From: "Ard Biesheuvel" <ardb@kernel.org>
To: edk2-devel-groups-io <devel@edk2.groups.io>,
"Liming Gao (Byosoft address)" <gaoliming@byosoft.com.cn>
Cc: Sunny Wang <Sunny.Wang@arm.com>,
Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>,
Grzegorz Bernacki <gjb@semihalf.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
Ray Ni <ray.ni@intel.com>, Leif Lindholm <leif@nuviainc.com>,
Marcin Wojtas <mw@semihalf.com>,
upstream@semihalf.com, Jiewen Yao <jiewen.yao@intel.com>,
Jian J Wang <jian.j.wang@intel.com>, Min Xu <min.m.xu@intel.com>,
Laszlo Ersek <lersek@redhat.com>,
Sami Mujawar <Sami.Mujawar@arm.com>,
Andrew Fish <afish@apple.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Rebecca Cran <rebecca@bsdio.com>,
Peter Grehan <grehan@freebsd.org>,
Thomas Abraham <thomas.abraham@arm.com>,
Chasel Chiu <chasel.chiu@intel.com>,
Nate DeSimone <nathaniel.l.desimone@intel.com>,
Eric Dong <eric.dong@intel.com>,
Michael Kinney <michael.d.kinney@intel.com>,
zailiang.sun@intel.com, yi.qian@intel.com,
Graeme Gregory <graeme@nuviainc.com>,
Radoslaw Biernacki <rad@semihalf.com>,
Peter Batard <pete@akeo.ie>
Subject: Re: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
Date: Wed, 28 Jul 2021 12:39:07 +0200
Message-ID: <CAMj1kXEzoMjNgD+4uU3UR3FOm0NV7R9xr1xXJO-VtEeaijWZbQ@mail.gmail.com>
In-Reply-To: <020201d78384$57add210$07097630$@byosoft.com.cn>
On Wed, 28 Jul 2021 at 09:44, gaoliming <gaoliming@byosoft.com.cn> wrote:
>
> Sunny:
> Yes. This patch set is ready to be merged.
>
> Samer:
> Would you help merge this patch set?
>
I can pick it up if you could please create the release notes entry? Thanks.
> Thanks
> Liming
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sunny Wang
> > Sent: July 21, 2021 11:41
> > To: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>;
> > devel@edk2.groups.io; gjb@semihalf.com; Ard Biesheuvel
> > <ardb+tianocore@kernel.org>; gaoliming@byosoft.com.cn; ray.ni@intel.com
> > Cc: leif@nuviainc.com; mw@semihalf.com; upstream@semihalf.com;
> > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com;
> > lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>;
> > afish@apple.com; jordan.l.justen@intel.com; rebecca@bsdio.com;
> > grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>;
> > chasel.chiu@intel.com; nathaniel.l.desimone@intel.com;
> > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie;
> > Sunny Wang <Sunny.Wang@arm.com>
> > Subject: Re: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
> >
> > Ard, Liming, Ray, Thanks for your review for ArmVirtPkg, ArmPlatformPkg, and
> > EmulatorPkg patches.
> >
> > As for the patch for Intel Platforms below, it is in another series for
> > edk2-platforms.
> > - [edk2-platforms PATCH v6 1/4] Intel Platforms: add
> > SecureBootVariableLib class resolution
> > https://edk2.groups.io/g/devel/message/77781
> >
> > Therefore, I think this series already got all the necessary Reviewed-By and
> > Acked-By of all parts and is ready to be pushed now.
> >
> > Best Regards,
> > Sunny Wang
> >
> > -----Original Message-----
> > From: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
> > Sent: Friday, July 16, 2021 8:00 PM
> > To: devel@edk2.groups.io; gjb@semihalf.com
> > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Sunny Wang
> > <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com;
> > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com;
> > lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>;
> > afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com;
> > rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham
> > <thomas.abraham@arm.com>; chasel.chiu@intel.com;
> > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie;
> > Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
> > Subject: RE: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
> >
> > The v6 of this series seems to have all the necessary Reviewed-By (and some
> > Tested-By) of all parts, except the following platform specific parts. Could we
> > get help from maintainers to review these please?
> >
> > Much appreciated!
> >
> > - ArmVirtPkg : https://edk2.groups.io/g/devel/message/77772
> > - ArmPlatformPkg: https://edk2.groups.io/g/devel/message/77775
> > - EmulatorPkg: https://edk2.groups.io/g/devel/message/77773
> > - Intel Platforms (Platform/Intel/QuarkPlatformPkg,
> > Platform/Intel/MinPlatformPkg, Platform/Intel/Vlv2TbltDevicePkg):
> > https://edk2.groups.io/g/devel/message/77781
> >
> > Thanks,
> > --Samer
> >
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of
> > > Grzegorz Bernacki via groups.io
> > > Sent: Wednesday, July 14, 2021 8:30 AM
> > > To: devel@edk2.groups.io
> > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud
> > > <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang
> > > <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com;
> > > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com;
> > > lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>;
> > > afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com;
> > > rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham
> > > <thomas.abraham@arm.com>; chasel.chiu@intel.com;
> > > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> > > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> > > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com;
> > > pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
> > > Subject: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
> > >
> > > > This patchset adds support for initialization of default
> > > > Secure Boot variables based on keys content embedded in
> > > > flash binary. This feature is active only if Secure Boot
> > > > is enabled and DEFAULT_KEY is defined. The patchset
> > > > also includes an application to enroll keys from default
> > > > variables and a secure boot menu change to allow the user
> > > > to reset key content to default values.
> > > Discussion on design can be found at:
> > > https://edk2.groups.io/g/rfc/topic/82139806#600
> > >
> > > Built with:
> > > GCC
> > > - RISC-V (U500, U540) [requires fixes in dsc to build]
> > > - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
> > > EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> > > - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
> > >
> > > > RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve require additional fixes to be built,
> > > > which will be posted on the edk2 mailing list later
> > >
> > > VS2019
> > > - Intel (OvmfPkgX64)
> > >
> > > Test with:
> > > GCC5/RPi4
> > > VS2019/OvmfX64 (requires changes to enable feature)
> > >
> > > Tests:
> > > 1. Try to enroll key in incorrect format.
> > > 2. Enroll with only PKDefault keys specified.
> > > 3. Enroll with all keys specified.
> > > 4. Enroll when keys are enrolled.
> > > 5. Reset keys values.
> > > 6. Running signed & unsigned app after enrollment.
> > >
> > > Changes since v1:
> > > - change names:
> > > SecBootVariableLib => SecureBootVariableLib
> > > SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > > SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > > - change name of function CheckSetupMode to GetSetupMode
> > > > - remove ShellPkg dependency from EnrollFromDefaultKeysApp
> > > - rebase to master
> > >
> > > Changes since v2:
> > > - fix coding style for functions headers in SecureBootVariableLib.h
> > > - add header to SecureBootDefaultKeys.fdf.inc
> > > - remove empty line spaces in SecureBootDefaultKeysDxe files
> > > - revert FAIL macro in EnrollFromDefaultKeysApp
> > > - remove functions duplicates and add SecureBootVariableLib
> > > to platforms which used it
> > >
> > > Changes since v3:
> > > - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> > > - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> > > - fix typo in guid description
> > >
> > > Changes since v4:
> > > - reorder patches to make it bisectable
> > > - split commits related to more than one platform
> > > - move edk2-platform commits to separate patchset
> > >
> > > Changes since v5:
> > > - split SecureBootVariableLib into SecureBootVariableLib and
> > > SecureBootVariableProvisionLib
> > >
> > > Grzegorz Bernacki (11):
> > > SecurityPkg: Create SecureBootVariableLib.
> > > SecurityPkg: Create library for enrolling Secure Boot variables.
> > > ArmVirtPkg: add SecureBootVariableLib class resolution
> > > OvmfPkg: add SecureBootVariableLib class resolution
> > > EmulatorPkg: add SecureBootVariableLib class resolution
> > > SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
> > > ArmPlatformPkg: Create include file for default key content.
> > > SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > > SecurityPkg: Add EnrollFromDefaultKeys application.
> > > SecurityPkg: Add new modules to Security package.
> > > SecurityPkg: Add option to reset secure boot keys.
> > >
> > > > SecurityPkg/SecurityPkg.dec | 14 +
> > > > ArmVirtPkg/ArmVirt.dsc.inc | 2 +
> > > > EmulatorPkg/EmulatorPkg.dsc | 2 +
> > > > OvmfPkg/Bhyve/BhyveX64.dsc | 2 +
> > > > OvmfPkg/OvmfPkgIa32.dsc | 2 +
> > > > OvmfPkg/OvmfPkgIa32X64.dsc | 2 +
> > > > OvmfPkg/OvmfPkgX64.dsc | 2 +
> > > > SecurityPkg/SecurityPkg.dsc | 5 +
> > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 48 ++
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 80 +++
> > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf | 80 +++
> > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 3 +
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 46 ++
> > > > SecurityPkg/Include/Library/SecureBootVariableLib.h | 153 ++++++
> > > > SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h | 134 +++++
> > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
> > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
> > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 110 +++++
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 511 ++++++++++++++++++++
> > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 491 +++++++++++++++++++
> > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 344 ++++++-------
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 69 +++
> > > > ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc | 70 +++
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 17 +
> > > > SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni | 16 +
> > > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 16 +
> > > > 27 files changed, 2043 insertions(+), 188 deletions(-)
> > > > create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > > create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > > > create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
> > > > create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
> > > > create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> > > > create mode 100644 SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
> > > > create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > > create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > > create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
> > > > create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
> > > > create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> > > > create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > > > create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
> > > > create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
> > >
> > > --
> > > 2.25.1
Thread overview: 22+ messages
2021-07-14 12:29 [PATCH v6 00/11] Secure Boot default keys Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 01/11] SecurityPkg: Create SecureBootVariableLib Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 02/11] SecurityPkg: Create library for enrolling Secure Boot variables Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 03/11] ArmVirtPkg: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 04/11] OvmfPkg: " Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 05/11] EmulatorPkg: " Grzegorz Bernacki
2021-07-21 2:53 ` [edk2-devel] " Ni, Ray
2021-07-14 12:29 ` [PATCH v6 06/11] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 07/11] ArmPlatformPkg: Create include file for default key content Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 08/11] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 09/11] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 10/11] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 11/11] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-07-15 3:16 ` [edk2-devel] [PATCH v6 00/11] Secure Boot default keys Yao, Jiewen
2021-07-16 12:00 ` Samer El-Haj-Mahmoud
2021-07-16 17:28 ` Ard Biesheuvel
2021-07-20 1:32 ` Re: " gaoliming
2021-07-21 3:40 ` Sunny Wang
2021-07-28 7:44 ` Re: " gaoliming
2021-07-28 10:39 ` Ard Biesheuvel [this message]
2021-07-28 11:07 ` Ard Biesheuvel
2021-07-29 8:54 ` Grzegorz Bernacki