From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-qk1-f170.google.com (mail-qk1-f170.google.com [209.85.222.170])
 by mx.groups.io with SMTP id smtpd.web09.9274.1623764384247536949
 for <devel@edk2.groups.io>;
 Tue, 15 Jun 2021 06:39:44 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@semihalf-com.20150623.gappssmtp.com header.s=20150623 header.b=ZyDWtdlh;
 spf=none, err=SPF record not found (domain: semihalf.com, ip: 209.85.222.170, mailfrom: gjb@semihalf.com)
Received: by mail-qk1-f170.google.com with SMTP id u30so41925851qke.7
        for <devel@edk2.groups.io>; Tue, 15 Jun 2021 06:39:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=semihalf-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :content-transfer-encoding;
        bh=GlcEd4gDagIfQ/1kG9Ru5xVbhK+fttaCf2b0/lgnisw=;
        b=ZyDWtdlhTKMqp6JfoXSI07y+fePUuU6Xq5HppFByWACyXYstmSMrdauzFOXQ3/wPLk
         NbKQIy87t7Su1oIKu8TqNXdBDdFr1RleG945LOGJx6M/xIrQFS+9R0IltTjoZ3EIcsSO
         0re9te8WCks83QkRXlUgGc0DFENShve1m5eKeS5Dwa5fFX4YXwU5NMlw0n+3Fw5/32pS
         OCu+/quyQHcUOQOYTRvSnMOuTKrAvHqKpNjxXtaQ3aeE5RmOaL3W8xLq35HPT1SUBFaq
         hbBUNlHrefICYKT+2Ubf2W1xlMiD1pB7ALCHxBScOlZCp1SzD0/2ismhaGrS2vdmIYj6
         w/zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:content-transfer-encoding;
        bh=GlcEd4gDagIfQ/1kG9Ru5xVbhK+fttaCf2b0/lgnisw=;
        b=a8i/t8nbPDO733TbBBl96i/ykRS409XnLRVOHkeskuuS+KemQ97FuPgFCsSfx1hikX
         4SjeoFbgA8IxfO6O65tQyh7N3NfnC+S9iNFBF0sayU1SulrYxAXplSWY1lag7DmaE7ky
         aBvtjkrlo8nSSQ3N6GKMJXHtvS/esGvC7JJkHpHxbEmkZG+6KbeI1eIbV68Bb+6qZZaB
         L6EtDcYDSyVrLeCrt5qZhiJfZ00z3BJfMTZkgPifVVm0GwRG0Ai4h9wz8XPm1R5r4yaW
         2zXjP4TlIrceuE261Fn+uirOCxblicSm1vray/xYQ1lQQyCvJ2I6Dz2CNGRdflFP0aIb
         fJ9g==
X-Gm-Message-State: AOAM533vWEoCkrSVYJTv0XgGOIx41R3yOIRbEZX2jg2NjepKhILtUwLa
	gaKWZxyjPACCQfJmG4I+jzTj8gnF8l3vvkippzg8Zw==
X-Google-Smtp-Source: ABdhPJx1gmzUR3fJBexZxNcWRjXp0i+EMJprIJTf582xsf+SXddGuBB96R5DeEvg23tSoY0MP+0uLtWz78DDoD9C2IY=
X-Received: by 2002:a37:bf81:: with SMTP id p123mr22450535qkf.40.1623764383324;
 Tue, 15 Jun 2021 06:39:43 -0700 (PDT)
MIME-Version: 1.0
References: <20210614094308.2314345-1-gjb@semihalf.com> <20210614094308.2314345-6-gjb@semihalf.com>
 <PH0PR11MB48857B1EE003912485F5AAA48C309@PH0PR11MB4885.namprd11.prod.outlook.com>
 <CAA2Cew6kNPJA9tXk6VY0WRstTX3yL7E2D4a7ADrMN8cTMUt3Cw@mail.gmail.com>
 <PH0PR11MB488586369E00FB0B00661B368C309@PH0PR11MB4885.namprd11.prod.outlook.com>
 <CAA2Cew4kT1aS6Q6X=KUBHb=Gx+JGgwer6DpL12NToxT1dGsP6g@mail.gmail.com>
In-Reply-To: <CAA2Cew4kT1aS6Q6X=KUBHb=Gx+JGgwer6DpL12NToxT1dGsP6g@mail.gmail.com>
From: "Grzegorz Bernacki" <gjb@semihalf.com>
Date: Tue, 15 Jun 2021 15:39:32 +0200
Message-ID: <CAA2Cew6asV9cu4mN_CJeSSx+K6M3=OGZmsjnwQ=PsVQ3HmfMMA@mail.gmail.com>
Subject: Re: [PATCH v3 3/8] SecurityPkg: Create include file for default key content.
To: "Yao, Jiewen" <jiewen.yao@intel.com>, devel@edk2.groups.io
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

Adding edk-devel group back in the loop...
I removed it by mistake.

greg

wt., 15 cze 2021 o 14:16 Grzegorz Bernacki <gjb@semihalf.com> napisa=C5=82(=
a):
>
> It was the original design, but it was changed when RFC was reviewed.
> Please see:
> https://edk2.groups.io/g/rfc/topic/edk2_devel_rfc_secure/82139806
>
> I think that having an include file is better than duplicating the
> snippet in many platform files. If someone wants to use 1 key, then
> the include file can still be used. Of course, if someone wants to use
> more, then they must add entries in platform FDF, but still I like the
> idea of include file.
>
> thanks,
> greg
>
> wt., 15 cze 2021 o 13:59 Yao, Jiewen <jiewen.yao@intel.com> napisa=C5=82(=
a):
> >
> > I think it is platform policy to decide how many keys. (it could be 1 o=
r 3 or 10).
> >
> > I recommend to move this to a platform fdf.
> >
> > Thank you
> > Yao Jiewen
> >
> >
> > > -----Original Message-----
> > > From: Grzegorz Bernacki <gjb@semihalf.com>
> > > Sent: Tuesday, June 15, 2021 7:07 PM
> > > To: Yao, Jiewen <jiewen.yao@intel.com>
> > > Subject: Re: [PATCH v3 3/8] SecurityPkg: Create include file for defa=
ult key
> > > content.
> > >
> > > Hi,
> > >
> > > Thanks for your comments.
> > > The idea was to allow the user to specify more than one key. One can
> > > use not only Microsoft or Canonical keys, but also generate new keys
> > > and use them.
> > > I can move the include file to another directory, but which place is
> > > the best for it. I thought that since the rest of the functionality i=
s
> > > placed in SecurityPkg, I should also place that file there.
> > > thanks,
> > > greg
> > >
> > >
> > > wt., 15 cze 2021 o 02:52 Yao, Jiewen <jiewen.yao@intel.com> napisa=C5=
=82(a):
> > > >
> > > > Hi
> > > > I am not sure why we hardcode 3 items for each.
> > > >
> > > > Can we move this fdf to platform pkg, instead of security pkg ?
> > > >
> > > > Thank you
> > > > Yao Jiewen
> > > >
> > > > > -----Original Message-----
> > > > > From: Grzegorz Bernacki <gjb@semihalf.com>
> > > > > Sent: Monday, June 14, 2021 5:43 PM
> > > > > To: devel@edk2.groups.io
> > > > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> > > > > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> > > > > upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, =
Jian
> > > J
> > > > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > > > > lersek@redhat.com; sami.mujawar@arm.com; afish@apple.com; Ni, Ray
> > > > > <ray.ni@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>;
> > > > > rebecca@bsdio.com; grehan@freebsd.org; thomas.abraham@arm.com;
> > > Chiu,
> > > > > Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> > > > > <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong,=
 Eric
> > > > > <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.=
com>;
> > > Sun,
> > > > > Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> > > > > graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz
> > > Bernacki
> > > > > <gjb@semihalf.com>
> > > > > Subject: [PATCH v3 3/8] SecurityPkg: Create include file for defa=
ult key
> > > content.
> > > > >
> > > > > This commits add file which can be included by platform Flash
> > > > > Description File. It allows to specify certificate files, which
> > > > > will be embedded into binary file. The content of these files
> > > > > can be used to initialize Secure Boot default keys and databases.
> > > > >
> > > > > Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> > > > > ---
> > > > >  SecurityPkg/SecureBootDefaultKeys.fdf.inc | 70 +++++++++++++++++=
+++
> > > > >  1 file changed, 70 insertions(+)
> > > > >  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > > > >
> > > > > diff --git a/SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > > > > b/SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > > > > new file mode 100644
> > > > > index 0000000000..bf4f2d42de
> > > > > --- /dev/null
> > > > > +++ b/SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > > > > @@ -0,0 +1,70 @@
> > > > > +## @file
> > > > > +# FDF include file which allows to embed Secure Boot keys
> > > > > +#
> > > > > +#  Copyright (c) 2021, ARM Limited. All rights reserved.
> > > > > +#  Copyright (c) 2021, Semihalf. All rights reserved.
> > > > > +#
> > > > > +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > > +#
> > > > > +
> > > > > +!if $(DEFAULT_KEYS) =3D=3D TRUE
> > > > > +  FILE FREEFORM =3D 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
> > > > > +  !ifdef $(PK_DEFAULT_FILE)
> > > > > +    SECTION RAW =3D $(PK_DEFAULT_FILE)
> > > > > +  !endif
> > > > > +    SECTION UI =3D "PK Default"
> > > > > +  }
> > > > > +
> > > > > +  FILE FREEFORM =3D 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
> > > > > +  !ifdef $(KEK_DEFAULT_FILE1)
> > > > > +    SECTION RAW =3D $(KEK_DEFAULT_FILE1)
> > > > > +  !endif
> > > > > +  !ifdef $(KEK_DEFAULT_FILE2)
> > > > > +    SECTION RAW =3D $(KEK_DEFAULT_FILE2)
> > > > > +  !endif
> > > > > +  !ifdef $(KEK_DEFAULT_FILE3)
> > > > > +    SECTION RAW =3D $(KEK_DEFAULT_FILE3)
> > > > > +  !endif
> > > > > +    SECTION UI =3D "KEK Default"
> > > > > +  }
> > > > > +
> > > > > +  FILE FREEFORM =3D c491d352-7623-4843-accc-2791a7574421 {
> > > > > +  !ifdef $(DB_DEFAULT_FILE1)
> > > > > +    SECTION RAW =3D $(DB_DEFAULT_FILE1)
> > > > > +  !endif
> > > > > +  !ifdef $(DB_DEFAULT_FILE2)
> > > > > +    SECTION RAW =3D $(DB_DEFAULT_FILE2)
> > > > > +  !endif
> > > > > +  !ifdef $(DB_DEFAULT_FILE3)
> > > > > +    SECTION RAW =3D $(DB_DEFAULT_FILE3)
> > > > > +  !endif
> > > > > +    SECTION UI =3D "DB Default"
> > > > > +  }
> > > > > +
> > > > > +  FILE FREEFORM =3D 36c513ee-a338-4976-a0fb-6ddba3dafe87 {
> > > > > +  !ifdef $(DBT_DEFAULT_FILE1)
> > > > > +    SECTION RAW =3D $(DBT_DEFAULT_FILE1)
> > > > > +  !endif
> > > > > +  !ifdef $(DBT_DEFAULT_FILE2)
> > > > > +    SECTION RAW =3D $(DBT_DEFAULT_FILE2)
> > > > > +  !endif
> > > > > +  !ifdef $(DBT_DEFAULT_FILE3)
> > > > > +    SECTION RAW =3D $(DBT_DEFAULT_FILE3)
> > > > > +  !endif
> > > > > +    SECTION UI =3D "DBT Default"
> > > > > +  }
> > > > > +
> > > > > +  FILE FREEFORM =3D 5740766a-718e-4dc0-9935-c36f7d3f884f {
> > > > > +  !ifdef $(DBX_DEFAULT_FILE1)
> > > > > +    SECTION RAW =3D $(DBX_DEFAULT_FILE1)
> > > > > +  !endif
> > > > > +  !ifdef $(DBX_DEFAULT_FILE2)
> > > > > +    SECTION RAW =3D $(DBX_DEFAULT_FILE2)
> > > > > +  !endif
> > > > > +  !ifdef $(DBX_DEFAULT_FILE3)
> > > > > +    SECTION RAW =3D $(DBX_DEFAULT_FILE3)
> > > > > +  !endif
> > > > > +    SECTION UI =3D "DBX Default"
> > > > > +  }
> > > > > +
> > > > > +!endif
> > > > > --
> > > > > 2.25.1
> > > >