From: Laszlo Ersek <lersek@redhat.com>
To: "Park, Kyung Min"
Cc: edk2-devel@lists.01.org
Subject: Re: Secureboot enable with OVMF
Date: Thu, 13 Dec 2018 11:49:06 +0100
Message-ID: <8ccd187d-cffb-ef30-2be9-e48f32a85fec@redhat.com>
In-Reply-To: <3658BA65DD26AF4BA909BEB2C6DF6181962783D2@ORSMSX102.amr.corp.intel.com>

On 12/13/18 02:25, Park, Kyung Min wrote:
> Hi,
>
> I'm trying to enable the secureboot with OVMF. I followed the steps as below.
> But when I executed LockDown.efi, it gives me an error which says, "Failed to enroll PK: 26".
> According to the UEFI spec, 26 means EFI_SECURITY_VIOLATION, but I don't understand why I got this error.
> Before I ran LockDown.efi, secureboot was disabled by default and the PK key was not enrolled.
>
> 1. Build OVMF with secureboot enabled
> https://wiki.ubuntu.com/UEFI/EDK2

Please know that, if you build OVMF with *just* SECURE_BOOT_ENABLE, but without SMM_REQUIRE, then a malicious guest OS may use direct hardware access to modify the pflash chip that contains the authenticated UEFI variables. In other words, a malicious guest OS may circumvent Secure Boot. If that's OK for your use case (it could be), then it's OK to use just SECURE_BOOT_ENABLE; but it should be a conscious decision. Regarding SMM_REQUIRE, please see OvmfPkg/README, section "SMM support".

> 2. Generate/Execute LockDown.efi to enroll PK/KEK/DB keys
> git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
>
> I would appreciate any useful information about this error.

You'll have to dig into LockDown.efi for that. If you are convinced LockDown.efi does the right thing, then you'll have to add debug messages to the edk2 stack that handles authenticated variables (the variable driver, some SecurityPkg / CryptoPkg libraries, etc.). This is usually quite time consuming.
As an alternative, you might be able to use "/usr/share/edk2/ovmf/EnrollDefaultKeys.efi", from the "edk2-ovmf" subpackage, from https://koji.fedoraproject.org/koji/packageinfo?packageID=16183 (You can find the source code in the SRPM.)

Thanks,
Laszlo
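The SMM_REQUIRE point in the reply above, turned into a small config helper. This is an added example, not code from the mail, from edk2/OVMF or from QEMU: it emits the edk2 build line and the QEMU options that an SMM_REQUIRE build relies on (the option names are the ones documented in OvmfPkg/README, "SMM support"), and audits a given QEMU command line for them so a VM that exposes its variable store to the guest can be caught before it is deployed. File paths are placeholders, and the audit is a textual heuristic for the long-form `-machine`/`-global`/`-drive` spellings, not a full QEMU option parser.

```sh
#!/bin/sh
# Added example, not from Laszlo's mail, edk2 or QEMU: emit the QEMU settings
# that keep an SMM_REQUIRE OVMF build's variable store unreachable from the
# guest, and audit an existing QEMU command line for them.
# Option names follow OvmfPkg/README ("SMM support"); paths are placeholders.

# The edk2 build invocation that pairs SECURE_BOOT_ENABLE with SMM_REQUIRE.
# Shown as a string only; it needs an edk2 workspace with the build
# environment sourced.
ovmf_build_cmd() {
    echo "build -a X64 -t GCC5 -b RELEASE -p OvmfPkg/OvmfPkgX64.dsc -D SECURE_BOOT_ENABLE -D SMM_REQUIRE"
}

# QEMU arguments for that image:
#   - q35 with smm=on: an SMM_REQUIRE build expects SMM from the board
#   - pflash "secure" property: flash writes are honoured only while the CPU
#     is in SMM, so a guest OS with direct hardware access cannot rewrite
#     PK/KEK/db behind the firmware's back
#   - unit=0 (OVMF_CODE.fd) read-only: the firmware code stays immutable
# $1 = OVMF_CODE.fd path, $2 = per-VM copy of OVMF_VARS.fd
ovmf_qemu_args() {
    printf '%s %s %s %s' \
        "-machine q35,smm=on,accel=kvm" \
        "-global driver=cfi.pflash01,property=secure,value=on" \
        "-drive if=pflash,format=raw,unit=0,file=$1,readonly=on" \
        "-drive if=pflash,format=raw,unit=1,file=$2"
}

# Audit a QEMU command line passed as one string. Prints each missing
# protection; returns 1 if any is absent, 0 when all three are present.
# Heuristic string matching on the long-form options above; -blockdev or
# -machine pflash0= spellings are not recognised and would be reported.
check_qemu_cmdline() {
    rc=0
    case "$1" in
        *smm=on*) ;;
        *) echo "missing: -machine q35,smm=on (required by an SMM_REQUIRE build)"; rc=1 ;;
    esac
    case "$1" in
        *driver=cfi.pflash01,property=secure,value=on*) ;;
        *) echo "missing: -global driver=cfi.pflash01,property=secure,value=on (variable store writable by the guest OS)"; rc=1 ;;
    esac
    case "$1" in
        *unit=0,file=*,readonly=on*) ;;
        *) echo "missing: readonly=on on the unit=0 (OVMF_CODE) pflash drive"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone run: print the recommended line, then audit a weak one.
if [ "${1:-}" = "--demo" ]; then
    echo "qemu-system-x86_64 $(ovmf_qemu_args /path/to/OVMF_CODE.fd /path/to/vars.fd)"
    check_qemu_cmdline "qemu-system-x86_64 -machine pc -drive if=pflash,format=raw,unit=0,file=OVMF_CODE.fd -drive if=pflash,format=raw,unit=1,file=vars.fd" \
        || echo "audit: Secure Boot in this VM can be circumvented by its guest"
fi
```

Run it with `--demo` to see both halves; in a provisioning script, call `check_qemu_cmdline` on the line you are about to exec and refuse to start the VM when it returns non-zero. The three checks are deliberately independent so the output names exactly which protection is absent rather than just failing.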