public inbox for devel@edk2.groups.io
From: "Patrick Rudolph" <patrick.rudolph@9elements.com>
To: devel@edk2.groups.io, gjb@semihalf.com
Subject: Re: [edk2-devel] [PATCH v8 02/11] SecurityPkg: Create library for enrolling Secure Boot variables.
Date: Tue, 24 Aug 2021 14:22:08 +0200
Message-ID: <CALNFmy3NGt=4cN8GfyVNky9Do6qy2EkEyWv9d9pVVFq+JWJw2Q@mail.gmail.com>
In-Reply-To: <20210802104633.2833333-3-gjb@semihalf.com>


Hi Grzegorz,
I tried this patch, but I cannot enroll the DBX downloaded from here:
https://uefi.org/revocationlistfile

Is it even possible with current code? Did you test DBX enrollment as well
using the revocation list file?

Regards,
Patrick

On Mon, Aug 2, 2021 at 12:47 PM Grzegorz Bernacki <gjb@semihalf.com> wrote:

> This commit adds a library which consists of functions to
> enroll Secure Boot keys and initialize Secure Boot
> default variables. Some of the functions were moved
> from the SecureBootConfigImpl.c file.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> Reviewed-by: Sunny Wang <sunny.wang@arm.com>
> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> ---
>  SecurityPkg/SecurityPkg.dec
>              |   4 +
>  SecurityPkg/SecurityPkg.dsc
>              |   1 +
>  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
> |  80 ++++
>  SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
>             | 134 ++++++
>  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
>  | 482 ++++++++++++++++++++
>  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
> |  16 +
>  6 files changed, 717 insertions(+)
>  create mode 100644
> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
>  create mode 100644
> SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
>  create mode 100644
> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
>  create mode 100644
> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
>
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index 8f3710e59f..e30c39f321 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -91,6 +91,10 @@
>    ## @libraryclass  Provides helper functions related to creation/removal
> Secure Boot variables.
>    #
>    SecureBootVariableLib|Include/Library/SecureBootVariableLib.h
> +
> +  ## @libraryclass  Provides support to enroll Secure Boot keys.
> +  #
> +
> SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h
>  [Guids]
>    ## Security package token space guid.
>    # Include/Guid/SecurityPkgTokenSpace.h
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> index 854f250625..99c227dad2 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -71,6 +71,7 @@
>
>  TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf
>
>  MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
>
>  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> +
> SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
>
>  [LibraryClasses.ARM]
>    #
> diff --git
> a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
> new file mode 100644
> index 0000000000..a09abd29ce
> --- /dev/null
> +++
> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
> @@ -0,0 +1,80 @@
> +## @file
> +#  Provides initialization of Secure Boot keys and databases.
> +#
> +#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +#
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = SecureBootVariableLib
> +  MODULE_UNI_FILE                = SecureBootVariableLib.uni
> +  FILE_GUID                      = 18192DD0-9430-45F1-80C7-5C52061CD183
> +  MODULE_TYPE                    = DXE_DRIVER
> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  =
> SecureBootVariableProvisionLib|DXE_DRIVER DXE_RUNTIME_DRIVER
> UEFI_APPLICATION
> +
> +#
> +# The following information is for reference only and not required by the
> build tools.
> +#
> +#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
> +#
> +
> +[Sources]
> +  SecureBootVariableProvisionLib.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +  CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  BaseCryptLib
> +  DxeServicesLib
> +  SecureBootVariableLib
> +
> +[Guids]
> +  ## CONSUMES            ## Variable:L"SetupMode"
> +  ## PRODUCES            ## Variable:L"SetupMode"
> +  ## CONSUMES            ## Variable:L"SecureBoot"
> +  ## PRODUCES            ## Variable:L"SecureBoot"
> +  ## PRODUCES            ## Variable:L"PK"
> +  ## PRODUCES            ## Variable:L"KEK"
> +  ## CONSUMES            ## Variable:L"PKDefault"
> +  ## CONSUMES            ## Variable:L"KEKDefault"
> +  ## CONSUMES            ## Variable:L"dbDefault"
> +  ## CONSUMES            ## Variable:L"dbxDefault"
> +  ## CONSUMES            ## Variable:L"dbtDefault"
> +  gEfiGlobalVariableGuid
> +
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DB"
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DBX"
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DBT"
> +  gEfiImageSecurityDatabaseGuid
> +
> +  ## CONSUMES            ## Variable:L"SecureBootEnable"
> +  ## PRODUCES            ## Variable:L"SecureBootEnable"
> +  gEfiSecureBootEnableDisableGuid
> +
> +  ## CONSUMES            ## Variable:L"CustomMode"
> +  ## PRODUCES            ## Variable:L"CustomMode"
> +  gEfiCustomModeEnableGuid
> +
> +  gEfiCertTypeRsa2048Sha256Guid  ## CONSUMES
> +  gEfiCertX509Guid               ## CONSUMES
> +  gEfiCertPkcs7Guid              ## CONSUMES
> +
> +  gDefaultPKFileGuid
> +  gDefaultKEKFileGuid
> +  gDefaultdbFileGuid
> +  gDefaultdbxFileGuid
> +  gDefaultdbtFileGuid
> +
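
Review bot: BASE_NAME and MODULE_UNI_FILE in [Defines] still carry the
name of the other library (SecureBootVariableLib and
SecureBootVariableLib.uni), while this patch adds
SecureBootVariableProvisionLib.uni next to this INF. Both entries should
read SecureBootVariableProvisionLib so the module name and the UNI lookup
match the files actually created. In [LibraryClasses], UefiLib and
UefiRuntimeServicesTableLib are not listed although the .c file in this
patch includes Library/UefiLib.h and Library/UefiRuntimeServicesTableLib.h
and calls GetVariable2 () and gRT->SetVariable (); please add both rather
than relying on another module pulling them in.
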
> diff --git a/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
> b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
> new file mode 100644
> index 0000000000..ba8009b5cd
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
> @@ -0,0 +1,134 @@
> +/** @file
> +  Provides a functions to enroll keys based on default values.
> +
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef SECURE_BOOT_VARIABLE_PROVISION_LIB_H_
> +#define SECURE_BOOT_VARIABLE_PROVISION_LIB_H_
> +
> +/**
> +  Sets the content of the 'db' variable based on 'dbDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime()
> and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'dbx' variable based on 'dbxDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime()
> and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbxFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'dbt' variable based on 'dbtDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime()
> and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbtFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime()
> and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollKEKFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'PK' variable based on 'PKDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2(), GetTime()
> and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollPKFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Initializes PKDefault variable with data from FFS section.
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitPKDefault (
> +  IN VOID
> +  );
> +
> +/**
> +  Initializes KEKDefault variable with data from FFS section.
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitKEKDefault (
> +  IN VOID
> +  );
> +
> +/**
> +  Initializes dbDefault variable with data from FFS section.
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitDbDefault (
> +  IN VOID
> +  );
> +
> +/**
> +  Initializes dbtDefault variable with data from FFS section.
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitDbtDefault (
> +  IN VOID
> +  );
> +
> +/**
> +  Initializes dbxDefault variable with data from FFS section.
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitDbxDefault (
> +  IN VOID
> +  );
> +#endif
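
Review bot: The @retval EFI_OUT_OF_RESOURCES text on the five
Enroll*FromDefault () declarations says "while VendorGuid is NULL", but
these functions take VOID, so the condition refers to a parameter the
caller never sees. Describe the failure in terms of the function itself,
for example that allocating the authentication payload failed. The
comment blocks here open with /** and close with --*/, while the .c file
in the same patch closes with **/; please use one form. The
SecureBootInit*Default () prototypes omit EFIAPI and use "IN VOID" where
the Enroll* prototypes use EFIAPI and plain VOID; a public library header
should follow one convention for all exported functions.
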
> diff --git
> a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
> new file mode 100644
> index 0000000000..848f7ce929
> --- /dev/null
> +++
> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
> @@ -0,0 +1,482 @@
> +/** @file
> +  This library provides functions to set/clear Secure Boot
> +  keys and databases.
> +
> +  Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
> +  (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
> +  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +  Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +  SPDX-License-Identifier: BSD-2-Clause-Patent
> +**/
> +#include <Guid/GlobalVariable.h>
> +#include <Guid/AuthenticatedVariableFormat.h>
> +#include <Guid/ImageAuthentication.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/UefiLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/UefiRuntimeServicesTableLib.h>
> +#include <Library/SecureBootVariableLib.h>
> +#include <Library/SecureBootVariableProvisionLib.h>
> +
> +/**
> +  Enroll a key/certificate based on a default variable.
> +
> +  @param[in] VariableName        The name of the key/database.
> +  @param[in] DefaultName         The name of the default variable.
> +  @param[in] VendorGuid          The namespace (ie. vendor GUID) of the
> variable
> +
> +  @retval EFI_OUT_OF_RESOURCES   Out of memory while allocating
> AuthHeader.
> +  @retval EFI_SUCCESS            Successful enrollment.
> +  @return                        Error codes from GetTime () and
> SetVariable ().
> +**/
> +STATIC
> +EFI_STATUS
> +EnrollFromDefault (
> +  IN CHAR16   *VariableName,
> +  IN CHAR16   *DefaultName,
> +  IN EFI_GUID *VendorGuid
> +  )
> +{
> +  VOID       *Data;
> +  UINTN       DataSize;
> +  EFI_STATUS  Status;
> +
> +  Status = EFI_SUCCESS;
> +
> +  DataSize = 0;
> +  Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data,
> &DataSize);
> +  if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n",
> DefaultName, Status));
> +      return Status;
> +  }
> +
> +  CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r",
> Status));
> +    return Status;
> +  }
> +
> +  //
> +  // Allocate memory for auth variable
> +  //
> +  Status = gRT->SetVariable (
> +                  VariableName,
> +                  VendorGuid,
> +                  (EFI_VARIABLE_NON_VOLATILE |
> +                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
> +                   EFI_VARIABLE_RUNTIME_ACCESS |
> +                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
> +                  DataSize,
> +                  Data
> +                  );
> +
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__,
> VariableName,
> +      VendorGuid, Status));
> +  }
> +
> +  if (Data != NULL) {
> +    FreePool (Data);
> +  }
> +
> +  return Status;
> +}
> +
> +/** Initializes PKDefault variable with data from FFS section.
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +**/
> +EFI_STATUS
> +SecureBootInitPKDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8               *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_PK_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n",
> EFI_PK_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize,
> &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not found\n",
> EFI_PK_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_PK_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> EFI_PK_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes KEKDefault variable with data from FFS section.
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +**/
> +EFI_STATUS
> +SecureBootInitKEKDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_KEK_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n",
> EFI_KEK_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize,
> &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not found\n",
> EFI_KEK_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +
> +  Status = gRT->SetVariable (
> +                  EFI_KEK_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> EFI_KEK_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbDefault variable with data from FFS section.
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +**/
> +EFI_STATUS
> +SecureBootInitDbDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_DB_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n",
> EFI_DB_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize,
> &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +      return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_DB_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> EFI_DB_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbxDefault variable with data from FFS section.
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +**/
> +EFI_STATUS
> +SecureBootInitDbxDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_DBX_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n",
> EFI_DBX_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize,
> &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not found\n",
> EFI_DBX_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_DBX_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> EFI_DBX_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbtDefault variable with data from FFS section.
> +
> +  @retval  EFI_SUCCESS           Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED       Variable already exists.
> +**/
> +EFI_STATUS
> +SecureBootInitDbtDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN               SigListsSize;
> +  EFI_STATUS          Status;
> +  UINT8              *Data;
> +  UINTN               DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status == EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_DBT_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n",
> EFI_DBT_DEFAULT_VARIABLE_NAME));
> +
> +  Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize,
> &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +      return Status;
> +  }
> +
> +  Status = gRT->SetVariable (
> +                  EFI_DBT_DEFAULT_VARIABLE_NAME,
> +                  &gEfiGlobalVariableGuid,
> +                  EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> +                  SigListsSize,
> +                  (VOID *)EfiSig
> +                  );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> EFI_DBT_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Sets the content of the 'db' variable based on 'dbDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime
> () and SetVariable ()
> +**/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_IMAGE_SECURITY_DATABASE,
> +             EFI_DB_DEFAULT_VARIABLE_NAME,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'dbx' variable based on 'dbxDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime
> () and SetVariable ()
> +**/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbxFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_IMAGE_SECURITY_DATABASE1,
> +             EFI_DBX_DEFAULT_VARIABLE_NAME,
> +             &gEfiImageSecurityDatabaseGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'dbt' variable based on 'dbtDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime
> () and SetVariable ()
> +**/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbtFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_IMAGE_SECURITY_DATABASE2,
> +             EFI_DBT_DEFAULT_VARIABLE_NAME,
> +             &gEfiImageSecurityDatabaseGuid);
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime
> () and SetVariable ()
> +**/
> +EFI_STATUS
> +EFIAPI
> +EnrollKEKFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_KEY_EXCHANGE_KEY_NAME,
> +             EFI_KEK_DEFAULT_VARIABLE_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' variable
> content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> +                                    while VendorGuid is NULL.
> +  @retval other                     Errors from GetVariable2 (), GetTime
> () and SetVariable ()
> +**/
> +EFI_STATUS
> +EFIAPI
> +EnrollPKFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status = EnrollFromDefault (
> +             EFI_PLATFORM_KEY_NAME,
> +             EFI_PK_DEFAULT_VARIABLE_NAME,
> +             &gEfiGlobalVariableGuid
> +             );
> +
> +  return Status;
> +}
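
Review bot: In EnrollFromDefault () the result of
CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data) is discarded, so the
EFI_ERROR (Status) test right after it re-checks the status left by
GetVariable2 () and can never fire; a failed payload creation goes
straight on to gRT->SetVariable (). Assign the call to Status, and make
sure Data is released on that error path, since the early return there
skips the FreePool () at the end of the function. Smaller points in the
same hunk: the format string "error: GetVariable (\"%s): %r\n" is missing
the closing \" after %s; the comment "Allocate memory for auth variable"
sits above a SetVariable () call that allocates nothing;
SecureBootInitDbtDefault () ends with "return EFI_SUCCESS" where its four
siblings return Status, so a SetVariable () failure is logged and then
reported as success; and the header comment on EnrollPKFromDefault ()
still says 'KEK' and 'KEKDefault'.
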
> diff --git
> a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
> new file mode 100644
> index 0000000000..68d928ef30
> --- /dev/null
> +++
> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
> @@ -0,0 +1,16 @@
> +// /** @file
> +//
> +// Provides initialization of Secure Boot keys and databases.
> +//
> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +// Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT             #language en-US "Provides
> functions to initialize PK, KEK and databases based on default variables."
> +
> +#string STR_MODULE_DESCRIPTION          #language en-US "Provides
> functions to initialize PK, KEK and databases based on default variables."
> +
> --
> 2.25.1


Thread overview: 16+ messages
2021-08-02 10:46 [PATCH v8 00/11] Secure Boot default keys Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 01/11] SecurityPkg: Create SecureBootVariableLib Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 02/11] SecurityPkg: Create library for enrolling Secure Boot variables Grzegorz Bernacki
2021-08-24 12:22   ` Patrick Rudolph [this message]
2021-08-24 12:26     ` [edk2-devel] " Grzegorz Bernacki
2021-08-30 12:48       ` Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 03/11] ArmVirtPkg: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 04/11] OvmfPkg: " Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 05/11] EmulatorPkg: " Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 06/11] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 07/11] ArmPlatformPkg: Create include file for default key content Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 08/11] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 09/11] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 10/11] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-08-02 10:46 ` [PATCH v8 11/11] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-08-03  7:29 ` [PATCH v8 00/11] Secure Boot default keys Ard Biesheuvel
