Subject: [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode
To: devel@edk2.groups.io
From: derek.lin2@hpe.com
Date: Mon, 01 Jul 2019 22:25:08 -0700
Message-ID: <7564.1562045108414671150@groups.io>

Patch is attached from group.io.
Since ECR785, which was added in UEFI 2.3.1 errata A, enrolling a PK in setup mode doesn't need to verify the PK.
Below is the sentence about it in the UEFI spec:
```
3. If the firmware is in setup mode and the variable is one of:
- The global PK variable;
- The global KEK variable;
- The "db" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID; or
- The "dbx" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID,
then the firmware implementation shall consider the checks in the following steps 4 and 5 to
have passed, and proceed with updating the variable value as outlined below.
```
Step 4 is to verify the signature and step 5 is to verify the cert.
 
After this change, when the system is in Setup mode, setting a PK does not require an authenticated variable descriptor.
 
Signed-off-by: Derek Lin <derek.lin2@hpe.com>
Signed-off-by: cinnamon shia <cinnamon.shia@hpe.com>
 
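To make the quoted spec step concrete, here is a small C model of what a time-based authenticated variable write looks like on the wire and where the Setup-mode rule applies. This is an example added for this page, not edk2's code and not part of the author's patch: the buffer is an EFI_VARIABLE_AUTHENTICATION_2 descriptor followed by the payload, edk2's AUTHINFO2_SIZE (Data) is the descriptor length, and Setup mode only decides whether the signature and certificate checks (steps 4 and 5) run for PK, KEK, db and dbx, not whether the descriptor has to be present and well-formed. The function names, the sample buffer and its dummy GUID/certificate bytes are constructed for illustration, and the GUID half of the variable-name check is deliberately omitted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/*
 * EFI_VARIABLE_AUTHENTICATION_2 layout (UEFI spec, SetVariable):
 *   EFI_TIME                  TimeStamp;   16 bytes
 *   WIN_CERTIFICATE_UEFI_GUID AuthInfo;
 *     WIN_CERTIFICATE Hdr { UINT32 dwLength; UINT16 wRevision; UINT16 wCertificateType; }
 *     EFI_GUID        CertType;            16 bytes
 *     UINT8           CertData[];          dwLength covers Hdr + CertType + CertData
 * edk2's AUTHINFO2_SIZE(Data) is OFFSET_OF(AuthInfo) + AuthInfo.Hdr.dwLength.
 * This file is a stand-alone model, not edk2 code.
 */
#define EFI_TIME_SIZE          16u
#define WIN_CERT_HDR_SIZE       8u
#define EFI_GUID_SIZE          16u
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1u

/* Values match the UEFI SetupMode variable: 1 = setup mode, 0 = user mode. */
enum platform_mode { USER_MODE = 0, SETUP_MODE = 1 };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Size of the descriptor at the head of the write buffer, or 0 if the
 * buffer cannot hold a well-formed one (this is what AUTHINFO2_SIZE
 * computes, with bounds checks added). */
size_t authinfo2_size(const uint8_t *data, size_t size)
{
    uint32_t len;
    if (data == NULL || size < EFI_TIME_SIZE + WIN_CERT_HDR_SIZE + EFI_GUID_SIZE)
        return 0;
    len = rd_le32(data + EFI_TIME_SIZE);
    /* dwLength must at least cover Hdr + CertType and must fit the buffer. */
    if (len < WIN_CERT_HDR_SIZE + EFI_GUID_SIZE || (size_t)len > size - EFI_TIME_SIZE)
        return 0;
    if (rd_le16(data + EFI_TIME_SIZE + 6) != WIN_CERT_TYPE_EFI_GUID)
        return 0;
    return EFI_TIME_SIZE + len;
}

/* Split a write buffer into descriptor and payload, the step the firmware
 * performs in every mode. Returns -1 on a malformed descriptor. */
int split_auth_var(const uint8_t *data, size_t size,
                   size_t *payload_off, size_t *payload_size)
{
    size_t hdr = authinfo2_size(data, size);
    if (hdr == 0)
        return -1;
    *payload_off = hdr;
    *payload_size = size - hdr;   /* 0 means "delete the variable" */
    return 0;
}

/* The four variables the quoted spec step 3 names (GUID check omitted). */
int is_secure_boot_policy_var(const char *name)
{
    return strcmp(name, "PK") == 0 || strcmp(name, "KEK") == 0 ||
           strcmp(name, "db") == 0 || strcmp(name, "dbx") == 0;
}

/* Spec step 3: in setup mode the signature (step 4) and certificate
 * (step 5) checks count as passed for PK/KEK/db/dbx; otherwise they run.
 * Returns 1 when the descriptor's signature must actually be verified. */
int signature_check_required(enum platform_mode mode, const char *name)
{
    if (mode == SETUP_MODE && is_secure_boot_policy_var(name))
        return 0;
    return 1;
}

/* Constructed sample: zeroed EFI_TIME, WIN_CERTIFICATE_UEFI_GUID with
 * dwLength = 8 + 16 + 3 = 27 (three dummy CertData bytes, dummy GUID),
 * then a 5-byte payload. Not a real signature. */
static const uint8_t sample_write[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,              /* TimeStamp */
    27,0,0,0, 0x00,0x02, 0xF1,0x0E,                   /* dwLength, wRevision, wCertificateType */
    0xA7,0x71,0x7C,0x4A, 0x50,0x43, 0x1E,0x4E,        /* CertType GUID (dummy) */
    0x0D,0x0A,0x0B,0x0C, 0x0D,0x0E,0x0F,0x10,
    0xDE,0xAD,0xBE,                                    /* CertData (dummy) */
    1,2,3,4,5                                          /* payload */
};

size_t sample_payload_size(void)
{
    size_t off, len;
    if (split_auth_var(sample_write, sizeof sample_write, &off, &len) != 0)
        return (size_t)-1;
    return len;
}

/* A buffer shorter than its dwLength claims is rejected before any payload
 * is read, in setup mode as much as in user mode. */
int truncated_sample_is_rejected(void)
{
    size_t off, len;
    return split_auth_var(sample_write, sizeof sample_write - 8, &off, &len) == -1;
}
```

The point the model makes is the one the patch relies on: `authinfo2_size` has to succeed in every mode, and only `signature_check_required` changes its answer between Setup and User mode.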
Attachment 0001-SecurityPkg-Don-t-Verify-the-enrolled-PK-in-setup-mo.patch (base64 decoded):

From 4333f078f3d06a9332bf7220a1112b482a1671fe Mon Sep 17 00:00:00 2001
From: Derek Lin <derek.lin2@hpe.com>
Date: Tue, 2 Jul 2019 11:00:51 +0800
Subject: [PATCH] SecurityPkg: Don't Verify the enrolled PK in setup mode

Since ECR785, which is added UEFI 2.3.1 errata A, enrolling a PK
in setup mode doesn't need to verify the PK.
Below is the sentence about it in UEFI spec
```
3. If the firmware is in setup mode and the variable is one of:
- The global PK variable;
- The global KEK variable;
- The "db" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID; or
- The "dbx" variable with GUID EFI_IMAGE_SECURITY_DATABASE_GUID,
then the firmware implementation shall consider the checks in the following
steps 4 and 5 to have passed, and proceed with updating the variable value
as outlined below.
```
The step 4 is to verify the signature and the step 5 is to verify the cert.

After this change, when system is in Setup mode, setting a PK does not require
authenticated variable descriptor.

Signed-off-by: Derek Lin <derek.lin2@hpe.com>
Signed-off-by: cinnamon shia <cinnamon.shia@hpe.com>
---
 .../Library/AuthVariableLib/AuthService.c      | 18 +++---------------
 1 file changed, 3 insertions(+), 15 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 486df55bed..30347e2089 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -19,6 +19,7 @@
   to verify the signature.
 
 Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2019 Hewlett Packard Enterprise Development LP<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -583,7 +584,7 @@ ProcessVarWithPk (
   // Init state of Del. State may change due to secure check
   //
   Del = FALSE;
-  if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE && !IsPk)) {
+  if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE)) {
     Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
     PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
     if (PayloadSize == 0) {
@@ -610,7 +611,7 @@ ProcessVarWithPk (
     if ((mPlatformMode != SETUP_MODE) || IsPk) {
       Status = VendorKeyIsModified ();
     }
-  } else if (mPlatformMode == USER_MODE) {
+  } else {
     //
     // Verify against X509 Cert in PK database.
     //
@@ -623,19 +624,6 @@ ProcessVarWithPk (
                AuthVarTypePk,
                &Del
                );
-  } else {
-    //
-    // Verify against the certificate in data payload.
-    //
-    Status = VerifyTimeBasedPayloadAndUpdate (
-               VariableName,
-               VendorGuid,
-               Data,
-               DataSize,
-               Attributes,
-               AuthVarTypePayload,
-               &Del
-               );
   }
 
   if (!EFI_ERROR(Status) && IsPk) {
-- 
2.20.1.windows.1
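Review bot: the commit message says that in Setup mode setting a PK "does not require authenticated variable descriptor", but in the `@@ -583,7 +584,7 @@ ProcessVarWithPk` hunk the new `mPlatformMode == SETUP_MODE` branch still addresses the buffer through `Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);` and `PayloadSize = DataSize - AUTHINFO2_SIZE (Data);`, so a well-formed EFI_VARIABLE_AUTHENTICATION_2 descriptor must still lead the data; only the signature and certificate checks (spec steps 4 and 5) are skipped. Suggest wording the message as "does not require the PK to be verified" so callers do not start passing a bare payload, and adding a one-line comment above the condition stating that the descriptor remains mandatory.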
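Review bot: in the `@@ -610,7 +611,7 @@ ProcessVarWithPk` hunk, replacing `} else if (mPlatformMode == USER_MODE) {` with a bare `} else {` is only equivalent because mPlatformMode can hold just SETUP_MODE or USER_MODE and the setup-mode case is now fully absorbed by the first branch; that invariant is no longer visible at the `else`. Suggest keeping it explicit, either by extending the `// Verify against X509 Cert in PK database.` comment with "(USER_MODE: updates handled here must be signed by the enrolled PK)" or by adding `ASSERT (mPlatformMode == USER_MODE);` at the top of the branch, so any future mode value cannot silently route into PK-database verification.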
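Review bot: the `@@ -623,19 +624,6 @@ ProcessVarWithPk` hunk removes the `VerifyTimeBasedPayloadAndUpdate (... AuthVarTypePayload, &Del)` call, i.e. the path that verified a new PK against the certificate carried in its own payload, and the diffstat shows this is the only file touched. Please confirm that AuthVarTypePayload has no remaining callers; if this was the last one, the corresponding handling inside VerifyTimeBasedPayloadAndUpdate becomes dead code and should be removed in the same series, or the commit message should say why it is kept.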