachment #1: Type: text/plain, Size: 13207 bytes --]
Thanks, Jiewen. I will incorporate the change you suggested below and
re-validate on the platforms we have, while I wait for the tags from MU
repo owners.
Regards,
Kun
On 6/29/2022 5:19 PM, Yao, Jiewen wrote:
>
> Sounds great.
>
> 1) I assume that if it is accepted by project MU, then it must be
> reviewed and tested. Please add required tag in next patch set.
>
> 2) I suggest just use one of: a) all zero, b) initial data Jan/1/1970,
> c) current data.
>
> With above change, reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
>
> Thank you
>
> Yao, Jiewen
>
> *From:* devel@edk2.groups.io <devel@edk2.groups.io> *On Behalf Of *Kun Qin
> *Sent:* Thursday, June 30, 2022 2:07 AM
> *To:* devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> *Cc:* Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M
> <min.m.xu@intel.com>; Sean Brogan <sean.brogan@microsoft.com>; Ard
> Biesheuvel <ardb+tianocore@kernel.org>; Justen, Jordan L
> <jordan.l.justen@intel.com>; Gerd Hoffmann <kraxel@redhat.com>;
> Rebecca Cran <rebecca@bsdio.com>; Peter Grehan <grehan@freebsd.org>;
> Boeuf, Sebastien <sebastien.boeuf@intel.com>; Andrew Fish
> <afish@apple.com>; Ni, Ray <ray.ni@intel.com>
> *Subject:* Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot
> Variable Libraries
>
> Hi Jiewen,
>
> Thanks for reading through these patches.
>
> For #1, yes, we implemented these changes in project MU and validated
> them on both our virtual platform
> (https://github.com/microsoft/mu_tiano_platforms) and other
> proprietary hardware platforms. I will leave the acked-by or tested-by
> to others on the MU teams.
>
> For #2, this is just an arbitrary timestamp from a previous date so
> that we can create time based payload without hard dependency on time
> protocol (which could result in potential executing sequence issue). I
> will update comment to avoid confusion in the next round of patch. But
> should you have other suggestions to improve this, please let me know.
>
> Regards,
> Kun
>
> On 6/29/2022 1:50 AM, Yao, Jiewen wrote:
>
> Hi Kun
>
> Thank you to make the redesign.
>
> Overall the patch set looks good to me. Some questions:
>
> 1. Is that from project MU? If so, I would like to see acked-by
> or tested-by from project MU owner. That can give me more
> confidence to accept it. 😊
>
> 2. Is below data from some document? If so, would please add URL?
> Also, why do we have to use this timestamp? What if a
> different timestamp is used?
>
> +// MS Default Time-Based Payload Creation Date
>
> +// This is the date that is used when creating SecureBoot default
> variables.
>
> +// NOTE: This is a placeholder date that doesn't correspond to
> anything else.
>
> +//
>
> +EFI_TIME mDefaultPayloadTimestamp = {
>
> + 15, // Year (2015)
>
> + 8, // Month (Aug)
>
> + 28, // Day (28)
>
> + 0, // Hour
>
> + 0, // Minute
>
> + 0, // Second
>
> + 0, // Pad1
>
> + 0, // Nanosecond
>
> + 0, // Timezone (Dummy value)
>
> + 0, // Daylight (Dummy value)
>
> + 0 // Pad2
>
> +};
>
> *From:* Kun Qin <kuqin12@gmail.com> <mailto:kuqin12@gmail.com>
> *Sent:* Wednesday, June 29, 2022 5:19 AM
> *To:* edk2-devel-groups-io <devel@edk2.groups.io>
> <mailto:devel@edk2.groups.io>; kuqin12@gmail.com
> *Cc:* Yao, Jiewen <jiewen.yao@intel.com>
> <mailto:jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com> <mailto:jian.j.wang@intel.com>; Xu, Min M
> <min.m.xu@intel.com> <mailto:min.m.xu@intel.com>; Sean Brogan
> <sean.brogan@microsoft.com> <mailto:sean.brogan@microsoft.com>;
> Ard Biesheuvel <ardb+tianocore@kernel.org>
> <mailto:ardb+tianocore@kernel.org>; Justen, Jordan L
> <jordan.l.justen@intel.com> <mailto:jordan.l.justen@intel.com>;
> Gerd Hoffmann <kraxel@redhat.com> <mailto:kraxel@redhat.com>;
> Rebecca Cran <rebecca@bsdio.com> <mailto:rebecca@bsdio.com>; Peter
> Grehan <grehan@freebsd.org> <mailto:grehan@freebsd.org>; Boeuf,
> Sebastien <sebastien.boeuf@intel.com>
> <mailto:sebastien.boeuf@intel.com>; Andrew Fish <afish@apple.com>
> <mailto:afish@apple.com>; Ni, Ray <ray.ni@intel.com>
> <mailto:ray.ni@intel.com>
> *Subject:* Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot
> Variable Libraries
>
> Hi SecurityPkg maintainers & reviewers,
>
> I posted this patch series a while back intending to generalize
> the usage of a few interfaces from secure boot libraries. Could
> you please help reviewing them and provide feedback? Any input is
> appreciated.
>
> Regards,
>
> Kun
>
> On Mon, Jun 13, 2022 at 1:39 PM Kun Qin via groups.io
> <http://groups.io> <kuqin12=gmail.com@groups.io> wrote:
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911
>
> This is a revamp of a previously submitted patch series based
> on top of
> master branch: https://edk2.groups.io/g/devel/message/89507.
> No changes
> added.
>
> Current SecureBootVariableLib provide great support for
> deleting secure
> boot related variables, creating time-based payloads.
>
> However, for secure boot enrollment, the
> SecureBootVariableProvisionLib
> interfaces always assume the changes from variable storage,
> limiting the
> usage, requiring existing platforms to change key
> initialization process
> to adapt to the new methods, as well as bringing in extra
> dependencies
> such as FV protocol, time protocols.
>
> This patch series proposes to update the implementation for
> Secure Boot
> Variable libraries and their consumers to better support the
> related
> variables operations.
>
> Patch v2 branch:
> https://github.com/kuqin12/edk2/tree/secure_boot_enhance_v2
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org
> <mailto:ardb%2Btianocore@kernel.org>>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Rebecca Cran <rebecca@bsdio.com>
> Cc: Peter Grehan <grehan@freebsd.org>
> Cc: Sebastien Boeuf <sebastien.boeuf@intel.com>
> Cc: Andrew Fish <afish@apple.com>
> Cc: Ray Ni <ray.ni@intel.com>
>
> Kun Qin (8):
> SecurityPkg: UefiSecureBoot: Definitions of cert and payload
> structures
> SecurityPkg: PlatformPKProtectionLib: Added PK protection
> interface
> SecurityPkg: SecureBootVariableLib: Updated time based
> payload creator
> SecurityPkg: SecureBootVariableProvisionLib: Updated
> implementation
> SecurityPkg: Secure Boot Drivers: Added common header files
> SecurityPkg: SecureBootConfigDxe: Updated invocation pattern
> OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency
> EmulatorPkg: Pipeline: Resolve SecureBootVariableLib dependency
>
> kuqin (3):
> SecurityPkg: SecureBootVariableLib: Updated signature list
> creator
> SecurityPkg: SecureBootVariableLib: Added newly supported
> interfaces
> SecurityPkg: SecureBootVariableLib: Added unit tests
>
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> | 1 +
> SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
> | 51 +
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> | 486 ++++-
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c
> | 36 +
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c
> | 201 ++
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c
> | 13 +
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c
> | 2037 ++++++++++++++++++++
> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
> | 145 +-
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> | 128 +-
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
> | 1 +
> EmulatorPkg/EmulatorPkg.dsc
> | 1 +
> OvmfPkg/Bhyve/BhyveX64.dsc
> | 1 +
> OvmfPkg/CloudHv/CloudHvX64.dsc
> | 1 +
> OvmfPkg/IntelTdx/IntelTdxX64.dsc
> | 1 +
> OvmfPkg/OvmfPkgIa32.dsc
> | 1 +
> OvmfPkg/OvmfPkgIa32X64.dsc
> | 1 +
> OvmfPkg/OvmfPkgX64.dsc
> | 1 +
> SecurityPkg/Include/Library/PlatformPKProtectionLib.h
> | 31 +
> SecurityPkg/Include/Library/SecureBootVariableLib.h
> | 103 +-
> SecurityPkg/Include/UefiSecureBoot.h
> | 94 +
> SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
> | 36 +
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> | 14 +-
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf
> | 33 +
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf
> | 45 +
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf
> | 25 +
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf
> | 36 +
> SecurityPkg/SecurityPkg.ci.yaml
> | 11 +
> SecurityPkg/SecurityPkg.dec
> | 5 +
> SecurityPkg/SecurityPkg.dsc
> | 2 +
> SecurityPkg/Test/SecurityPkgHostTest.dsc
> | 38 +
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> | 1 +
> 31 files changed, 3468 insertions(+), 112 deletions(-)
> create mode 100644
> SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c
> create mode 100644
> SecurityPkg/Include/Library/PlatformPKProtectionLib.h
> create mode 100644 SecurityPkg/Include/UefiSecureBoot.h
> create mode 100644
> SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf
> create mode 100644 SecurityPkg/Test/SecurityPkgHostTest.dsc
>
> --
> 2.35.1.windows.2
>
>
>
>
>
>
>
[-- Attachment #2: Type: text/html, Size: 28384 bytes --]
next prev parent reply other threads:[~2022-06-30 0:23 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <16F848B3160A57C1.5246@groups.io>
2022-06-28 21:18 ` [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable Libraries Kun Qin
2022-06-29 8:50 ` Yao, Jiewen
2022-06-29 18:06 ` Kun Qin
2022-06-30 0:19 ` Yao, Jiewen
2022-06-30 0:23 ` Kun Qin [this message]
2022-06-13 20:39 Kun Qin
2022-06-30 19:44 ` [edk2-devel] " Michael Kubacki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=578e5abd-c22b-ed1f-cbf7-3d2b478f4f36@gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox