From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (NAM10-MW2-obe.outbound.protection.outlook.com [40.92.42.106])
 by mx.groups.io with SMTP id smtpd.web11.39001.1674625901928840458
 for <devel@edk2.groups.io>;
 Tue, 24 Jan 2023 21:51:42 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@outlook.com header.s=selector1 header.b=o6DyBYrC;
 spf=pass (domain: outlook.com, ip: 40.92.42.106, mailfrom: spbrogan@outlook.com)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=Vk8Jntq4r3NgWiJdvTx1M2rrzjt0O23ghHC8z8sbMC7s8NnfDwuuSlotgIsIzVH7uZVxnPsRcyyNS6Ei3Yv9Qf4q6qvRypg47SdhfdA9j8JAKFGuWDoUhXY4isT2fNDc7NkKA9YFBrDfyH8XdkMobkYFheDNJTE+TCMZ8Su/JWMzjcgn6lr0o4XVBduxeXWYvYS1KNzWOhOaOQlhhtW4iB5PQrCbC0ciho6z5nQbadsRTvztphs2IRWjtJoJvQDPe8E1cdfliS9h7b2dn1VGDdavO5C0hxnR6dnZ4Mnhw3Lxa11YNoAoX3qeieYHiLuAkbh7drxfs2Ecmo5rGGAc0Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=tSGZHEsMYb6Z1eeGsxFZ2iGpeex4oZEShOL8OkCQmyA=;
 b=IILE2c9PkVltDQhiZvOaO8hw8i3HOY5tVkJ8R5Dkhr5pvoeSnU7lfszCMsTpNGpRTRtTccsHzPLjaCcFAK8HSwIiKQnWpsaqkRpdEvHcKfMcQoiI4wvbekTqyaCrZs7WbVs7+FXM0X+pqQ+BWYzhDltr6pNgzMGwPEPalBV/+EeCFuAzY7C9Kl2UavLQm3DEVxnW61hW3tuvrpTBf8hJgaN62yCXWKKxywBZUepyrcrD6FO10M8VO9w8ZaQCZ/Zuf3k0r8b9b7lHHhAMrXRDuVvaboFO73n8XGvb36SfmRUCjPxjHjrEn3aQt64n7Cmwv9SWjA1oL7BA4N9uq0qGSQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
 dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=tSGZHEsMYb6Z1eeGsxFZ2iGpeex4oZEShOL8OkCQmyA=;
 b=o6DyBYrCWsboovEIquwBDWg/nWxFwuaB7SjdoKME2rXNyuEMju1XVNpJKcX0dMh1UNRcBeYSQkPoFGC3Tgyk10M7uad3G2RTSc4l/8IWxFDHaS1CQma2PtqWgevDl74fX/SayYdNQ1GGw+1rgTgP9JUg9oBtW6fJCsXZ30Q7qYwmkzIqm6jeKQAFDjHZatY+zKcibPTQYbGogvlWjzwptelNwPhh5/i2TDqKExRQjjl2Zu2vlyA3INjvDEWxi2x2s5i1G48u/VWfyYNPmqMOBRTS9GpHZENNi3Bya/ikKCgoSlRBg/SZq4qtupUUFuvBK+m+jAFAWd46binHJu1Agw==
Received: from BY3PR19MB4900.namprd19.prod.outlook.com (2603:10b6:a03:354::11)
 by BLAPR19MB4529.namprd19.prod.outlook.com (2603:10b6:208:29a::10) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6043.21; Wed, 25 Jan
 2023 05:51:40 +0000
Received: from BY3PR19MB4900.namprd19.prod.outlook.com
 ([fe80::dbe5:112f:db31:2409]) by BY3PR19MB4900.namprd19.prod.outlook.com
 ([fe80::dbe5:112f:db31:2409%5]) with mapi id 15.20.6002.033; Wed, 25 Jan 2023
 05:51:40 +0000
Message-ID: 
 <BY3PR19MB49006A3AAB1E04381A5FC2BDC8CE9@BY3PR19MB4900.namprd19.prod.outlook.com>
Date: Tue, 24 Jan 2023 21:51:37 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.6.1
Subject: Re: [edk2-devel] [PATCH v1 0/4] Don't require self-signed PK in setup mode
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
 "jiewen.yao@intel.com" <jiewen.yao@intel.com>, Jan Bobek
 <jbobek@nvidia.com>, Sean Brogan <sean.brogan@microsoft.com>
Cc: Laszlo Ersek <lersek@redhat.com>
References: <20230120225835.42733-1-jbobek@nvidia.com>
 <MW4PR11MB5872ADE7F30774B295F07EFA8CC89@MW4PR11MB5872.namprd11.prod.outlook.com>
From: "Sean" <spbrogan@outlook.com>
In-Reply-To: <MW4PR11MB5872ADE7F30774B295F07EFA8CC89@MW4PR11MB5872.namprd11.prod.outlook.com>
X-TMN: [7kQ/ko+qP9qTCurzx/Tc5pklraz+9YiM]
X-ClientProxiedBy: MW2PR16CA0055.namprd16.prod.outlook.com
 (2603:10b6:907:1::32) To BY3PR19MB4900.namprd19.prod.outlook.com
 (2603:10b6:a03:354::11)
Return-Path: spbrogan@outlook.com
X-Microsoft-Original-Message-ID: 
 <12c833ee-c42c-fae3-63e9-f80b6948cf6a@outlook.com>
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: BY3PR19MB4900:EE_|BLAPR19MB4529:EE_
X-MS-Office365-Filtering-Correlation-Id: fac41caf-c1ba-498f-98ff-08dafe983a5d
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
	NWej30/fYP5hcdrDcfSFzu3O6sCbGZt/IPcSNRmn73/jo7Z0TXHkgCqcBzj6uPkRnMRa2b2B7m9xqdPB24Cjqk8WgIfzVL+rJE6a9W5K4ik0p7B1c3rAdeNW8+DC89ubCFxzWlntnvJC3UFecvYvJpHCwinkLN/PSCIeoO49H8aqgbLRFLAUGIUap2oHO8u9dOIrdggkmAFRIhX0wnf5U0hhZUXPDHF4419keT9PN/yw2Vf4BRAuVsAGPLbBr+vrSo91LwktlqWojiexc4n3zfj7C8F9wJEnum7RTMPkUbssr3LdKiAbVpkrjgrVhyjD9tffa80AaWcj6vRnTOfR45/KgVm7CGskUEATEurv9XAznXuWRy8EsVVloYat1Gcq3dmRRTtJFcIAob19rZlZsEd9Z/YNGer6SsUT/C2/gIQUJ3cWym5y/Rle8TYJisTkdARRTfJjOmHg8PcYq3bn9vj8A0Wx8+jfHnpAU0NNJovsJtuJmKhu4FxhKRiInh3Zq17qZkeve7ND9c7QMWdNiCB+p9SWslMyDRw+F2V8dgxmP/57X/DStzXG8b9PWesD5K8knE/ovs6Rwt0vHFqsoQpFQ2UlkAhb6Pp/TQTtCHun5HLqBrAuoFNwHiAinOarp+cS02H/mQpjuIsPHMfxrn+lY+cu8WMqzoOBzTqSEbEbD9qYASj5zoarnkJ9aHPwIeRLf7okQAaavFoi/54s0Q==
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
	=?utf-8?B?TDM1ZkJSWm8vcnJqcnJBVkpwUlJjT3piTmhsZXcvQzA2dUlSU3J3YWlsK1cv?=
 =?utf-8?B?cXU3bVEvMnhYQ01VSkxTajIxWGFYVTN2OFg0WWtBRm01UVRMTUZYd0RTRkJQ?=
 =?utf-8?B?WTJNN214dHZIdXRRNEsrVzRvQ3JmVEdCUXNML3hvSFA3V050TU56bUNuQVhH?=
 =?utf-8?B?S3RaNzAySFU1L1I1NVVsVXQ0YWdqc29Kc3NwYlJpbU1KalZxUnRGWUhsc1Ar?=
 =?utf-8?B?QWhkTmNaWld3amQzNnl6OWNvU3dBQklLV3VPWExZZ2t3M1pIWnk0ZUxuQmZY?=
 =?utf-8?B?Rzl1RlE3U25UZlhmbVh0R0c2Q0V2QkFXY3pQeUtsQ3pObndIaFZZOHdCVzJR?=
 =?utf-8?B?U3ZIbjY5U2tqUXUyeEw5Qm96ZmsycllGT01HRkM5SnljOCtwV21MSG9LVlZX?=
 =?utf-8?B?NExuTGNUaUNCVkNzRnk1YWVTdEgvVkRsRlJsdmVlK1doZlJ1cnJnbVJuSHhV?=
 =?utf-8?B?QnN3enFuVkNreStaS1lHckFGODlWdU1rcEg3d1BOTElEanBWQlV1U08wTHJ1?=
 =?utf-8?B?MzdNeTYxaWkvdDNHUXRHOWxObml1c25yYi85TTY2RDMzQ2dNU2dyM0RwaDlq?=
 =?utf-8?B?TW16TXdHQTRVbWNCSVVzZHo2TXd0dm9veklGSUswZE5XZGdURE1BTUkxdTJJ?=
 =?utf-8?B?Q211ZWx0Vm9oVkUzbk9Cd2Zyc1VnNWEzaGE5VjRtUkpiUW9ta1hkd3BWbFE0?=
 =?utf-8?B?NDNxdDk1TlVNYnRVUEFJcVlVTEo3VUdhL2oxWmtQN1QvMHg2dldlZU56anQ4?=
 =?utf-8?B?TzlqUS8zVEowYmVGSUgvV0NSbHpjRE5QWXBDdDNFN3dWOGZmYy9EaC9EYlpV?=
 =?utf-8?B?blJieEthdzBrK3dFVmJRc1RqUFphUGo1U0dOYUI3R3ZxZkFVa3hSekdYMk1l?=
 =?utf-8?B?elJRL05wcGcvMlFVdUszb1RMSmx6TTNSYmxrQTFPc29iQnJNZTQ1UE5QMGk4?=
 =?utf-8?B?UkJ5MHh0enBwUkl6cUR1UDRWRkhEZ251eS93eXNia0RWSEt2b3JheU1xZnhu?=
 =?utf-8?B?d3lLbFF5US9neWx5cnNCa0hMZEd3K01LK21LTGtFNkRXa3VvVnE5QVVhTmdY?=
 =?utf-8?B?UVZTeWZhYUpaZGNuZFBzNks2SkhxUHBqUWpFVGRKa0RVbjBrRHlFdTQxb25L?=
 =?utf-8?B?K1hzOGV6Ym80UTRTMTJMajMzZFVOOFZubFhJeVZ5MnZRQmwrNlVUTFRlOVY5?=
 =?utf-8?B?dTcvYTBsbVNFT0E0Znk2d0FiMEl0Rk15RVQwaHFtSjhtb0xIOUtGRHJyVzk4?=
 =?utf-8?B?RXZyRmNCRVVQWVJ6TlhqcURVcFBDeXU1TC9iQ3dyL29CRHpCT0sxYW5UMnUy?=
 =?utf-8?B?ejhUenRhaWFYQU5PVmVteUovbit5bFlGWGllb1paWU0veVVaMnFzcUhwTFhO?=
 =?utf-8?B?dm9OWjZCMWNhUVQyaVgyaHBzRkhDRGZrYjUrUy9MQzZzZCtVT1FneE0vclpC?=
 =?utf-8?B?SndpTkg4YVBjUCswRTVaTHp3ODA5NjU0YjNMSzU1K3pwdzJBbFBjc2N0RXVt?=
 =?utf-8?B?Ly8vd0cxLzRNZzhmWFFSRWNoQ0VLSHJDd2JzR29qT2EvRmRKYzZMeWZabDNu?=
 =?utf-8?B?VlVVbjBodU9VYm95Q2Vnc2N0K3FRWlYyVGdHcG5EQjlPam1sS3l3SUVrK01H?=
 =?utf-8?B?bmNDYW5zVmJmaWdlVGZsbGc2UW40M0xWdHlKWE1aV3RwR3FWcFdjSXphSFlk?=
 =?utf-8?B?bTUzTXZIVHRqUW5yNFJjdWFYdnN6S3FoazJKcUhPWGJQNTBNcXFqd1ZRPT0=?=
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fac41caf-c1ba-498f-98ff-08dafe983a5d
X-MS-Exchange-CrossTenant-AuthSource: BY3PR19MB4900.namprd19.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Jan 2023 05:51:40.0760
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 
	00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR19MB4529
Content-Type: multipart/alternative;
 boundary="------------5adWPvZfAvfdSCS1RoaUYHs3"
Content-Language: en-US

--------------5adWPvZfAvfdSCS1RoaUYHs3
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Jan,

 From looking over the patch 1/4 email i have a concern.

In AuthService.c on the conditional change you made.  Aren't we losing a 
case where we are evaluating a nonPK payload signed by the PK?  Given 
the system is in SetupMode that means there is no PK but is this the 
conditional path that is used when installing Secure boot keys in 
reverse (DBX,DX,KEK,PK) order?

Is there testing you have done?  This code should be pretty easy to do 
host based unit testing on.  Any chance you have authored that to 
confirm use cases are not unexpectedly impacted?  Example of host based 
unit test of library is here: 
edk2/SecurityPkg/Library/SecureBootVariableLib/UnitTest at master · 
tianocore/edk2 (github.com) 
<https://github.com/tianocore/edk2/tree/master/SecurityPkg/Library/SecureBootVariableLib/UnitTest>


Thanks

Sean




On 1/22/2023 10:13 PM, Yao, Jiewen wrote:
> Hi Sean
> I would like to hear your feedback, since it is a little different from the original MSFT patch.
>
> Would you please take a look?
>
> Thank you
> Yao, Jiewen
>
>> -----Original Message-----
>> From: Jan Bobek<jbobek@nvidia.com>
>> Sent: Saturday, January 21, 2023 6:59 AM
>> To:devel@edk2.groups.io
>> Cc: Jan Bobek<jbobek@nvidia.com>; Laszlo Ersek<lersek@redhat.com>; Yao,
>> Jiewen<jiewen.yao@intel.com>
>> Subject: [PATCH v1 0/4] Don't require self-signed PK in setup mode
>>
>> Hi all,
>>
>> I'm sending out v1 of my patch series that addresses a UEFI spec
>> non-compliance when enrolling PK in setup mode. Additional info can be
>> found in bugzilla [1]; the changes are split into 4 patches as
>> suggested by Laszlo Ersek in comment #4.
>>
>> I've based my work on the patch by Matthew Carlson; I've credited him
>> with co-authorship of the first patch even though in the end I decided
>> to do the implementation a bit differently.
>>
>> Comments & reviews welcome!
>>
>> Cheers,
>> -Jan
>>
>> References:
>> 1.https://bugzilla.tianocore.org/show_bug.cgi?id=2506
>>
>> Jan Bobek (4):
>>    SecurityPkg: limit verification of enrolled PK in setup mode
>>    OvmfPkg: require self-signed PK when secure boot is enabled
>>    ArmVirtPkg: require self-signed PK when secure boot is enabled
>>    SecurityPkg: don't require PK to be self-signed by default
>>
>>   SecurityPkg/SecurityPkg.dec                             | 7 +++++++
>>   ArmVirtPkg/ArmVirtCloudHv.dsc                           | 4 ++++
>>   ArmVirtPkg/ArmVirtQemu.dsc                              | 4 ++++
>>   ArmVirtPkg/ArmVirtQemuKernel.dsc                        | 4 ++++
>>   OvmfPkg/Bhyve/BhyveX64.dsc                              | 3 +++
>>   OvmfPkg/CloudHv/CloudHvX64.dsc                          | 3 +++
>>   OvmfPkg/IntelTdx/IntelTdxX64.dsc                        | 3 +++
>>   OvmfPkg/Microvm/MicrovmX64.dsc                          | 3 +++
>>   OvmfPkg/OvmfPkgIa32.dsc                                 | 3 +++
>>   OvmfPkg/OvmfPkgIa32X64.dsc                              | 3 +++
>>   OvmfPkg/OvmfPkgX64.dsc                                  | 3 +++
>>   SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 3 +++
>>   SecurityPkg/Library/AuthVariableLib/AuthService.c       | 9 +++++++--
>>   13 files changed, 50 insertions(+), 2 deletions(-)
>>
>> --
>> 2.30.2
>
>
> 
>
>

--------------5adWPvZfAvfdSCS1RoaUYHs3
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
    <p>Jan,</p>
    <p>From looking over the patch 1/4 email i have a concern. <br>
    </p>
    <p>In AuthService.c on the conditional change you made.&nbsp; Aren't we
      losing a case where we are evaluating a nonPK payload signed by
      the PK?&nbsp; Given the system is in SetupMode that means there is no
      PK but is this the conditional path that is used when installing
      Secure boot keys in reverse (DBX,DX,KEK,PK) order?</p>
    <p>Is there testing you have done?&nbsp; This code should be pretty easy
      to do host based unit testing on.&nbsp; Any chance you have authored
      that to confirm use cases are not unexpectedly impacted?&nbsp; Example
      of host based unit test of library is here: <a href="https://github.com/tianocore/edk2/tree/master/SecurityPkg/Library/SecureBootVariableLib/UnitTest">edk2/SecurityPkg/Library/SecureBootVariableLib/UnitTest
        at master · tianocore/edk2 (github.com)</a></p>
    <p><br>
    </p>
    <p>Thanks</p>
    <p>Sean</p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 1/22/2023 10:13 PM, Yao, Jiewen
      wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:MW4PR11MB5872ADE7F30774B295F07EFA8CC89@MW4PR11MB5872.namprd11.prod.outlook.com">
      <pre class="moz-quote-pre" wrap="">Hi Sean
I would like to hear your feedback, since it is a little different from the original MSFT patch.

Would you please take a look?

Thank you
Yao, Jiewen

</pre>
      <blockquote type="cite">
        <pre class="moz-quote-pre" wrap="">-----Original Message-----
From: Jan Bobek <a class="moz-txt-link-rfc2396E" href="mailto:jbobek@nvidia.com">&lt;jbobek@nvidia.com&gt;</a>
Sent: Saturday, January 21, 2023 6:59 AM
To: <a class="moz-txt-link-abbreviated" href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a>
Cc: Jan Bobek <a class="moz-txt-link-rfc2396E" href="mailto:jbobek@nvidia.com">&lt;jbobek@nvidia.com&gt;</a>; Laszlo Ersek <a class="moz-txt-link-rfc2396E" href="mailto:lersek@redhat.com">&lt;lersek@redhat.com&gt;</a>; Yao,
Jiewen <a class="moz-txt-link-rfc2396E" href="mailto:jiewen.yao@intel.com">&lt;jiewen.yao@intel.com&gt;</a>
Subject: [PATCH v1 0/4] Don't require self-signed PK in setup mode

Hi all,

I'm sending out v1 of my patch series that addresses a UEFI spec
non-compliance when enrolling PK in setup mode. Additional info can be
found in bugzilla [1]; the changes are split into 4 patches as
suggested by Laszlo Ersek in comment #4.

I've based my work on the patch by Matthew Carlson; I've credited him
with co-authorship of the first patch even though in the end I decided
to do the implementation a bit differently.

Comments &amp; reviews welcome!

Cheers,
-Jan

References:
1. <a class="moz-txt-link-freetext" href="https://bugzilla.tianocore.org/show_bug.cgi?id=2506">https://bugzilla.tianocore.org/show_bug.cgi?id=2506</a>

Jan Bobek (4):
  SecurityPkg: limit verification of enrolled PK in setup mode
  OvmfPkg: require self-signed PK when secure boot is enabled
  ArmVirtPkg: require self-signed PK when secure boot is enabled
  SecurityPkg: don't require PK to be self-signed by default

 SecurityPkg/SecurityPkg.dec                             | 7 +++++++
 ArmVirtPkg/ArmVirtCloudHv.dsc                           | 4 ++++
 ArmVirtPkg/ArmVirtQemu.dsc                              | 4 ++++
 ArmVirtPkg/ArmVirtQemuKernel.dsc                        | 4 ++++
 OvmfPkg/Bhyve/BhyveX64.dsc                              | 3 +++
 OvmfPkg/CloudHv/CloudHvX64.dsc                          | 3 +++
 OvmfPkg/IntelTdx/IntelTdxX64.dsc                        | 3 +++
 OvmfPkg/Microvm/MicrovmX64.dsc                          | 3 +++
 OvmfPkg/OvmfPkgIa32.dsc                                 | 3 +++
 OvmfPkg/OvmfPkgIa32X64.dsc                              | 3 +++
 OvmfPkg/OvmfPkgX64.dsc                                  | 3 +++
 SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 3 +++
 SecurityPkg/Library/AuthVariableLib/AuthService.c       | 9 +++++++--
 13 files changed, 50 insertions(+), 2 deletions(-)

--
2.30.2
</pre>
      </blockquote>
      <pre class="moz-quote-pre" wrap="">





</pre>
    </blockquote>
  </body>
</html>

--------------5adWPvZfAvfdSCS1RoaUYHs3--