public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Grzegorz Bernacki" <gjb@semihalf.com>
To: devel@edk2.groups.io, gaoliming@byosoft.com.cn
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
	"Samer El-Haj-Mahmoud" <Samer.El-Haj-Mahmoud@arm.com>,
	"Sunny Wang" <sunny.Wang@arm.com>,
	"Marcin Wojtas" <mw@semihalf.com>,
	upstream@semihalf.com, "Yao, Jiewen" <jiewen.yao@intel.com>,
	"Wang, Jian J" <jian.j.wang@intel.com>,
	"Xu, Min M" <min.m.xu@intel.com>,
	"Laszlo Ersek" <lersek@redhat.com>,
	sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com,
	jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org,
	thomas.abraham@arm.com, chasel.chiu@intel.com,
	nathaniel.l.desimone@intel.com, eric.dong@intel.com,
	michael.d.kinney@intel.com, zailiang.sun@intel.com,
	yi.qian@intel.com, graeme@nuviainc.com,
	"Radosław Biernacki" <rad@semihalf.com>,
	"Pete Batard" <pete@akeo.ie>
Subject: Re: [edk2-devel] [PATCH v3 8/8] MdeModulePkg: Use SecureBootVariableLib in PlatformVarCleanupLib.
Date: Fri, 18 Jun 2021 10:03:19 +0200	[thread overview]
Message-ID: <CAA2Cew7k5Z0aEnXAPj47mT8byN7RCojvHON3AXz0sL3A4P_Hxw@mail.gmail.com> (raw)
In-Reply-To: <005b01d76321$4a8500a0$df8f01e0$@byosoft.com.cn>

Hi,

Thanks for the comment, I will move that function to AuthVariableLib.
greg

czw., 17 cze 2021 o 04:35 gaoliming <gaoliming@byosoft.com.cn> napisał(a):
>
> Grzegorz:
>   MdeModulePkg is generic base package. It should not depend on SecurityPkg.
>
>   I agree CreateTimeBasedPayload() is the generic API. It can be shared in
> the different modules.
>   I propose to add it into MdeModulePkg AuthVariableLib.
>
> Thanks
> Liming
> > -----邮件原件-----
> > 发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 Grzegorz
> > Bernacki
> > 发送时间: 2021年6月14日 17:43
> > 收件人: devel@edk2.groups.io
> > 抄送: leif@nuviainc.com; ardb+tianocore@kernel.org;
> > Samer.El-Haj-Mahmoud@arm.com; sunny.Wang@arm.com;
> > mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com;
> > jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com;
> > sami.mujawar@arm.com; afish@apple.com; ray.ni@intel.com;
> > jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org;
> > thomas.abraham@arm.com; chasel.chiu@intel.com;
> > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie;
> > Grzegorz Bernacki <gjb@semihalf.com>
> > 主题: [edk2-devel] [PATCH v3 8/8] MdeModulePkg: Use
> > SecureBootVariableLib in PlatformVarCleanupLib.
> >
> > This commits removes CreateTimeBasedPayload() function from
> > PlatformVarCleanupLib and uses exactly the same function from
> > SecureBootVariableLib.
> >
> > Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> > ---
> >  MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf |
> > 2 +
> >  MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
> > |  1 +
> >  MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
> > | 84 --------------------
> >  3 files changed, 3 insertions(+), 84 deletions(-)
> >
> > diff --git
> > a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf
> > b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf
> > index 8d5db826a0..493d03e1d8 100644
> > ---
> > a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf
> > +++
> > b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf
> > @@ -34,6 +34,7 @@
> >  [Packages]
> >    MdePkg/MdePkg.dec
> >    MdeModulePkg/MdeModulePkg.dec
> > +  SecurityPkg/SecurityPkg.dec
> >
> >  [LibraryClasses]
> >    UefiBootServicesTableLib
> > @@ -44,6 +45,7 @@
> >    PrintLib
> >    MemoryAllocationLib
> >    HiiLib
> > +  SecureBootVariableLib
> >
> >  [Guids]
> >    gEfiIfrTianoGuid                  ## SOMETIMES_PRODUCES   ##
> > GUID
> > diff --git a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
> > b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
> > index c809a7086b..94fbc7d2a4 100644
> > --- a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
> > +++ b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
> > @@ -18,6 +18,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> >  #include <Library/MemoryAllocationLib.h>
> >  #include <Library/HiiLib.h>
> >  #include <Library/PlatformVarCleanupLib.h>
> > +#include <Library/SecureBootVariableLib.h>
> >
> >  #include <Protocol/Variable.h>
> >  #include <Protocol/VarCheck.h>
> > diff --git
> > a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
> > b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
> > index 3875d614bb..204f1e00ad 100644
> > --- a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
> > +++ b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
> > @@ -319,90 +319,6 @@ DestroyUserVariableNode (
> >    }
> >  }
> >
> > -/**
> > -  Create a time based data payload by concatenating the
> > EFI_VARIABLE_AUTHENTICATION_2
> > -  descriptor with the input data. NO authentication is required in this
> > function.
> > -
> > -  @param[in, out] DataSize          On input, the size of Data buffer in
> > bytes.
> > -                                    On output, the size of data
> > returned in Data
> > -                                    buffer in bytes.
> > -  @param[in, out] Data              On input, Pointer to data buffer to
> > be wrapped or
> > -                                    pointer to NULL to wrap an
> > empty payload.
> > -                                    On output, Pointer to the new
> > payload date buffer allocated from pool,
> > -                                    it's caller's responsibility to free
> > the memory after using it.
> > -
> > -  @retval EFI_SUCCESS               Create time based payload
> > successfully.
> > -  @retval EFI_OUT_OF_RESOURCES      There are not enough memory
> > resourses to create time based payload.
> > -  @retval EFI_INVALID_PARAMETER     The parameter is invalid.
> > -  @retval Others                    Unexpected error happens.
> > -
> > -**/
> > -EFI_STATUS
> > -CreateTimeBasedPayload (
> > -  IN OUT UINTN      *DataSize,
> > -  IN OUT UINT8      **Data
> > -  )
> > -{
> > -  EFI_STATUS                        Status;
> > -  UINT8                             *NewData;
> > -  UINT8                             *Payload;
> > -  UINTN                             PayloadSize;
> > -  EFI_VARIABLE_AUTHENTICATION_2     *DescriptorData;
> > -  UINTN                             DescriptorSize;
> > -  EFI_TIME                          Time;
> > -
> > -  if (Data == NULL || DataSize == NULL) {
> > -    return EFI_INVALID_PARAMETER;
> > -  }
> > -
> > -  //
> > -  // At user physical presence, the variable does not need to be signed
> but
> > the
> > -  // parameters to the SetVariable() call still need to be prepared as
> > authenticated
> > -  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor
> > without certificate
> > -  // data in it.
> > -  //
> > -  Payload     = *Data;
> > -  PayloadSize = *DataSize;
> > -
> > -  DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2,
> > AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> > -  NewData = (UINT8 *) AllocateZeroPool (DescriptorSize + PayloadSize);
> > -  if (NewData == NULL) {
> > -    return EFI_OUT_OF_RESOURCES;
> > -  }
> > -
> > -  if ((Payload != NULL) && (PayloadSize != 0)) {
> > -    CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
> > -  }
> > -
> > -  DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
> > -
> > -  ZeroMem (&Time, sizeof (EFI_TIME));
> > -  Status = gRT->GetTime (&Time, NULL);
> > -  if (EFI_ERROR (Status)) {
> > -    FreePool (NewData);
> > -    return Status;
> > -  }
> > -  Time.Pad1       = 0;
> > -  Time.Nanosecond = 0;
> > -  Time.TimeZone   = 0;
> > -  Time.Daylight   = 0;
> > -  Time.Pad2       = 0;
> > -  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
> > -
> > -  DescriptorData->AuthInfo.Hdr.dwLength         = OFFSET_OF
> > (WIN_CERTIFICATE_UEFI_GUID, CertData);
> > -  DescriptorData->AuthInfo.Hdr.wRevision        = 0x0200;
> > -  DescriptorData->AuthInfo.Hdr.wCertificateType =
> > WIN_CERT_TYPE_EFI_GUID;
> > -  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
> > -
> > -  if (Payload != NULL) {
> > -    FreePool (Payload);
> > -  }
> > -
> > -  *DataSize = DescriptorSize + PayloadSize;
> > -  *Data     = NewData;
> > -  return EFI_SUCCESS;
> > -}
> > -
> >  /**
> >    Create a counter based data payload by concatenating the
> > EFI_VARIABLE_AUTHENTICATION
> >    descriptor with the input data. NO authentication is required in this
> > function.
> > --
> > 2.25.1
> >
> >
> >
> >
> >
>
>
>
>
>
> 
>
>

  reply	other threads:[~2021-06-18  8:03 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-14  9:42 [PATCH v3 0/8] Secure Boot default keys Grzegorz Bernacki
2021-06-14  9:42 ` [edk2-platforms PATCH v3 1/2] Platforms: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-06-14  9:43 ` [PATCH v3 1/8] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
2021-06-14  9:43 ` [edk2-platforms PATCH v3 2/2] Platform/RaspberryPi: Enable default Secure Boot variables initialization Grzegorz Bernacki
2021-06-14  9:43 ` [PATCH v3 2/8] Platforms: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-06-22 11:10   ` Laszlo Ersek
2021-06-22 11:31     ` Grzegorz Bernacki
2021-06-14  9:43 ` [PATCH v3 3/8] SecurityPkg: Create include file for default key content Grzegorz Bernacki
2021-06-15  0:52   ` Yao, Jiewen
     [not found]     ` <CAA2Cew6kNPJA9tXk6VY0WRstTX3yL7E2D4a7ADrMN8cTMUt3Cw@mail.gmail.com>
     [not found]       ` <PH0PR11MB488586369E00FB0B00661B368C309@PH0PR11MB4885.namprd11.prod.outlook.com>
     [not found]         ` <CAA2Cew4kT1aS6Q6X=KUBHb=Gx+JGgwer6DpL12NToxT1dGsP6g@mail.gmail.com>
2021-06-15 13:39           ` Grzegorz Bernacki
2021-06-15 14:22             ` Yao, Jiewen
2021-06-15 16:46               ` [edk2-devel] " Samer El-Haj-Mahmoud
2021-06-14  9:43 ` [PATCH v3 4/8] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
2021-06-14  9:43 ` [PATCH v3 5/8] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-06-14  9:43 ` [PATCH v3 6/8] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-06-15 18:54   ` [edk2-devel] " Jeremiah Cox
2021-06-16  0:49     ` Yao, Jiewen
2021-06-14  9:43 ` [PATCH v3 7/8] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-06-14  9:43 ` [PATCH v3 8/8] MdeModulePkg: Use SecureBootVariableLib in PlatformVarCleanupLib Grzegorz Bernacki
2021-06-17  2:34   ` 回复: [edk2-devel] " gaoliming
2021-06-18  8:03     ` Grzegorz Bernacki [this message]
     [not found]     ` <16899E7FCA105CA2.4563@groups.io>
2021-06-21  9:58       ` Grzegorz Bernacki
2021-06-23  3:32         ` Sunny Wang
2021-06-23 10:39           ` Grzegorz Bernacki
2021-06-24  0:57             ` 回复: " gaoliming
2021-06-25  5:45               ` Grzegorz Bernacki
2021-06-28  2:27                 ` 回复: " gaoliming

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAA2Cew7k5Z0aEnXAPj47mT8byN7RCojvHON3AXz0sL3A4P_Hxw@mail.gmail.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox