Re: [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver

["Sunny Wang" <Sunny.Wang@arm.com>]

Internally reviewed this patch before sending the edk2 mailing list and It looks good to me. Please also address Pete's good catches/comments.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>

-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver

This driver initializes default Secure Boot keys and databases
based on keys embedded in flash.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 46 +++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   | 69 ++++++++++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 17 +++++
 3 files changed, 132 insertions(+)
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
new file mode 100644
index 0000000000..27345eab2e
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
@@ -0,0 +1,46 @@
+## @file
+#  Initializes Secure Boot default keys
+#
+#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+[Defines]
+  INF_VERSION = 0x00010005
+  BASE_NAME   = SecureBootDefaultKeysDxe
+  FILE_GUID   = C937FCB7-25AC-4376-89A2-4EA8B317DE83
+  MODULE_TYPE = DXE_DRIVER
+  ENTRY_POINT = SecureBootDefaultKeysEntryPoint
+
+#
+#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
+#
+[Sources]
+  SecureBootDefaultKeysDxe.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  MemoryAllocationLib
+  UefiDriverEntryPoint
+  DebugLib
+  SecureBootVariableLib
+
+[Guids]
+  ## SOMETIMES_PRODUCES      ## Variable:L"PKDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"KEKDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"dbDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"dbtDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"dbxDefault"
+  gEfiGlobalVariableGuid
+
+[Depex]
+  gEfiVariableArchProtocolGuid      AND
+  gEfiVariableWriteArchProtocolGuid
+
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
new file mode 100644
index 0000000000..0928489e15
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
@@ -0,0 +1,69 @@
+/** @file
+  This driver init default Secure Boot variables
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/SecureBootVariableLib.h>
+
+/**
+  The entry point for SecureBootDefaultKeys driver.
+
+  @param[in]  ImageHandle        The image handle of the driver.
+  @param[in]  SystemTable        The system table.
+
+  @retval EFI_ALREADY_STARTED    The driver already exists in system.
+  @retval EFI_OUT_OF_RESOURCES   Fail to execute entry point due to lack of resources.
+  @retval EFI_SUCCESS            All the related protocols are installed on the driver.
+  @retval Others                 Fail to get the SecureBootEnable variable.
+
+**/
+EFI_STATUS
+EFIAPI
+SecureBootDefaultKeysEntryPoint (
+  IN EFI_HANDLE          ImageHandle,
+  IN EFI_SYSTEM_TABLE    *SystemTable
+  )
+{
+  EFI_STATUS  Status;
+
+  Status = SecureBootInitPKDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __FUNCTION__, Status));
+    return Status;
+  }
+
+  Status = SecureBootInitKEKDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __FUNCTION__, Status));
+    return Status;
+  }
+  Status = SecureBootInitdbDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __FUNCTION__, Status));
+    return Status;
+  }
+
+  Status = SecureBootInitdbtDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__));
+  }
+
+  Status = SecureBootInitdbxDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__));
+  }
+
+  return Status;
+}
+
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
new file mode 100644
index 0000000000..30f03aee5d
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
@@ -0,0 +1,17 @@
+// /** @file
+// Provides the capability to intialize Secure Boot default variables
+//
+// Module which initializes Secure boot default variables.
+//
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Module which initializes Secure boot default variables"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This module reads embedded keys and initializes Secure Boot default variables."
+
--
2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.