public inbox for devel@edk2.groups.io
From: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: edk2-devel@lists.01.org
Subject: Re: [OvmfPkg] Secure Boot issues
Date: Tue, 12 Jun 2018 16:51:49 +0200
Message-ID: <6583409f-e15f-bc73-d16e-bb59be8f2a2c@gmail.com>
In-Reply-To: <2660d487-aa83-e92c-c816-dd205470fea3@redhat.com>

Hey Laszlo,

On 12.06.2018 15:59, Laszlo Ersek wrote:
> On 06/12/18 15:12, Philipp Deppenwiese wrote:
>> Hey people,
>>
>> We are experiencing issues with UEFI secure boot enabled
>> on UDK 2018 for the OvmfPkg.
> UDK2018 does not include OvmfPkg; no UDK does, to my knowledge.
I mean the UDK2018 branch of https://github.com/tianocore/edk2/tree/UDK2018
>
>> Reproducible issue:
>>
>> 1) Add following code + files as dxe driver.
>> https://gist.github.com/zaolin/976d0d2ad68bcd05c10ffdb2530341fc
> This looks like a modified copy of (a possibly older version of) my
> EnrollDefaultKeys module. The latest source for that is available from
> the "edk2-20180529gitee3198e672e2-1.fc29" SRPM at
> <https://koji.fedoraproject.org/koji/buildinfo?buildID=1087595>.
Correct, I just moved it into a DXE driver and load certificates from
the FFS.
Do you know if there is a more common/normal/better way for populating
vendor certificates?
>
>> 2) Build OvmfPkg with -DSECURE_BOOT_ENABLE=TRUE
>> 3) Windows 10 boots and crashes in Qemu with a
>> KMODE_EXCEPTION_NOT_HANDLED.
>>
>> If we don't populate the keys or use Linux with secure boot turned on,
>> everything is totally fine.
> Relative to the EnrollDefaultKeys.c source that I know, your variant
> does not include the certificates as UINT8 arrays in the source code;
> instead it seems to include them in firmware filesystem (FFS) files, and
> to look them up with GetSectionFromAnyFv(). I assume you have some INF
> file changes as well, where you build the certificates as binary blobs
> into DXEFV.
>
> Did you verify that the exact same blobs (and same other arguments) are
> passed to the gRT->SetVariable() calls in your variant?
>
> I've now retested my variant with Windows 10 Enterprise N 2015 LTSB; it
> works as expected.
Thanks for the help. I am going to check if I do something wrong. But I
have run the FWTS test suite and checked the certificates with mokutil
under Linux, and everything looks fine so far. Also, Windows 10 in safe
mode with secure boot works, but not the normal mode.

We use the 14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISE_S_EVAL_X64
LTSB release for testing.
>
> Thanks,
> Laszlo

Best Regards, Philipp
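Laszlo's question above (are the exact same blobs being handed to gRT->SetVariable()?) is the kind of check that is easiest to answer by dumping the resulting db/KEK/PK variable and parsing it offline. The following is an added example, not code from this thread, from EnrollDefaultKeys or from edk2: it packs and parses the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout that Secure Boot variables use, sanity-checks each X.509 entry's DER length against the slot it occupies, and compares the certificates found with the set the driver was supposed to enroll. The two signature-type GUIDs are the UEFI specification values; the owner GUID and the "certificates" are constructed placeholders (DER SEQUENCE shells, not real certificates) so the script runs offline.

```python
"""Build and check EFI_SIGNATURE_LIST payloads as stored in db/KEK/PK.

Added example (not edk2 code). Layout per the UEFI specification:
  EFI_SIGNATURE_LIST: SignatureType (GUID), SignatureListSize (UINT32),
                      SignatureHeaderSize (UINT32), SignatureSize (UINT32),
                      SignatureHeader[], then EFI_SIGNATURE_DATA entries
  EFI_SIGNATURE_DATA: SignatureOwner (GUID), SignatureData[]
"""
import struct
import uuid
from dataclasses import dataclass

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

SIGLIST_HDR = struct.Struct("<16sIII")   # 28-byte EFI_SIGNATURE_LIST header
OWNER_LEN = 16                           # EFI_SIGNATURE_DATA.SignatureOwner

# Constructed placeholders: NOT real certificates, just DER SEQUENCE shells
# whose encoded length matches their size, so the length arithmetic is real.
FAKE_CERT_A = b"\x30\x82\x01\x00" + b"\xaa" * 256   # 260 bytes
FAKE_CERT_B = b"\x30\x81\xc8" + b"\xbb" * 200       # 203 bytes
FAKE_HASH = b"\x11" * 32                            # a SHA-256 dbx-style entry
OWNER = uuid.UUID("12345678-1234-1234-1234-123456789abc")  # constructed owner


@dataclass
class Signature:
    sig_type: uuid.UUID
    owner: uuid.UUID
    data: bytes


def build_siglist(sig_type, owner, blobs):
    """Pack blobs into one EFI_SIGNATURE_LIST (all entries must share a size)."""
    sizes = {len(b) for b in blobs}
    if len(sizes) != 1:
        raise ValueError("entries of one EFI_SIGNATURE_LIST must be equal-sized")
    sig_size = OWNER_LEN + sizes.pop()
    list_size = SIGLIST_HDR.size + len(blobs) * sig_size
    out = SIGLIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for b in blobs:
        out += owner.bytes_le + b      # GUIDs are stored in EFI (mixed-endian) form
    return out


def parse_siglists(buf):
    """Walk a variable payload made of concatenated EFI_SIGNATURE_LISTs."""
    sigs, off = [], 0
    while off < len(buf):
        if len(buf) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(buf, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(buf):
            raise ValueError(f"bad SignatureListSize {list_size} at {off}")
        if sig_size <= OWNER_LEN:
            raise ValueError(f"SignatureSize {sig_size} too small at {off}")
        body = list_size - SIGLIST_HDR.size - hdr_size
        if body % sig_size:
            raise ValueError(f"list at {off} is not a whole number of entries")
        pos = off + SIGLIST_HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=buf[pos:pos + OWNER_LEN])
            sigs.append(Signature(uuid.UUID(bytes_le=type_raw), owner,
                                  buf[pos + OWNER_LEN:pos + sig_size]))
            pos += sig_size
        off += list_size
    return sigs


def der_length_ok(data):
    """True if data is a single DER SEQUENCE whose length field fills the slot.

    A mismatch means padding, truncation or a wrong SignatureSize: exactly
    the kind of blob difference that makes a verifier reject a certificate.
    """
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return hdr + length == len(data)


def check_db_payload(payload, expected_certs):
    """Return a list of problems; empty means the payload matches expectations."""
    problems = []
    sigs = parse_siglists(payload)
    found = [s.data for s in sigs if s.sig_type == EFI_CERT_X509_GUID]
    for i, s in enumerate(sigs):
        if s.sig_type == EFI_CERT_X509_GUID and not der_length_ok(s.data):
            problems.append(f"entry {i}: X.509 DER length does not match slot")
        elif s.sig_type == EFI_CERT_SHA256_GUID and len(s.data) != 32:
            problems.append(f"entry {i}: SHA-256 entry is {len(s.data)} bytes")
    problems += [f"missing expected certificate #{i}"
                 for i, c in enumerate(expected_certs) if c not in found]
    problems += [f"unexpected certificate of {len(c)} bytes"
                 for c in found if c not in expected_certs]
    return problems


# Constructed sample "db": two certificate lists (different sizes, so they
# cannot share a list) plus one hash list, as a firmware might store it.
SAMPLE_DB = (build_siglist(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT_A])
             + build_siglist(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT_B])
             + build_siglist(EFI_CERT_SHA256_GUID, OWNER, [FAKE_HASH]))

if __name__ == "__main__":
    for s in parse_siglists(SAMPLE_DB):
        print(f"{s.sig_type} owner={s.owner} {len(s.data)} bytes")
    print("problems:", check_db_payload(SAMPLE_DB, [FAKE_CERT_A, FAKE_CERT_B]))
```

On a running system the payload to feed `check_db_payload` is the variable contents with the 4-byte attribute prefix stripped (for example the file under /sys/firmware/efi/efivars/ on Linux), and `expected_certs` are the DER files the driver embedded in its FFS sections; any difference in the reported set, or a DER length that does not fill its SignatureSize slot, points at the blob rather than at the OS.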


Thread overview: 12+ messages
2018-06-12 13:12 [OvmfPkg] Secure Boot issues Philipp Deppenwiese
2018-06-12 13:59 ` Laszlo Ersek
2018-06-12 14:51   ` Philipp Deppenwiese [this message]
2018-06-12 18:14     ` Laszlo Ersek
2018-06-13 13:45       ` Philipp Deppenwiese
2018-06-13 19:21         ` Laszlo Ersek
2018-06-13 19:41           ` Philipp Deppenwiese
2018-06-13 21:18             ` Laszlo Ersek
2018-06-13 21:25               ` Philipp Deppenwiese
2018-06-14 17:29                 ` Laszlo Ersek
2018-06-18 12:14                   ` Philipp Deppenwiese
2018-06-18 12:30                     ` Laszlo Ersek