From: "Grzegorz Bernacki" <gjb@semihalf.com>
To: devel@edk2.groups.io, Sunny Wang <Sunny.Wang@arm.com>
Cc: "gaoliming@byosoft.com.cn" <gaoliming@byosoft.com.cn>,
"leif@nuviainc.com" <leif@nuviainc.com>,
"ardb+tianocore@kernel.org" <ardb+tianocore@kernel.org>,
"Samer El-Haj-Mahmoud" <Samer.El-Haj-Mahmoud@arm.com>,
"Marcin Wojtas" <mw@semihalf.com>,
"upstream@semihalf.com" <upstream@semihalf.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
"Xu, Min M" <min.m.xu@intel.com>,
"Laszlo Ersek" <lersek@redhat.com>,
"Sami Mujawar" <Sami.Mujawar@arm.com>,
"afish@apple.com" <afish@apple.com>,
"ray.ni@intel.com" <ray.ni@intel.com>,
"jordan.l.justen@intel.com" <jordan.l.justen@intel.com>,
"rebecca@bsdio.com" <rebecca@bsdio.com>,
"grehan@freebsd.org" <grehan@freebsd.org>,
"Thomas Abraham" <thomas.abraham@arm.com>,
"chasel.chiu@intel.com" <chasel.chiu@intel.com>,
"nathaniel.l.desimone@intel.com" <nathaniel.l.desimone@intel.com>,
"eric.dong@intel.com" <eric.dong@intel.com>,
"michael.d.kinney@intel.com" <michael.d.kinney@intel.com>,
"zailiang.sun@intel.com" <zailiang.sun@intel.com>,
"yi.qian@intel.com" <yi.qian@intel.com>,
"graeme@nuviainc.com" <graeme@nuviainc.com>,
"Radosław Biernacki" <rad@semihalf.com>,
"Pete Batard" <pete@akeo.ie>
Subject: Re: [edk2-devel] [PATCH v3 8/8] MdeModulePkg: Use SecureBootVariableLib in PlatformVarCleanupLib.
Date: Wed, 23 Jun 2021 12:39:07 +0200 [thread overview]
Message-ID: <CAA2Cew6X+O3zQ5fBFLST4rKAQ2dZvUA2H46ahjwZyMZ8Q4G1DA@mail.gmail.com> (raw)
In-Reply-To: <DB8PR08MB3993FF710B86C045C7C6FA0585089@DB8PR08MB3993.eurprd08.prod.outlook.com>
Hi,
AuthVariableLib must support DXE_DRIVER and UEFI_APPLICATION. Adding
it leads to errors for libraries which are used by AuthVariableLib and
which does not support DXE_DRIVER or UEFI_APPLICATION. This changes
causes a lot of minor changes in another libraries.
The whole problem exists because I wanted to remove a duplicate of
CreateTimeBasedPayload() from PlatformVarCleanupLib. I just leave it
there. This module is not used anyway. I think it can be safely
removed, but I don't want this change to be a part of this patchset.
thanks,
greg
śr., 23 cze 2021 o 05:33 Sunny Wang <Sunny.Wang@arm.com> napisał(a):
>
> Hi Greg,
> Why can't we make AuthVariableLib support DXE_DRIVER?
>
> Best Regards,
> Sunny Wang
>
> -----Original Message-----
> From: Grzegorz Bernacki <gjb@semihalf.com>
> Sent: Monday, June 21, 2021 5:59 PM
> To: devel@edk2.groups.io; Grzegorz Bernacki <gjb@semihalf.com>
> Cc: gaoliming@byosoft.com.cn; leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; Marcin Wojtas <mw@semihalf.com>; upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>; Laszlo Ersek <lersek@redhat.com>; Sami Mujawar <Sami.Mujawar@arm.com>; afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; yi.qian@intel.com; graeme@nuviainc.com; Radosław Biernacki <rad@semihalf.com>; Pete Batard <pete@akeo.ie>
> Subject: Re: [edk2-devel] [PATCH v3 8/8] MdeModulePkg: Use SecureBootVariableLib in PlatformVarCleanupLib.
>
> Hi,
>
> I moved CreateTimeBasedPayload() to AuthVariableLib, but then I cannot
> use it in SecureBootConfigDxe, cause AuthVariableLib does not support
> DXE_DRIVER.
> So:
> - having that function only in AuthVariableLib does not work
> - having that function only in SecureBootVariableLib, causes a lot of
> changes in platform DSCs files and also causes MdeModulePkg to be
> depended on SecurityPkg
>
> Right now I tend to roll back the changes related to
> CreateTimeBasedPayload() and just let the modules to have its own copy
> of that function. What do you think?
> thanks,
> greg
>
> pt., 18 cze 2021 o 10:03 Grzegorz Bernacki via groups.io
> <gjb=semihalf.com@groups.io> napisał(a):
> >
> > Hi,
> >
> > Thanks for the comment, I will move that function to AuthVariableLib.
> > greg
> >
> > czw., 17 cze 2021 o 04:35 gaoliming <gaoliming@byosoft.com.cn> napisał(a):
> > >
> > > Grzegorz:
> > > MdeModulePkg is generic base package. It should not depend on SecurityPkg.
> > >
> > > I agree CreateTimeBasedPayload() is the generic API. It can be shared in
> > > the different modules.
> > > I propose to add it into MdeModulePkg AuthVariableLib.
> > >
> > > Thanks
> > > Liming
> > > > -----邮件原件-----
> > > > 发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 Grzegorz
> > > > Bernacki
> > > > 发送时间: 2021年6月14日 17:43
> > > > 收件人: devel@edk2.groups.io
> > > > 抄送: leif@nuviainc.com; ardb+tianocore@kernel.org;
> > > > Samer.El-Haj-Mahmoud@arm.com; sunny.Wang@arm.com;
> > > > mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com;
> > > > jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com;
> > > > sami.mujawar@arm.com; afish@apple.com; ray.ni@intel.com;
> > > > jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org;
> > > > thomas.abraham@arm.com; chasel.chiu@intel.com;
> > > > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> > > > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> > > > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie;
> > > > Grzegorz Bernacki <gjb@semihalf.com>
> > > > 主题: [edk2-devel] [PATCH v3 8/8] MdeModulePkg: Use
> > > > SecureBootVariableLib in PlatformVarCleanupLib.
> > > >
> > > > This commits removes CreateTimeBasedPayload() function from
> > > > PlatformVarCleanupLib and uses exactly the same function from
> > > > SecureBootVariableLib.
> > > >
> > > > Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> > > > ---
> > > > MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf |
> > > > 2 +
> > > > MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
> > > > | 1 +
> > > > MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
> > > > | 84 --------------------
> > > > 3 files changed, 3 insertions(+), 84 deletions(-)
> > > >
> > > > diff --git
> > > > a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf
> > > > b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf
> > > > index 8d5db826a0..493d03e1d8 100644
> > > > ---
> > > > a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf
> > > > +++
> > > > b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf
> > > > @@ -34,6 +34,7 @@
> > > > [Packages]
> > > > MdePkg/MdePkg.dec
> > > > MdeModulePkg/MdeModulePkg.dec
> > > > + SecurityPkg/SecurityPkg.dec
> > > >
> > > > [LibraryClasses]
> > > > UefiBootServicesTableLib
> > > > @@ -44,6 +45,7 @@
> > > > PrintLib
> > > > MemoryAllocationLib
> > > > HiiLib
> > > > + SecureBootVariableLib
> > > >
> > > > [Guids]
> > > > gEfiIfrTianoGuid ## SOMETIMES_PRODUCES ##
> > > > GUID
> > > > diff --git a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
> > > > b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
> > > > index c809a7086b..94fbc7d2a4 100644
> > > > --- a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
> > > > +++ b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
> > > > @@ -18,6 +18,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > #include <Library/MemoryAllocationLib.h>
> > > > #include <Library/HiiLib.h>
> > > > #include <Library/PlatformVarCleanupLib.h>
> > > > +#include <Library/SecureBootVariableLib.h>
> > > >
> > > > #include <Protocol/Variable.h>
> > > > #include <Protocol/VarCheck.h>
> > > > diff --git
> > > > a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
> > > > b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
> > > > index 3875d614bb..204f1e00ad 100644
> > > > --- a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
> > > > +++ b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
> > > > @@ -319,90 +319,6 @@ DestroyUserVariableNode (
> > > > }
> > > > }
> > > >
> > > > -/**
> > > > - Create a time based data payload by concatenating the
> > > > EFI_VARIABLE_AUTHENTICATION_2
> > > > - descriptor with the input data. NO authentication is required in this
> > > > function.
> > > > -
> > > > - @param[in, out] DataSize On input, the size of Data buffer in
> > > > bytes.
> > > > - On output, the size of data
> > > > returned in Data
> > > > - buffer in bytes.
> > > > - @param[in, out] Data On input, Pointer to data buffer to
> > > > be wrapped or
> > > > - pointer to NULL to wrap an
> > > > empty payload.
> > > > - On output, Pointer to the new
> > > > payload date buffer allocated from pool,
> > > > - it's caller's responsibility to free
> > > > the memory after using it.
> > > > -
> > > > - @retval EFI_SUCCESS Create time based payload
> > > > successfully.
> > > > - @retval EFI_OUT_OF_RESOURCES There are not enough memory
> > > > resourses to create time based payload.
> > > > - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> > > > - @retval Others Unexpected error happens.
> > > > -
> > > > -**/
> > > > -EFI_STATUS
> > > > -CreateTimeBasedPayload (
> > > > - IN OUT UINTN *DataSize,
> > > > - IN OUT UINT8 **Data
> > > > - )
> > > > -{
> > > > - EFI_STATUS Status;
> > > > - UINT8 *NewData;
> > > > - UINT8 *Payload;
> > > > - UINTN PayloadSize;
> > > > - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
> > > > - UINTN DescriptorSize;
> > > > - EFI_TIME Time;
> > > > -
> > > > - if (Data == NULL || DataSize == NULL) {
> > > > - return EFI_INVALID_PARAMETER;
> > > > - }
> > > > -
> > > > - //
> > > > - // At user physical presence, the variable does not need to be signed
> > > but
> > > > the
> > > > - // parameters to the SetVariable() call still need to be prepared as
> > > > authenticated
> > > > - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor
> > > > without certificate
> > > > - // data in it.
> > > > - //
> > > > - Payload = *Data;
> > > > - PayloadSize = *DataSize;
> > > > -
> > > > - DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2,
> > > > AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> > > > - NewData = (UINT8 *) AllocateZeroPool (DescriptorSize + PayloadSize);
> > > > - if (NewData == NULL) {
> > > > - return EFI_OUT_OF_RESOURCES;
> > > > - }
> > > > -
> > > > - if ((Payload != NULL) && (PayloadSize != 0)) {
> > > > - CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
> > > > - }
> > > > -
> > > > - DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
> > > > -
> > > > - ZeroMem (&Time, sizeof (EFI_TIME));
> > > > - Status = gRT->GetTime (&Time, NULL);
> > > > - if (EFI_ERROR (Status)) {
> > > > - FreePool (NewData);
> > > > - return Status;
> > > > - }
> > > > - Time.Pad1 = 0;
> > > > - Time.Nanosecond = 0;
> > > > - Time.TimeZone = 0;
> > > > - Time.Daylight = 0;
> > > > - Time.Pad2 = 0;
> > > > - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
> > > > -
> > > > - DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF
> > > > (WIN_CERTIFICATE_UEFI_GUID, CertData);
> > > > - DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
> > > > - DescriptorData->AuthInfo.Hdr.wCertificateType =
> > > > WIN_CERT_TYPE_EFI_GUID;
> > > > - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
> > > > -
> > > > - if (Payload != NULL) {
> > > > - FreePool (Payload);
> > > > - }
> > > > -
> > > > - *DataSize = DescriptorSize + PayloadSize;
> > > > - *Data = NewData;
> > > > - return EFI_SUCCESS;
> > > > -}
> > > > -
> > > > /**
> > > > Create a counter based data payload by concatenating the
> > > > EFI_VARIABLE_AUTHENTICATION
> > > > descriptor with the input data. NO authentication is required in this
> > > > function.
> > > > --
> > > > 2.25.1
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
> >
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>
>
>
>
>
next prev parent reply other threads:[~2021-06-23 10:39 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-14 9:42 [PATCH v3 0/8] Secure Boot default keys Grzegorz Bernacki
2021-06-14 9:42 ` [edk2-platforms PATCH v3 1/2] Platforms: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-06-14 9:43 ` [PATCH v3 1/8] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
2021-06-14 9:43 ` [edk2-platforms PATCH v3 2/2] Platform/RaspberryPi: Enable default Secure Boot variables initialization Grzegorz Bernacki
2021-06-14 9:43 ` [PATCH v3 2/8] Platforms: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-06-22 11:10 ` Laszlo Ersek
2021-06-22 11:31 ` Grzegorz Bernacki
2021-06-14 9:43 ` [PATCH v3 3/8] SecurityPkg: Create include file for default key content Grzegorz Bernacki
2021-06-15 0:52 ` Yao, Jiewen
[not found] ` <CAA2Cew6kNPJA9tXk6VY0WRstTX3yL7E2D4a7ADrMN8cTMUt3Cw@mail.gmail.com>
[not found] ` <PH0PR11MB488586369E00FB0B00661B368C309@PH0PR11MB4885.namprd11.prod.outlook.com>
[not found] ` <CAA2Cew4kT1aS6Q6X=KUBHb=Gx+JGgwer6DpL12NToxT1dGsP6g@mail.gmail.com>
2021-06-15 13:39 ` Grzegorz Bernacki
2021-06-15 14:22 ` Yao, Jiewen
2021-06-15 16:46 ` [edk2-devel] " Samer El-Haj-Mahmoud
2021-06-14 9:43 ` [PATCH v3 4/8] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
2021-06-14 9:43 ` [PATCH v3 5/8] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-06-14 9:43 ` [PATCH v3 6/8] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-06-15 18:54 ` [edk2-devel] " Jeremiah Cox
2021-06-16 0:49 ` Yao, Jiewen
2021-06-14 9:43 ` [PATCH v3 7/8] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-06-14 9:43 ` [PATCH v3 8/8] MdeModulePkg: Use SecureBootVariableLib in PlatformVarCleanupLib Grzegorz Bernacki
2021-06-17 2:34 ` 回复: [edk2-devel] " gaoliming
2021-06-18 8:03 ` Grzegorz Bernacki
[not found] ` <16899E7FCA105CA2.4563@groups.io>
2021-06-21 9:58 ` Grzegorz Bernacki
2021-06-23 3:32 ` Sunny Wang
2021-06-23 10:39 ` Grzegorz Bernacki [this message]
2021-06-24 0:57 ` 回复: " gaoliming
2021-06-25 5:45 ` Grzegorz Bernacki
2021-06-28 2:27 ` 回复: " gaoliming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAA2Cew6X+O3zQ5fBFLST4rKAQ2dZvUA2H46ahjwZyMZ8Q4G1DA@mail.gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox