From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-qv1-f51.google.com (mail-qv1-f51.google.com [209.85.219.51]) by mx.groups.io with SMTP id smtpd.web09.7000.1627548857392454004 for ; Thu, 29 Jul 2021 01:54:17 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@semihalf-com.20150623.gappssmtp.com header.s=20150623 header.b=KFXXeZsn; spf=none, err=SPF record not found (domain: semihalf.com, ip: 209.85.219.51, mailfrom: gjb@semihalf.com) Received: by mail-qv1-f51.google.com with SMTP id m12so2397803qvt.1 for ; Thu, 29 Jul 2021 01:54:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=semihalf-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=DkmShcKsYm8Bqg20XKwau3ywB0bFw+YsQJCSQAQ4XrY=; b=KFXXeZsnW83NfatlsEXvfNGYV0m50tyFVIqLEKX9LRUuUZundreI/8hP/6wbTJciOr Lll4+236O0E/9yoS4NkPiWVC7uYBq6zXWE/Fpesvh1bRSJ8pMi9UvaYtWJ93ipaoT060 EdYhkuFlU0fW/KRlYO9Y392I5RpH7tDTPDXRBK/JxbwptoXQHvodbTedOIwHv2vjk5Cq mOCBOawYiI1ztu6bdJ2P7dBWN7Unlku8Hm8Gf29dLatMPCiFcvkBNZibtM4UP7KRYgn+ l9k5udbEqXbSvNwKRHyxJUjdACHjQ5Wta9brbxEcClJXdduYr1uQemErbQYF9V49L0Kl otwA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=DkmShcKsYm8Bqg20XKwau3ywB0bFw+YsQJCSQAQ4XrY=; b=I/Fgd7k4nzfYGGOgl3FJ38r6hWs6TLxB6Ts9aQXnnhwLR/nBO4+80r0vOYHcRmCfMG dtIBLFoPnwcyS3O3Cd4r4cTBeMiWkODr8O75j5qz3psSdbrtQ8VG6d6VkGWCpelmg43p wdx4/YUtiRNu7CXpL+CPDOo7tbdcx6LJlhELC+XnjDd0IVx9NP13js9UECZLktGfB7jw yOASWhTMEzD5VK+IBXPMFtGseeL9t0DkkQdEz7HPntiaANs/yqQI3A0JyjUqXYb1MCoE 1LVp9i693GGrKBg61eAGF0ly+nFn+RmM9pzVgvRC251Hbbw6bn1MQEkR5+nxTYTVLELL fGEg== X-Gm-Message-State: AOAM5307JN7/aUC0uvoR0oPFgIDCBDOy8iaV0Q7tZamhIvNXaau99hPU OZ5PD6u9lJLyk7MygcpAIBwZvUPtosIDZwYw57/z8g== X-Google-Smtp-Source: ABdhPJx4+u9Z7aMBjgbST2pWZ2jGxPAToydnvFSrQBUuir0r08UroAB0bkmiIoY2utVHOSUVw3qrIL5Fv94dT9jOK0I= X-Received: by 2002:a05:6214:29e9:: with SMTP id jv9mr4354217qvb.18.1627548856515; Thu, 29 Jul 2021 01:54:16 -0700 (PDT) MIME-Version: 1.0 References: <20210714122952.1340890-1-gjb@semihalf.com> <020201d78384$57add210$07097630$@byosoft.com.cn> In-Reply-To: From: "Grzegorz Bernacki" Date: Thu, 29 Jul 2021 10:54:05 +0200 Message-ID: Subject: Re: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys To: Ard Biesheuvel Cc: edk2-devel-groups-io , "Liming Gao (Byosoft address)" , Sunny Wang , Samer El-Haj-Mahmoud , Ard Biesheuvel , Ray Ni , Leif Lindholm , Marcin Wojtas , upstream@semihalf.com, Jiewen Yao , Jian J Wang , Min Xu , Laszlo Ersek , Sami Mujawar , Andrew Fish , Jordan Justen , Rebecca Cran , Peter Grehan , Thomas Abraham , Chasel Chiu , Nate DeSimone , Eric Dong , Michael Kinney , "Sun, Zailiang" , "Qian, Yi" , Graeme Gregory , Radoslaw Biernacki , Peter Batard Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, I will make the fixes and send a new version soon. thanks, greg =C5=9Br., 28 lip 2021 o 13:07 Ard Biesheuvel napisa=C5= =82(a): > > On Wed, 28 Jul 2021 at 12:39, Ard Biesheuvel wrote: > > > > On Wed, 28 Jul 2021 at 09:44, gaoliming wro= te: > > > > > > Sunny: > > > Yes. This patch set is ready to be merged. > > > > > > Samer: > > > Would you help merge this patch set? > > > > > > > I can pick it up if you could please create the release notes entry? T= hanks. > > > > Submitted here: > > https://github.com/tianocore/edk2/pull/1839 > > and failed with some errors. Could someone please diagnose/fix and submi= t a v7? > > > > > Thanks > > > Liming > > > > -----=E9=82=AE=E4=BB=B6=E5=8E=9F=E4=BB=B6----- > > > > =E5=8F=91=E4=BB=B6=E4=BA=BA: devel@edk2.groups.io =E4=BB=A3=E8=A1=A8 Sunny Wang > > > > =E5=8F=91=E9=80=81=E6=97=B6=E9=97=B4: 2021=E5=B9=B47=E6=9C=8821=E6= = =97=A5 11:41 > > > > =E6=94=B6=E4=BB=B6=E4=BA=BA: Samer El-Haj-Mahmoud ; > > > > devel@edk2.groups.io; gjb@semihalf.com; Ard Biesheuvel > > > > ; gaoliming@byosoft.com.cn; ray.ni@inte= l.com > > > > =E6=8A=84=E9=80=81: leif@nuviainc.com; mw@semihalf.com; upstream@s= emihalf.com; > > > > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; > > > > lersek@redhat.com; Sami Mujawar ; > > > > afish@apple.com; jordan.l.justen@intel.com; rebecca@bsdio.com; > > > > grehan@freebsd.org; Thomas Abraham ; > > > > chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; > > > > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@inte= l.com; > > > > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@ake= o.ie; > > > > Sunny Wang > > > > =E4=B8=BB=E9=A2=98: Re: [edk2-devel] [PATCH v6 00/11] Secure Boot = default keys > > > > > > > > Ard, Liming, Ray, Thanks for your review for ArmVirtPkg, ArmPlatfo= rmPkg, > > > and > > > > EmulatorPkg patches. > > > > > > > > As for the patch for Intel Platforms below, it is in another serie= s for > > > > edk2-platforms. > > > > - [edk2-platforms PATCH v6 1/4] Intel Platforms: add > > > > SecureBootVariableLib class resolution > > > > https://edk2.groups.io/g/devel/message/77781 > > > > > > > > Therefore, I think this series already got all the necessary Revie= wed-By > > > and > > > > Acked-By of all parts and is ready to be pushed now. > > > > > > > > Best Regards, > > > > Sunny Wang > > > > > > > > -----Original Message----- > > > > From: Samer El-Haj-Mahmoud > > > > Sent: Friday, July 16, 2021 8:00 PM > > > > To: devel@edk2.groups.io; gjb@semihalf.com > > > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Sunny Wang > > > > ; mw@semihalf.com; upstream@semihalf.com; > > > > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; > > > > lersek@redhat.com; Sami Mujawar ; > > > > afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; > > > > rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham > > > > ; chasel.chiu@intel.com; > > > > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; > > > > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@inte= l.com; > > > > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@ake= o.ie; > > > > Samer El-Haj-Mahmoud > > > > Subject: RE: [edk2-devel] [PATCH v6 00/11] Secure Boot default key= s > > > > > > > > The v6 of this series seems to have all the necessary Reviewed-By = (and > > > some > > > > Tested-By) of all parts, except the following platform specific pa= rts. > > > Could we > > > > get help from maintainers to review these please? > > > > > > > > Much appreciated! > > > > > > > > - ArmVirtPkg : https://edk2.groups.io/g/devel/message/77772 > > > > - ArmPlatformPkg: https://edk2.groups.io/g/devel/message/77775 > > > > - EmulatorPkg: https://edk2.groups.io/g/devel/message/77773 > > > > - Intel Platforms (Platform/Intel/QuarkPlatformPkg, > > > > Platform/Intel/MinPlatformPkg, Platform/Intel/Vlv2TbltDevicePkg): > > > > https://edk2.groups.io/g/devel/message/77781 > > > > > > > > Thanks, > > > > --Samer > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: devel@edk2.groups.io On Behalf Of > > > > > Grzegorz Bernacki via groups.io > > > > > Sent: Wednesday, July 14, 2021 8:30 AM > > > > > To: devel@edk2.groups.io > > > > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer > > > > El-Haj-Mahmoud > > > > > ; Sunny Wang > > > > > ; mw@semihalf.com; upstream@semihalf.com; > > > > > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; > > > > > lersek@redhat.com; Sami Mujawar ; > > > > > afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; > > > > > rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham > > > > > ; chasel.chiu@intel.com; > > > > > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; > > > > > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@in= tel.com; > > > > > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; > > > > > pete@akeo.ie; Grzegorz Bernacki > > > > > Subject: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys > > > > > > > > > > This patchset adds support for initialization of default > > > > > Secure Boot variables based on keys content embedded in > > > > > flash binary. This feature is active only if Secure Boot > > > > > is enabled and DEFAULT_KEY is defined. The patchset > > > > > consist also application to enroll keys from default > > > > > variables and secure boot menu change to allow user > > > > > to reset key content to default values. > > > > > Discussion on design can be found at: > > > > > https://edk2.groups.io/g/rfc/topic/82139806#600 > > > > > > > > > > Built with: > > > > > GCC > > > > > - RISC-V (U500, U540) [requires fixes in dsc to build] > > > > > - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg, > > > > > EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32)) > > > > > - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4) > > > > > > > > > > RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixe= s to be > > > > built, > > > > > will be post on edk2 maillist later > > > > > > > > > > VS2019 > > > > > - Intel (OvmfPkgX64) > > > > > > > > > > Test with: > > > > > GCC5/RPi4 > > > > > VS2019/OvmfX64 (requires changes to enable feature) > > > > > > > > > > Tests: > > > > > 1. Try to enroll key in incorrect format. > > > > > 2. Enroll with only PKDefault keys specified. > > > > > 3. Enroll with all keys specified. > > > > > 4. Enroll when keys are enrolled. > > > > > 5. Reset keys values. > > > > > 6. Running signed & unsigned app after enrollment. > > > > > > > > > > Changes since v1: > > > > > - change names: > > > > > SecBootVariableLib =3D> SecureBootVariableLib > > > > > SecBootDefaultKeysDxe =3D> SecureBootDefaultKeysDxe > > > > > SecEnrollDefaultKeysApp =3D> EnrollFromDefaultKeysApp > > > > > - change name of function CheckSetupMode to GetSetupMode > > > > > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp > > > > > - rebase to master > > > > > > > > > > Changes since v2: > > > > > - fix coding style for functions headers in SecureBootVariableLi= b.h > > > > > - add header to SecureBootDefaultKeys.fdf.inc > > > > > - remove empty line spaces in SecureBootDefaultKeysDxe files > > > > > - revert FAIL macro in EnrollFromDefaultKeysApp > > > > > - remove functions duplicates and add SecureBootVariableLib > > > > > to platforms which used it > > > > > > > > > > Changes since v3: > > > > > - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg > > > > > - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanu= pLib > > > > > - fix typo in guid description > > > > > > > > > > Changes since v4: > > > > > - reorder patches to make it bisectable > > > > > - split commits related to more than one platform > > > > > - move edk2-platform commits to separate patchset > > > > > > > > > > Changes since v5: > > > > > - split SecureBootVariableLib into SecureBootVariableLib and > > > > > SecureBootVariableProvisionLib > > > > > > > > > > Grzegorz Bernacki (11): > > > > > SecurityPkg: Create SecureBootVariableLib. > > > > > SecurityPkg: Create library for enrolling Secure Boot variable= s. > > > > > ArmVirtPkg: add SecureBootVariableLib class resolution > > > > > OvmfPkg: add SecureBootVariableLib class resolution > > > > > EmulatorPkg: add SecureBootVariableLib class resolution > > > > > SecurityPkg: Remove duplicated functions from SecureBootConfig= Dxe. > > > > > ArmPlatformPkg: Create include file for default key content. > > > > > SecurityPkg: Add SecureBootDefaultKeysDxe driver > > > > > SecurityPkg: Add EnrollFromDefaultKeys application. > > > > > SecurityPkg: Add new modules to Security package. > > > > > SecurityPkg: Add option to reset secure boot keys. > > > > > > > > > > SecurityPkg/SecurityPkg.dec > > > > | 14 + > > > > > ArmVirtPkg/ArmVirt.dsc.inc > > > > | 2 + > > > > > EmulatorPkg/EmulatorPkg.dsc > > > > | 2 + > > > > > OvmfPkg/Bhyve/BhyveX64.dsc > > > > | 2 + > > > > > OvmfPkg/OvmfPkgIa32.dsc > > > > | 2 + > > > > > OvmfPkg/OvmfPkgIa32X64.dsc > > > > | 2 + > > > > > OvmfPkg/OvmfPkgX64.dsc > > > > | 2 + > > > > > SecurityPkg/SecurityPkg.dsc > > > > | 5 + > > > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.i= nf > > > > > | 48 ++ > > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib= .inf > > > > > | 80 +++ > > > > > > > > > > > > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVaria= blePro > > > > > visionLib.inf | 80 +++ > > > > > > > > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoot= Confi > > > > > gDxe.inf | 3 + > > > > > > > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Secur= eBoot > > > > > DefaultKeysDxe.inf | 46 ++ > > > > > SecurityPkg/Include/Library/SecureBootVariableLib.h > > > > | 153 > > > > > ++++++ > > > > > SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > > > > > | 134 +++++ > > > > > > > > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoot= Confi > > > > > gNvData.h | 2 + > > > > > > > > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoot= Confi > > > > > g.vfr | 6 + > > > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c > > > > > | 110 +++++ > > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib= .c > > > > > | 511 ++++++++++++++++++++ > > > > > > > > > > > > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVaria= blePro > > > > > visionLib.c | 491 +++++++++++++++++++ > > > > > > > > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoot= Confi > > > > > gImpl.c | 344 ++++++------- > > > > > > > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Secur= eBoot > > > > > DefaultKeysDxe.c | 69 +++ > > > > > ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc > > > > | 70 > > > > > +++ > > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib= .uni > > > > > | 17 + > > > > > > > > > > > > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVaria= blePro > > > > > visionLib.uni | 16 + > > > > > > > > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoot= Confi > > > > > gStrings.uni | 4 + > > > > > > > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Secur= eBoot > > > > > DefaultKeysDxe.uni | 16 + > > > > > 27 files changed, 2043 insertions(+), 188 deletions(-) > > > > > create mode 100644 > > > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.in= f > > > > > create mode 100644 > > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.= inf > > > > > create mode 100644 > > > > > > > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVaria= blePro > > > > > visionLib.inf > > > > > create mode 100644 > > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Secur= eBoot > > > > > DefaultKeysDxe.inf > > > > > create mode 100644 > > > > SecurityPkg/Include/Library/SecureBootVariableLib.h > > > > > create mode 100644 > > > > > SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > > > > > create mode 100644 > > > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c > > > > > create mode 100644 > > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.= c > > > > > create mode 100644 > > > > > > > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVaria= blePro > > > > > visionLib.c > > > > > create mode 100644 > > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Secur= eBoot > > > > > DefaultKeysDxe.c > > > > > create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc > > > > > create mode 100644 > > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.= uni > > > > > create mode 100644 > > > > > > > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVaria= blePro > > > > > visionLib.uni > > > > > create mode 100644 > > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Secur= eBoot > > > > > DefaultKeysDxe.uni > > > > > > > > > > -- > > > > > 2.25.1 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > IMPORTANT NOTICE: The contents of this email and any attachments a= re > > > > confidential and may also be privileged. If you are not the intend= ed > > > recipient, > > > > please notify the sender immediately and do not disclose the conte= nts to > > > any > > > > other person, use it for any purpose, or store or copy the informa= tion in > > > any > > > > medium. Thank you. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >=20 > > > > > >