Re: [edk2-devel] [PATCH v1 0/4] Don't require self-signed PK in setup mode

["Sean" <spbrogan@outlook.com>]

[-- Attachment #1: Type: text/plain, Size: 3258 bytes --]

Jan,

 From looking over the patch 1/4 email i have a concern.

In AuthService.c on the conditional change you made.  Aren't we losing a 
case where we are evaluating a nonPK payload signed by the PK?  Given 
the system is in SetupMode that means there is no PK but is this the 
conditional path that is used when installing Secure boot keys in 
reverse (DBX,DX,KEK,PK) order?

Is there testing you have done?  This code should be pretty easy to do 
host based unit testing on.  Any chance you have authored that to 
confirm use cases are not unexpectedly impacted?  Example of host based 
unit test of library is here: 
edk2/SecurityPkg/Library/SecureBootVariableLib/UnitTest at master · 
tianocore/edk2 (github.com) 
<https://github.com/tianocore/edk2/tree/master/SecurityPkg/Library/SecureBootVariableLib/UnitTest>


Thanks

Sean




On 1/22/2023 10:13 PM, Yao, Jiewen wrote:
> Hi Sean
> I would like to hear your feedback, since it is a little different from the original MSFT patch.
>
> Would you please take a look?
>
> Thank you
> Yao, Jiewen
>
>> -----Original Message-----
>> From: Jan Bobek<jbobek@nvidia.com>
>> Sent: Saturday, January 21, 2023 6:59 AM
>> To:devel@edk2.groups.io
>> Cc: Jan Bobek<jbobek@nvidia.com>; Laszlo Ersek<lersek@redhat.com>; Yao,
>> Jiewen<jiewen.yao@intel.com>
>> Subject: [PATCH v1 0/4] Don't require self-signed PK in setup mode
>>
>> Hi all,
>>
>> I'm sending out v1 of my patch series that addresses a UEFI spec
>> non-compliance when enrolling PK in setup mode. Additional info can be
>> found in bugzilla [1]; the changes are split into 4 patches as
>> suggested by Laszlo Ersek in comment #4.
>>
>> I've based my work on the patch by Matthew Carlson; I've credited him
>> with co-authorship of the first patch even though in the end I decided
>> to do the implementation a bit differently.
>>
>> Comments & reviews welcome!
>>
>> Cheers,
>> -Jan
>>
>> References:
>> 1.https://bugzilla.tianocore.org/show_bug.cgi?id=2506
>>
>> Jan Bobek (4):
>>    SecurityPkg: limit verification of enrolled PK in setup mode
>>    OvmfPkg: require self-signed PK when secure boot is enabled
>>    ArmVirtPkg: require self-signed PK when secure boot is enabled
>>    SecurityPkg: don't require PK to be self-signed by default
>>
>>   SecurityPkg/SecurityPkg.dec                             | 7 +++++++
>>   ArmVirtPkg/ArmVirtCloudHv.dsc                           | 4 ++++
>>   ArmVirtPkg/ArmVirtQemu.dsc                              | 4 ++++
>>   ArmVirtPkg/ArmVirtQemuKernel.dsc                        | 4 ++++
>>   OvmfPkg/Bhyve/BhyveX64.dsc                              | 3 +++
>>   OvmfPkg/CloudHv/CloudHvX64.dsc                          | 3 +++
>>   OvmfPkg/IntelTdx/IntelTdxX64.dsc                        | 3 +++
>>   OvmfPkg/Microvm/MicrovmX64.dsc                          | 3 +++
>>   OvmfPkg/OvmfPkgIa32.dsc                                 | 3 +++
>>   OvmfPkg/OvmfPkgIa32X64.dsc                              | 3 +++
>>   OvmfPkg/OvmfPkgX64.dsc                                  | 3 +++
>>   SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 3 +++
>>   SecurityPkg/Library/AuthVariableLib/AuthService.c       | 9 +++++++--
>>   13 files changed, 50 insertions(+), 2 deletions(-)
>>
>> --
>> 2.30.2
>
>
> 
>
>

[-- Attachment #2: Type: text/html, Size: 4292 bytes --]