Re: [PATCH v7 00/11] Secure Boot default keys

["Ard Biesheuvel" <ardb@kernel.org>]

On Fri, 30 Jul 2021 at 12:23, Grzegorz Bernacki <gjb@semihalf.com> wrote:
>
> This patchset adds support for initialization of default
> Secure Boot variables based on keys content embedded in
> flash binary. This feature is active only if Secure Boot
> is enabled and DEFAULT_KEY is defined. The patchset
> consist also application to enroll keys from default
> variables and secure boot menu change to allow user
> to reset key content to default values.
> Discussion on design can be found at:
> https://edk2.groups.io/g/rfc/topic/82139806#600
>
> Built with:
> GCC
> - RISC-V (U500, U540) [requires fixes in dsc to build]
> - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
>   EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
>
> RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be built,
> will be post on edk2 maillist later
>
> VS2019
> - Intel (OvmfPkgX64)
>
> Test with:
> GCC5/RPi4
> VS2019/OvmfX64 (requires changes to enable feature)
>
> Tests:
> 1. Try to enroll key in incorrect format.
> 2. Enroll with only PKDefault keys specified.
> 3. Enroll with all keys specified.
> 4. Enroll when keys are enrolled.
> 5. Reset keys values.
> 6. Running signed & unsigned app after enrollment.
>
> Changes since v1:
> - change names:
>   SecBootVariableLib => SecureBootVariableLib
>   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
>   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> - change name of function CheckSetupMode to GetSetupMode
> - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> - rebase to master
>
> Changes since v2:
> - fix coding style for functions headers in SecureBootVariableLib.h
> - add header to SecureBootDefaultKeys.fdf.inc
> - remove empty line spaces in SecureBootDefaultKeysDxe files
> - revert FAIL macro in EnrollFromDefaultKeysApp
> - remove functions duplicates and  add SecureBootVariableLib
>   to platforms which used it
>
> Changes since v3:
> - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> - fix typo in guid description
>
> Changes since v4:
> - reorder patches to make it bisectable
> - split commits related to more than one platform
> - move edk2-platform commits to separate patchset
>
> Changes since v5:
> - split SecureBootVariableLib into SecureBootVariableLib and
>   SecureBootVariableProvisionLib
>
> Changes since v6:
> - fix problems found by CI
>   - add correct modules to SecurityPkg.dsc
>   - update SecurityPkg.dec
>   - fix coding style issues
>

This still generates CI errors:

https://github.com/tianocore/edk2/pull/1850

Note that you can create PRs against tianocore/edk2 directly from your
own branch, which will result in the CI checks to be performed on the
code, without your branch being merged even if all checks pass (that
requires the push label which only maintainers can set)


> NOTE: edk2-platform has not been changed and v6 platform patches
> are still valid
>
> Grzegorz Bernacki (11):
>   SecurityPkg: Create SecureBootVariableLib.
>   SecurityPkg: Create library for enrolling Secure Boot variables.
>   ArmVirtPkg: add SecureBootVariableLib class resolution
>   OvmfPkg: add SecureBootVariableLib class resolution
>   EmulatorPkg: add SecureBootVariableLib class resolution
>   SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
>   ArmPlatformPkg: Create include file for default key content.
>   SecurityPkg: Add SecureBootDefaultKeysDxe driver
>   SecurityPkg: Add EnrollFromDefaultKeys application.
>   SecurityPkg: Add new modules to Security package.
>   SecurityPkg: Add option to reset secure boot keys.
>
>  SecurityPkg/SecurityPkg.dec                                                             |  22 +
>  ArmVirtPkg/ArmVirt.dsc.inc                                                              |   2 +
>  EmulatorPkg/EmulatorPkg.dsc                                                             |   2 +
>  OvmfPkg/Bhyve/BhyveX64.dsc                                                              |   2 +
>  OvmfPkg/OvmfPkgIa32.dsc                                                                 |   2 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                                                              |   2 +
>  OvmfPkg/OvmfPkgX64.dsc                                                                  |   2 +
>  SecurityPkg/SecurityPkg.dsc                                                             |   9 +-
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                       |  48 ++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                     |  80 +++
>  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf   |  80 +++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf           |   3 +
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf |  46 ++
>  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     | 153 ++++++
>  SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h                            | 134 +++++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h          |   2 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr              |   6 +
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                         | 115 +++++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                       | 510 ++++++++++++++++++++
>  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c     | 482 ++++++++++++++++++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c            | 344 ++++++-------
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   |  69 +++
>  ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc                                            |  70 +++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                     |  17 +
>  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni   |  16 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni       |   4 +
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni |  16 +
>  27 files changed, 2049 insertions(+), 189 deletions(-)
>  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
>  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
>  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
>  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
>  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
>  create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
>  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
>
> --
> 2.25.1
>