From: Philipp Deppenwiese
To: Laszlo Ersek
Cc: edk2-devel@lists.01.org
Date: Tue, 12 Jun 2018 16:51:49 +0200
Subject: Re: [OvmfPkg] Secure Boot issues
Message-ID: <6583409f-e15f-bc73-d16e-bb59be8f2a2c@gmail.com>
In-Reply-To: <2660d487-aa83-e92c-c816-dd205470fea3@redhat.com>
References: <2660d487-aa83-e92c-c816-dd205470fea3@redhat.com>

Hey Laszlo,

On 12.06.2018 15:59, Laszlo Ersek wrote:
> On 06/12/18 15:12, Philipp Deppenwiese wrote:
>> Hey people,
>>
>> We are experiencing issues with UEFI secure boot enabled
>> on UDK 2018 for the OvmfPkg.
> UDK2018 does not include OvmfPkg; no UDK does, to my knowledge.

I mean the UDK2018 branch of https://github.com/tianocore/edk2/tree/UDK2018

>> Reproducible issue:
>>
>> 1) Add the following code + files as a DXE driver.
>> https://gist.github.com/zaolin/976d0d2ad68bcd05c10ffdb2530341fc
> This looks like a modified copy of (a possibly older version of) my
> EnrollDefaultKeys module. The latest source for that is available from
> the "edk2-20180529gitee3198e672e2-1.fc29" SRPM at
> .

Correct, I just moved it into a DXE driver and load the certificates from the FFS. Do you know if there is a more common/normal/better way of populating vendor certificates?

>> 2) Build OvmfPkg with -DSECURE_BOOT_ENABLE=TRUE
>> 3) Windows 10 boots and crashes in Qemu with a
>> KMODE_EXCEPTION_NOT_HANDLED.
>>
>> If we don't populate the keys or use Linux with secure boot turned on,
>> everything is totally fine.
> Relative to the EnrollDefaultKeys.c source that I know, your variant
> does not include the certificates as UINT8 arrays in the source code;
> instead it seems to include them in firmware filesystem (FFS) files, and
> to look them up with GetSectionFromAnyFv(). I assume you have some INF
> file changes as well, where you build the certificates as binary blobs
> into DXEFV.
>
> Did you verify that the exact same blobs (and same other arguments) are
> passed to the gRT->SetVariable() calls in your variant?
>
> I've now retested my variant with Windows 10 Enterprise N 2015 LTSB; it
> works as expected.

Thanks for the help. I am going to check if I am doing something wrong. But I have run the FWTS test suite and checked the certificates with mokutil under Linux, and everything looks fine so far. Also, Windows 10 in safe mode with secure boot works, but not in normal mode. We use the 14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISE_S_EVAL_X64 LTSB release for testing.

> Thanks,
> Laszlo

Best Regards,
Philipp
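Laszlo's question above is whether the blobs read from FFS reach gRT->SetVariable() byte-for-byte. The following is an added example, not code from the EnrollDefaultKeys module or from OVMF: it builds the single-entry EFI_SIGNATURE_LIST layout that the db/KEK/PK variables expect around one X.509 DER certificate, and checks a blob for consistency (signature type GUID, list and entry sizes, and the DER outer length) before it is enrolled. The struct layouts follow the UEFI specification; kSampleDer and kSampleOwner are constructed placeholders, not a real certificate or vendor GUID.

```c
#include <stdint.h>
#include <string.h>
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct {
  EFI_GUID SignatureType;       /* EFI_CERT_X509_GUID for DER certificates */
  uint32_t SignatureListSize;   /* whole list, including this header */
  uint32_t SignatureHeaderSize; /* 0 for X.509 lists */
  uint32_t SignatureSize;       /* sizeof(owner GUID) + certificate length */
} EFI_SIGNATURE_LIST;           /* each entry: EFI_GUID SignatureOwner, then the DER bytes */
static const EFI_GUID EFI_CERT_X509_GUID = { 0xa5c059a1, 0x94e4, 0x4aa7, { 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 } };
/* Constructed placeholder DER (SEQUENCE { INTEGER 5 }) and owner GUID, not a real certificate. */
static const uint8_t kSampleDer[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const EFI_GUID kSampleOwner = { 0x11111111, 0x2222, 0x3333, { 4, 4, 4, 4, 4, 4, 4, 4 } };

/* Length of the outer DER SEQUENCE (tag + length bytes + content), or 0 if malformed. */
static size_t der_total_len(const uint8_t *p, size_t n) {
  if (n < 2 || p[0] != 0x30) return 0;
  if (p[1] < 0x80) return 2 + p[1];
  size_t nb = p[1] & 0x7f, len = 0;
  if (nb == 0 || nb > 4 || n < 2 + nb) return 0;
  for (size_t i = 0; i < nb; i++) len = (len << 8) | p[2 + i];
  return 2 + nb + len;
}

/* Wrap one DER certificate into a single-entry list; returns bytes written, or 0 on error. */
size_t wrap_x509_cert(const uint8_t *der, size_t der_len, const EFI_GUID *owner,
                      uint8_t *out, size_t out_cap) {
  size_t total = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID) + der_len;
  if (der_total_len(der, der_len) != der_len || total > out_cap) return 0;
  EFI_SIGNATURE_LIST hdr = { EFI_CERT_X509_GUID, (uint32_t)total, 0,
                             (uint32_t)(sizeof(EFI_GUID) + der_len) };
  memcpy(out, &hdr, sizeof hdr);
  memcpy(out + sizeof hdr, owner, sizeof *owner);
  memcpy(out + sizeof hdr + sizeof *owner, der, der_len);
  return total;
}

/* Check a blob (e.g. one read back from FFS) before handing it to SetVariable(): 1 if consistent. */
int check_x509_signature_list(const uint8_t *buf, size_t len, size_t *cert_len) {
  EFI_SIGNATURE_LIST hdr;
  if (len < sizeof hdr) return 0;
  memcpy(&hdr, buf, sizeof hdr);
  if (memcmp(&hdr.SignatureType, &EFI_CERT_X509_GUID, sizeof(EFI_GUID)) != 0) return 0;
  if (hdr.SignatureListSize != len || hdr.SignatureHeaderSize != 0) return 0;
  if (hdr.SignatureSize <= sizeof(EFI_GUID) || len - sizeof hdr != hdr.SignatureSize) return 0;
  size_t clen = hdr.SignatureSize - sizeof(EFI_GUID);         /* exactly one entry */
  if (der_total_len(buf + sizeof hdr + sizeof(EFI_GUID), clen) != clen) return 0;
  if (cert_len) *cert_len = clen;
  return 1;
}
```

Running the check over the bytes a driver actually passes to SetVariable(), and comparing the embedded DER against the original file, is one way to confirm the FFS lookup returned the intended blob.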