From: "Grzegorz Bernacki" <gjb@semihalf.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>, devel@edk2.groups.io
Subject: Re: [PATCH v3 3/8] SecurityPkg: Create include file for default key content.
Date: Tue, 15 Jun 2021 15:39:32 +0200 [thread overview]
Message-ID: <CAA2Cew6asV9cu4mN_CJeSSx+K6M3=OGZmsjnwQ=PsVQ3HmfMMA@mail.gmail.com> (raw)
In-Reply-To: <CAA2Cew4kT1aS6Q6X=KUBHb=Gx+JGgwer6DpL12NToxT1dGsP6g@mail.gmail.com>
Hi,
Adding edk-devel group back in the loop...
I removed it by mistake.
greg
wt., 15 cze 2021 o 14:16 Grzegorz Bernacki <gjb@semihalf.com> napisał(a):
>
> It was the original design, but it was changed when RFC was reviewed.
> Please see:
> https://edk2.groups.io/g/rfc/topic/edk2_devel_rfc_secure/82139806
>
> I think that having an include file is better than duplicating the
> snippet in many platform files. If someone wants to use 1 key, then
> the include file can still be used. Of course, if someone wants to use
> more, then they must add entries in platform FDF, but still I like the
> idea of include file.
>
> thanks,
> greg
>
> wt., 15 cze 2021 o 13:59 Yao, Jiewen <jiewen.yao@intel.com> napisał(a):
> >
> > I think it is platform policy to decide how many keys. (it could be 1 or 3 or 10).
> >
> > I recommend to move this to a platform fdf.
> >
> > Thank you
> > Yao Jiewen
> >
> >
> > > -----Original Message-----
> > > From: Grzegorz Bernacki <gjb@semihalf.com>
> > > Sent: Tuesday, June 15, 2021 7:07 PM
> > > To: Yao, Jiewen <jiewen.yao@intel.com>
> > > Subject: Re: [PATCH v3 3/8] SecurityPkg: Create include file for default key
> > > content.
> > >
> > > Hi,
> > >
> > > Thanks for your comments.
> > > The idea was to allow the user to specify more than one key. One can
> > > use not only Microsoft or Canonical keys, but also generate new keys
> > > and use them.
> > > I can move the include file to another directory, but which place is
> > > the best for it. I thought that since the rest of the functionality is
> > > placed in SecurityPkg, I should also place that file there.
> > > thanks,
> > > greg
> > >
> > >
> > > wt., 15 cze 2021 o 02:52 Yao, Jiewen <jiewen.yao@intel.com> napisał(a):
> > > >
> > > > Hi
> > > > I am not sure why we hardcode 3 items for each.
> > > >
> > > > Can we move this fdf to platform pkg, instead of security pkg ?
> > > >
> > > > Thank you
> > > > Yao Jiewen
> > > >
> > > > > -----Original Message-----
> > > > > From: Grzegorz Bernacki <gjb@semihalf.com>
> > > > > Sent: Monday, June 14, 2021 5:43 PM
> > > > > To: devel@edk2.groups.io
> > > > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> > > > > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> > > > > upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian
> > > J
> > > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > > > > lersek@redhat.com; sami.mujawar@arm.com; afish@apple.com; Ni, Ray
> > > > > <ray.ni@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>;
> > > > > rebecca@bsdio.com; grehan@freebsd.org; thomas.abraham@arm.com;
> > > Chiu,
> > > > > Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> > > > > <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> > > > > <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>;
> > > Sun,
> > > > > Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> > > > > graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz
> > > Bernacki
> > > > > <gjb@semihalf.com>
> > > > > Subject: [PATCH v3 3/8] SecurityPkg: Create include file for default key
> > > content.
> > > > >
> > > > > This commits add file which can be included by platform Flash
> > > > > Description File. It allows to specify certificate files, which
> > > > > will be embedded into binary file. The content of these files
> > > > > can be used to initialize Secure Boot default keys and databases.
> > > > >
> > > > > Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> > > > > ---
> > > > > SecurityPkg/SecureBootDefaultKeys.fdf.inc | 70 ++++++++++++++++++++
> > > > > 1 file changed, 70 insertions(+)
> > > > > create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > > > >
> > > > > diff --git a/SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > > > > b/SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > > > > new file mode 100644
> > > > > index 0000000000..bf4f2d42de
> > > > > --- /dev/null
> > > > > +++ b/SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > > > > @@ -0,0 +1,70 @@
> > > > > +## @file
> > > > > +# FDF include file which allows to embed Secure Boot keys
> > > > > +#
> > > > > +# Copyright (c) 2021, ARM Limited. All rights reserved.
> > > > > +# Copyright (c) 2021, Semihalf. All rights reserved.
> > > > > +#
> > > > > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > > +#
> > > > > +
> > > > > +!if $(DEFAULT_KEYS) == TRUE
> > > > > + FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
> > > > > + !ifdef $(PK_DEFAULT_FILE)
> > > > > + SECTION RAW = $(PK_DEFAULT_FILE)
> > > > > + !endif
> > > > > + SECTION UI = "PK Default"
> > > > > + }
> > > > > +
> > > > > + FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
> > > > > + !ifdef $(KEK_DEFAULT_FILE1)
> > > > > + SECTION RAW = $(KEK_DEFAULT_FILE1)
> > > > > + !endif
> > > > > + !ifdef $(KEK_DEFAULT_FILE2)
> > > > > + SECTION RAW = $(KEK_DEFAULT_FILE2)
> > > > > + !endif
> > > > > + !ifdef $(KEK_DEFAULT_FILE3)
> > > > > + SECTION RAW = $(KEK_DEFAULT_FILE3)
> > > > > + !endif
> > > > > + SECTION UI = "KEK Default"
> > > > > + }
> > > > > +
> > > > > + FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
> > > > > + !ifdef $(DB_DEFAULT_FILE1)
> > > > > + SECTION RAW = $(DB_DEFAULT_FILE1)
> > > > > + !endif
> > > > > + !ifdef $(DB_DEFAULT_FILE2)
> > > > > + SECTION RAW = $(DB_DEFAULT_FILE2)
> > > > > + !endif
> > > > > + !ifdef $(DB_DEFAULT_FILE3)
> > > > > + SECTION RAW = $(DB_DEFAULT_FILE3)
> > > > > + !endif
> > > > > + SECTION UI = "DB Default"
> > > > > + }
> > > > > +
> > > > > + FILE FREEFORM = 36c513ee-a338-4976-a0fb-6ddba3dafe87 {
> > > > > + !ifdef $(DBT_DEFAULT_FILE1)
> > > > > + SECTION RAW = $(DBT_DEFAULT_FILE1)
> > > > > + !endif
> > > > > + !ifdef $(DBT_DEFAULT_FILE2)
> > > > > + SECTION RAW = $(DBT_DEFAULT_FILE2)
> > > > > + !endif
> > > > > + !ifdef $(DBT_DEFAULT_FILE3)
> > > > > + SECTION RAW = $(DBT_DEFAULT_FILE3)
> > > > > + !endif
> > > > > + SECTION UI = "DBT Default"
> > > > > + }
> > > > > +
> > > > > + FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {
> > > > > + !ifdef $(DBX_DEFAULT_FILE1)
> > > > > + SECTION RAW = $(DBX_DEFAULT_FILE1)
> > > > > + !endif
> > > > > + !ifdef $(DBX_DEFAULT_FILE2)
> > > > > + SECTION RAW = $(DBX_DEFAULT_FILE2)
> > > > > + !endif
> > > > > + !ifdef $(DBX_DEFAULT_FILE3)
> > > > > + SECTION RAW = $(DBX_DEFAULT_FILE3)
> > > > > + !endif
> > > > > + SECTION UI = "DBX Default"
> > > > > + }
> > > > > +
> > > > > +!endif
> > > > > --
> > > > > 2.25.1
> > > >
next prev parent reply other threads:[~2021-06-15 13:39 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-14 9:42 [PATCH v3 0/8] Secure Boot default keys Grzegorz Bernacki
2021-06-14 9:42 ` [edk2-platforms PATCH v3 1/2] Platforms: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-06-14 9:43 ` [PATCH v3 1/8] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
2021-06-14 9:43 ` [edk2-platforms PATCH v3 2/2] Platform/RaspberryPi: Enable default Secure Boot variables initialization Grzegorz Bernacki
2021-06-14 9:43 ` [PATCH v3 2/8] Platforms: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-06-22 11:10 ` Laszlo Ersek
2021-06-22 11:31 ` Grzegorz Bernacki
2021-06-14 9:43 ` [PATCH v3 3/8] SecurityPkg: Create include file for default key content Grzegorz Bernacki
2021-06-15 0:52 ` Yao, Jiewen
[not found] ` <CAA2Cew6kNPJA9tXk6VY0WRstTX3yL7E2D4a7ADrMN8cTMUt3Cw@mail.gmail.com>
[not found] ` <PH0PR11MB488586369E00FB0B00661B368C309@PH0PR11MB4885.namprd11.prod.outlook.com>
[not found] ` <CAA2Cew4kT1aS6Q6X=KUBHb=Gx+JGgwer6DpL12NToxT1dGsP6g@mail.gmail.com>
2021-06-15 13:39 ` Grzegorz Bernacki [this message]
2021-06-15 14:22 ` Yao, Jiewen
2021-06-15 16:46 ` [edk2-devel] " Samer El-Haj-Mahmoud
2021-06-14 9:43 ` [PATCH v3 4/8] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
2021-06-14 9:43 ` [PATCH v3 5/8] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-06-14 9:43 ` [PATCH v3 6/8] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-06-15 18:54 ` [edk2-devel] " Jeremiah Cox
2021-06-16 0:49 ` Yao, Jiewen
2021-06-14 9:43 ` [PATCH v3 7/8] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-06-14 9:43 ` [PATCH v3 8/8] MdeModulePkg: Use SecureBootVariableLib in PlatformVarCleanupLib Grzegorz Bernacki
2021-06-17 2:34 ` 回复: [edk2-devel] " gaoliming
2021-06-18 8:03 ` Grzegorz Bernacki
[not found] ` <16899E7FCA105CA2.4563@groups.io>
2021-06-21 9:58 ` Grzegorz Bernacki
2021-06-23 3:32 ` Sunny Wang
2021-06-23 10:39 ` Grzegorz Bernacki
2021-06-24 0:57 ` 回复: " gaoliming
2021-06-25 5:45 ` Grzegorz Bernacki
2021-06-28 2:27 ` 回复: " gaoliming
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAA2Cew6asV9cu4mN_CJeSSx+K6M3=OGZmsjnwQ=PsVQ3HmfMMA@mail.gmail.com' \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox