From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by mx.groups.io with SMTP id smtpd.web10.2054.1627975772554330659
 for <devel@edk2.groups.io>;
 Tue, 03 Aug 2021 00:29:32 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@kernel.org header.s=k20201202 header.b=P1jdAmUL;
 spf=pass (domain: kernel.org, ip: 198.145.29.99, mailfrom: ardb@kernel.org)
Received: by mail.kernel.org (Postfix) with ESMTPSA id 8B20560ED6
	for <devel@edk2.groups.io>; Tue,  3 Aug 2021 07:29:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1627975771;
	bh=nT+0ppkckEcz4W3Wr7CkthEq79FmqVNgl5fsVuD7qKM=;
	h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
	b=P1jdAmULAP43pvsWrfn/j3SgGWaiME7pO+a8Pfn7XEOzecEi5uDbiwcT6mLa3ZTvU
	 nS7AO14VxSG79moKiBdk8qd599sCNIqpvAvVGOjVvDVGlcdhaYrLQmEF23bCbk8eih
	 YxcjOizvq6mzvNlZWYDhpQXgX4BXTGzkz15wpmjgotdmfHuUgCVCKACktRr2MiPsYw
	 NsdIUj7y/bgMg3g0RqF7aaEc+v9BntVmfpGgf2p6RCcK6qqPFW0Et1mmMhIs37ozxw
	 LP+HZ5JOg0Ao22eZs5BHDZ7QqgBBW9n4V8LNLTyaRaZH0ciMd2QXNc3p7P4UyoAA5Q
	 Qk1LE+oN5+srg==
Received: by mail-oo1-f53.google.com with SMTP id 13-20020a4ae1ad0000b029024b19a4d98eso4990446ooy.5
        for <devel@edk2.groups.io>; Tue, 03 Aug 2021 00:29:31 -0700 (PDT)
X-Gm-Message-State: AOAM53136zTL22gFTpvEyaYyZIezjQuHNCEZokGrganAc6j9ecTG/cbk
	HjHV0aeYbiC1kyzXhHZjVUnVG1yhypx986s4BC8=
X-Google-Smtp-Source: ABdhPJw2njg4wfCUcpeSX3WC9pdIhz5llBq71BXKWMB6h6Ls8s7bND8kcHofDOy1sS13vZZtlek+aQOofq549UBBo9U=
X-Received: by 2002:a4a:334f:: with SMTP id q76mr153273ooq.41.1627975770892;
 Tue, 03 Aug 2021 00:29:30 -0700 (PDT)
MIME-Version: 1.0
References: <20210802104633.2833333-1-gjb@semihalf.com>
In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com>
From: "Ard Biesheuvel" <ardb@kernel.org>
Date: Tue, 3 Aug 2021 09:29:19 +0200
X-Gmail-Original-Message-ID: <CAMj1kXHze4RXTPSLfqe6=bqFYujYLdvm-vxThHDPgo02ufzd4w@mail.gmail.com>
Message-ID: <CAMj1kXHze4RXTPSLfqe6=bqFYujYLdvm-vxThHDPgo02ufzd4w@mail.gmail.com>
Subject: Re: [PATCH v8 00/11] Secure Boot default keys
To: Grzegorz Bernacki <gjb@semihalf.com>
Cc: edk2-devel-groups-io <devel@edk2.groups.io>, Leif Lindholm <leif@nuviainc.com>, 
	Ard Biesheuvel <ardb+tianocore@kernel.org>, 
	Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>, Sunny Wang <sunny.Wang@arm.com>, 
	Marcin Wojtas <mw@semihalf.com>, upstream@semihalf.com, Jiewen Yao <jiewen.yao@intel.com>, 
	Jian J Wang <jian.j.wang@intel.com>, Min Xu <min.m.xu@intel.com>, 
	Laszlo Ersek <lersek@redhat.com>, Sami Mujawar <sami.mujawar@arm.com>, Andrew Fish <afish@apple.com>, 
	Ray Ni <ray.ni@intel.com>, Jordan Justen <jordan.l.justen@intel.com>, 
	Rebecca Cran <rebecca@bsdio.com>, Peter Grehan <grehan@freebsd.org>, 
	Thomas Abraham <thomas.abraham@arm.com>, Chasel Chiu <chasel.chiu@intel.com>, 
	Nate DeSimone <nathaniel.l.desimone@intel.com>, 
	"Liming Gao (Byosoft address)" <gaoliming@byosoft.com.cn>, Eric Dong <eric.dong@intel.com>, 
	Michael Kinney <michael.d.kinney@intel.com>, "Sun, Zailiang" <zailiang.sun@intel.com>, 
	"Qian, Yi" <yi.qian@intel.com>, Graeme Gregory <graeme@nuviainc.com>, 
	Radoslaw Biernacki <rad@semihalf.com>, Peter Batard <pete@akeo.ie>
Content-Type: text/plain; charset="UTF-8"

On Mon, 2 Aug 2021 at 12:47, Grzegorz Bernacki <gjb@semihalf.com> wrote:
>
> This patchset adds support for initialization of default
> Secure Boot variables based on keys content embedded in
> flash binary. This feature is active only if Secure Boot
> is enabled and DEFAULT_KEY is defined. The patchset
> consist also application to enroll keys from default
> variables and secure boot menu change to allow user
> to reset key content to default values.
> Discussion on design can be found at:
> https://edk2.groups.io/g/rfc/topic/82139806#600
>
> Built with:
> GCC
> - RISC-V (U500, U540) [requires fixes in dsc to build]
> - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
>   EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
>
> RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be built,
> will be post on edk2 maillist later
>
> VS2019
> - Intel (OvmfPkgX64)
>
> Test with:
> GCC5/RPi4
> VS2019/OvmfX64 (requires changes to enable feature)
>
> Tests:
> 1. Try to enroll key in incorrect format.
> 2. Enroll with only PKDefault keys specified.
> 3. Enroll with all keys specified.
> 4. Enroll when keys are enrolled.
> 5. Reset keys values.
> 6. Running signed & unsigned app after enrollment.
>
> Changes since v1:
> - change names:
>   SecBootVariableLib => SecureBootVariableLib
>   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
>   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> - change name of function CheckSetupMode to GetSetupMode
> - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> - rebase to master
>
> Changes since v2:
> - fix coding style for functions headers in SecureBootVariableLib.h
> - add header to SecureBootDefaultKeys.fdf.inc
> - remove empty line spaces in SecureBootDefaultKeysDxe files
> - revert FAIL macro in EnrollFromDefaultKeysApp
> - remove functions duplicates and  add SecureBootVariableLib
>   to platforms which used it
>
> Changes since v3:
> - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> - fix typo in guid description
>
> Changes since v4:
> - reorder patches to make it bisectable
> - split commits related to more than one platform
> - move edk2-platform commits to separate patchset
>
> Changes since v5:
> - split SecureBootVariableLib into SecureBootVariableLib and
>   SecureBootVariableProvisionLib
>
> Changes since v6:
> - fix problems found by CI
>   - add correct modules to SecurityPkg.dsc
>   - update SecurityPkg.dec
>   - fix coding style issues
>
> Changes since v7:
> - fix coding style issues
>

v8 merged as #1850

Thanks all

> NOTE: edk2-platform has not been changed and v6 platform patches
> are still valid
>
> Grzegorz Bernacki (11):
>   SecurityPkg: Create SecureBootVariableLib.
>   SecurityPkg: Create library for enrolling Secure Boot variables.
>   ArmVirtPkg: add SecureBootVariableLib class resolution
>   OvmfPkg: add SecureBootVariableLib class resolution
>   EmulatorPkg: add SecureBootVariableLib class resolution
>   SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
>   ArmPlatformPkg: Create include file for default key content.
>   SecurityPkg: Add SecureBootDefaultKeysDxe driver
>   SecurityPkg: Add EnrollFromDefaultKeys application.
>   SecurityPkg: Add new modules to Security package.
>   SecurityPkg: Add option to reset secure boot keys.
>
>  SecurityPkg/SecurityPkg.dec                                                             |  22 +
>  ArmVirtPkg/ArmVirt.dsc.inc                                                              |   2 +
>  EmulatorPkg/EmulatorPkg.dsc                                                             |   2 +
>  OvmfPkg/Bhyve/BhyveX64.dsc                                                              |   2 +
>  OvmfPkg/OvmfPkgIa32.dsc                                                                 |   2 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                                                              |   2 +
>  OvmfPkg/OvmfPkgX64.dsc                                                                  |   2 +
>  SecurityPkg/SecurityPkg.dsc                                                             |   9 +-
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                       |  48 ++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                     |  80 +++
>  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf   |  80 +++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf           |   3 +
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf |  46 ++
>  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     | 153 ++++++
>  SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h                            | 134 +++++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h          |   2 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr              |   6 +
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                         | 115 +++++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                       | 510 ++++++++++++++++++++
>  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c     | 482 ++++++++++++++++++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c            | 343 ++++++-------
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   |  69 +++
>  ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc                                            |  70 +++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                     |  17 +
>  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni   |  16 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni       |   4 +
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni |  16 +
>  27 files changed, 2048 insertions(+), 189 deletions(-)
>  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
>  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
>  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
>  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
>  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
>  create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
>  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
>
> --
> 2.25.1
>