public inbox for devel@edk2.groups.io
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Kinney, Michael D" <michael.d.kinney@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>
Subject: Re: [PATCH 0/4] Show test key info on front page
Date: Mon, 10 Oct 2016 03:43:37 +0000
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C50386A07ED@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <E92EE9817A31E24EB0585FDF735412F564820E2D@ORSMSX113.amr.corp.intel.com>

Hi Mike
That is a good idea, which we did consider before.

However, the problem is: only the platform knows which key is the recovery key and which key is the capsule update key.

The SecurityPkg only knows whether it is an RSA2048SHA256 key or a PKCS7 cert; it does not know what the purpose is.
It is also legal for a platform to choose another instance besides PKCS7 or RSA2048SHA256, such as SM2, which is a Chinese algo, for recovery or capsule update.

What we want to show in the UI is the "purpose" of the key, not the "algorithm" of the key.
PlatformPkg knows the former, while SecurityPkg knows the latter.

Please let me know your thoughts.


Thank you
Yao Jiewen

From: Kinney, Michael D
Sent: Monday, October 10, 2016 1:25 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; edk2-devel@lists.01.org; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2] [PATCH 0/4] Show test key info on front page

Jiewen,

It does not make sense to put the check for use of test keys into a platform specific
library that requires every platform to implement that logic. The real consumers of these
keys are the section extraction libs in the SecurityPkg.  Can we move these checks into
those libraries?

Mike

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Jiewen Yao
> Sent: Sunday, October 9, 2016 4:58 AM
> To: edk2-devel@lists.01.org
> Subject: [edk2] [PATCH 0/4] Show test key info on front page
>
> This patch series supports showing the test key information
> on the front page.
> PcdTestKeyUsed is added to MdeModulePkg.
>
> This PCD can be set by the platform to indicate if there is any
> test key used in the current BIOS, such as a recovery key
> or a capsule update key.
> Then the generic UI may consume this PCD to show warning information.
>
> Jiewen Yao (4):
>   MdeModulePkg/dec: Add PcdTestKeyUsed PCD.
>   MdeModulePkg/UiApp: Show test key warning info in FrontPage.
>   QuarkPlatformPkg/Bds: Produce PcdTestKeyUsed.
>   Vlv2TbleDevicePkg/Bds: Produce PcdTestKeyUsed.
>
>  MdeModulePkg/Application/UiApp/FrontPageCustomizedUi.c                     | 34
> ++++++++++++++++++++
>  MdeModulePkg/Application/UiApp/FrontPageStrings.uni                        |  8
> ++++-
>  MdeModulePkg/Application/UiApp/UiApp.inf                                   |  3 +-
>  MdeModulePkg/MdeModulePkg.dec                                              | 11
> +++++++
>  QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManager.c      | 11
> +++++++
>  QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManager.h      |  5 +++
>  QuarkPlatformPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf |  1 +
>  Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.c                     | 11
> +++++++
>  Vlv2TbltDevicePkg/Library/PlatformBdsLib/BdsPlatform.h                     |  5 +++
>  Vlv2TbltDevicePkg/Library/PlatformBdsLib/PlatformBdsLib.inf                |  2 ++
>  10 files changed, 89 insertions(+), 2 deletions(-)
>
> --
> 2.7.4.windows.1
>
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
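
The split discussed in this message, sketched as an added example (not code from the patch series or from edk2): the digest comparison is an algorithm-level check, while only the platform's key table can say which purpose a matching key serves. All type and function names, the 4-byte digests and the sample table are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names. Purpose is known only to the platform. */
enum key_purpose { KEY_RECOVERY = 1u << 0, KEY_CAPSULE_UPDATE = 1u << 1 };
/* Algorithm is all a generic verification library can see. */
enum key_algo { ALGO_RSA2048_SHA256, ALGO_PKCS7, ALGO_SM2 };
#define DIGEST_LEN 4 /* constructed short stand-in for a real key hash */

struct platform_key {
    enum key_purpose purpose;
    enum key_algo    algo;
    uint8_t          digest[DIGEST_LEN];
};

/* Constructed digests standing in for publicly known test keys. */
static const uint8_t test_digests[][DIGEST_LEN] = {
    { 0xAA, 0x01, 0x02, 0x03 },
    { 0xBB, 0x04, 0x05, 0x06 },
};
/* Constructed platform table: SM2 recovery key, test PKCS7 capsule key. */
static const struct platform_key sample_keys[] = {
    { KEY_RECOVERY,       ALGO_SM2,   { 0x10, 0x20, 0x30, 0x40 } },
    { KEY_CAPSULE_UPDATE, ALGO_PKCS7, { 0xBB, 0x04, 0x05, 0x06 } },
};

/* Algorithm-level check: is this digest one of the known test keys? */
static int is_test_key(const uint8_t *digest)
{
    for (size_t i = 0; i < sizeof test_digests / sizeof test_digests[0]; i++)
        if (memcmp(digest, test_digests[i], DIGEST_LEN) == 0)
            return 1;
    return 0;
}

/* Platform-level check: bitmask of purposes currently backed by a test key. */
uint32_t test_key_purposes(const struct platform_key *keys, size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < n; i++)
        if (is_test_key(keys[i].digest))
            mask |= (uint32_t)keys[i].purpose;
    return mask;
}

/* Boolean a generic UI would consume, in the role of PcdTestKeyUsed. */
int test_key_used(const struct platform_key *keys, size_t n)
{
    return test_key_purposes(keys, n) != 0;
}

int main(void) { return test_key_used(sample_keys, 2) ? 0 : 1; }
```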

