From: Grzegorz Bernacki <gjb@semihalf.com>
Date: Wed, 7 Jul 2021 09:36:02 +0200
Subject: Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
To: devel@edk2.groups.io, gaoliming@byosoft.com.cn
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer El-Haj-Mahmoud, Sunny Wang, Marcin Wojtas, upstream@semihalf.com, Yao Jiewen, Wang Jian J, Xu Min M, Laszlo Ersek, Sami Mujawar, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, Thomas Abraham, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, Radosław Biernacki, Pete Batard

Hi,

I created BZ #3481 (https://bugzilla.tianocore.org/show_bug.cgi?id=3481).
Please let me know if I filled it in correctly.

Thanks,
greg

On Wed, 7 Jul 2021 at 03:18, gaoliming wrote:
>
> Grzegorz Bernacki:
> This is a new feature. Can you submit one BZ
> (https://bugzilla.tianocore.org/) for it? Then, I can add it into edk2
> stable tag feature planning.
>
> Thanks
> Liming
>
> > -----Original Message-----
> > From: devel@edk2.groups.io on behalf of Grzegorz Bernacki
> > Sent: 1 July 2021 17:18
> > To: devel@edk2.groups.io
> > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org;
> > Samer.El-Haj-Mahmoud@arm.com; sunny.Wang@arm.com;
> > mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com;
> > jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com;
> > sami.mujawar@arm.com; afish@apple.com; ray.ni@intel.com;
> > jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org;
> > thomas.abraham@arm.com; chasel.chiu@intel.com;
> > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie;
> > Grzegorz Bernacki
> > Subject: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
> >
> > This patchset adds support for initialization of default
> > Secure Boot variables based on key content embedded in
> > the flash binary. This feature is active only if Secure Boot
> > is enabled and DEFAULT_KEY is defined. The patchset
> > also consists of an application to enroll keys from default
> > variables and a Secure Boot menu change to allow the user
> > to reset key content to default values.
> >
> > Discussion on design can be found at:
> > https://edk2.groups.io/g/rfc/topic/82139806#600
> >
> > Built with:
> > GCC
> > - RISC-V (U500, U540) [requires fixes in dsc to build]
> > - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
> >   EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> > - ARM (Sgi75, SbsaQemu, DeveloperBox, RPi3/RPi4)
> >
> > RISC-V, Quark, Vlv2TbltDevicePkg and Bhyve require additional fixes to be
> > built; these will be posted on the edk2 mailing list later.
> >
> > VS2019
> > - Intel (OvmfPkgX64)
> >
> > Tested with:
> > GCC5/RPi4
> > VS2019/OvmfX64 (requires changes to enable the feature)
> >
> > Tests:
> > 1. Try to enroll a key in an incorrect format.
> > 2. Enroll with only PKDefault keys specified.
> > 3. Enroll with all keys specified.
> > 4. Enroll when keys are already enrolled.
> > 5. Reset key values.
> > 6. Run signed & unsigned apps after enrollment.
> >
> > Changes since v1:
> > - change names:
> >   SecBootVariableLib => SecureBootVariableLib
> >   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> >   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > - change name of function CheckSetupMode to GetSetupMode
> > - remove ShellPkg dependency from EnrollFromDefaultKeysApp
> > - rebase to master
> >
> > Changes since v2:
> > - fix coding style for function headers in SecureBootVariableLib.h
> > - add header to SecureBootDefaultKeys.fdf.inc
> > - remove empty line spaces in SecureBootDefaultKeysDxe files
> > - revert FAIL macro in EnrollFromDefaultKeysApp
> > - remove duplicate functions and add SecureBootVariableLib
> >   to platforms which used it
> >
> > Changes since v3:
> > - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> > - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> > - fix typo in guid description
> >
> > Changes since v4:
> > - reorder patches to make it bisectable
> > - split commits related to more than one platform
> > - move edk2-platform commits to separate patchset
> >
> > Grzegorz Bernacki (10):
> >   SecurityPkg: Create library for setting Secure Boot variables.
> >   ArmVirtPkg: add SecureBootVariableLib class resolution
> >   OvmfPkg: add SecureBootVariableLib class resolution
> >   EmulatorPkg: add SecureBootVariableLib class resolution
> >   SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
> >   ArmPlatformPkg: Create include file for default key content.
> >   SecurityPkg: Add SecureBootDefaultKeysDxe driver
> >   SecurityPkg: Add EnrollFromDefaultKeys application.
> >   SecurityPkg: Add new modules to Security package.
> >   SecurityPkg: Add option to reset secure boot keys.
> >
> >  SecurityPkg/SecurityPkg.dec                                                             |  14 +
> >  ArmVirtPkg/ArmVirt.dsc.inc                                                              |   1 +
> >  EmulatorPkg/EmulatorPkg.dsc                                                             |   1 +
> >  OvmfPkg/Bhyve/BhyveX64.dsc                                                              |   1 +
> >  OvmfPkg/OvmfPkgIa32.dsc                                                                 |   1 +
> >  OvmfPkg/OvmfPkgIa32X64.dsc                                                              |   1 +
> >  OvmfPkg/OvmfPkgX64.dsc                                                                  |   1 +
> >  SecurityPkg/SecurityPkg.dsc                                                             |   4 +
> >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                       |  47 +
> >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                     |  79 ++
> >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf           |   2 +
> >  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf |  45 +
> >  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     | 251 +++++
> >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h          |   2 +
> >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr              |   6 +
> >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                         | 109 +++
> >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                       | 980 ++++++++++++++++++++
> >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c            | 343 ++++---
> >  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   |  68 ++
> >  ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc                                            |  70 ++
> >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                     |  16 +
> >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni       |   4 +
> >  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni |  16 +
> >  23 files changed, 1874 insertions(+), 188 deletions(-)
> >  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> >  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> >  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
> >  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> >  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> >  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> >  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
> >  create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> >  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> >  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
> >
> > --
> > 2.25.1