From: "Kun Qin" <kuqin12@gmail.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>, kuqin12@gmail.com
Cc: Jiewen Yao <jiewen.yao@intel.com>,
Jian J Wang <jian.j.wang@intel.com>, Min Xu <min.m.xu@intel.com>,
Sean Brogan <sean.brogan@microsoft.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
Jordan Justen <jordan.l.justen@intel.com>,
Gerd Hoffmann <kraxel@redhat.com>,
Rebecca Cran <rebecca@bsdio.com>,
Peter Grehan <grehan@freebsd.org>,
Sebastien Boeuf <sebastien.boeuf@intel.com>,
Andrew Fish <afish@apple.com>, Ray Ni <ray.ni@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable Libraries
Date: Tue, 28 Jun 2022 14:18:39 -0700 [thread overview]
Message-ID: <CABhrWrQaLp2UPiMmUXThMODVe7+Hn=0JqXqmj=_zvgNioJ8y1Q@mail.gmail.com> (raw)
In-Reply-To: <16F848B3160A57C1.5246@groups.io>
[-- Attachment #1: Type: text/plain, Size: 6702 bytes --]
Hi SecurityPkg maintainers & reviewers,
I posted this patch series a while back intending to generalize the usage
of a few interfaces from secure boot libraries. Could you please help
reviewing them and provide feedback? Any input is appreciated.
Regards,
Kun
On Mon, Jun 13, 2022 at 1:39 PM Kun Qin via groups.io <kuqin12=
gmail.com@groups.io> wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911
>
> This is a revamp of a previously submitted patch series based on top of
> master branch: https://edk2.groups.io/g/devel/message/89507. No changes
> added.
>
> Current SecureBootVariableLib provide great support for deleting secure
> boot related variables, creating time-based payloads.
>
> However, for secure boot enrollment, the SecureBootVariableProvisionLib
> interfaces always assume the changes from variable storage, limiting the
> usage, requiring existing platforms to change key initialization process
> to adapt to the new methods, as well as bringing in extra dependencies
> such as FV protocol, time protocols.
>
> This patch series proposes to update the implementation for Secure Boot
> Variable libraries and their consumers to better support the related
> variables operations.
>
> Patch v2 branch:
> https://github.com/kuqin12/edk2/tree/secure_boot_enhance_v2
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Min Xu <min.m.xu@intel.com>
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Gerd Hoffmann <kraxel@redhat.com>
> Cc: Rebecca Cran <rebecca@bsdio.com>
> Cc: Peter Grehan <grehan@freebsd.org>
> Cc: Sebastien Boeuf <sebastien.boeuf@intel.com>
> Cc: Andrew Fish <afish@apple.com>
> Cc: Ray Ni <ray.ni@intel.com>
>
> Kun Qin (8):
> SecurityPkg: UefiSecureBoot: Definitions of cert and payload
> structures
> SecurityPkg: PlatformPKProtectionLib: Added PK protection interface
> SecurityPkg: SecureBootVariableLib: Updated time based payload creator
> SecurityPkg: SecureBootVariableProvisionLib: Updated implementation
> SecurityPkg: Secure Boot Drivers: Added common header files
> SecurityPkg: SecureBootConfigDxe: Updated invocation pattern
> OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency
> EmulatorPkg: Pipeline: Resolve SecureBootVariableLib dependency
>
> kuqin (3):
> SecurityPkg: SecureBootVariableLib: Updated signature list creator
> SecurityPkg: SecureBootVariableLib: Added newly supported interfaces
> SecurityPkg: SecureBootVariableLib: Added unit tests
>
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> | 1 +
> SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
> | 51 +
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> | 486 ++++-
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c
> | 36 +
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c
> | 201 ++
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c
> | 13 +
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c
> | 2037 ++++++++++++++++++++
> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
> | 145 +-
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
> | 128 +-
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
> | 1 +
> EmulatorPkg/EmulatorPkg.dsc
> | 1 +
> OvmfPkg/Bhyve/BhyveX64.dsc
> | 1 +
> OvmfPkg/CloudHv/CloudHvX64.dsc
> | 1 +
> OvmfPkg/IntelTdx/IntelTdxX64.dsc
> | 1 +
> OvmfPkg/OvmfPkgIa32.dsc
> | 1 +
> OvmfPkg/OvmfPkgIa32X64.dsc
> | 1 +
> OvmfPkg/OvmfPkgX64.dsc
> | 1 +
> SecurityPkg/Include/Library/PlatformPKProtectionLib.h
> | 31 +
> SecurityPkg/Include/Library/SecureBootVariableLib.h
> | 103 +-
> SecurityPkg/Include/UefiSecureBoot.h
> | 94 +
> SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
> | 36 +
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> | 14 +-
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf
> | 33 +
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf
> | 45 +
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf
> | 25 +
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf
> | 36 +
> SecurityPkg/SecurityPkg.ci.yaml
> | 11 +
> SecurityPkg/SecurityPkg.dec
> | 5 +
> SecurityPkg/SecurityPkg.dsc
> | 2 +
> SecurityPkg/Test/SecurityPkgHostTest.dsc
> | 38 +
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> | 1 +
> 31 files changed, 3468 insertions(+), 112 deletions(-)
> create mode 100644
> SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c
> create mode 100644 SecurityPkg/Include/Library/PlatformPKProtectionLib.h
> create mode 100644 SecurityPkg/Include/UefiSecureBoot.h
> create mode 100644
> SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf
> create mode 100644 SecurityPkg/Test/SecurityPkgHostTest.dsc
>
> --
> 2.35.1.windows.2
>
>
>
>
>
>
>
[-- Attachment #2: Type: text/html, Size: 9852 bytes --]
next parent reply other threads:[~2022-06-28 21:18 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <16F848B3160A57C1.5246@groups.io>
2022-06-28 21:18 ` Kun Qin [this message]
2022-06-29 8:50 ` [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable Libraries Yao, Jiewen
2022-06-29 18:06 ` Kun Qin
2022-06-30 0:19 ` Yao, Jiewen
2022-06-30 0:23 ` Kun Qin
2022-06-13 20:39 Kun Qin
2022-06-30 19:44 ` [edk2-devel] " Michael Kubacki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CABhrWrQaLp2UPiMmUXThMODVe7+Hn=0JqXqmj=_zvgNioJ8y1Q@mail.gmail.com' \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox