From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@linaro.org header.s=google header.b=HGWBvTst;
 spf=pass (domain: linaro.org, ip: 209.85.166.196, mailfrom: ard.biesheuvel@linaro.org)
Received: from mail-it1-f196.google.com (mail-it1-f196.google.com [209.85.166.196])
 by groups.io with SMTP; Tue, 30 Apr 2019 12:42:55 -0700
Received: by mail-it1-f196.google.com with SMTP id w130so6700560itc.5
        for <devel@edk2.groups.io>; Tue, 30 Apr 2019 12:42:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=FYe5K5HB5xrNAZqTj6HRTc+03koADXXpTu+SE5bH8W4=;
        b=HGWBvTstbNz0zxanxz8p3aC75bWMogxOsEpbzPVRt3n9Q5iNG0wajVWfINWHTKeYq/
         pDlpkbIE2GBgIRv2Lxoysf9T4jbleSqntEjq/yWVUiY5rfRVJS4m/rWUzy37rdeZ1MnU
         /TvOLw8uHS9ILX0CYr4jXezfZNlFkmwUSEQjUUY5ZswQlSChOqRh84VGOi9Iq350wkbp
         8UhN7kjx5el6P5a1WVwKNOtAgO9beZmfZgW2euib6QYRYT/94qybvzNoJNmvoGILKxd6
         ANglDVd7qZejsgA52kpxPe8252tGai7sbSIcLf/nwx8fGMeLPdnU92W43RM6xSwrO1bV
         wCjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=FYe5K5HB5xrNAZqTj6HRTc+03koADXXpTu+SE5bH8W4=;
        b=JyWA60orW1NWjs7ODkb/sl+Gk8n0Gzmeo5jkv0+6+zD5dTz4s5oOhlJSMOmIO9R4FW
         QGy1gx0yIBgd5JpILLclqlpCScivAidfuHTdXgPhMvPDAtDfK/h7+qe4uiRTyeG0trWD
         nE+aMNEG5kt6kUmkHGMOHZRbCZSHsnxg6OPWglNi+EWHkhAEaOCFrC7X9fhsx5bEFFPA
         QoGD14KOBabdXf9RbJZa/nSWN400aOWb5P7A6jEJgsDrUX0gU+fimNEtR1QcIYYZj/gR
         3CWcejNXzZM7QorvEETyjjQLtEsWlRa8uOGykGK2k9uGHLoVvwmk2tUy6xC9pWIkiFxK
         PH+g==
X-Gm-Message-State: APjAAAVyQylmIGLdjF+LcGY21mOiRuX1Udu+5yUL517jYIod37EWacJz
	NXZOQvCDG0FxZReeUim9qTltNR9DHPt/+zjyHzRB7MJDd9KWpg==
X-Google-Smtp-Source: APXvYqypiKENlLtTlhioePOawXPgdebgm+SsK46bfMrDHfMgyXZMIGpYsVNkvaEYUt7CrtexjVyeZmwL1bMdI8Rk7dY=
X-Received: by 2002:a24:59c1:: with SMTP id p184mr5519735itb.158.1556653374293;
 Tue, 30 Apr 2019 12:42:54 -0700 (PDT)
MIME-Version: 1.0
References: <20190427005328.27005-1-lersek@redhat.com> <21c64f8b-7b17-31d1-5aa8-a1803ab54e46@redhat.com>
In-Reply-To: <21c64f8b-7b17-31d1-5aa8-a1803ab54e46@redhat.com>
From: "Ard Biesheuvel" <ard.biesheuvel@linaro.org>
Date: Tue, 30 Apr 2019 21:42:41 +0200
Message-ID: <CAKv+Gu_0u9WrSw4aTcAwp1CBip=zpop8xdr-sPbb8JsWy+ohgg@mail.gmail.com>
Subject: Re: [edk2-devel] [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app
To: edk2-devel-groups-io <devel@edk2.groups.io>, Laszlo Ersek <lersek@redhat.com>
Cc: Anthony Perard <anthony.perard@citrix.com>, Jordan Justen <jordan.l.justen@intel.com>, 
	Julien Grall <julien.grall@arm.com>, Gary Lin <glin@suse.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, 30 Apr 2019 at 14:32, Laszlo Ersek <lersek@redhat.com> wrote:
>
> On 04/27/19 02:53, Laszlo Ersek wrote:
> > Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747
> > Repo:     https://github.com/lersek/edk2.git
> > Branch:   enroll_bz_1747
> >
> > Please see the goal / use case in the BZ.
> >
> > Anatomy of the series:
> >
> > - Patch 01 adds the application as-is from RHEL, as the starting point
> >   for upstreaming (preserves continuity).
> >
> > - Patches 02 through 13 clean up various coding style warts, and add
> >   documentation, without functional changes.
> >
> > - Patches 14 through 16 replace the hard-coded Red Hat certificate
> >   (enrolled as PK and 1st KEK) with a certificate read dynamically from
> >   SMBIOS (enrolled the same way), originating from the VMM.
> >
> > I've successfully re-run the Secure Boot Logo Test in Windows HCK, afte=
r
> > enabling SB in the VM-under-test with this application. I'll attach the
> > test log in a separate email (sent in response to this one).
> >
> > Cc: Anthony Perard <anthony.perard@citrix.com>
> > Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > Cc: Julien Grall <julien.grall@arm.com>
> >
> > Thanks,
> > Laszlo
> >
> > Laszlo Ersek (16):
> >   OvmfPkg: introduce EnrollDefaultKeys application
> >   OvmfPkg/EnrollDefaultKeys: update @file comment blocks
> >   OvmfPkg/EnrollDefaultKeys: refresh INF file
> >   ArmVirtPkg: build EnrollDefaultKeys.efi
> >   OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart
> >   OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes
> >   OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in
> >     identifiers
> >   OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv.
> >     specifiers
> >   OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file
> >   OvmfPkg/EnrollDefaultKeys: split out certificate and signature
> >     constants
> >   OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
> >   OvmfPkg/EnrollDefaultKeys: describe functions with leading comment
> >     blocks
> >   OvmfPkg/EnrollDefaultKeys: document the steps of the entry point
> >     function
> >   OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID
> >   OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS
> >     table
> >   OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1
> >
> >  ArmVirtPkg/ArmVirt.dsc.inc                      |   1 +
> >  ArmVirtPkg/ArmVirtQemu.dsc                      |   1 +
> >  ArmVirtPkg/ArmVirtQemuKernel.dsc                |   1 +
> >  OvmfPkg/EnrollDefaultKeys/AuthData.c            | 440 ++++++++++++
> >  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 706 ++++++++++++++++=
++++
> >  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   | 138 ++++
> >  OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |  52 ++
> >  OvmfPkg/Include/Guid/MicrosoftVendor.h          |  55 ++
> >  OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h      |  45 ++
> >  OvmfPkg/OvmfPkg.dec                             |   2 +
> >  OvmfPkg/OvmfPkgIa32.dsc                         |   2 +
> >  OvmfPkg/OvmfPkgIa32X64.dsc                      |   2 +
> >  OvmfPkg/OvmfPkgX64.dsc                          |   2 +
> >  13 files changed, 1447 insertions(+)
> >  create mode 100644 OvmfPkg/EnrollDefaultKeys/AuthData.c
> >  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> >  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
> >  create mode 100644 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
> >  create mode 100644 OvmfPkg/Include/Guid/MicrosoftVendor.h
> >  create mode 100644 OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
> >
>
> Thank you all for the quick reviews; the series has been pushed as
> commit range 137cbff041fc..9fb2ce2f465d.
>

Unfortunately, it seems we are hitting another potential false
positive with GCC48:

OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c: In function =E2=80=98ShellAp=
pMain=E2=80=99:
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c:631:10: error:
=E2=80=98SizeOfPkKek1=E2=80=99 may be used uninitialized in this function
[-Werror=3Dmaybe-uninitialized]
   Status =3D EnrollListOfCerts (
          ^
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c:703:12: error: =E2=80=98PkKek=
1=E2=80=99
may be used uninitialized in this function
[-Werror=3Dmaybe-uninitialized]
   FreePool (PkKek1);

Given the history, I wouldn't mind disabling this warning for GCC48
altogether (assuming it doesn't trigger on other compilers - my CI job
tries GCC48 first IIRC)