References: <20190427005328.27005-1-lersek@redhat.com> <21c64f8b-7b17-31d1-5aa8-a1803ab54e46@redhat.com>
In-Reply-To: <21c64f8b-7b17-31d1-5aa8-a1803ab54e46@redhat.com>
From: "Ard Biesheuvel"
Date: Tue, 30 Apr 2019 21:42:41 +0200
Subject: Re: [edk2-devel] [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app
To: edk2-devel-groups-io, Laszlo Ersek
Cc: Anthony Perard, Jordan Justen, Julien Grall, Gary Lin

On Tue, 30 Apr 2019 at 14:32, Laszlo Ersek wrote:
>
> On 04/27/19 02:53, Laszlo Ersek wrote:
> > Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> > Repo:     https://github.com/lersek/edk2.git
> > Branch:   enroll_bz_1747
> >
> > Please see the goal / use case in the BZ.
> >
> > Anatomy of the series:
> >
> > - Patch 01 adds the application as-is from RHEL, as the starting point
> >   for upstreaming (preserves continuity).
> >
> > - Patches 02 through 13 clean up various coding style warts, and add
> >   documentation, without functional changes.
> >
> > - Patches 14 through 16 replace the hard-coded Red Hat certificate
> >   (enrolled as PK and 1st KEK) with a certificate read dynamically from
> >   SMBIOS (enrolled the same way), originating from the VMM.
> >
> > I've successfully re-run the Secure Boot Logo Test in Windows HCK, after
> > enabling SB in the VM-under-test with this application. I'll attach the
> > test log in a separate email (sent in response to this one).
> >
> > Cc: Anthony Perard
> > Cc: Ard Biesheuvel
> > Cc: Jordan Justen
> > Cc: Julien Grall
> >
> > Thanks,
> > Laszlo
> >
> > Laszlo Ersek (16):
> >   OvmfPkg: introduce EnrollDefaultKeys application
> >   OvmfPkg/EnrollDefaultKeys: update @file comment blocks
> >   OvmfPkg/EnrollDefaultKeys: refresh INF file
> >   ArmVirtPkg: build EnrollDefaultKeys.efi
> >   OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart
> >   OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes
> >   OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in
> >     identifiers
> >   OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv.
> >     specifiers
> >   OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file
> >   OvmfPkg/EnrollDefaultKeys: split out certificate and signature
> >     constants
> >   OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
> >   OvmfPkg/EnrollDefaultKeys: describe functions with leading comment
> >     blocks
> >   OvmfPkg/EnrollDefaultKeys: document the steps of the entry point
> >     function
> >   OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID
> >   OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS
> >     table
> >   OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1
> >
> >  ArmVirtPkg/ArmVirt.dsc.inc                      |   1 +
> >  ArmVirtPkg/ArmVirtQemu.dsc                      |   1 +
> >  ArmVirtPkg/ArmVirtQemuKernel.dsc                |   1 +
> >  OvmfPkg/EnrollDefaultKeys/AuthData.c            | 440 ++++++++++++
> >  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 706 ++++++++++++++++++++
> >  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   | 138 ++++
> >  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  52 ++
> >  OvmfPkg/Include/Guid/MicrosoftVendor.h          |  55 ++
> >  OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h      |  45 ++
> >  OvmfPkg/OvmfPkg.dec                             |   2 +
> >  OvmfPkg/OvmfPkgIa32.dsc                         |   2 +
> >  OvmfPkg/OvmfPkgIa32X64.dsc                      |   2 +
> >  OvmfPkg/OvmfPkgX64.dsc                          |   2 +
> >  13 files changed, 1447 insertions(+)
> >  create mode 100644 OvmfPkg/EnrollDefaultKeys/AuthData.c
> >  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> >  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> >  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> >  create mode 100644 OvmfPkg/Include/Guid/MicrosoftVendor.h
> >  create mode 100644 OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
> >
>
> Thank you all for the quick reviews; the series has been pushed as
> commit range 137cbff041fc..9fb2ce2f465d.
>

Unfortunately, it seems we are hitting another potential false positive
with GCC48:

OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c: In function ‘ShellAppMain’:
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c:631:10: error: ‘SizeOfPkKek1’
may be used uninitialized in this function [-Werror=maybe-uninitialized]
   Status = EnrollListOfCerts (
          ^
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c:703:12: error: ‘PkKek1’ may
be used uninitialized in this function [-Werror=maybe-uninitialized]
   FreePool (PkKek1);

Given the history, I wouldn't mind disabling this warning for GCC48
altogether (assuming it doesn't trigger on other compilers - my CI job
tries GCC48 first IIRC)
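The diagnostic above is the classic shape of a `-Wmaybe-uninitialized` report: a callee writes its output parameters only on its success path, the caller checks the returned status before touching them, and an older optimizer cannot connect the two. The following is an added example, not code from the EnrollDefaultKeys series or from edk2; every name in it (GetCertFromTable, EnrollCert, EnrollOnceUnguarded, EnrollOnceInitialized, the status codes and the sample bytes) is a hypothetical stand-in. It shows the control flow the compiler is reasoning about and the usual workaround of initializing at the declaration, together with the check that must precede that workaround. Whether a particular compiler version actually reports the first variant depends on its optimizer and flags; the point is the data flow, not a guaranteed reproduction of the GCC 4.8 message.

```c
/*
 * Added example, not code from the EnrollDefaultKeys series: reproduces
 * the control-flow shape behind a "may be used uninitialized" report and
 * the conventional workaround. All identifiers below are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef int RETURN_STATUS;
#define RETURN_SUCCESS          0
#define RETURN_NOT_FOUND        1
#define RETURN_OUT_OF_RESOURCES 2

/* Stand-in for reading a certificate out of a firmware table. On failure
 * the output parameters are deliberately left untouched, which is the
 * behaviour that makes the caller's data flow opaque to the compiler. */
static RETURN_STATUS
GetCertFromTable (const char *Key, uint8_t **Cert, size_t *CertSize)
{
  /* Constructed sample payload; a few bytes, not a real certificate. */
  static const uint8_t Sample[] = { 0x30, 0x82, 0x02, 0x5a };

  if (strcmp (Key, "PK_KEK1") != 0) {
    return RETURN_NOT_FOUND;           /* *Cert, *CertSize not written */
  }
  *Cert = malloc (sizeof Sample);
  if (*Cert == NULL) {
    return RETURN_OUT_OF_RESOURCES;    /* *CertSize not written */
  }
  memcpy (*Cert, Sample, sizeof Sample);
  *CertSize = sizeof Sample;
  return RETURN_SUCCESS;
}

/* Stand-in for the enrollment call: reports how many bytes it was given. */
static size_t
EnrollCert (const uint8_t *Cert, size_t CertSize)
{
  return (Cert != NULL) ? CertSize : 0;
}

/*
 * The shape that trips the warning. Cert and CertSize are written only on
 * GetCertFromTable's success path; the later uses are guarded by Status,
 * a relationship the caller's compiler can only see by looking into the
 * callee. The code is correct, but an older GCC may still flag both uses.
 */
size_t
EnrollOnceUnguarded (const char *Key)
{
  RETURN_STATUS  Status;
  uint8_t       *Cert;        /* what the report calls "may be used uninitialized" */
  size_t         CertSize;    /* likewise, at the EnrollCert () call */
  size_t         Enrolled = 0;

  Status = GetCertFromTable (Key, &Cert, &CertSize);
  if (Status != RETURN_SUCCESS) {
    goto Done;
  }
  Enrolled = EnrollCert (Cert, CertSize);
  free (Cert);
Done:
  return Enrolled;
}

/*
 * Conventional workaround: initialize at the declaration. Two extra stores
 * remove the "uninitialized" path for every compiler, and free (NULL) is a
 * no-op so the cleanup no longer needs to depend on Status at all. Apply it
 * only after reading the callee and confirming that every path reaching the
 * uses really does write both variables: a genuine missing assignment
 * produces exactly the same diagnostic, and silencing it would hide the bug.
 */
size_t
EnrollOnceInitialized (const char *Key)
{
  RETURN_STATUS  Status;
  uint8_t       *Cert     = NULL;
  size_t         CertSize = 0;
  size_t         Enrolled = 0;

  Status = GetCertFromTable (Key, &Cert, &CertSize);
  if (Status == RETURN_SUCCESS) {
    Enrolled = EnrollCert (Cert, CertSize);
  }
  free (Cert);
  return Enrolled;
}

int
main (void)
{
  /* Both variants enroll the 4-byte sample for the known key and nothing otherwise. */
  return (EnrollOnceUnguarded ("PK_KEK1") == 4 &&
          EnrollOnceInitialized ("PK_KEK1") == 4 &&
          EnrollOnceUnguarded ("missing") == 0 &&
          EnrollOnceInitialized ("missing") == 0) ? 0 : 1;
}
```

Disabling the warning per toolchain, as the reply considers, trades a recurring false positive for losing the real-bug case across the whole package; the per-site initialization keeps the warning armed everywhere else, which is why it is the usual first choice when the callee has been verified.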