* [PATCH v5 00/10] Secure Boot default keys
@ 2021-07-01 9:17 Grzegorz Bernacki
2021-07-01 9:17 ` [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
` (12 more replies)
0 siblings, 13 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-01 9:17 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki
This patchset adds support for initialization of default
Secure Boot variables based on keys content embedded in
flash binary. This feature is active only if Secure Boot
is enabled and DEFAULT_KEY is defined. The patchset
consist also application to enroll keys from default
variables and secure boot menu change to allow user
to reset key content to default values.
Discussion on design can be found at:
https://edk2.groups.io/g/rfc/topic/82139806#600
Built with:
GCC
- RISC-V (U500, U540) [requires fixes in dsc to build]
- Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
- ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be built,
will be post on edk2 maillist later
VS2019
- Intel (OvmfPkgX64)
Test with:
GCC5/RPi4
VS2019/OvmfX64 (requires changes to enable feature)
Tests:
1. Try to enroll key in incorrect format.
2. Enroll with only PKDefault keys specified.
3. Enroll with all keys specified.
4. Enroll when keys are enrolled.
5. Reset keys values.
6. Running signed & unsigned app after enrollment.
Changes since v1:
- change names:
SecBootVariableLib => SecureBootVariableLib
SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
- change name of function CheckSetupMode to GetSetupMode
- remove ShellPkg dependecy from EnrollFromDefaultKeysApp
- rebase to master
Changes since v2:
- fix coding style for functions headers in SecureBootVariableLib.h
- add header to SecureBootDefaultKeys.fdf.inc
- remove empty line spaces in SecureBootDefaultKeysDxe files
- revert FAIL macro in EnrollFromDefaultKeysApp
- remove functions duplicates and add SecureBootVariableLib
to platforms which used it
Changes since v3:
- move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
- leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
- fix typo in guid description
Changes since v4:
- reorder patches to make it bisectable
- split commits related to more than one platform
- move edk2-platform commits to separate patchset
Grzegorz Bernacki (10):
SecurityPkg: Create library for setting Secure Boot variables.
ArmVirtPkg: add SecureBootVariableLib class resolution
OvmfPkg: add SecureBootVariableLib class resolution
EmulatorPkg: add SecureBootVariableLib class resolution
SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
ArmPlatformPkg: Create include file for default key content.
SecurityPkg: Add SecureBootDefaultKeysDxe driver
SecurityPkg: Add EnrollFromDefaultKeys application.
SecurityPkg: Add new modules to Security package.
SecurityPkg: Add option to reset secure boot keys.
SecurityPkg/SecurityPkg.dec | 14 +
ArmVirtPkg/ArmVirt.dsc.inc | 1 +
EmulatorPkg/EmulatorPkg.dsc | 1 +
OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
SecurityPkg/SecurityPkg.dsc | 4 +
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 +
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 79 ++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 +
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 45 +
SecurityPkg/Include/Library/SecureBootVariableLib.h | 251 +++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 109 +++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 980 ++++++++++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 343 ++++---
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 68 ++
ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc | 70 ++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 16 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 16 +
23 files changed, 1874 insertions(+), 188 deletions(-)
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
--
2.25.1
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables.
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
@ 2021-07-01 9:17 ` Grzegorz Bernacki
2021-07-06 11:55 ` Yao, Jiewen
2021-07-09 9:29 ` Sunny Wang
2021-07-01 9:17 ` [PATCH v5 02/10] ArmVirtPkg: add SecureBootVariableLib class resolution Grzegorz Bernacki
` (11 subsequent siblings)
12 siblings, 2 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-01 9:17 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki
This commits add library, which consist functions related
creation/removal Secure Boot variables. Some of the functions
was moved from SecureBootConfigImpl.c file.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
SecurityPkg/SecurityPkg.dsc | 1 +
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 79 ++
SecurityPkg/Include/Library/SecureBootVariableLib.h | 251 +++++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 980 ++++++++++++++++++++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 16 +
5 files changed, 1327 insertions(+)
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index bd4b810bce..854f250625 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -70,6 +70,7 @@
RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
[LibraryClasses.ARM]
#
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
new file mode 100644
index 0000000000..84367841d5
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
@@ -0,0 +1,79 @@
+## @file
+# Provides initialization of Secure Boot keys and databases.
+#
+# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+# Copyright (c) 2021, Semihalf All rights reserved.<BR>
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = SecureBootVariableLib
+ MODULE_UNI_FILE = SecureBootVariableLib.uni
+ FILE_GUID = D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = SecureBootVariableLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+
+[Sources]
+ SecureBootVariableLib.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ BaseCryptLib
+ DxeServicesLib
+
+[Guids]
+ ## CONSUMES ## Variable:L"SetupMode"
+ ## PRODUCES ## Variable:L"SetupMode"
+ ## CONSUMES ## Variable:L"SecureBoot"
+ ## PRODUCES ## Variable:L"SecureBoot"
+ ## PRODUCES ## Variable:L"PK"
+ ## PRODUCES ## Variable:L"KEK"
+ ## CONSUMES ## Variable:L"PKDefault"
+ ## CONSUMES ## Variable:L"KEKDefault"
+ ## CONSUMES ## Variable:L"dbDefault"
+ ## CONSUMES ## Variable:L"dbxDefault"
+ ## CONSUMES ## Variable:L"dbtDefault"
+ gEfiGlobalVariableGuid
+
+ ## SOMETIMES_CONSUMES ## Variable:L"DB"
+ ## SOMETIMES_CONSUMES ## Variable:L"DBX"
+ ## SOMETIMES_CONSUMES ## Variable:L"DBT"
+ gEfiImageSecurityDatabaseGuid
+
+ ## CONSUMES ## Variable:L"SecureBootEnable"
+ ## PRODUCES ## Variable:L"SecureBootEnable"
+ gEfiSecureBootEnableDisableGuid
+
+ ## CONSUMES ## Variable:L"CustomMode"
+ ## PRODUCES ## Variable:L"CustomMode"
+ gEfiCustomModeEnableGuid
+
+ gEfiCertTypeRsa2048Sha256Guid ## CONSUMES
+ gEfiCertX509Guid ## CONSUMES
+ gEfiCertPkcs7Guid ## CONSUMES
+
+ gDefaultPKFileGuid
+ gDefaultKEKFileGuid
+ gDefaultdbFileGuid
+ gDefaultdbxFileGuid
+ gDefaultdbtFileGuid
+
diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h
new file mode 100644
index 0000000000..e010667165
--- /dev/null
+++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h
@@ -0,0 +1,251 @@
+/** @file
+ Provides a function to enroll keys based on default values.
+
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __SECURE_BOOT_VARIABLE_LIB_H__
+#define __SECURE_BOOT_VARIABLE_LIB_H__
+
+/**
+ Set the platform secure boot mode into "Custom" or "Standard" mode.
+
+ @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or
+ CUSTOM_SECURE_BOOT_MODE.
+
+ @return EFI_SUCCESS The platform has switched to the special mode successfully.
+ @return other Fail to operate the secure boot mode.
+
+--*/
+EFI_STATUS
+SetSecureBootMode (
+ IN UINT8 SecureBootMode
+);
+
+/**
+ Fetches the value of SetupMode variable.
+
+ @param[out] SetupMode Pointer to UINT8 for SetupMode output
+
+ @retval other Error codes from GetVariable.
+--*/
+EFI_STATUS
+EFIAPI
+GetSetupMode (
+ OUT UINT8 *SetupMode
+);
+
+/**
+ Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
+ descriptor with the input data. NO authentication is required in this function.
+
+ @param[in, out] DataSize On input, the size of Data buffer in bytes.
+ On output, the size of data returned in Data
+ buffer in bytes.
+ @param[in, out] Data On input, Pointer to data buffer to be wrapped or
+ pointer to NULL to wrap an empty payload.
+ On output, Pointer to the new payload date buffer allocated from pool,
+ it's caller's responsibility to free the memory when finish using it.
+
+ @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval Others Unexpected error happens.
+
+--*/
+EFI_STATUS
+CreateTimeBasedPayload (
+ IN OUT UINTN *DataSize,
+ IN OUT UINT8 **Data
+);
+
+/**
+ Sets the content of the 'db' variable based on 'dbDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbFromDefault (
+ VOID
+);
+
+/**
+ Clears the content of the 'db' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDb (
+ VOID
+);
+
+/**
+ Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbxFromDefault (
+ VOID
+);
+
+/**
+ Clears the content of the 'dbx' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbx (
+ VOID
+);
+
+/**
+ Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbtFromDefault (
+ VOID
+);
+
+/**
+ Clears the content of the 'dbt' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbt (
+ VOID
+);
+
+/**
+ Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollKEKFromDefault (
+ VOID
+);
+
+/**
+ Clears the content of the 'KEK' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteKEK (
+ VOID
+);
+
+/**
+ Sets the content of the 'PK' variable based on 'PKDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollPKFromDefault (
+ VOID
+);
+
+/**
+ Clears the content of the 'PK' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeletePlatformKey (
+ VOID
+);
+
+/**
+ Initializes PKDefault variable with data from FFS section.
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitPKDefault (
+ IN VOID
+ );
+
+/**
+ Initializes KEKDefault variable with data from FFS section.
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitKEKDefault (
+ IN VOID
+ );
+
+/**
+ Initializes dbDefault variable with data from FFS section.
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbDefault (
+ IN VOID
+ );
+
+/**
+ Initializes dbtDefault variable with data from FFS section.
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbtDefault (
+ IN VOID
+ );
+
+/**
+ Initializes dbxDefault variable with data from FFS section.
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbxDefault (
+ IN VOID
+ );
+#endif
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
new file mode 100644
index 0000000000..f3dafeca6e
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
@@ -0,0 +1,980 @@
+/** @file
+ This library provides functions to set/clear Secure Boot
+ keys and databases.
+
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Guid/GlobalVariable.h>
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseCryptLib.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UefiLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/SecureBootVariableLib.h>
+#include "Library/DxeServicesLib.h"
+
+/** Creates EFI Signature List structure.
+
+ @param[in] Data A pointer to signature data.
+ @param[in] Size Size of signature data.
+ @param[out] SigList Created Signature List.
+
+ @retval EFI_SUCCESS Signature List was created successfully.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
+--*/
+STATIC
+EFI_STATUS
+CreateSigList (
+ IN VOID *Data,
+ IN UINTN Size,
+ OUT EFI_SIGNATURE_LIST **SigList
+ )
+{
+ UINTN SigListSize;
+ EFI_SIGNATURE_LIST *TmpSigList;
+ EFI_SIGNATURE_DATA *SigData;
+
+ //
+ // Allocate data for Signature Database
+ //
+ SigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + Size;
+ TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize);
+ if (TmpSigList == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ //
+ // Only gEfiCertX509Guid type is supported
+ //
+ TmpSigList->SignatureListSize = (UINT32)SigListSize;
+ TmpSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + Size);
+ TmpSigList->SignatureHeaderSize = 0;
+ CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid);
+
+ //
+ // Copy key data
+ //
+ SigData = (EFI_SIGNATURE_DATA *) (TmpSigList + 1);
+ CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid);
+ CopyMem (&SigData->SignatureData[0], Data, Size);
+
+ *SigList = TmpSigList;
+
+ return EFI_SUCCESS;
+}
+
+/** Adds new signature list to signature database.
+
+ @param[in] SigLists A pointer to signature database.
+ @param[in] SiglListAppend A signature list to be added.
+ @param[out] *SigListOut Created signature database.
+ @param[out] SigListsSize A size of created signature database.
+
+ @retval EFI_SUCCESS Signature List was added successfully.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
+--*/
+STATIC
+EFI_STATUS
+ConcatenateSigList (
+ IN EFI_SIGNATURE_LIST *SigLists,
+ IN EFI_SIGNATURE_LIST *SigListAppend,
+ OUT EFI_SIGNATURE_LIST **SigListOut,
+ IN OUT UINTN *SigListsSize
+)
+{
+ EFI_SIGNATURE_LIST *TmpSigList;
+ UINT8 *Offset;
+ UINTN NewSigListsSize;
+
+ NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
+
+ TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);
+ if (TmpSigList == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ CopyMem (TmpSigList, SigLists, *SigListsSize);
+
+ Offset = (UINT8 *)TmpSigList;
+ Offset += *SigListsSize;
+ CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);
+
+ *SigListsSize = NewSigListsSize;
+ *SigListOut = TmpSigList;
+ return EFI_SUCCESS;
+}
+
+/**
+ Create a EFI Signature List with data fetched from section specified as a argument.
+ Found keys are verified using RsaGetPublicKeyFromX509().
+
+ @param[in] KeyFileGuid A pointer to to the FFS filename GUID
+ @param[out] SigListsSize A pointer to size of signature list
+ @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists
+
+ @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_NOT_FOUND Section with key has not been found.
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.
+ @retval Others Unexpected error happens.
+
+--*/
+STATIC
+EFI_STATUS
+SecureBootFetchData (
+ IN EFI_GUID *KeyFileGuid,
+ OUT UINTN *SigListsSize,
+ OUT EFI_SIGNATURE_LIST **SigListOut
+)
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ EFI_SIGNATURE_LIST *TmpEfiSig;
+ EFI_SIGNATURE_LIST *TmpEfiSig2;
+ EFI_STATUS Status;
+ VOID *Buffer;
+ VOID *RsaPubKey;
+ UINTN Size;
+ UINTN KeyIndex;
+
+
+ KeyIndex = 0;
+ EfiSig = NULL;
+ *SigListsSize = 0;
+ while (1) {
+ Status = GetSectionFromAnyFv (
+ KeyFileGuid,
+ EFI_SECTION_RAW,
+ KeyIndex,
+ &Buffer,
+ &Size
+ );
+
+ if (Status == EFI_SUCCESS) {
+ RsaPubKey = NULL;
+ if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
+ DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+ if (EfiSig != NULL) {
+ FreePool(EfiSig);
+ }
+ FreePool(Buffer);
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Status = CreateSigList (Buffer, Size, &TmpEfiSig);
+
+ //
+ // Concatenate lists if more than one section found
+ //
+ if (KeyIndex == 0) {
+ EfiSig = TmpEfiSig;
+ *SigListsSize = TmpEfiSig->SignatureListSize;
+ } else {
+ ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
+ FreePool (EfiSig);
+ FreePool (TmpEfiSig);
+ EfiSig = TmpEfiSig2;
+ }
+
+ KeyIndex++;
+ FreePool (Buffer);
+ } if (Status == EFI_NOT_FOUND) {
+ break;
+ }
+ };
+
+ if (KeyIndex == 0) {
+ return EFI_NOT_FOUND;
+ }
+
+ *SigListOut = EfiSig;
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
+ descriptor with the input data. NO authentication is required in this function.
+
+ @param[in, out] DataSize On input, the size of Data buffer in bytes.
+ On output, the size of data returned in Data
+ buffer in bytes.
+ @param[in, out] Data On input, Pointer to data buffer to be wrapped or
+ pointer to NULL to wrap an empty payload.
+ On output, Pointer to the new payload date buffer allocated from pool,
+ it's caller's responsibility to free the memory when finish using it.
+
+ @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval Others Unexpected error happens.
+
+--*/
+EFI_STATUS
+CreateTimeBasedPayload (
+ IN OUT UINTN *DataSize,
+ IN OUT UINT8 **Data
+ )
+{
+ EFI_STATUS Status;
+ UINT8 *NewData;
+ UINT8 *Payload;
+ UINTN PayloadSize;
+ EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
+ UINTN DescriptorSize;
+ EFI_TIME Time;
+
+ if (Data == NULL || DataSize == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // In Setup mode or Custom mode, the variable does not need to be signed but the
+ // parameters to the SetVariable() call still need to be prepared as authenticated
+ // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
+ // data in it.
+ //
+ Payload = *Data;
+ PayloadSize = *DataSize;
+
+ DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
+ NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
+ if (NewData == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ if ((Payload != NULL) && (PayloadSize != 0)) {
+ CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
+ }
+
+ DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
+
+ ZeroMem (&Time, sizeof (EFI_TIME));
+ Status = gRT->GetTime (&Time, NULL);
+ if (EFI_ERROR (Status)) {
+ FreePool(NewData);
+ return Status;
+ }
+ Time.Pad1 = 0;
+ Time.Nanosecond = 0;
+ Time.TimeZone = 0;
+ Time.Daylight = 0;
+ Time.Pad2 = 0;
+ CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
+
+ DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
+ DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
+ DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
+ CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
+
+ if (Payload != NULL) {
+ FreePool(Payload);
+ }
+
+ *DataSize = DescriptorSize + PayloadSize;
+ *Data = NewData;
+ return EFI_SUCCESS;
+}
+
+/**
+ Internal helper function to delete a Variable given its name and GUID, NO authentication
+ required.
+
+ @param[in] VariableName Name of the Variable.
+ @param[in] VendorGuid GUID of the Variable.
+
+ @retval EFI_SUCCESS Variable deleted successfully.
+ @retval Others The driver failed to start the device.
+
+--*/
+EFI_STATUS
+DeleteVariable (
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid
+ )
+{
+ EFI_STATUS Status;
+ VOID* Variable;
+ UINT8 *Data;
+ UINTN DataSize;
+ UINT32 Attr;
+
+ GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
+ if (Variable == NULL) {
+ return EFI_SUCCESS;
+ }
+ FreePool (Variable);
+
+ Data = NULL;
+ DataSize = 0;
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
+
+ Status = CreateTimeBasedPayload (&DataSize, &Data);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
+ return Status;
+ }
+
+ Status = gRT->SetVariable (
+ VariableName,
+ VendorGuid,
+ Attr,
+ DataSize,
+ Data
+ );
+ if (Data != NULL) {
+ FreePool (Data);
+ }
+ return Status;
+}
+
+/**
+
+ Set the platform secure boot mode into "Custom" or "Standard" mode.
+
+ @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or
+ CUSTOM_SECURE_BOOT_MODE.
+
+ @return EFI_SUCCESS The platform has switched to the special mode successfully.
+ @return other Fail to operate the secure boot mode.
+
+--*/
+EFI_STATUS
+SetSecureBootMode (
+ IN UINT8 SecureBootMode
+ )
+{
+ return gRT->SetVariable (
+ EFI_CUSTOM_MODE_NAME,
+ &gEfiCustomModeEnableGuid,
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ sizeof (UINT8),
+ &SecureBootMode
+ );
+}
+
+
+/**
+ Enroll a key/certificate based on a default variable.
+
+ @param[in] VariableName The name of the key/database.
+ @param[in] DefaultName The name of the default variable.
+ @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable
+
+
+ @retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHeader.
+ @retval EFI_SUCCESS Successful enrollment.
+ @return Error codes from GetTime () and SetVariable ().
+--*/
+STATIC
+EFI_STATUS
+EnrollFromDefault (
+ IN CHAR16 *VariableName,
+ IN CHAR16 *DefaultName,
+ IN EFI_GUID *VendorGuid
+ )
+{
+ VOID *Data;
+ UINTN DataSize;
+ EFI_STATUS Status;
+
+ Status = EFI_SUCCESS;
+
+ DataSize = 0;
+ Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));
+ return Status;
+ }
+
+ CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
+ return Status;
+ }
+
+ //
+ // Allocate memory for auth variable
+ //
+ Status = gRT->SetVariable (
+ VariableName,
+ VendorGuid,
+ (EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS |
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
+ DataSize,
+ Data
+ );
+
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, VariableName,
+ VendorGuid, Status));
+ }
+
+ if (Data != NULL) {
+ FreePool (Data);
+ }
+
+ return Status;
+}
+
+/** Initializes PKDefault variable with data from FFS section.
+
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitPKDefault (
+ IN VOID
+ )
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ UINTN SigListsSize;
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+
+ //
+ // Check if variable exists, if so do not change it
+ //
+ Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+ if (Status == EFI_SUCCESS) {
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+ FreePool (Data);
+ return EFI_UNSUPPORTED;
+ }
+
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ return Status;
+ }
+
+ //
+ // Variable does not exist, can be initialized
+ //
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+
+ Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+ return Status;
+ }
+
+ Status = gRT->SetVariable (
+ EFI_PK_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ SigListsSize,
+ (VOID *)EfiSig
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+ }
+
+ FreePool (EfiSig);
+
+ return Status;
+}
+
+/** Initializes KEKDefault variable with data from FFS section.
+
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitKEKDefault (
+ IN VOID
+ )
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ UINTN SigListsSize;
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+
+ //
+ // Check if variable exists, if so do not change it
+ //
+ Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+ if (Status == EFI_SUCCESS) {
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+ FreePool (Data);
+ return EFI_UNSUPPORTED;
+ }
+
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ return Status;
+ }
+
+ //
+ // Variable does not exist, can be initialized
+ //
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+
+ Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+ return Status;
+ }
+
+
+ Status = gRT->SetVariable (
+ EFI_KEK_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ SigListsSize,
+ (VOID *)EfiSig
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+ }
+
+ FreePool (EfiSig);
+
+ return Status;
+}
+
+/** Initializes dbDefault variable with data from FFS section.
+
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbDefault (
+ IN VOID
+ )
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ UINTN SigListsSize;
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+
+ Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+ if (Status == EFI_SUCCESS) {
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+ FreePool (Data);
+ return EFI_UNSUPPORTED;
+ }
+
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ return Status;
+ }
+
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+
+ Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ Status = gRT->SetVariable (
+ EFI_DB_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ SigListsSize,
+ (VOID *)EfiSig
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+ }
+
+ FreePool (EfiSig);
+
+ return Status;
+}
+
+/** Initializes dbxDefault variable with data from FFS section.
+
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbxDefault (
+ IN VOID
+ )
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ UINTN SigListsSize;
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+
+ //
+ // Check if variable exists, if so do not change it
+ //
+ Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+ if (Status == EFI_SUCCESS) {
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+ FreePool (Data);
+ return EFI_UNSUPPORTED;
+ }
+
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ return Status;
+ }
+
+ //
+ // Variable does not exist, can be initialized
+ //
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+
+ Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+ return Status;
+ }
+
+ Status = gRT->SetVariable (
+ EFI_DBX_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ SigListsSize,
+ (VOID *)EfiSig
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+ }
+
+ FreePool (EfiSig);
+
+ return Status;
+}
+
+/** Initializes dbtDefault variable with data from FFS section.
+
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbtDefault (
+ IN VOID
+ )
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ UINTN SigListsSize;
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+
+ //
+ // Check if variable exists, if so do not change it
+ //
+ Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+ if (Status == EFI_SUCCESS) {
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+ FreePool (Data);
+ return EFI_UNSUPPORTED;
+ }
+
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ return Status;
+ }
+
+ //
+ // Variable does not exist, can be initialized
+ //
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+
+ Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ Status = gRT->SetVariable (
+ EFI_DBT_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ SigListsSize,
+ (VOID *)EfiSig
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+ }
+
+ FreePool (EfiSig);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Fetches the value of SetupMode variable.
+
+ @param[out] SetupMode Pointer to UINT8 for SetupMode output
+
+ @retval other Retval from GetVariable.
+--*/
+EFI_STATUS
+EFIAPI
+GetSetupMode (
+ OUT UINT8 *SetupMode
+)
+{
+ UINTN Size;
+ EFI_STATUS Status;
+
+ Size = sizeof (*SetupMode);
+ Status = gRT->GetVariable (
+ EFI_SETUP_MODE_NAME,
+ &gEfiGlobalVariableGuid,
+ NULL,
+ &Size,
+ SetupMode
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Sets the content of the 'db' variable based on 'dbDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbFromDefault (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = EnrollFromDefault (
+ EFI_IMAGE_SECURITY_DATABASE,
+ EFI_DB_DEFAULT_VARIABLE_NAME,
+ &gEfiImageSecurityDatabaseGuid
+ );
+
+ return Status;
+}
+
+/**
+ Clears the content of the 'db' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDb (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = DeleteVariable (
+ EFI_IMAGE_SECURITY_DATABASE,
+ &gEfiImageSecurityDatabaseGuid
+ );
+
+ return Status;
+}
+
+/**
+ Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbxFromDefault (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = EnrollFromDefault (
+ EFI_IMAGE_SECURITY_DATABASE1,
+ EFI_DBX_DEFAULT_VARIABLE_NAME,
+ &gEfiImageSecurityDatabaseGuid
+ );
+
+ return Status;
+}
+
+/**
+ Clears the content of the 'dbx' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbx (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = DeleteVariable (
+ EFI_IMAGE_SECURITY_DATABASE1,
+ &gEfiImageSecurityDatabaseGuid
+ );
+
+ return Status;
+}
+
+/**
+ Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbtFromDefault (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = EnrollFromDefault (
+ EFI_IMAGE_SECURITY_DATABASE2,
+ EFI_DBT_DEFAULT_VARIABLE_NAME,
+ &gEfiImageSecurityDatabaseGuid);
+
+ return Status;
+}
+
+/**
+ Clears the content of the 'dbt' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbt (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = DeleteVariable (
+ EFI_IMAGE_SECURITY_DATABASE2,
+ &gEfiImageSecurityDatabaseGuid
+ );
+
+ return Status;
+}
+
+/**
+ Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollKEKFromDefault (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = EnrollFromDefault (
+ EFI_KEY_EXCHANGE_KEY_NAME,
+ EFI_KEK_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid
+ );
+
+ return Status;
+}
+
+/**
+ Clears the content of the 'KEK' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteKEK (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = DeleteVariable (
+ EFI_KEY_EXCHANGE_KEY_NAME,
+ &gEfiGlobalVariableGuid
+ );
+
+ return Status;
+}
+
+/**
+ Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollPKFromDefault (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = EnrollFromDefault (
+ EFI_PLATFORM_KEY_NAME,
+ EFI_PK_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid
+ );
+
+ return Status;
+}
+
+/**
+ Remove the PK variable.
+
+ @retval EFI_SUCCESS Delete PK successfully.
+ @retval Others Could not allow to delete PK.
+
+--*/
+EFI_STATUS
+EFIAPI
+DeletePlatformKey (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ Status = DeleteVariable (
+ EFI_PLATFORM_KEY_NAME,
+ &gEfiGlobalVariableGuid
+ );
+ return Status;
+}
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
new file mode 100644
index 0000000000..2c51e4db53
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
@@ -0,0 +1,16 @@
+// /** @file
+//
+// Provides initialization of Secure Boot keys and databases.
+//
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides function to initialize PK, KEK and databases based on default variables."
+
+#string STR_MODULE_DESCRIPTION #language en-US "Provides function to initialize PK, KEK and databases based on default variables."
+
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v5 02/10] ArmVirtPkg: add SecureBootVariableLib class resolution
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
2021-07-01 9:17 ` [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
@ 2021-07-01 9:17 ` Grzegorz Bernacki
2021-07-01 10:39 ` Laszlo Ersek
2021-07-09 9:32 ` Sunny Wang
2021-07-01 9:17 ` [PATCH v5 03/10] OvmfPkg: " Grzegorz Bernacki
` (10 subsequent siblings)
12 siblings, 2 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-01 9:17 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki
The edk2 patch
SecurityPkg: Create library for setting Secure Boot variables.
moves generic functions from SecureBootConfigDxe and places
them into SecureBootVariableLib. This patch adds SecureBootVariableLib
mapping for ArmVirtPkg platform.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
ArmVirtPkg/ArmVirt.dsc.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index d9abadbe70..11c1f53537 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -168,6 +168,7 @@
#
!if $(SECURE_BOOT_ENABLE) == TRUE
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
# re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v5 03/10] OvmfPkg: add SecureBootVariableLib class resolution
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
2021-07-01 9:17 ` [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
2021-07-01 9:17 ` [PATCH v5 02/10] ArmVirtPkg: add SecureBootVariableLib class resolution Grzegorz Bernacki
@ 2021-07-01 9:17 ` Grzegorz Bernacki
2021-07-01 10:39 ` Laszlo Ersek
2021-07-09 9:37 ` Sunny Wang
2021-07-01 9:17 ` [PATCH v5 04/10] EmulatorPkg: " Grzegorz Bernacki
` (9 subsequent siblings)
12 siblings, 2 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-01 9:17 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki
The edk2 patch
SecurityPkg: Create library for setting Secure Boot variables.
moves generic functions from SecureBootConfigDxe and places
them into SecureBootVariableLib. This patch adds SecureBootVariableLib
mapping for OvmfPkg.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
4 files changed, 4 insertions(+)
diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index cbf896e89b..bcc0b2f2f4 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -196,6 +196,7 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index f53efeae79..9225966541 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -204,6 +204,7 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index b3662e17f2..5d53327edb 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -208,6 +208,7 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 0a237a9058..509acf7926 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -208,6 +208,7 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v5 04/10] EmulatorPkg: add SecureBootVariableLib class resolution
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
` (2 preceding siblings ...)
2021-07-01 9:17 ` [PATCH v5 03/10] OvmfPkg: " Grzegorz Bernacki
@ 2021-07-01 9:17 ` Grzegorz Bernacki
2021-07-09 9:10 ` Sunny Wang
2021-07-01 9:17 ` [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe Grzegorz Bernacki
` (8 subsequent siblings)
12 siblings, 1 reply; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-01 9:17 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki
The edk2 patch
SecurityPkg: Create library for setting Secure Boot variables.
moves generic functions from SecureBootConfigDxe and places
them into SecureBootVariableLib. This patch adds SecureBootVariableLib
mapping for EmulatorPkg.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
EmulatorPkg/EmulatorPkg.dsc | 1 +
1 file changed, 1 insertion(+)
diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 20e5468398..966cc7af01 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -132,6 +132,7 @@
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
` (3 preceding siblings ...)
2021-07-01 9:17 ` [PATCH v5 04/10] EmulatorPkg: " Grzegorz Bernacki
@ 2021-07-01 9:17 ` Grzegorz Bernacki
2021-07-09 9:12 ` Sunny Wang
` (2 more replies)
2021-07-01 9:17 ` [PATCH v5 06/10] ArmPlatformPkg: Create include file for default key content Grzegorz Bernacki
` (7 subsequent siblings)
12 siblings, 3 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-01 9:17 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki
This commit removes functions which were added
to SecureBootVariableLib. It also adds dependecy
on that library.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 189 +-------------------
2 files changed, 2 insertions(+), 188 deletions(-)
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 573efa6379..30d9cd8025 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -54,6 +54,7 @@
DevicePathLib
FileExplorerLib
PeCoffLib
+ SecureBootVariableLib
[Guids]
## SOMETIMES_CONSUMES ## Variable:L"CustomMode"
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index e82bfe7757..67e5e594ed 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include "SecureBootConfigImpl.h"
#include <Library/BaseCryptLib.h>
+#include <Library/SecureBootVariableLib.h>
CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION";
@@ -237,168 +238,6 @@ SaveSecureBootVariable (
return Status;
}
-/**
- Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
- descriptor with the input data. NO authentication is required in this function.
-
- @param[in, out] DataSize On input, the size of Data buffer in bytes.
- On output, the size of data returned in Data
- buffer in bytes.
- @param[in, out] Data On input, Pointer to data buffer to be wrapped or
- pointer to NULL to wrap an empty payload.
- On output, Pointer to the new payload date buffer allocated from pool,
- it's caller's responsibility to free the memory when finish using it.
-
- @retval EFI_SUCCESS Create time based payload successfully.
- @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval Others Unexpected error happens.
-
-**/
-EFI_STATUS
-CreateTimeBasedPayload (
- IN OUT UINTN *DataSize,
- IN OUT UINT8 **Data
- )
-{
- EFI_STATUS Status;
- UINT8 *NewData;
- UINT8 *Payload;
- UINTN PayloadSize;
- EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
- UINTN DescriptorSize;
- EFI_TIME Time;
-
- if (Data == NULL || DataSize == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // In Setup mode or Custom mode, the variable does not need to be signed but the
- // parameters to the SetVariable() call still need to be prepared as authenticated
- // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
- // data in it.
- //
- Payload = *Data;
- PayloadSize = *DataSize;
-
- DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
- if (NewData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- if ((Payload != NULL) && (PayloadSize != 0)) {
- CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
- }
-
- DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
-
- ZeroMem (&Time, sizeof (EFI_TIME));
- Status = gRT->GetTime (&Time, NULL);
- if (EFI_ERROR (Status)) {
- FreePool(NewData);
- return Status;
- }
- Time.Pad1 = 0;
- Time.Nanosecond = 0;
- Time.TimeZone = 0;
- Time.Daylight = 0;
- Time.Pad2 = 0;
- CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
-
- DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
- DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
- CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
-
- if (Payload != NULL) {
- FreePool(Payload);
- }
-
- *DataSize = DescriptorSize + PayloadSize;
- *Data = NewData;
- return EFI_SUCCESS;
-}
-
-/**
- Internal helper function to delete a Variable given its name and GUID, NO authentication
- required.
-
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Variable deleted successfully.
- @retval Others The driver failed to start the device.
-
-**/
-EFI_STATUS
-DeleteVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- VOID* Variable;
- UINT8 *Data;
- UINTN DataSize;
- UINT32 Attr;
-
- GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
- if (Variable == NULL) {
- return EFI_SUCCESS;
- }
- FreePool (Variable);
-
- Data = NULL;
- DataSize = 0;
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
- | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
- Status = CreateTimeBasedPayload (&DataSize, &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- return Status;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- VendorGuid,
- Attr,
- DataSize,
- Data
- );
- if (Data != NULL) {
- FreePool (Data);
- }
- return Status;
-}
-
-/**
-
- Set the platform secure boot mode into "Custom" or "Standard" mode.
-
- @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or
- CUSTOM_SECURE_BOOT_MODE.
-
- @return EFI_SUCCESS The platform has switched to the special mode successfully.
- @return other Fail to operate the secure boot mode.
-
-**/
-EFI_STATUS
-SetSecureBootMode (
- IN UINT8 SecureBootMode
- )
-{
- return gRT->SetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &SecureBootMode
- );
-}
-
/**
This code checks if the encode type and key strength of X.509
certificate is qualified.
@@ -646,32 +485,6 @@ ON_EXIT:
return Status;
}
-/**
- Remove the PK variable.
-
- @retval EFI_SUCCESS Delete PK successfully.
- @retval Others Could not allow to delete PK.
-
-**/
-EFI_STATUS
-DeletePlatformKey (
- VOID
-)
-{
- EFI_STATUS Status;
-
- Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- Status = DeleteVariable (
- EFI_PLATFORM_KEY_NAME,
- &gEfiGlobalVariableGuid
- );
- return Status;
-}
-
/**
Enroll a new KEK item from public key storing file (*.pbk).
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v5 06/10] ArmPlatformPkg: Create include file for default key content.
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
` (4 preceding siblings ...)
2021-07-01 9:17 ` [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe Grzegorz Bernacki
@ 2021-07-01 9:17 ` Grzegorz Bernacki
2021-07-09 9:20 ` Sunny Wang
2021-07-01 9:17 ` [PATCH v5 07/10] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
` (6 subsequent siblings)
12 siblings, 1 reply; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-01 9:17 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki
This commits add file which can be included by platform Flash
Description File. It allows to specify certificate files, which
will be embedded into binary file. The content of these files
can be used to initialize Secure Boot default keys and databases.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc | 70 ++++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
diff --git a/ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc b/ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
new file mode 100644
index 0000000000..bf4f2d42de
--- /dev/null
+++ b/ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
@@ -0,0 +1,70 @@
+## @file
+# FDF include file which allows to embed Secure Boot keys
+#
+# Copyright (c) 2021, ARM Limited. All rights reserved.
+# Copyright (c) 2021, Semihalf. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+
+!if $(DEFAULT_KEYS) == TRUE
+ FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
+ !ifdef $(PK_DEFAULT_FILE)
+ SECTION RAW = $(PK_DEFAULT_FILE)
+ !endif
+ SECTION UI = "PK Default"
+ }
+
+ FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
+ !ifdef $(KEK_DEFAULT_FILE1)
+ SECTION RAW = $(KEK_DEFAULT_FILE1)
+ !endif
+ !ifdef $(KEK_DEFAULT_FILE2)
+ SECTION RAW = $(KEK_DEFAULT_FILE2)
+ !endif
+ !ifdef $(KEK_DEFAULT_FILE3)
+ SECTION RAW = $(KEK_DEFAULT_FILE3)
+ !endif
+ SECTION UI = "KEK Default"
+ }
+
+ FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
+ !ifdef $(DB_DEFAULT_FILE1)
+ SECTION RAW = $(DB_DEFAULT_FILE1)
+ !endif
+ !ifdef $(DB_DEFAULT_FILE2)
+ SECTION RAW = $(DB_DEFAULT_FILE2)
+ !endif
+ !ifdef $(DB_DEFAULT_FILE3)
+ SECTION RAW = $(DB_DEFAULT_FILE3)
+ !endif
+ SECTION UI = "DB Default"
+ }
+
+ FILE FREEFORM = 36c513ee-a338-4976-a0fb-6ddba3dafe87 {
+ !ifdef $(DBT_DEFAULT_FILE1)
+ SECTION RAW = $(DBT_DEFAULT_FILE1)
+ !endif
+ !ifdef $(DBT_DEFAULT_FILE2)
+ SECTION RAW = $(DBT_DEFAULT_FILE2)
+ !endif
+ !ifdef $(DBT_DEFAULT_FILE3)
+ SECTION RAW = $(DBT_DEFAULT_FILE3)
+ !endif
+ SECTION UI = "DBT Default"
+ }
+
+ FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {
+ !ifdef $(DBX_DEFAULT_FILE1)
+ SECTION RAW = $(DBX_DEFAULT_FILE1)
+ !endif
+ !ifdef $(DBX_DEFAULT_FILE2)
+ SECTION RAW = $(DBX_DEFAULT_FILE2)
+ !endif
+ !ifdef $(DBX_DEFAULT_FILE3)
+ SECTION RAW = $(DBX_DEFAULT_FILE3)
+ !endif
+ SECTION UI = "DBX Default"
+ }
+
+!endif
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v5 07/10] SecurityPkg: Add SecureBootDefaultKeysDxe driver
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
` (5 preceding siblings ...)
2021-07-01 9:17 ` [PATCH v5 06/10] ArmPlatformPkg: Create include file for default key content Grzegorz Bernacki
@ 2021-07-01 9:17 ` Grzegorz Bernacki
2021-07-06 11:53 ` Yao, Jiewen
2021-07-01 9:17 ` [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
` (5 subsequent siblings)
12 siblings, 1 reply; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-01 9:17 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki, Sunny Wang
This driver initializes default Secure Boot keys and databases
based on keys embedded in flash.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi
---
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 45 +++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 68 ++++++++++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 16 +++++
3 files changed, 129 insertions(+)
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
new file mode 100644
index 0000000000..0af7563a3b
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
@@ -0,0 +1,45 @@
+## @file
+# Initializes Secure Boot default keys
+#
+# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+# Copyright (c) 2021, Semihalf All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = SecureBootDefaultKeysDxe
+ FILE_GUID = C937FCB7-25AC-4376-89A2-4EA8B317DE83
+ MODULE_TYPE = DXE_DRIVER
+ ENTRY_POINT = SecureBootDefaultKeysEntryPoint
+
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+[Sources]
+ SecureBootDefaultKeysDxe.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ MemoryAllocationLib
+ UefiDriverEntryPoint
+ DebugLib
+ SecureBootVariableLib
+
+[Guids]
+ ## SOMETIMES_PRODUCES ## Variable:L"PKDefault"
+ ## SOMETIMES_PRODUCES ## Variable:L"KEKDefault"
+ ## SOMETIMES_PRODUCES ## Variable:L"dbDefault"
+ ## SOMETIMES_PRODUCES ## Variable:L"dbtDefault"
+ ## SOMETIMES_PRODUCES ## Variable:L"dbxDefault"
+ gEfiGlobalVariableGuid
+
+[Depex]
+ gEfiVariableArchProtocolGuid AND
+ gEfiVariableWriteArchProtocolGuid
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
new file mode 100644
index 0000000000..12a18dc352
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
@@ -0,0 +1,68 @@
+/** @file
+ This driver init default Secure Boot variables
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/SecureBootVariableLib.h>
+
+/**
+ The entry point for SecureBootDefaultKeys driver.
+
+ @param[in] ImageHandle The image handle of the driver.
+ @param[in] SystemTable The system table.
+
+ @retval EFI_ALREADY_STARTED The driver already exists in system.
+ @retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack of resources.
+ @retval EFI_SUCCESS All the related protocols are installed on the driver.
+ @retval Others Fail to get the SecureBootEnable variable.
+
+**/
+EFI_STATUS
+EFIAPI
+SecureBootDefaultKeysEntryPoint (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+
+ Status = SecureBootInitPKDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __FUNCTION__, Status));
+ return Status;
+ }
+
+ Status = SecureBootInitKEKDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __FUNCTION__, Status));
+ return Status;
+ }
+ Status = SecureBootInitdbDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __FUNCTION__, Status));
+ return Status;
+ }
+
+ Status = SecureBootInitdbtDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__));
+ }
+
+ Status = SecureBootInitdbxDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__));
+ }
+
+ return Status;
+}
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
new file mode 100644
index 0000000000..2b6cb7f950
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
@@ -0,0 +1,16 @@
+// /** @file
+// Provides the capability to intialize Secure Boot default variables
+//
+// Module which initializes Secure boot default variables.
+//
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Module which initializes Secure boot default variables"
+
+#string STR_MODULE_DESCRIPTION #language en-US "This module reads embedded keys and initializes Secure Boot default variables."
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application.
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
` (6 preceding siblings ...)
2021-07-01 9:17 ` [PATCH v5 07/10] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
@ 2021-07-01 9:17 ` Grzegorz Bernacki
2021-07-06 11:53 ` Yao, Jiewen
2021-07-09 9:37 ` Sunny Wang
2021-07-01 9:17 ` [PATCH v5 09/10] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
` (4 subsequent siblings)
12 siblings, 2 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-01 9:17 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki
This application allows user to force key enrollment from
Secure Boot default variables.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 +++++++++
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 109 ++++++++++++++++++++
2 files changed, 156 insertions(+)
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
new file mode 100644
index 0000000000..4d79ca3844
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
@@ -0,0 +1,47 @@
+## @file
+# Enroll PK, KEK, db, dbx from Default variables
+#
+# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+# Copyright (c) 2021, Semihalf All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION = 1.28
+ BASE_NAME = EnrollFromDefaultKeysApp
+ FILE_GUID = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
+ MODULE_TYPE = UEFI_APPLICATION
+ VERSION_STRING = 0.1
+ ENTRY_POINT = UefiMain
+
+[Sources]
+ EnrollFromDefaultKeysApp.c
+
+[Packages]
+ MdeModulePkg/MdeModulePkg.dec
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[Guids]
+ gEfiCertPkcs7Guid
+ gEfiCertSha256Guid
+ gEfiCertX509Guid
+ gEfiCustomModeEnableGuid
+ gEfiGlobalVariableGuid
+ gEfiImageSecurityDatabaseGuid
+ gEfiSecureBootEnableDisableGuid
+
+[Protocols]
+ gEfiSmbiosProtocolGuid ## CONSUMES
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ PrintLib
+ UefiApplicationEntryPoint
+ UefiBootServicesTableLib
+ UefiLib
+ UefiRuntimeServicesTableLib
+ SecureBootVariableLib
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
new file mode 100644
index 0000000000..3407c1c4b9
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
@@ -0,0 +1,109 @@
+/** @file
+ Enroll default PK, KEK, db, dbx.
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseLib.h> // GUID_STRING_LENGTH
+#include <Library/BaseMemoryLib.h> // CopyGuid()
+#include <Library/DebugLib.h> // ASSERT()
+#include <Library/MemoryAllocationLib.h> // FreePool()
+#include <Library/PrintLib.h> // AsciiSPrint()
+#include <Library/UefiBootServicesTableLib.h> // gBS
+#include <Library/UefiLib.h> // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+#include <Uefi/UefiMultiPhase.h>
+#include <Library/SecureBootVariableLib.h>
+
+/**
+ Entry point function of this shell application.
+**/
+EFI_STATUS
+EFIAPI
+UefiMain (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+ UINT8 SetupMode;
+
+ Status = GetSetupMode (&SetupMode);
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: %r\n", Status);
+ return 1;
+ }
+
+ if (SetupMode == USER_MODE) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n");
+ return 1;
+ }
+
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
+ return 1;
+ }
+
+ Status = EnrollDbFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status);
+ goto error;
+ }
+
+ Status = EnrollDbxFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Status);
+ }
+
+ Status = EnrollDbtFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Status);
+ }
+
+ Status = EnrollKEKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Status);
+ goto cleardbs;
+ }
+
+ Status = EnrollPKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status);
+ goto clearKEK;
+ }
+
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ AsciiPrint (
+ "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n"
+ );
+ }
+ return 0;
+
+clearKEK:
+ DeleteKEK ();
+
+cleardbs:
+ DeleteDbt ();
+ DeleteDbx ();
+ DeleteDb ();
+
+error:
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ AsciiPrint (
+ "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n"
+ );
+ }
+
+ return 1;
+}
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v5 09/10] SecurityPkg: Add new modules to Security package.
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
` (7 preceding siblings ...)
2021-07-01 9:17 ` [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
@ 2021-07-01 9:17 ` Grzegorz Bernacki
2021-07-06 11:57 ` Yao, Jiewen
2021-07-01 9:17 ` [PATCH v5 10/10] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
` (3 subsequent siblings)
12 siblings, 1 reply; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-01 9:17 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki, Sunny Wang
This commits adds modules related to initialization and
usage of default Secure Boot key variables to SecurityPkg.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
---
SecurityPkg/SecurityPkg.dec | 14 ++++++++++++++
SecurityPkg/SecurityPkg.dsc | 3 +++
2 files changed, 17 insertions(+)
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 4001650fa2..e6aab4dce7 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -190,6 +190,20 @@
## GUID used to enforce loading order between Tcg2Acpi and Tcg2Smm
gTcg2MmSwSmiRegisteredGuid = { 0x9d4548b9, 0xa48d, 0x4db4, { 0x9a, 0x68, 0x32, 0xc5, 0x13, 0x9e, 0x20, 0x18 } }
+ ## GUID used to specify section with default PK content
+ gDefaultPKFileGuid = { 0x85254ea7, 0x4759, 0x4fc4, { 0x82, 0xd4, 0x5e, 0xed, 0x5f, 0xb0, 0xa4, 0xa0 } }
+
+ ## GUID used to specify section with default KEK content
+ gDefaultKEKFileGuid = { 0x6f64916e, 0x9f7a, 0x4c35, { 0xb9, 0x52, 0xcd, 0x04, 0x1e, 0xfb, 0x05, 0xa3 } }
+
+ ## GUID used to specify section with default db content
+ gDefaultdbFileGuid = { 0xc491d352, 0x7623, 0x4843, { 0xac, 0xcc, 0x27, 0x91, 0xa7, 0x57, 0x44, 0x21 } }
+
+ ## GUID used to specify section with default dbx content
+ gDefaultdbxFileGuid = { 0x5740766a, 0x718e, 0x4dc0, { 0x99, 0x35, 0xc3, 0x6f, 0x7d, 0x3f, 0x88, 0x4f } }
+
+ ## GUID used to specify section with default dbt content
+ gDefaultdbtFileGuid = { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } }
[Ppis]
## The PPI GUID for that TPM physical presence should be locked.
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 854f250625..f2f90f49de 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -259,6 +259,9 @@
[Components.IA32, Components.X64, Components.ARM, Components.AARCH64]
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecurityPkg/EnrollFromDefaultKeys/EnrollFromDefaultKeys.inf
+ SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys/SecureBootDefaultKeys.inf
[Components.IA32, Components.X64, Components.AARCH64]
#
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH v5 10/10] SecurityPkg: Add option to reset secure boot keys.
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
` (8 preceding siblings ...)
2021-07-01 9:17 ` [PATCH v5 09/10] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
@ 2021-07-01 9:17 ` Grzegorz Bernacki
2021-07-06 11:53 ` Yao, Jiewen
2021-07-07 1:17 ` 回复: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys gaoliming
` (2 subsequent siblings)
12 siblings, 1 reply; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-01 9:17 UTC (permalink / raw)
To: devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete,
Grzegorz Bernacki, Sunny Wang
This commit add option which allows reset content of Secure Boot
keys and databases to default variables.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
---
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 154 ++++++++++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
5 files changed, 167 insertions(+)
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 30d9cd8025..bd8d256dde 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -109,6 +109,7 @@
[Protocols]
gEfiHiiConfigAccessProtocolGuid ## PRODUCES
gEfiDevicePathProtocolGuid ## PRODUCES
+ gEfiHiiPopupProtocolGuid
[Depex]
gEfiHiiConfigRoutingProtocolGuid AND
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
index 6e54a4b0f2..4ecc25efc3 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
@@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#define KEY_VALUE_FROM_DBX_TO_LIST_FORM 0x100f
+#define KEY_SECURE_BOOT_RESET_TO_DEFAULT 0x1010
+
#define KEY_SECURE_BOOT_OPTION 0x1100
#define KEY_SECURE_BOOT_PK_OPTION 0x1101
#define KEY_SECURE_BOOT_KEK_OPTION 0x1102
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index fa7e11848c..e4560c592c 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -69,6 +69,12 @@ formset
endif;
endif;
+ text
+ help = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP),
+ text = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS),
+ flags = INTERACTIVE,
+ key = KEY_SECURE_BOOT_RESET_TO_DEFAULT;
+
endform;
//
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 67e5e594ed..47f281873b 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "SecureBootConfigImpl.h"
+#include <Protocol/HiiPopup.h>
#include <Library/BaseCryptLib.h>
#include <Library/SecureBootVariableLib.h>
@@ -4154,6 +4155,132 @@ ON_EXIT:
return Status;
}
+/**
+ This function reinitializes Secure Boot variables with default values.
+
+ @retval EFI_SUCCESS Success to update the signature list page
+ @retval others Fail to delete or enroll signature data.
+**/
+
+STATIC EFI_STATUS
+EFIAPI
+KeyEnrollReset (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ UINT8 SetupMode;
+
+ Status = EFI_SUCCESS;
+
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR(Status)) {
+ return Status;
+ }
+
+ // Clear all the keys and databases
+ Status = DeleteDb ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status));
+ return Status;
+ }
+
+ Status = DeleteDbx ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status));
+ return Status;
+ }
+
+ Status = DeleteDbt ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status));
+ return Status;
+ }
+
+ Status = DeleteKEK ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status));
+ return Status;
+ }
+
+ Status = DeletePlatformKey ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status));
+ return Status;
+ }
+
+ // After PK clear, Setup Mode shall be enabled
+ Status = GetSetupMode (&SetupMode);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n",
+ Status));
+ return Status;
+ }
+
+ if (SetupMode == USER_MODE) {
+ DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n"));
+ return EFI_SUCCESS;
+ }
+
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n",
+ Status));
+ return EFI_SUCCESS;
+ }
+
+ // Enroll all the keys from default variables
+ Status = EnrollDbFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status));
+ goto error;
+ }
+
+ Status = EnrollDbxFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status));
+ }
+
+ Status = EnrollDbtFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status));
+ }
+
+ Status = EnrollKEKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status));
+ goto cleardbs;
+ }
+
+ Status = EnrollPKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status));
+ goto clearKEK;
+ }
+
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n"));
+ }
+
+ return Status;
+
+clearKEK:
+ DeleteKEK ();
+
+cleardbs:
+ DeleteDbt ();
+ DeleteDbx ();
+ DeleteDb ();
+
+error:
+ if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) != EFI_SUCCESS) {
+ DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status));
+ }
+ return Status;
+}
+
/**
This function is called to provide results data to the driver.
@@ -4205,6 +4332,8 @@ SecureBootCallback (
SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
BOOLEAN GetBrowserDataResult;
ENROLL_KEY_ERROR EnrollKeyErrorCode;
+ EFI_HII_POPUP_PROTOCOL *HiiPopup;
+ EFI_HII_POPUP_SELECTION UserSelection;
Status = EFI_SUCCESS;
SecureBootEnable = NULL;
@@ -4755,6 +4884,31 @@ SecureBootCallback (
FreePool (SetupMode);
}
break;
+ case KEY_SECURE_BOOT_RESET_TO_DEFAULT:
+ {
+ Status = gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VOID **) &HiiPopup);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ Status = HiiPopup->CreatePopup (
+ HiiPopup,
+ EfiHiiPopupStyleInfo,
+ EfiHiiPopupTypeYesNo,
+ Private->HiiHandle,
+ STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP),
+ &UserSelection
+ );
+ if (UserSelection == EfiHiiPopupSelectionYes) {
+ Status = KeyEnrollReset ();
+ }
+ //
+ // Update secure boot strings after key reset
+ //
+ if (Status == EFI_SUCCESS) {
+ Status = UpdateSecureBootString (Private);
+ SecureBootExtractConfigFromVariable (Private, IfrNvData);
+ }
+ }
default:
break;
}
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
index ac783453cc..0d01701de7 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
@@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure Boot"
#string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable the Secure Boot feature after platform reset"
+#string STR_SECURE_RESET_TO_DEFAULTS_HELP #language en-US "Enroll keys with data from default variables"
+#string STR_SECURE_RESET_TO_DEFAULTS #language en-US "Reset Secure Boot Keys"
+#string STR_RESET_TO_DEFAULTS_POPUP #language en-US "Secure Boot Keys & databases will be initialized from defaults.\n Are you sure?"
+
#string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signature"
#string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signature"
#string STR_SECURE_BOOT_DELETE_LIST_FORM #language en-US "Delete Signature List Form"
--
2.25.1
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH v5 02/10] ArmVirtPkg: add SecureBootVariableLib class resolution
2021-07-01 9:17 ` [PATCH v5 02/10] ArmVirtPkg: add SecureBootVariableLib class resolution Grzegorz Bernacki
@ 2021-07-01 10:39 ` Laszlo Ersek
2021-07-09 9:32 ` Sunny Wang
1 sibling, 0 replies; 35+ messages in thread
From: Laszlo Ersek @ 2021-07-01 10:39 UTC (permalink / raw)
To: Grzegorz Bernacki, devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, sami.mujawar, afish,
ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete
On 07/01/21 11:17, Grzegorz Bernacki wrote:
> The edk2 patch
> SecurityPkg: Create library for setting Secure Boot variables.
>
> moves generic functions from SecureBootConfigDxe and places
> them into SecureBootVariableLib. This patch adds SecureBootVariableLib
> mapping for ArmVirtPkg platform.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
> ArmVirtPkg/ArmVirt.dsc.inc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
> index d9abadbe70..11c1f53537 100644
> --- a/ArmVirtPkg/ArmVirt.dsc.inc
> +++ b/ArmVirtPkg/ArmVirt.dsc.inc
> @@ -168,6 +168,7 @@
> #
> !if $(SECURE_BOOT_ENABLE) == TRUE
> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>
> # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH v5 03/10] OvmfPkg: add SecureBootVariableLib class resolution
2021-07-01 9:17 ` [PATCH v5 03/10] OvmfPkg: " Grzegorz Bernacki
@ 2021-07-01 10:39 ` Laszlo Ersek
2021-07-09 9:37 ` Sunny Wang
1 sibling, 0 replies; 35+ messages in thread
From: Laszlo Ersek @ 2021-07-01 10:39 UTC (permalink / raw)
To: Grzegorz Bernacki, devel
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, sami.mujawar, afish,
ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete
On 07/01/21 11:17, Grzegorz Bernacki wrote:
> The edk2 patch
> SecurityPkg: Create library for setting Secure Boot variables.
>
> moves generic functions from SecureBootConfigDxe and places
> them into SecureBootVariableLib. This patch adds SecureBootVariableLib
> mapping for OvmfPkg.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
> OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
> OvmfPkg/OvmfPkgIa32.dsc | 1 +
> OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> OvmfPkg/OvmfPkgX64.dsc | 1 +
> 4 files changed, 4 insertions(+)
>
> diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
> index cbf896e89b..bcc0b2f2f4 100644
> --- a/OvmfPkg/Bhyve/BhyveX64.dsc
> +++ b/OvmfPkg/Bhyve/BhyveX64.dsc
> @@ -196,6 +196,7 @@
> !if $(SECURE_BOOT_ENABLE) == TRUE
> PlatformSecureLib|OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecureLib.inf
> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> !else
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
> !endif
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index f53efeae79..9225966541 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -204,6 +204,7 @@
> !if $(SECURE_BOOT_ENABLE) == TRUE
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> !else
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
> !endif
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index b3662e17f2..5d53327edb 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -208,6 +208,7 @@
> !if $(SECURE_BOOT_ENABLE) == TRUE
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> !else
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
> !endif
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index 0a237a9058..509acf7926 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -208,6 +208,7 @@
> !if $(SECURE_BOOT_ENABLE) == TRUE
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> !else
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
> !endif
>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application.
2021-07-01 9:17 ` [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
@ 2021-07-06 11:53 ` Yao, Jiewen
2021-07-09 9:37 ` Sunny Wang
1 sibling, 0 replies; 35+ messages in thread
From: Yao, Jiewen @ 2021-07-06 11:53 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com,
upstream@semihalf.com, Wang, Jian J, Xu, Min M, lersek@redhat.com,
sami.mujawar@arm.com, afish@apple.com, Ni, Ray, Justen, Jordan L,
rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com,
Chiu, Chasel, Desimone, Nathaniel L, gaoliming@byosoft.com.cn,
Dong, Eric, Kinney, Michael D, Sun, Zailiang, Qian, Yi,
graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> -----Original Message-----
> From: Grzegorz Bernacki <gjb@semihalf.com>
> Sent: Thursday, July 1, 2021 5:18 PM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> lersek@redhat.com; sami.mujawar@arm.com; afish@apple.com; Ni, Ray
> <ray.ni@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>;
> rebecca@bsdio.com; grehan@freebsd.org; thomas.abraham@arm.com; Chiu,
> Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Sun,
> Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki
> <gjb@semihalf.com>
> Subject: [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application.
>
> This application allows user to force key enrollment from
> Secure Boot default variables.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47
> +++++++++
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 109
> ++++++++++++++++++++
> 2 files changed, 156 insertions(+)
> create mode 100644
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> create mode 100644
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
>
> diff --git
> a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> new file mode 100644
> index 0000000000..4d79ca3844
> --- /dev/null
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> @@ -0,0 +1,47 @@
> +## @file
> +# Enroll PK, KEK, db, dbx from Default variables
> +#
> +# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +# Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +[Defines]
> + INF_VERSION = 1.28
> + BASE_NAME = EnrollFromDefaultKeysApp
> + FILE_GUID = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
> + MODULE_TYPE = UEFI_APPLICATION
> + VERSION_STRING = 0.1
> + ENTRY_POINT = UefiMain
> +
> +[Sources]
> + EnrollFromDefaultKeysApp.c
> +
> +[Packages]
> + MdeModulePkg/MdeModulePkg.dec
> + MdePkg/MdePkg.dec
> + SecurityPkg/SecurityPkg.dec
> +
> +[Guids]
> + gEfiCertPkcs7Guid
> + gEfiCertSha256Guid
> + gEfiCertX509Guid
> + gEfiCustomModeEnableGuid
> + gEfiGlobalVariableGuid
> + gEfiImageSecurityDatabaseGuid
> + gEfiSecureBootEnableDisableGuid
> +
> +[Protocols]
> + gEfiSmbiosProtocolGuid ## CONSUMES
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> + MemoryAllocationLib
> + PrintLib
> + UefiApplicationEntryPoint
> + UefiBootServicesTableLib
> + UefiLib
> + UefiRuntimeServicesTableLib
> + SecureBootVariableLib
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> new file mode 100644
> index 0000000000..3407c1c4b9
> --- /dev/null
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> @@ -0,0 +1,109 @@
> +/** @file
> + Enroll default PK, KEK, db, dbx.
> +
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +**/
> +
> +#include <Guid/AuthenticatedVariableFormat.h> //
> gEfiCustomModeEnableGuid
> +#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
> +#include <Guid/ImageAuthentication.h> //
> EFI_IMAGE_SECURITY_DATABASE
> +#include <Library/BaseLib.h> // GUID_STRING_LENGTH
> +#include <Library/BaseMemoryLib.h> // CopyGuid()
> +#include <Library/DebugLib.h> // ASSERT()
> +#include <Library/MemoryAllocationLib.h> // FreePool()
> +#include <Library/PrintLib.h> // AsciiSPrint()
> +#include <Library/UefiBootServicesTableLib.h> // gBS
> +#include <Library/UefiLib.h> // AsciiPrint()
> +#include <Library/UefiRuntimeServicesTableLib.h> // gRT
> +#include <Uefi/UefiMultiPhase.h>
> +#include <Library/SecureBootVariableLib.h>
> +
> +/**
> + Entry point function of this shell application.
> +**/
> +EFI_STATUS
> +EFIAPI
> +UefiMain (
> + IN EFI_HANDLE ImageHandle,
> + IN EFI_SYSTEM_TABLE *SystemTable
> + )
> +{
> + EFI_STATUS Status;
> + UINT8 SetupMode;
> +
> + Status = GetSetupMode (&SetupMode);
> + if (EFI_ERROR (Status)) {
> + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode
> variable: %r\n", Status);
> + return 1;
> + }
> +
> + if (SetupMode == USER_MODE) {
> + AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n");
> + return 1;
> + }
> +
> + Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
> + if (EFI_ERROR (Status)) {
> + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set
> CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
> + return 1;
> + }
> +
> + Status = EnrollDbFromDefault ();
> + if (EFI_ERROR (Status)) {
> + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status);
> + goto error;
> + }
> +
> + Status = EnrollDbxFromDefault ();
> + if (EFI_ERROR (Status)) {
> + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Status);
> + }
> +
> + Status = EnrollDbtFromDefault ();
> + if (EFI_ERROR (Status)) {
> + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Status);
> + }
> +
> + Status = EnrollKEKFromDefault ();
> + if (EFI_ERROR (Status)) {
> + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Status);
> + goto cleardbs;
> + }
> +
> + Status = EnrollPKFromDefault ();
> + if (EFI_ERROR (Status)) {
> + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status);
> + goto clearKEK;
> + }
> +
> + Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> + if (EFI_ERROR (Status)) {
> + AsciiPrint (
> + "EnrollFromDefaultKeysApp: Cannot set CustomMode to
> STANDARD_SECURE_BOOT_MODE\n"
> + "Please do it manually, otherwise system can be easily compromised\n"
> + );
> + }
> + return 0;
> +
> +clearKEK:
> + DeleteKEK ();
> +
> +cleardbs:
> + DeleteDbt ();
> + DeleteDbx ();
> + DeleteDb ();
> +
> +error:
> + Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> + if (EFI_ERROR (Status)) {
> + AsciiPrint (
> + "EnrollFromDefaultKeysApp: Cannot set CustomMode to
> STANDARD_SECURE_BOOT_MODE\n"
> + "Please do it manually, otherwise system can be easily compromised\n"
> + );
> + }
> +
> + return 1;
> +}
> --
> 2.25.1
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH v5 07/10] SecurityPkg: Add SecureBootDefaultKeysDxe driver
2021-07-01 9:17 ` [PATCH v5 07/10] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
@ 2021-07-06 11:53 ` Yao, Jiewen
0 siblings, 0 replies; 35+ messages in thread
From: Yao, Jiewen @ 2021-07-06 11:53 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com,
upstream@semihalf.com, Wang, Jian J, Xu, Min M, lersek@redhat.com,
sami.mujawar@arm.com, afish@apple.com, Ni, Ray, Justen, Jordan L,
rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com,
Chiu, Chasel, Desimone, Nathaniel L, gaoliming@byosoft.com.cn,
Dong, Eric, Kinney, Michael D, Sun, Zailiang, Qian, Yi,
graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Sunny Wang
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> -----Original Message-----
> From: Grzegorz Bernacki <gjb@semihalf.com>
> Sent: Thursday, July 1, 2021 5:18 PM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> lersek@redhat.com; sami.mujawar@arm.com; afish@apple.com; Ni, Ray
> <ray.ni@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>;
> rebecca@bsdio.com; grehan@freebsd.org; thomas.abraham@arm.com; Chiu,
> Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Sun,
> Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki
> <gjb@semihalf.com>; Sunny Wang <sunny.wang@arm.com>
> Subject: [PATCH v5 07/10] SecurityPkg: Add SecureBootDefaultKeysDxe driver
>
> This driver initializes default Secure Boot keys and databases
> based on keys embedded in flash.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> Reviewed-by: Sunny Wang <sunny.wang@arm.com>
> Reviewed-by: Pete Batard <pete@akeo.ie>
> Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi
> ---
>
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefa
> ultKeysDxe.inf | 45 +++++++++++++
>
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefa
> ultKeysDxe.c | 68 ++++++++++++++++++++
>
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefa
> ultKeysDxe.uni | 16 +++++
> 3 files changed, 129 insertions(+)
> create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefa
> ultKeysDxe.inf
> create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefa
> ultKeysDxe.c
> create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefa
> ultKeysDxe.uni
>
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf
> b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf
> new file mode 100644
> index 0000000000..0af7563a3b
> --- /dev/null
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf
> @@ -0,0 +1,45 @@
> +## @file
> +# Initializes Secure Boot default keys
> +#
> +# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +# Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +[Defines]
> + INF_VERSION = 0x00010005
> + BASE_NAME = SecureBootDefaultKeysDxe
> + FILE_GUID = C937FCB7-25AC-4376-89A2-4EA8B317DE83
> + MODULE_TYPE = DXE_DRIVER
> + ENTRY_POINT = SecureBootDefaultKeysEntryPoint
> +
> +#
> +# VALID_ARCHITECTURES = IA32 X64 AARCH64
> +#
> +[Sources]
> + SecureBootDefaultKeysDxe.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + MdeModulePkg/MdeModulePkg.dec
> + SecurityPkg/SecurityPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + MemoryAllocationLib
> + UefiDriverEntryPoint
> + DebugLib
> + SecureBootVariableLib
> +
> +[Guids]
> + ## SOMETIMES_PRODUCES ## Variable:L"PKDefault"
> + ## SOMETIMES_PRODUCES ## Variable:L"KEKDefault"
> + ## SOMETIMES_PRODUCES ## Variable:L"dbDefault"
> + ## SOMETIMES_PRODUCES ## Variable:L"dbtDefault"
> + ## SOMETIMES_PRODUCES ## Variable:L"dbxDefault"
> + gEfiGlobalVariableGuid
> +
> +[Depex]
> + gEfiVariableArchProtocolGuid AND
> + gEfiVariableWriteArchProtocolGuid
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.c
> b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.c
> new file mode 100644
> index 0000000000..12a18dc352
> --- /dev/null
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.c
> @@ -0,0 +1,68 @@
> +/** @file
> + This driver init default Secure Boot variables
> +
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +#include <Guid/AuthenticatedVariableFormat.h>
> +#include <Guid/ImageAuthentication.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/UefiBootServicesTableLib.h>
> +#include <Library/UefiRuntimeServicesTableLib.h>
> +#include <Library/SecureBootVariableLib.h>
> +
> +/**
> + The entry point for SecureBootDefaultKeys driver.
> +
> + @param[in] ImageHandle The image handle of the driver.
> + @param[in] SystemTable The system table.
> +
> + @retval EFI_ALREADY_STARTED The driver already exists in system.
> + @retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack of
> resources.
> + @retval EFI_SUCCESS All the related protocols are installed on the
> driver.
> + @retval Others Fail to get the SecureBootEnable variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +SecureBootDefaultKeysEntryPoint (
> + IN EFI_HANDLE ImageHandle,
> + IN EFI_SYSTEM_TABLE *SystemTable
> + )
> +{
> + EFI_STATUS Status;
> +
> + Status = SecureBootInitPKDefault ();
> + if (EFI_ERROR (Status)) {
> + DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n",
> __FUNCTION__, Status));
> + return Status;
> + }
> +
> + Status = SecureBootInitKEKDefault ();
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n",
> __FUNCTION__, Status));
> + return Status;
> + }
> + Status = SecureBootInitdbDefault ();
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n",
> __FUNCTION__, Status));
> + return Status;
> + }
> +
> + Status = SecureBootInitdbtDefault ();
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__));
> + }
> +
> + Status = SecureBootInitdbxDefault ();
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__));
> + }
> +
> + return Status;
> +}
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.uni
> b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.uni
> new file mode 100644
> index 0000000000..2b6cb7f950
> --- /dev/null
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.uni
> @@ -0,0 +1,16 @@
> +// /** @file
> +// Provides the capability to intialize Secure Boot default variables
> +//
> +// Module which initializes Secure boot default variables.
> +//
> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +// Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT #language en-US "Module which
> initializes Secure boot default variables"
> +
> +#string STR_MODULE_DESCRIPTION #language en-US "This module reads
> embedded keys and initializes Secure Boot default variables."
> --
> 2.25.1
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH v5 10/10] SecurityPkg: Add option to reset secure boot keys.
2021-07-01 9:17 ` [PATCH v5 10/10] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
@ 2021-07-06 11:53 ` Yao, Jiewen
0 siblings, 0 replies; 35+ messages in thread
From: Yao, Jiewen @ 2021-07-06 11:53 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com,
upstream@semihalf.com, Wang, Jian J, Xu, Min M, lersek@redhat.com,
sami.mujawar@arm.com, afish@apple.com, Ni, Ray, Justen, Jordan L,
rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com,
Chiu, Chasel, Desimone, Nathaniel L, gaoliming@byosoft.com.cn,
Dong, Eric, Kinney, Michael D, Sun, Zailiang, Qian, Yi,
graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Sunny Wang
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> -----Original Message-----
> From: Grzegorz Bernacki <gjb@semihalf.com>
> Sent: Thursday, July 1, 2021 5:18 PM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> lersek@redhat.com; sami.mujawar@arm.com; afish@apple.com; Ni, Ray
> <ray.ni@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>;
> rebecca@bsdio.com; grehan@freebsd.org; thomas.abraham@arm.com; Chiu,
> Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Sun,
> Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki
> <gjb@semihalf.com>; Sunny Wang <sunny.wang@arm.com>
> Subject: [PATCH v5 10/10] SecurityPkg: Add option to reset secure boot keys.
>
> This commit add option which allows reset content of Secure Boot
> keys and databases to default variables.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> Reviewed-by: Sunny Wang <sunny.wang@arm.com>
> Reviewed-by: Pete Batard <pete@akeo.ie>
> Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
> ---
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> e.inf | 1 +
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNv
> Data.h | 2 +
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
> | 6 +
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.c | 154 ++++++++++++++++++++
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStri
> ngs.uni | 4 +
> 5 files changed, 167 insertions(+)
>
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf
> index 30d9cd8025..bd8d256dde 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf
> @@ -109,6 +109,7 @@
> [Protocols]
> gEfiHiiConfigAccessProtocolGuid ## PRODUCES
> gEfiDevicePathProtocolGuid ## PRODUCES
> + gEfiHiiPopupProtocolGuid
>
> [Depex]
> gEfiHiiConfigRoutingProtocolGuid AND
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> NvData.h
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> NvData.h
> index 6e54a4b0f2..4ecc25efc3 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> NvData.h
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> NvData.h
> @@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #define KEY_VALUE_FROM_DBX_TO_LIST_FORM 0x100f
>
> +#define KEY_SECURE_BOOT_RESET_TO_DEFAULT 0x1010
> +
> #define KEY_SECURE_BOOT_OPTION 0x1100
> #define KEY_SECURE_BOOT_PK_OPTION 0x1101
> #define KEY_SECURE_BOOT_KEK_OPTION 0x1102
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> vfr
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> vfr
> index fa7e11848c..e4560c592c 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> vfr
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> vfr
> @@ -69,6 +69,12 @@ formset
> endif;
> endif;
>
> + text
> + help = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP),
> + text = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS),
> + flags = INTERACTIVE,
> + key = KEY_SECURE_BOOT_RESET_TO_DEFAULT;
> +
> endform;
>
> //
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> mpl.c
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> mpl.c
> index 67e5e594ed..47f281873b 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> mpl.c
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> mpl.c
> @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> **/
>
> #include "SecureBootConfigImpl.h"
> +#include <Protocol/HiiPopup.h>
> #include <Library/BaseCryptLib.h>
> #include <Library/SecureBootVariableLib.h>
>
> @@ -4154,6 +4155,132 @@ ON_EXIT:
> return Status;
> }
>
> +/**
> + This function reinitializes Secure Boot variables with default values.
> +
> + @retval EFI_SUCCESS Success to update the signature list page
> + @retval others Fail to delete or enroll signature data.
> +**/
> +
> +STATIC EFI_STATUS
> +EFIAPI
> +KeyEnrollReset (
> + VOID
> + )
> +{
> + EFI_STATUS Status;
> + UINT8 SetupMode;
> +
> + Status = EFI_SUCCESS;
> +
> + Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
> + if (EFI_ERROR(Status)) {
> + return Status;
> + }
> +
> + // Clear all the keys and databases
> + Status = DeleteDb ();
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> + DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status));
> + return Status;
> + }
> +
> + Status = DeleteDbx ();
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> + DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status));
> + return Status;
> + }
> +
> + Status = DeleteDbt ();
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> + DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status));
> + return Status;
> + }
> +
> + Status = DeleteKEK ();
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> + DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status));
> + return Status;
> + }
> +
> + Status = DeletePlatformKey ();
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> + DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status));
> + return Status;
> + }
> +
> + // After PK clear, Setup Mode shall be enabled
> + Status = GetSetupMode (&SetupMode);
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n",
> + Status));
> + return Status;
> + }
> +
> + if (SetupMode == USER_MODE) {
> + DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n"));
> + return EFI_SUCCESS;
> + }
> +
> + Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Cannot set
> CUSTOM_SECURE_BOOT_MODE: %r\n",
> + Status));
> + return EFI_SUCCESS;
> + }
> +
> + // Enroll all the keys from default variables
> + Status = EnrollDbFromDefault ();
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status));
> + goto error;
> + }
> +
> + Status = EnrollDbxFromDefault ();
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status));
> + }
> +
> + Status = EnrollDbtFromDefault ();
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status));
> + }
> +
> + Status = EnrollKEKFromDefault ();
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status));
> + goto cleardbs;
> + }
> +
> + Status = EnrollPKFromDefault ();
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status));
> + goto clearKEK;
> + }
> +
> + Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to
> STANDARD_SECURE_BOOT_MODE\n"
> + "Please do it manually, otherwise system can be easily compromised\n"));
> + }
> +
> + return Status;
> +
> +clearKEK:
> + DeleteKEK ();
> +
> +cleardbs:
> + DeleteDbt ();
> + DeleteDbx ();
> + DeleteDb ();
> +
> +error:
> + if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) != EFI_SUCCESS)
> {
> + DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status));
> + }
> + return Status;
> +}
> +
> /**
> This function is called to provide results data to the driver.
>
> @@ -4205,6 +4332,8 @@ SecureBootCallback (
> SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
> BOOLEAN GetBrowserDataResult;
> ENROLL_KEY_ERROR EnrollKeyErrorCode;
> + EFI_HII_POPUP_PROTOCOL *HiiPopup;
> + EFI_HII_POPUP_SELECTION UserSelection;
>
> Status = EFI_SUCCESS;
> SecureBootEnable = NULL;
> @@ -4755,6 +4884,31 @@ SecureBootCallback (
> FreePool (SetupMode);
> }
> break;
> + case KEY_SECURE_BOOT_RESET_TO_DEFAULT:
> + {
> + Status = gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VOID **)
> &HiiPopup);
> + if (EFI_ERROR (Status)) {
> + return Status;
> + }
> + Status = HiiPopup->CreatePopup (
> + HiiPopup,
> + EfiHiiPopupStyleInfo,
> + EfiHiiPopupTypeYesNo,
> + Private->HiiHandle,
> + STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP),
> + &UserSelection
> + );
> + if (UserSelection == EfiHiiPopupSelectionYes) {
> + Status = KeyEnrollReset ();
> + }
> + //
> + // Update secure boot strings after key reset
> + //
> + if (Status == EFI_SUCCESS) {
> + Status = UpdateSecureBootString (Private);
> + SecureBootExtractConfigFromVariable (Private, IfrNvData);
> + }
> + }
> default:
> break;
> }
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> trings.uni
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> trings.uni
> index ac783453cc..0d01701de7 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> trings.uni
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> trings.uni
> @@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure
> Boot"
> #string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable the
> Secure Boot feature after platform reset"
>
> +#string STR_SECURE_RESET_TO_DEFAULTS_HELP #language en-US "Enroll
> keys with data from default variables"
> +#string STR_SECURE_RESET_TO_DEFAULTS #language en-US "Reset Secure
> Boot Keys"
> +#string STR_RESET_TO_DEFAULTS_POPUP #language en-US "Secure Boot
> Keys & databases will be initialized from defaults.\n Are you sure?"
> +
> #string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll
> Signature"
> #string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete
> Signature"
> #string STR_SECURE_BOOT_DELETE_LIST_FORM #language en-US "Delete
> Signature List Form"
> --
> 2.25.1
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables.
2021-07-01 9:17 ` [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
@ 2021-07-06 11:55 ` Yao, Jiewen
2021-07-09 9:29 ` Sunny Wang
1 sibling, 0 replies; 35+ messages in thread
From: Yao, Jiewen @ 2021-07-06 11:55 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com,
upstream@semihalf.com, Wang, Jian J, Xu, Min M, lersek@redhat.com,
sami.mujawar@arm.com, afish@apple.com, Ni, Ray, Justen, Jordan L,
rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com,
Chiu, Chasel, Desimone, Nathaniel L, gaoliming@byosoft.com.cn,
Dong, Eric, Kinney, Michael D, Sun, Zailiang, Qian, Yi,
graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> -----Original Message-----
> From: Grzegorz Bernacki <gjb@semihalf.com>
> Sent: Thursday, July 1, 2021 5:18 PM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> lersek@redhat.com; sami.mujawar@arm.com; afish@apple.com; Ni, Ray
> <ray.ni@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>;
> rebecca@bsdio.com; grehan@freebsd.org; thomas.abraham@arm.com; Chiu,
> Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Sun,
> Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki
> <gjb@semihalf.com>
> Subject: [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot
> variables.
>
> This commits add library, which consist functions related
> creation/removal Secure Boot variables. Some of the functions
> was moved from SecureBootConfigImpl.c file.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
> SecurityPkg/SecurityPkg.dsc | 1 +
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 79 ++
> SecurityPkg/Include/Library/SecureBootVariableLib.h | 251 +++++
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 980
> ++++++++++++++++++++
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 16 +
> 5 files changed, 1327 insertions(+)
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
>
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> index bd4b810bce..854f250625 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -70,6 +70,7 @@
> RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
>
> TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLo
> gRecordLib.inf
>
> MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockM
> emoryLibNull.inf
> +
> SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBoot
> VariableLib.inf
>
> [LibraryClasses.ARM]
> #
> diff --git
> a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> new file mode 100644
> index 0000000000..84367841d5
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> @@ -0,0 +1,79 @@
> +## @file
> +# Provides initialization of Secure Boot keys and databases.
> +#
> +# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +# Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +#
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> + INF_VERSION = 0x00010005
> + BASE_NAME = SecureBootVariableLib
> + MODULE_UNI_FILE = SecureBootVariableLib.uni
> + FILE_GUID = D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F
> + MODULE_TYPE = DXE_DRIVER
> + VERSION_STRING = 1.0
> + LIBRARY_CLASS = SecureBootVariableLib|DXE_DRIVER
> DXE_RUNTIME_DRIVER UEFI_APPLICATION
> +
> +#
> +# The following information is for reference only and not required by the build
> tools.
> +#
> +# VALID_ARCHITECTURES = IA32 X64 AARCH64
> +#
> +
> +[Sources]
> + SecureBootVariableLib.c
> +
> +[Packages]
> + MdePkg/MdePkg.dec
> + MdeModulePkg/MdeModulePkg.dec
> + SecurityPkg/SecurityPkg.dec
> + CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> + MemoryAllocationLib
> + BaseCryptLib
> + DxeServicesLib
> +
> +[Guids]
> + ## CONSUMES ## Variable:L"SetupMode"
> + ## PRODUCES ## Variable:L"SetupMode"
> + ## CONSUMES ## Variable:L"SecureBoot"
> + ## PRODUCES ## Variable:L"SecureBoot"
> + ## PRODUCES ## Variable:L"PK"
> + ## PRODUCES ## Variable:L"KEK"
> + ## CONSUMES ## Variable:L"PKDefault"
> + ## CONSUMES ## Variable:L"KEKDefault"
> + ## CONSUMES ## Variable:L"dbDefault"
> + ## CONSUMES ## Variable:L"dbxDefault"
> + ## CONSUMES ## Variable:L"dbtDefault"
> + gEfiGlobalVariableGuid
> +
> + ## SOMETIMES_CONSUMES ## Variable:L"DB"
> + ## SOMETIMES_CONSUMES ## Variable:L"DBX"
> + ## SOMETIMES_CONSUMES ## Variable:L"DBT"
> + gEfiImageSecurityDatabaseGuid
> +
> + ## CONSUMES ## Variable:L"SecureBootEnable"
> + ## PRODUCES ## Variable:L"SecureBootEnable"
> + gEfiSecureBootEnableDisableGuid
> +
> + ## CONSUMES ## Variable:L"CustomMode"
> + ## PRODUCES ## Variable:L"CustomMode"
> + gEfiCustomModeEnableGuid
> +
> + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES
> + gEfiCertX509Guid ## CONSUMES
> + gEfiCertPkcs7Guid ## CONSUMES
> +
> + gDefaultPKFileGuid
> + gDefaultKEKFileGuid
> + gDefaultdbFileGuid
> + gDefaultdbxFileGuid
> + gDefaultdbtFileGuid
> +
> diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h
> b/SecurityPkg/Include/Library/SecureBootVariableLib.h
> new file mode 100644
> index 0000000000..e010667165
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h
> @@ -0,0 +1,251 @@
> +/** @file
> + Provides a function to enroll keys based on default values.
> +
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef __SECURE_BOOT_VARIABLE_LIB_H__
> +#define __SECURE_BOOT_VARIABLE_LIB_H__
> +
> +/**
> + Set the platform secure boot mode into "Custom" or "Standard" mode.
> +
> + @param[in] SecureBootMode New secure boot mode:
> STANDARD_SECURE_BOOT_MODE or
> + CUSTOM_SECURE_BOOT_MODE.
> +
> + @return EFI_SUCCESS The platform has switched to the special mode
> successfully.
> + @return other Fail to operate the secure boot mode.
> +
> +--*/
> +EFI_STATUS
> +SetSecureBootMode (
> + IN UINT8 SecureBootMode
> +);
> +
> +/**
> + Fetches the value of SetupMode variable.
> +
> + @param[out] SetupMode Pointer to UINT8 for SetupMode output
> +
> + @retval other Error codes from GetVariable.
> +--*/
> +EFI_STATUS
> +EFIAPI
> +GetSetupMode (
> + OUT UINT8 *SetupMode
> +);
> +
> +/**
> + Create a time based data payload by concatenating the
> EFI_VARIABLE_AUTHENTICATION_2
> + descriptor with the input data. NO authentication is required in this function.
> +
> + @param[in, out] DataSize On input, the size of Data buffer in bytes.
> + On output, the size of data returned in Data
> + buffer in bytes.
> + @param[in, out] Data On input, Pointer to data buffer to be wrapped
> or
> + pointer to NULL to wrap an empty payload.
> + On output, Pointer to the new payload date buffer allocated
> from pool,
> + it's caller's responsibility to free the memory when finish
> using it.
> +
> + @retval EFI_SUCCESS Create time based payload successfully.
> + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources
> to create time based payload.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval Others Unexpected error happens.
> +
> +--*/
> +EFI_STATUS
> +CreateTimeBasedPayload (
> + IN OUT UINTN *DataSize,
> + IN OUT UINT8 **Data
> +);
> +
> +/**
> + Sets the content of the 'db' variable based on 'dbDefault' variable content.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbFromDefault (
> + VOID
> +);
> +
> +/**
> + Clears the content of the 'db' variable.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDb (
> + VOID
> +);
> +
> +/**
> + Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbxFromDefault (
> + VOID
> +);
> +
> +/**
> + Clears the content of the 'dbx' variable.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbx (
> + VOID
> +);
> +
> +/**
> + Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbtFromDefault (
> + VOID
> +);
> +
> +/**
> + Clears the content of the 'dbt' variable.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbt (
> + VOID
> +);
> +
> +/**
> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollKEKFromDefault (
> + VOID
> +);
> +
> +/**
> + Clears the content of the 'KEK' variable.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteKEK (
> + VOID
> +);
> +
> +/**
> + Sets the content of the 'PK' variable based on 'PKDefault' variable content.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollPKFromDefault (
> + VOID
> +);
> +
> +/**
> + Clears the content of the 'PK' variable.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2(), GetTime() and
> SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeletePlatformKey (
> + VOID
> +);
> +
> +/**
> + Initializes PKDefault variable with data from FFS section.
> +
> + @retval EFI_SUCCESS Variable was initialized successfully.
> + @retval EFI_UNSUPPORTED Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitPKDefault (
> + IN VOID
> + );
> +
> +/**
> + Initializes KEKDefault variable with data from FFS section.
> +
> + @retval EFI_SUCCESS Variable was initialized successfully.
> + @retval EFI_UNSUPPORTED Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitKEKDefault (
> + IN VOID
> + );
> +
> +/**
> + Initializes dbDefault variable with data from FFS section.
> +
> + @retval EFI_SUCCESS Variable was initialized successfully.
> + @retval EFI_UNSUPPORTED Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbDefault (
> + IN VOID
> + );
> +
> +/**
> + Initializes dbtDefault variable with data from FFS section.
> +
> + @retval EFI_SUCCESS Variable was initialized successfully.
> + @retval EFI_UNSUPPORTED Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbtDefault (
> + IN VOID
> + );
> +
> +/**
> + Initializes dbxDefault variable with data from FFS section.
> +
> + @retval EFI_SUCCESS Variable was initialized successfully.
> + @retval EFI_UNSUPPORTED Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbxDefault (
> + IN VOID
> + );
> +#endif
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> new file mode 100644
> index 0000000000..f3dafeca6e
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> @@ -0,0 +1,980 @@
> +/** @file
> + This library provides functions to set/clear Secure Boot
> + keys and databases.
> +
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +#include <Guid/GlobalVariable.h>
> +#include <Guid/AuthenticatedVariableFormat.h>
> +#include <Guid/ImageAuthentication.h>
> +#include <Library/BaseCryptLib.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/UefiLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/UefiRuntimeServicesTableLib.h>
> +#include <Library/SecureBootVariableLib.h>
> +#include "Library/DxeServicesLib.h"
> +
> +/** Creates EFI Signature List structure.
> +
> + @param[in] Data A pointer to signature data.
> + @param[in] Size Size of signature data.
> + @param[out] SigList Created Signature List.
> +
> + @retval EFI_SUCCESS Signature List was created successfully.
> + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
> +--*/
> +STATIC
> +EFI_STATUS
> +CreateSigList (
> + IN VOID *Data,
> + IN UINTN Size,
> + OUT EFI_SIGNATURE_LIST **SigList
> + )
> +{
> + UINTN SigListSize;
> + EFI_SIGNATURE_LIST *TmpSigList;
> + EFI_SIGNATURE_DATA *SigData;
> +
> + //
> + // Allocate data for Signature Database
> + //
> + SigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1
> + Size;
> + TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize);
> + if (TmpSigList == NULL) {
> + return EFI_OUT_OF_RESOURCES;
> + }
> +
> + //
> + // Only gEfiCertX509Guid type is supported
> + //
> + TmpSigList->SignatureListSize = (UINT32)SigListSize;
> + TmpSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 +
> Size);
> + TmpSigList->SignatureHeaderSize = 0;
> + CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid);
> +
> + //
> + // Copy key data
> + //
> + SigData = (EFI_SIGNATURE_DATA *) (TmpSigList + 1);
> + CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid);
> + CopyMem (&SigData->SignatureData[0], Data, Size);
> +
> + *SigList = TmpSigList;
> +
> + return EFI_SUCCESS;
> +}
> +
> +/** Adds new signature list to signature database.
> +
> + @param[in] SigLists A pointer to signature database.
> + @param[in] SiglListAppend A signature list to be added.
> + @param[out] *SigListOut Created signature database.
> + @param[out] SigListsSize A size of created signature database.
> +
> + @retval EFI_SUCCESS Signature List was added successfully.
> + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
> +--*/
> +STATIC
> +EFI_STATUS
> +ConcatenateSigList (
> + IN EFI_SIGNATURE_LIST *SigLists,
> + IN EFI_SIGNATURE_LIST *SigListAppend,
> + OUT EFI_SIGNATURE_LIST **SigListOut,
> + IN OUT UINTN *SigListsSize
> +)
> +{
> + EFI_SIGNATURE_LIST *TmpSigList;
> + UINT8 *Offset;
> + UINTN NewSigListsSize;
> +
> + NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
> +
> + TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);
> + if (TmpSigList == NULL) {
> + return EFI_OUT_OF_RESOURCES;
> + }
> +
> + CopyMem (TmpSigList, SigLists, *SigListsSize);
> +
> + Offset = (UINT8 *)TmpSigList;
> + Offset += *SigListsSize;
> + CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);
> +
> + *SigListsSize = NewSigListsSize;
> + *SigListOut = TmpSigList;
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Create a EFI Signature List with data fetched from section specified as a
> argument.
> + Found keys are verified using RsaGetPublicKeyFromX509().
> +
> + @param[in] KeyFileGuid A pointer to to the FFS filename GUID
> + @param[out] SigListsSize A pointer to size of signature list
> + @param[out] SigListsOut a pointer to a callee-allocated buffer with
> signature lists
> +
> + @retval EFI_SUCCESS Create time based payload successfully.
> + @retval EFI_NOT_FOUND Section with key has not been found.
> + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.
> + @retval Others Unexpected error happens.
> +
> +--*/
> +STATIC
> +EFI_STATUS
> +SecureBootFetchData (
> + IN EFI_GUID *KeyFileGuid,
> + OUT UINTN *SigListsSize,
> + OUT EFI_SIGNATURE_LIST **SigListOut
> +)
> +{
> + EFI_SIGNATURE_LIST *EfiSig;
> + EFI_SIGNATURE_LIST *TmpEfiSig;
> + EFI_SIGNATURE_LIST *TmpEfiSig2;
> + EFI_STATUS Status;
> + VOID *Buffer;
> + VOID *RsaPubKey;
> + UINTN Size;
> + UINTN KeyIndex;
> +
> +
> + KeyIndex = 0;
> + EfiSig = NULL;
> + *SigListsSize = 0;
> + while (1) {
> + Status = GetSectionFromAnyFv (
> + KeyFileGuid,
> + EFI_SECTION_RAW,
> + KeyIndex,
> + &Buffer,
> + &Size
> + );
> +
> + if (Status == EFI_SUCCESS) {
> + RsaPubKey = NULL;
> + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
> + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__,
> KeyIndex));
> + if (EfiSig != NULL) {
> + FreePool(EfiSig);
> + }
> + FreePool(Buffer);
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + Status = CreateSigList (Buffer, Size, &TmpEfiSig);
> +
> + //
> + // Concatenate lists if more than one section found
> + //
> + if (KeyIndex == 0) {
> + EfiSig = TmpEfiSig;
> + *SigListsSize = TmpEfiSig->SignatureListSize;
> + } else {
> + ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
> + FreePool (EfiSig);
> + FreePool (TmpEfiSig);
> + EfiSig = TmpEfiSig2;
> + }
> +
> + KeyIndex++;
> + FreePool (Buffer);
> + } if (Status == EFI_NOT_FOUND) {
> + break;
> + }
> + };
> +
> + if (KeyIndex == 0) {
> + return EFI_NOT_FOUND;
> + }
> +
> + *SigListOut = EfiSig;
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Create a time based data payload by concatenating the
> EFI_VARIABLE_AUTHENTICATION_2
> + descriptor with the input data. NO authentication is required in this function.
> +
> + @param[in, out] DataSize On input, the size of Data buffer in bytes.
> + On output, the size of data returned in Data
> + buffer in bytes.
> + @param[in, out] Data On input, Pointer to data buffer to be wrapped
> or
> + pointer to NULL to wrap an empty payload.
> + On output, Pointer to the new payload date buffer allocated
> from pool,
> + it's caller's responsibility to free the memory when finish
> using it.
> +
> + @retval EFI_SUCCESS Create time based payload successfully.
> + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources
> to create time based payload.
> + @retval EFI_INVALID_PARAMETER The parameter is invalid.
> + @retval Others Unexpected error happens.
> +
> +--*/
> +EFI_STATUS
> +CreateTimeBasedPayload (
> + IN OUT UINTN *DataSize,
> + IN OUT UINT8 **Data
> + )
> +{
> + EFI_STATUS Status;
> + UINT8 *NewData;
> + UINT8 *Payload;
> + UINTN PayloadSize;
> + EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
> + UINTN DescriptorSize;
> + EFI_TIME Time;
> +
> + if (Data == NULL || DataSize == NULL) {
> + return EFI_INVALID_PARAMETER;
> + }
> +
> + //
> + // In Setup mode or Custom mode, the variable does not need to be signed
> but the
> + // parameters to the SetVariable() call still need to be prepared as
> authenticated
> + // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor
> without certificate
> + // data in it.
> + //
> + Payload = *Data;
> + PayloadSize = *DataSize;
> +
> + DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)
> + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> + NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
> + if (NewData == NULL) {
> + return EFI_OUT_OF_RESOURCES;
> + }
> +
> + if ((Payload != NULL) && (PayloadSize != 0)) {
> + CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
> + }
> +
> + DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
> +
> + ZeroMem (&Time, sizeof (EFI_TIME));
> + Status = gRT->GetTime (&Time, NULL);
> + if (EFI_ERROR (Status)) {
> + FreePool(NewData);
> + return Status;
> + }
> + Time.Pad1 = 0;
> + Time.Nanosecond = 0;
> + Time.TimeZone = 0;
> + Time.Daylight = 0;
> + Time.Pad2 = 0;
> + CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
> +
> + DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF
> (WIN_CERTIFICATE_UEFI_GUID, CertData);
> + DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
> + DescriptorData->AuthInfo.Hdr.wCertificateType =
> WIN_CERT_TYPE_EFI_GUID;
> + CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
> +
> + if (Payload != NULL) {
> + FreePool(Payload);
> + }
> +
> + *DataSize = DescriptorSize + PayloadSize;
> + *Data = NewData;
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Internal helper function to delete a Variable given its name and GUID, NO
> authentication
> + required.
> +
> + @param[in] VariableName Name of the Variable.
> + @param[in] VendorGuid GUID of the Variable.
> +
> + @retval EFI_SUCCESS Variable deleted successfully.
> + @retval Others The driver failed to start the device.
> +
> +--*/
> +EFI_STATUS
> +DeleteVariable (
> + IN CHAR16 *VariableName,
> + IN EFI_GUID *VendorGuid
> + )
> +{
> + EFI_STATUS Status;
> + VOID* Variable;
> + UINT8 *Data;
> + UINTN DataSize;
> + UINT32 Attr;
> +
> + GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
> + if (Variable == NULL) {
> + return EFI_SUCCESS;
> + }
> + FreePool (Variable);
> +
> + Data = NULL;
> + DataSize = 0;
> + Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS
> + | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> +
> + Status = CreateTimeBasedPayload (&DataSize, &Data);
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r",
> Status));
> + return Status;
> + }
> +
> + Status = gRT->SetVariable (
> + VariableName,
> + VendorGuid,
> + Attr,
> + DataSize,
> + Data
> + );
> + if (Data != NULL) {
> + FreePool (Data);
> + }
> + return Status;
> +}
> +
> +/**
> +
> + Set the platform secure boot mode into "Custom" or "Standard" mode.
> +
> + @param[in] SecureBootMode New secure boot mode:
> STANDARD_SECURE_BOOT_MODE or
> + CUSTOM_SECURE_BOOT_MODE.
> +
> + @return EFI_SUCCESS The platform has switched to the special mode
> successfully.
> + @return other Fail to operate the secure boot mode.
> +
> +--*/
> +EFI_STATUS
> +SetSecureBootMode (
> + IN UINT8 SecureBootMode
> + )
> +{
> + return gRT->SetVariable (
> + EFI_CUSTOM_MODE_NAME,
> + &gEfiCustomModeEnableGuid,
> + EFI_VARIABLE_NON_VOLATILE |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> + sizeof (UINT8),
> + &SecureBootMode
> + );
> +}
> +
> +
> +/**
> + Enroll a key/certificate based on a default variable.
> +
> + @param[in] VariableName The name of the key/database.
> + @param[in] DefaultName The name of the default variable.
> + @param[in] VendorGuid The namespace (ie. vendor GUID) of the
> variable
> +
> +
> + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating
> AuthHeader.
> + @retval EFI_SUCCESS Successful enrollment.
> + @return Error codes from GetTime () and SetVariable ().
> +--*/
> +STATIC
> +EFI_STATUS
> +EnrollFromDefault (
> + IN CHAR16 *VariableName,
> + IN CHAR16 *DefaultName,
> + IN EFI_GUID *VendorGuid
> + )
> +{
> + VOID *Data;
> + UINTN DataSize;
> + EFI_STATUS Status;
> +
> + Status = EFI_SUCCESS;
> +
> + DataSize = 0;
> + Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data,
> &DataSize);
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName,
> Status));
> + return Status;
> + }
> +
> + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r",
> Status));
> + return Status;
> + }
> +
> + //
> + // Allocate memory for auth variable
> + //
> + Status = gRT->SetVariable (
> + VariableName,
> + VendorGuid,
> + (EFI_VARIABLE_NON_VOLATILE |
> + EFI_VARIABLE_BOOTSERVICE_ACCESS |
> + EFI_VARIABLE_RUNTIME_ACCESS |
> + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
> + DataSize,
> + Data
> + );
> +
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__,
> VariableName,
> + VendorGuid, Status));
> + }
> +
> + if (Data != NULL) {
> + FreePool (Data);
> + }
> +
> + return Status;
> +}
> +
> +/** Initializes PKDefault variable with data from FFS section.
> +
> +
> + @retval EFI_SUCCESS Variable was initialized successfully.
> + @retval EFI_UNSUPPORTED Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitPKDefault (
> + IN VOID
> + )
> +{
> + EFI_SIGNATURE_LIST *EfiSig;
> + UINTN SigListsSize;
> + EFI_STATUS Status;
> + UINT8 *Data;
> + UINTN DataSize;
> +
> + //
> + // Check if variable exists, if so do not change it
> + //
> + Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> + if (Status == EFI_SUCCESS) {
> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_PK_DEFAULT_VARIABLE_NAME));
> + FreePool (Data);
> + return EFI_UNSUPPORTED;
> + }
> +
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> + return Status;
> + }
> +
> + //
> + // Variable does not exist, can be initialized
> + //
> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n",
> EFI_PK_DEFAULT_VARIABLE_NAME));
> +
> + Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_INFO, "Content for %s not found\n",
> EFI_PK_DEFAULT_VARIABLE_NAME));
> + return Status;
> + }
> +
> + Status = gRT->SetVariable (
> + EFI_PK_DEFAULT_VARIABLE_NAME,
> + &gEfiGlobalVariableGuid,
> + EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> + SigListsSize,
> + (VOID *)EfiSig
> + );
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> EFI_PK_DEFAULT_VARIABLE_NAME));
> + }
> +
> + FreePool (EfiSig);
> +
> + return Status;
> +}
> +
> +/** Initializes KEKDefault variable with data from FFS section.
> +
> +
> + @retval EFI_SUCCESS Variable was initialized successfully.
> + @retval EFI_UNSUPPORTED Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitKEKDefault (
> + IN VOID
> + )
> +{
> + EFI_SIGNATURE_LIST *EfiSig;
> + UINTN SigListsSize;
> + EFI_STATUS Status;
> + UINT8 *Data;
> + UINTN DataSize;
> +
> + //
> + // Check if variable exists, if so do not change it
> + //
> + Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> + if (Status == EFI_SUCCESS) {
> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_KEK_DEFAULT_VARIABLE_NAME));
> + FreePool (Data);
> + return EFI_UNSUPPORTED;
> + }
> +
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> + return Status;
> + }
> +
> + //
> + // Variable does not exist, can be initialized
> + //
> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n",
> EFI_KEK_DEFAULT_VARIABLE_NAME));
> +
> + Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_INFO, "Content for %s not found\n",
> EFI_KEK_DEFAULT_VARIABLE_NAME));
> + return Status;
> + }
> +
> +
> + Status = gRT->SetVariable (
> + EFI_KEK_DEFAULT_VARIABLE_NAME,
> + &gEfiGlobalVariableGuid,
> + EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> + SigListsSize,
> + (VOID *)EfiSig
> + );
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> EFI_KEK_DEFAULT_VARIABLE_NAME));
> + }
> +
> + FreePool (EfiSig);
> +
> + return Status;
> +}
> +
> +/** Initializes dbDefault variable with data from FFS section.
> +
> +
> + @retval EFI_SUCCESS Variable was initialized successfully.
> + @retval EFI_UNSUPPORTED Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbDefault (
> + IN VOID
> + )
> +{
> + EFI_SIGNATURE_LIST *EfiSig;
> + UINTN SigListsSize;
> + EFI_STATUS Status;
> + UINT8 *Data;
> + UINTN DataSize;
> +
> + Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> + if (Status == EFI_SUCCESS) {
> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_DB_DEFAULT_VARIABLE_NAME));
> + FreePool (Data);
> + return EFI_UNSUPPORTED;
> + }
> +
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> + return Status;
> + }
> +
> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n",
> EFI_DB_DEFAULT_VARIABLE_NAME));
> +
> + Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);
> + if (EFI_ERROR (Status)) {
> + return Status;
> + }
> +
> + Status = gRT->SetVariable (
> + EFI_DB_DEFAULT_VARIABLE_NAME,
> + &gEfiGlobalVariableGuid,
> + EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> + SigListsSize,
> + (VOID *)EfiSig
> + );
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> EFI_DB_DEFAULT_VARIABLE_NAME));
> + }
> +
> + FreePool (EfiSig);
> +
> + return Status;
> +}
> +
> +/** Initializes dbxDefault variable with data from FFS section.
> +
> +
> + @retval EFI_SUCCESS Variable was initialized successfully.
> + @retval EFI_UNSUPPORTED Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbxDefault (
> + IN VOID
> + )
> +{
> + EFI_SIGNATURE_LIST *EfiSig;
> + UINTN SigListsSize;
> + EFI_STATUS Status;
> + UINT8 *Data;
> + UINTN DataSize;
> +
> + //
> + // Check if variable exists, if so do not change it
> + //
> + Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> + if (Status == EFI_SUCCESS) {
> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_DBX_DEFAULT_VARIABLE_NAME));
> + FreePool (Data);
> + return EFI_UNSUPPORTED;
> + }
> +
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> + return Status;
> + }
> +
> + //
> + // Variable does not exist, can be initialized
> + //
> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n",
> EFI_DBX_DEFAULT_VARIABLE_NAME));
> +
> + Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_INFO, "Content for %s not found\n",
> EFI_DBX_DEFAULT_VARIABLE_NAME));
> + return Status;
> + }
> +
> + Status = gRT->SetVariable (
> + EFI_DBX_DEFAULT_VARIABLE_NAME,
> + &gEfiGlobalVariableGuid,
> + EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> + SigListsSize,
> + (VOID *)EfiSig
> + );
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> EFI_DBX_DEFAULT_VARIABLE_NAME));
> + }
> +
> + FreePool (EfiSig);
> +
> + return Status;
> +}
> +
> +/** Initializes dbtDefault variable with data from FFS section.
> +
> +
> + @retval EFI_SUCCESS Variable was initialized successfully.
> + @retval EFI_UNSUPPORTED Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbtDefault (
> + IN VOID
> + )
> +{
> + EFI_SIGNATURE_LIST *EfiSig;
> + UINTN SigListsSize;
> + EFI_STATUS Status;
> + UINT8 *Data;
> + UINTN DataSize;
> +
> + //
> + // Check if variable exists, if so do not change it
> + //
> + Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME,
> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> + if (Status == EFI_SUCCESS) {
> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",
> EFI_DBT_DEFAULT_VARIABLE_NAME));
> + FreePool (Data);
> + return EFI_UNSUPPORTED;
> + }
> +
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> + return Status;
> + }
> +
> + //
> + // Variable does not exist, can be initialized
> + //
> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n",
> EFI_DBT_DEFAULT_VARIABLE_NAME));
> +
> + Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);
> + if (EFI_ERROR (Status)) {
> + return Status;
> + }
> +
> + Status = gRT->SetVariable (
> + EFI_DBT_DEFAULT_VARIABLE_NAME,
> + &gEfiGlobalVariableGuid,
> + EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> + SigListsSize,
> + (VOID *)EfiSig
> + );
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_INFO, "Failed to set %s\n",
> EFI_DBT_DEFAULT_VARIABLE_NAME));
> + }
> +
> + FreePool (EfiSig);
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Fetches the value of SetupMode variable.
> +
> + @param[out] SetupMode Pointer to UINT8 for SetupMode output
> +
> + @retval other Retval from GetVariable.
> +--*/
> +EFI_STATUS
> +EFIAPI
> +GetSetupMode (
> + OUT UINT8 *SetupMode
> +)
> +{
> + UINTN Size;
> + EFI_STATUS Status;
> +
> + Size = sizeof (*SetupMode);
> + Status = gRT->GetVariable (
> + EFI_SETUP_MODE_NAME,
> + &gEfiGlobalVariableGuid,
> + NULL,
> + &Size,
> + SetupMode
> + );
> + if (EFI_ERROR (Status)) {
> + return Status;
> + }
> +
> + return EFI_SUCCESS;
> +}
> +
> +/**
> + Sets the content of the 'db' variable based on 'dbDefault' variable content.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbFromDefault (
> + VOID
> +)
> +{
> + EFI_STATUS Status;
> +
> + Status = EnrollFromDefault (
> + EFI_IMAGE_SECURITY_DATABASE,
> + EFI_DB_DEFAULT_VARIABLE_NAME,
> + &gEfiImageSecurityDatabaseGuid
> + );
> +
> + return Status;
> +}
> +
> +/**
> + Clears the content of the 'db' variable.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDb (
> + VOID
> +)
> +{
> + EFI_STATUS Status;
> +
> + Status = DeleteVariable (
> + EFI_IMAGE_SECURITY_DATABASE,
> + &gEfiImageSecurityDatabaseGuid
> + );
> +
> + return Status;
> +}
> +
> +/**
> + Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbxFromDefault (
> + VOID
> +)
> +{
> + EFI_STATUS Status;
> +
> + Status = EnrollFromDefault (
> + EFI_IMAGE_SECURITY_DATABASE1,
> + EFI_DBX_DEFAULT_VARIABLE_NAME,
> + &gEfiImageSecurityDatabaseGuid
> + );
> +
> + return Status;
> +}
> +
> +/**
> + Clears the content of the 'dbx' variable.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbx (
> + VOID
> +)
> +{
> + EFI_STATUS Status;
> +
> + Status = DeleteVariable (
> + EFI_IMAGE_SECURITY_DATABASE1,
> + &gEfiImageSecurityDatabaseGuid
> + );
> +
> + return Status;
> +}
> +
> +/**
> + Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbtFromDefault (
> + VOID
> +)
> +{
> + EFI_STATUS Status;
> +
> + Status = EnrollFromDefault (
> + EFI_IMAGE_SECURITY_DATABASE2,
> + EFI_DBT_DEFAULT_VARIABLE_NAME,
> + &gEfiImageSecurityDatabaseGuid);
> +
> + return Status;
> +}
> +
> +/**
> + Clears the content of the 'dbt' variable.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbt (
> + VOID
> +)
> +{
> + EFI_STATUS Status;
> +
> + Status = DeleteVariable (
> + EFI_IMAGE_SECURITY_DATABASE2,
> + &gEfiImageSecurityDatabaseGuid
> + );
> +
> + return Status;
> +}
> +
> +/**
> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollKEKFromDefault (
> + VOID
> +)
> +{
> + EFI_STATUS Status;
> +
> + Status = EnrollFromDefault (
> + EFI_KEY_EXCHANGE_KEY_NAME,
> + EFI_KEK_DEFAULT_VARIABLE_NAME,
> + &gEfiGlobalVariableGuid
> + );
> +
> + return Status;
> +}
> +
> +/**
> + Clears the content of the 'KEK' variable.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteKEK (
> + VOID
> +)
> +{
> + EFI_STATUS Status;
> +
> + Status = DeleteVariable (
> + EFI_KEY_EXCHANGE_KEY_NAME,
> + &gEfiGlobalVariableGuid
> + );
> +
> + return Status;
> +}
> +
> +/**
> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
> +
> + @retval EFI_OUT_OF_RESOURCES If memory allocation for
> EFI_VARIABLE_AUTHENTICATION_2 fails
> + while VendorGuid is NULL.
> + @retval other Errors from GetVariable2 (), GetTime () and
> SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollPKFromDefault (
> + VOID
> +)
> +{
> + EFI_STATUS Status;
> +
> + Status = EnrollFromDefault (
> + EFI_PLATFORM_KEY_NAME,
> + EFI_PK_DEFAULT_VARIABLE_NAME,
> + &gEfiGlobalVariableGuid
> + );
> +
> + return Status;
> +}
> +
> +/**
> + Remove the PK variable.
> +
> + @retval EFI_SUCCESS Delete PK successfully.
> + @retval Others Could not allow to delete PK.
> +
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeletePlatformKey (
> + VOID
> +)
> +{
> + EFI_STATUS Status;
> +
> + Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
> + if (EFI_ERROR (Status)) {
> + return Status;
> + }
> +
> + Status = DeleteVariable (
> + EFI_PLATFORM_KEY_NAME,
> + &gEfiGlobalVariableGuid
> + );
> + return Status;
> +}
> diff --git
> a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> new file mode 100644
> index 0000000000..2c51e4db53
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> @@ -0,0 +1,16 @@
> +// /** @file
> +//
> +// Provides initialization of Secure Boot keys and databases.
> +//
> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +// Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT #language en-US "Provides function to
> initialize PK, KEK and databases based on default variables."
> +
> +#string STR_MODULE_DESCRIPTION #language en-US "Provides function
> to initialize PK, KEK and databases based on default variables."
> +
> --
> 2.25.1
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH v5 09/10] SecurityPkg: Add new modules to Security package.
2021-07-01 9:17 ` [PATCH v5 09/10] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
@ 2021-07-06 11:57 ` Yao, Jiewen
0 siblings, 0 replies; 35+ messages in thread
From: Yao, Jiewen @ 2021-07-06 11:57 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com,
upstream@semihalf.com, Wang, Jian J, Xu, Min M, lersek@redhat.com,
sami.mujawar@arm.com, afish@apple.com, Ni, Ray, Justen, Jordan L,
rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com,
Chiu, Chasel, Desimone, Nathaniel L, gaoliming@byosoft.com.cn,
Dong, Eric, Kinney, Michael D, Sun, Zailiang, Qian, Yi,
graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Sunny Wang
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> -----Original Message-----
> From: Grzegorz Bernacki <gjb@semihalf.com>
> Sent: Thursday, July 1, 2021 5:18 PM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> lersek@redhat.com; sami.mujawar@arm.com; afish@apple.com; Ni, Ray
> <ray.ni@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>;
> rebecca@bsdio.com; grehan@freebsd.org; thomas.abraham@arm.com; Chiu,
> Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Sun,
> Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki
> <gjb@semihalf.com>; Sunny Wang <sunny.wang@arm.com>
> Subject: [PATCH v5 09/10] SecurityPkg: Add new modules to Security package.
>
> This commits adds modules related to initialization and
> usage of default Secure Boot key variables to SecurityPkg.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> Reviewed-by: Sunny Wang <sunny.wang@arm.com>
> Reviewed-by: Pete Batard <pete@akeo.ie>
> Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
> ---
> SecurityPkg/SecurityPkg.dec | 14 ++++++++++++++
> SecurityPkg/SecurityPkg.dsc | 3 +++
> 2 files changed, 17 insertions(+)
>
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index 4001650fa2..e6aab4dce7 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -190,6 +190,20 @@
> ## GUID used to enforce loading order between Tcg2Acpi and Tcg2Smm
> gTcg2MmSwSmiRegisteredGuid = { 0x9d4548b9, 0xa48d, 0x4db4, { 0x9a,
> 0x68, 0x32, 0xc5, 0x13, 0x9e, 0x20, 0x18 } }
>
> + ## GUID used to specify section with default PK content
> + gDefaultPKFileGuid = { 0x85254ea7, 0x4759, 0x4fc4, { 0x82, 0xd4,
> 0x5e, 0xed, 0x5f, 0xb0, 0xa4, 0xa0 } }
> +
> + ## GUID used to specify section with default KEK content
> + gDefaultKEKFileGuid = { 0x6f64916e, 0x9f7a, 0x4c35, { 0xb9, 0x52,
> 0xcd, 0x04, 0x1e, 0xfb, 0x05, 0xa3 } }
> +
> + ## GUID used to specify section with default db content
> + gDefaultdbFileGuid = { 0xc491d352, 0x7623, 0x4843, { 0xac, 0xcc,
> 0x27, 0x91, 0xa7, 0x57, 0x44, 0x21 } }
> +
> + ## GUID used to specify section with default dbx content
> + gDefaultdbxFileGuid = { 0x5740766a, 0x718e, 0x4dc0, { 0x99, 0x35,
> 0xc3, 0x6f, 0x7d, 0x3f, 0x88, 0x4f } }
> +
> + ## GUID used to specify section with default dbt content
> + gDefaultdbtFileGuid = { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb,
> 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } }
>
> [Ppis]
> ## The PPI GUID for that TPM physical presence should be locked.
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
> index 854f250625..f2f90f49de 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -259,6 +259,9 @@
>
> [Components.IA32, Components.X64, Components.ARM,
> Components.AARCH64]
> SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> + SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> + SecurityPkg/EnrollFromDefaultKeys/EnrollFromDefaultKeys.inf
> +
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys/SecureBootDefaultK
> eys.inf
>
> [Components.IA32, Components.X64, Components.AARCH64]
> #
> --
> 2.25.1
^ permalink raw reply [flat|nested] 35+ messages in thread
* 回复: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
` (9 preceding siblings ...)
2021-07-01 9:17 ` [PATCH v5 10/10] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
@ 2021-07-07 1:17 ` gaoliming
2021-07-07 7:36 ` Grzegorz Bernacki
2021-07-09 10:17 ` Sunny Wang
2021-07-09 18:22 ` [edk2-devel] " Sean
12 siblings, 1 reply; 35+ messages in thread
From: gaoliming @ 2021-07-07 1:17 UTC (permalink / raw)
To: devel, gjb
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, eric.dong, michael.d.kinney,
zailiang.sun, yi.qian, graeme, rad, pete
Grzegorz Bernacki:
This is a new feature. Can you submit one BZ
(https://bugzilla.tianocore.org/) for it? Then, I can add it into edk2
stable tag feature planning.
Thanks
Liming
> -----邮件原件-----
> 发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 Grzegorz
> Bernacki
> 发送时间: 2021年7月1日 17:18
> 收件人: devel@edk2.groups.io
> 抄送: leif@nuviainc.com; ardb+tianocore@kernel.org;
> Samer.El-Haj-Mahmoud@arm.com; sunny.Wang@arm.com;
> mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com;
> jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com;
> sami.mujawar@arm.com; afish@apple.com; ray.ni@intel.com;
> jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org;
> thomas.abraham@arm.com; chasel.chiu@intel.com;
> nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie;
> Grzegorz Bernacki <gjb@semihalf.com>
> 主题: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
>
> This patchset adds support for initialization of default
> Secure Boot variables based on keys content embedded in
> flash binary. This feature is active only if Secure Boot
> is enabled and DEFAULT_KEY is defined. The patchset
> consist also application to enroll keys from default
> variables and secure boot menu change to allow user
> to reset key content to default values.
> Discussion on design can be found at:
> https://edk2.groups.io/g/rfc/topic/82139806#600
>
> Built with:
> GCC
> - RISC-V (U500, U540) [requires fixes in dsc to build]
> - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
> EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
>
> RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be
built,
> will be post on edk2 maillist later
>
> VS2019
> - Intel (OvmfPkgX64)
>
> Test with:
> GCC5/RPi4
> VS2019/OvmfX64 (requires changes to enable feature)
>
> Tests:
> 1. Try to enroll key in incorrect format.
> 2. Enroll with only PKDefault keys specified.
> 3. Enroll with all keys specified.
> 4. Enroll when keys are enrolled.
> 5. Reset keys values.
> 6. Running signed & unsigned app after enrollment.
>
> Changes since v1:
> - change names:
> SecBootVariableLib => SecureBootVariableLib
> SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> - change name of function CheckSetupMode to GetSetupMode
> - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> - rebase to master
>
> Changes since v2:
> - fix coding style for functions headers in SecureBootVariableLib.h
> - add header to SecureBootDefaultKeys.fdf.inc
> - remove empty line spaces in SecureBootDefaultKeysDxe files
> - revert FAIL macro in EnrollFromDefaultKeysApp
> - remove functions duplicates and add SecureBootVariableLib
> to platforms which used it
>
> Changes since v3:
> - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> - fix typo in guid description
>
> Changes since v4:
> - reorder patches to make it bisectable
> - split commits related to more than one platform
> - move edk2-platform commits to separate patchset
>
> Grzegorz Bernacki (10):
> SecurityPkg: Create library for setting Secure Boot variables.
> ArmVirtPkg: add SecureBootVariableLib class resolution
> OvmfPkg: add SecureBootVariableLib class resolution
> EmulatorPkg: add SecureBootVariableLib class resolution
> SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
> ArmPlatformPkg: Create include file for default key content.
> SecurityPkg: Add SecureBootDefaultKeysDxe driver
> SecurityPkg: Add EnrollFromDefaultKeys application.
> SecurityPkg: Add new modules to Security package.
> SecurityPkg: Add option to reset secure boot keys.
>
> SecurityPkg/SecurityPkg.dec
> | 14 +
> ArmVirtPkg/ArmVirt.dsc.inc
> | 1 +
> EmulatorPkg/EmulatorPkg.dsc
> | 1 +
> OvmfPkg/Bhyve/BhyveX64.dsc
> | 1 +
> OvmfPkg/OvmfPkgIa32.dsc
> | 1 +
> OvmfPkg/OvmfPkgIa32X64.dsc
> | 1 +
> OvmfPkg/OvmfPkgX64.dsc
> | 1 +
> SecurityPkg/SecurityPkg.dsc
> | 4 +
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> | 47 +
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> | 79 ++
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigD
> xe.inf | 2 +
>
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf | 45 +
> SecurityPkg/Include/Library/SecureBootVariableLib.h
> | 251 +++++
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigN
> vData.h | 2 +
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.v
> fr | 6 +
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> | 109 +++
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> | 980 ++++++++++++++++++++
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> mpl.c | 343 ++++---
>
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.c | 68 ++
> ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> | 70 ++
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> | 16 +
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> trings.uni | 4 +
>
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.uni | 16 +
> 23 files changed, 1874 insertions(+), 188 deletions(-)
> create mode 100644
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf
> create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> create mode 100644
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.c
> create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.uni
>
> --
> 2.25.1
>
>
>
>
>
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
2021-07-07 1:17 ` 回复: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys gaoliming
@ 2021-07-07 7:36 ` Grzegorz Bernacki
0 siblings, 0 replies; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-07 7:36 UTC (permalink / raw)
To: devel, gaoliming
Cc: leif, ardb+tianocore, Samer El-Haj-Mahmoud, Sunny Wang,
Marcin Wojtas, upstream, Yao, Jiewen, Wang, Jian J, Xu, Min M,
Laszlo Ersek, Sami Mujawar, afish, ray.ni, jordan.l.justen,
rebecca, grehan, Thomas Abraham, chasel.chiu,
nathaniel.l.desimone, eric.dong, michael.d.kinney, zailiang.sun,
yi.qian, graeme, Radosław Biernacki, Pete Batard
Hi,
I created BZ #3481 (https://bugzilla.tianocore.org/show_bug.cgi?id=3481).
Please let me know if I filled it correctly
thanks,
greg
śr., 7 lip 2021 o 03:18 gaoliming <gaoliming@byosoft.com.cn> napisał(a):
>
> Grzegorz Bernacki:
> This is a new feature. Can you submit one BZ
> (https://bugzilla.tianocore.org/) for it? Then, I can add it into edk2
> stable tag feature planning.
>
> Thanks
> Liming
> > -----邮件原件-----
> > 发件人: devel@edk2.groups.io <devel@edk2.groups.io> 代表 Grzegorz
> > Bernacki
> > 发送时间: 2021年7月1日 17:18
> > 收件人: devel@edk2.groups.io
> > 抄送: leif@nuviainc.com; ardb+tianocore@kernel.org;
> > Samer.El-Haj-Mahmoud@arm.com; sunny.Wang@arm.com;
> > mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com;
> > jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com;
> > sami.mujawar@arm.com; afish@apple.com; ray.ni@intel.com;
> > jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org;
> > thomas.abraham@arm.com; chasel.chiu@intel.com;
> > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie;
> > Grzegorz Bernacki <gjb@semihalf.com>
> > 主题: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
> >
> > This patchset adds support for initialization of default
> > Secure Boot variables based on keys content embedded in
> > flash binary. This feature is active only if Secure Boot
> > is enabled and DEFAULT_KEY is defined. The patchset
> > consist also application to enroll keys from default
> > variables and secure boot menu change to allow user
> > to reset key content to default values.
> > Discussion on design can be found at:
> > https://edk2.groups.io/g/rfc/topic/82139806#600
> >
> > Built with:
> > GCC
> > - RISC-V (U500, U540) [requires fixes in dsc to build]
> > - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
> > EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> > - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
> >
> > RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be
> built,
> > will be post on edk2 maillist later
> >
> > VS2019
> > - Intel (OvmfPkgX64)
> >
> > Test with:
> > GCC5/RPi4
> > VS2019/OvmfX64 (requires changes to enable feature)
> >
> > Tests:
> > 1. Try to enroll key in incorrect format.
> > 2. Enroll with only PKDefault keys specified.
> > 3. Enroll with all keys specified.
> > 4. Enroll when keys are enrolled.
> > 5. Reset keys values.
> > 6. Running signed & unsigned app after enrollment.
> >
> > Changes since v1:
> > - change names:
> > SecBootVariableLib => SecureBootVariableLib
> > SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > - change name of function CheckSetupMode to GetSetupMode
> > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > - rebase to master
> >
> > Changes since v2:
> > - fix coding style for functions headers in SecureBootVariableLib.h
> > - add header to SecureBootDefaultKeys.fdf.inc
> > - remove empty line spaces in SecureBootDefaultKeysDxe files
> > - revert FAIL macro in EnrollFromDefaultKeysApp
> > - remove functions duplicates and add SecureBootVariableLib
> > to platforms which used it
> >
> > Changes since v3:
> > - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> > - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> > - fix typo in guid description
> >
> > Changes since v4:
> > - reorder patches to make it bisectable
> > - split commits related to more than one platform
> > - move edk2-platform commits to separate patchset
> >
> > Grzegorz Bernacki (10):
> > SecurityPkg: Create library for setting Secure Boot variables.
> > ArmVirtPkg: add SecureBootVariableLib class resolution
> > OvmfPkg: add SecureBootVariableLib class resolution
> > EmulatorPkg: add SecureBootVariableLib class resolution
> > SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
> > ArmPlatformPkg: Create include file for default key content.
> > SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > SecurityPkg: Add EnrollFromDefaultKeys application.
> > SecurityPkg: Add new modules to Security package.
> > SecurityPkg: Add option to reset secure boot keys.
> >
> > SecurityPkg/SecurityPkg.dec
> > | 14 +
> > ArmVirtPkg/ArmVirt.dsc.inc
> > | 1 +
> > EmulatorPkg/EmulatorPkg.dsc
> > | 1 +
> > OvmfPkg/Bhyve/BhyveX64.dsc
> > | 1 +
> > OvmfPkg/OvmfPkgIa32.dsc
> > | 1 +
> > OvmfPkg/OvmfPkgIa32X64.dsc
> > | 1 +
> > OvmfPkg/OvmfPkgX64.dsc
> > | 1 +
> > SecurityPkg/SecurityPkg.dsc
> > | 4 +
> > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > | 47 +
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > | 79 ++
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigD
> > xe.inf | 2 +
> >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.inf | 45 +
> > SecurityPkg/Include/Library/SecureBootVariableLib.h
> > | 251 +++++
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigN
> > vData.h | 2 +
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.v
> > fr | 6 +
> > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > | 109 +++
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > | 980 ++++++++++++++++++++
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > mpl.c | 343 ++++---
> >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.c | 68 ++
> > ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> > | 70 ++
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > | 16 +
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> > trings.uni | 4 +
> >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.uni | 16 +
> > 23 files changed, 1874 insertions(+), 188 deletions(-)
> > create mode 100644
> > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > create mode 100644
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > create mode 100644
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.inf
> > create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> > create mode 100644
> > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > create mode 100644
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > create mode 100644
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.c
> > create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> > create mode 100644
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > create mode 100644
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.uni
> >
> > --
> > 2.25.1
> >
> >
> >
> >
> >
>
>
>
>
>
>
>
>
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH v5 04/10] EmulatorPkg: add SecureBootVariableLib class resolution
2021-07-01 9:17 ` [PATCH v5 04/10] EmulatorPkg: " Grzegorz Bernacki
@ 2021-07-09 9:10 ` Sunny Wang
0 siblings, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-07-09 9:10 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
lersek@redhat.com, Sami Mujawar, afish@apple.com,
ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com,
grehan@freebsd.org, Thomas Abraham, chasel.chiu@intel.com,
nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn,
eric.dong@intel.com, michael.d.kinney@intel.com,
zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com,
rad@semihalf.com, pete@akeo.ie, Sunny Wang
Looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Thursday, July 1, 2021 5:18 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>; afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v5 04/10] EmulatorPkg: add SecureBootVariableLib class resolution
The edk2 patch
SecurityPkg: Create library for setting Secure Boot variables.
moves generic functions from SecureBootConfigDxe and places
them into SecureBootVariableLib. This patch adds SecureBootVariableLib
mapping for EmulatorPkg.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
EmulatorPkg/EmulatorPkg.dsc | 1 +
1 file changed, 1 insertion(+)
diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 20e5468398..966cc7af01 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -132,6 +132,7 @@
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
--
2.25.1
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
2021-07-01 9:17 ` [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe Grzegorz Bernacki
@ 2021-07-09 9:12 ` Sunny Wang
2021-07-12 11:45 ` Yao, Jiewen
[not found] ` <1691088E46D0B29B.19753@groups.io>
2 siblings, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-07-09 9:12 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
lersek@redhat.com, Sami Mujawar, afish@apple.com,
ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com,
grehan@freebsd.org, Thomas Abraham, chasel.chiu@intel.com,
nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn,
eric.dong@intel.com, michael.d.kinney@intel.com,
zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com,
rad@semihalf.com, pete@akeo.ie, Sunny Wang
Looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Thursday, July 1, 2021 5:18 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>; afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
This commit removes functions which were added
to SecureBootVariableLib. It also adds dependecy
on that library.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 189 +-------------------
2 files changed, 2 insertions(+), 188 deletions(-)
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 573efa6379..30d9cd8025 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -54,6 +54,7 @@
DevicePathLib
FileExplorerLib
PeCoffLib
+ SecureBootVariableLib
[Guids]
## SOMETIMES_CONSUMES ## Variable:L"CustomMode"
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index e82bfe7757..67e5e594ed 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include "SecureBootConfigImpl.h"
#include <Library/BaseCryptLib.h>
+#include <Library/SecureBootVariableLib.h>
CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION";
@@ -237,168 +238,6 @@ SaveSecureBootVariable (
return Status;
}
-/**
- Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
- descriptor with the input data. NO authentication is required in this function.
-
- @param[in, out] DataSize On input, the size of Data buffer in bytes.
- On output, the size of data returned in Data
- buffer in bytes.
- @param[in, out] Data On input, Pointer to data buffer to be wrapped or
- pointer to NULL to wrap an empty payload.
- On output, Pointer to the new payload date buffer allocated from pool,
- it's caller's responsibility to free the memory when finish using it.
-
- @retval EFI_SUCCESS Create time based payload successfully.
- @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval Others Unexpected error happens.
-
-**/
-EFI_STATUS
-CreateTimeBasedPayload (
- IN OUT UINTN *DataSize,
- IN OUT UINT8 **Data
- )
-{
- EFI_STATUS Status;
- UINT8 *NewData;
- UINT8 *Payload;
- UINTN PayloadSize;
- EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
- UINTN DescriptorSize;
- EFI_TIME Time;
-
- if (Data == NULL || DataSize == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // In Setup mode or Custom mode, the variable does not need to be signed but the
- // parameters to the SetVariable() call still need to be prepared as authenticated
- // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
- // data in it.
- //
- Payload = *Data;
- PayloadSize = *DataSize;
-
- DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
- if (NewData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- if ((Payload != NULL) && (PayloadSize != 0)) {
- CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
- }
-
- DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
-
- ZeroMem (&Time, sizeof (EFI_TIME));
- Status = gRT->GetTime (&Time, NULL);
- if (EFI_ERROR (Status)) {
- FreePool(NewData);
- return Status;
- }
- Time.Pad1 = 0;
- Time.Nanosecond = 0;
- Time.TimeZone = 0;
- Time.Daylight = 0;
- Time.Pad2 = 0;
- CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
-
- DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
- DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
- CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
-
- if (Payload != NULL) {
- FreePool(Payload);
- }
-
- *DataSize = DescriptorSize + PayloadSize;
- *Data = NewData;
- return EFI_SUCCESS;
-}
-
-/**
- Internal helper function to delete a Variable given its name and GUID, NO authentication
- required.
-
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Variable deleted successfully.
- @retval Others The driver failed to start the device.
-
-**/
-EFI_STATUS
-DeleteVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- VOID* Variable;
- UINT8 *Data;
- UINTN DataSize;
- UINT32 Attr;
-
- GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
- if (Variable == NULL) {
- return EFI_SUCCESS;
- }
- FreePool (Variable);
-
- Data = NULL;
- DataSize = 0;
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
- | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
- Status = CreateTimeBasedPayload (&DataSize, &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- return Status;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- VendorGuid,
- Attr,
- DataSize,
- Data
- );
- if (Data != NULL) {
- FreePool (Data);
- }
- return Status;
-}
-
-/**
-
- Set the platform secure boot mode into "Custom" or "Standard" mode.
-
- @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or
- CUSTOM_SECURE_BOOT_MODE.
-
- @return EFI_SUCCESS The platform has switched to the special mode successfully.
- @return other Fail to operate the secure boot mode.
-
-**/
-EFI_STATUS
-SetSecureBootMode (
- IN UINT8 SecureBootMode
- )
-{
- return gRT->SetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &SecureBootMode
- );
-}
-
/**
This code checks if the encode type and key strength of X.509
certificate is qualified.
@@ -646,32 +485,6 @@ ON_EXIT:
return Status;
}
-/**
- Remove the PK variable.
-
- @retval EFI_SUCCESS Delete PK successfully.
- @retval Others Could not allow to delete PK.
-
-**/
-EFI_STATUS
-DeletePlatformKey (
- VOID
-)
-{
- EFI_STATUS Status;
-
- Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- Status = DeleteVariable (
- EFI_PLATFORM_KEY_NAME,
- &gEfiGlobalVariableGuid
- );
- return Status;
-}
-
/**
Enroll a new KEK item from public key storing file (*.pbk).
--
2.25.1
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH v5 06/10] ArmPlatformPkg: Create include file for default key content.
2021-07-01 9:17 ` [PATCH v5 06/10] ArmPlatformPkg: Create include file for default key content Grzegorz Bernacki
@ 2021-07-09 9:20 ` Sunny Wang
0 siblings, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-07-09 9:20 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
lersek@redhat.com, Sami Mujawar, afish@apple.com,
ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com,
grehan@freebsd.org, Thomas Abraham, chasel.chiu@intel.com,
nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn,
eric.dong@intel.com, michael.d.kinney@intel.com,
zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com,
rad@semihalf.com, pete@akeo.ie, Sunny Wang
Looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Thursday, July 1, 2021 5:18 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>; afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v5 06/10] ArmPlatformPkg: Create include file for default key content.
This commits add file which can be included by platform Flash
Description File. It allows to specify certificate files, which
will be embedded into binary file. The content of these files
can be used to initialize Secure Boot default keys and databases.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc | 70 ++++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
diff --git a/ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc b/ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
new file mode 100644
index 0000000000..bf4f2d42de
--- /dev/null
+++ b/ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
@@ -0,0 +1,70 @@
+## @file
+# FDF include file which allows to embed Secure Boot keys
+#
+# Copyright (c) 2021, ARM Limited. All rights reserved.
+# Copyright (c) 2021, Semihalf. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+
+!if $(DEFAULT_KEYS) == TRUE
+ FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
+ !ifdef $(PK_DEFAULT_FILE)
+ SECTION RAW = $(PK_DEFAULT_FILE)
+ !endif
+ SECTION UI = "PK Default"
+ }
+
+ FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
+ !ifdef $(KEK_DEFAULT_FILE1)
+ SECTION RAW = $(KEK_DEFAULT_FILE1)
+ !endif
+ !ifdef $(KEK_DEFAULT_FILE2)
+ SECTION RAW = $(KEK_DEFAULT_FILE2)
+ !endif
+ !ifdef $(KEK_DEFAULT_FILE3)
+ SECTION RAW = $(KEK_DEFAULT_FILE3)
+ !endif
+ SECTION UI = "KEK Default"
+ }
+
+ FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
+ !ifdef $(DB_DEFAULT_FILE1)
+ SECTION RAW = $(DB_DEFAULT_FILE1)
+ !endif
+ !ifdef $(DB_DEFAULT_FILE2)
+ SECTION RAW = $(DB_DEFAULT_FILE2)
+ !endif
+ !ifdef $(DB_DEFAULT_FILE3)
+ SECTION RAW = $(DB_DEFAULT_FILE3)
+ !endif
+ SECTION UI = "DB Default"
+ }
+
+ FILE FREEFORM = 36c513ee-a338-4976-a0fb-6ddba3dafe87 {
+ !ifdef $(DBT_DEFAULT_FILE1)
+ SECTION RAW = $(DBT_DEFAULT_FILE1)
+ !endif
+ !ifdef $(DBT_DEFAULT_FILE2)
+ SECTION RAW = $(DBT_DEFAULT_FILE2)
+ !endif
+ !ifdef $(DBT_DEFAULT_FILE3)
+ SECTION RAW = $(DBT_DEFAULT_FILE3)
+ !endif
+ SECTION UI = "DBT Default"
+ }
+
+ FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {
+ !ifdef $(DBX_DEFAULT_FILE1)
+ SECTION RAW = $(DBX_DEFAULT_FILE1)
+ !endif
+ !ifdef $(DBX_DEFAULT_FILE2)
+ SECTION RAW = $(DBX_DEFAULT_FILE2)
+ !endif
+ !ifdef $(DBX_DEFAULT_FILE3)
+ SECTION RAW = $(DBX_DEFAULT_FILE3)
+ !endif
+ SECTION UI = "DBX Default"
+ }
+
+!endif
--
2.25.1
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables.
2021-07-01 9:17 ` [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
2021-07-06 11:55 ` Yao, Jiewen
@ 2021-07-09 9:29 ` Sunny Wang
1 sibling, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-07-09 9:29 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
lersek@redhat.com, Sami Mujawar, afish@apple.com,
ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com,
grehan@freebsd.org, Thomas Abraham, chasel.chiu@intel.com,
nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn,
eric.dong@intel.com, michael.d.kinney@intel.com,
zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com,
rad@semihalf.com, Sunny Wang, pete@akeo.ie
Looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Thursday, July 1, 2021 5:18 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>; afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables.
This commits add library, which consist functions related
creation/removal Secure Boot variables. Some of the functions
was moved from SecureBootConfigImpl.c file.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
SecurityPkg/SecurityPkg.dsc | 1 +
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 79 ++
SecurityPkg/Include/Library/SecureBootVariableLib.h | 251 +++++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 980 ++++++++++++++++++++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 16 +
5 files changed, 1327 insertions(+)
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index bd4b810bce..854f250625 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -70,6 +70,7 @@
RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
[LibraryClasses.ARM]
#
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
new file mode 100644
index 0000000000..84367841d5
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
@@ -0,0 +1,79 @@
+## @file
+# Provides initialization of Secure Boot keys and databases.
+#
+# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+# Copyright (c) 2021, Semihalf All rights reserved.<BR>
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = SecureBootVariableLib
+ MODULE_UNI_FILE = SecureBootVariableLib.uni
+ FILE_GUID = D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = SecureBootVariableLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+
+[Sources]
+ SecureBootVariableLib.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
+ CryptoPkg/CryptoPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ BaseCryptLib
+ DxeServicesLib
+
+[Guids]
+ ## CONSUMES ## Variable:L"SetupMode"
+ ## PRODUCES ## Variable:L"SetupMode"
+ ## CONSUMES ## Variable:L"SecureBoot"
+ ## PRODUCES ## Variable:L"SecureBoot"
+ ## PRODUCES ## Variable:L"PK"
+ ## PRODUCES ## Variable:L"KEK"
+ ## CONSUMES ## Variable:L"PKDefault"
+ ## CONSUMES ## Variable:L"KEKDefault"
+ ## CONSUMES ## Variable:L"dbDefault"
+ ## CONSUMES ## Variable:L"dbxDefault"
+ ## CONSUMES ## Variable:L"dbtDefault"
+ gEfiGlobalVariableGuid
+
+ ## SOMETIMES_CONSUMES ## Variable:L"DB"
+ ## SOMETIMES_CONSUMES ## Variable:L"DBX"
+ ## SOMETIMES_CONSUMES ## Variable:L"DBT"
+ gEfiImageSecurityDatabaseGuid
+
+ ## CONSUMES ## Variable:L"SecureBootEnable"
+ ## PRODUCES ## Variable:L"SecureBootEnable"
+ gEfiSecureBootEnableDisableGuid
+
+ ## CONSUMES ## Variable:L"CustomMode"
+ ## PRODUCES ## Variable:L"CustomMode"
+ gEfiCustomModeEnableGuid
+
+ gEfiCertTypeRsa2048Sha256Guid ## CONSUMES
+ gEfiCertX509Guid ## CONSUMES
+ gEfiCertPkcs7Guid ## CONSUMES
+
+ gDefaultPKFileGuid
+ gDefaultKEKFileGuid
+ gDefaultdbFileGuid
+ gDefaultdbxFileGuid
+ gDefaultdbtFileGuid
+
diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h
new file mode 100644
index 0000000000..e010667165
--- /dev/null
+++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h
@@ -0,0 +1,251 @@
+/** @file
+ Provides a function to enroll keys based on default values.
+
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __SECURE_BOOT_VARIABLE_LIB_H__
+#define __SECURE_BOOT_VARIABLE_LIB_H__
+
+/**
+ Set the platform secure boot mode into "Custom" or "Standard" mode.
+
+ @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or
+ CUSTOM_SECURE_BOOT_MODE.
+
+ @return EFI_SUCCESS The platform has switched to the special mode successfully.
+ @return other Fail to operate the secure boot mode.
+
+--*/
+EFI_STATUS
+SetSecureBootMode (
+ IN UINT8 SecureBootMode
+);
+
+/**
+ Fetches the value of SetupMode variable.
+
+ @param[out] SetupMode Pointer to UINT8 for SetupMode output
+
+ @retval other Error codes from GetVariable.
+--*/
+EFI_STATUS
+EFIAPI
+GetSetupMode (
+ OUT UINT8 *SetupMode
+);
+
+/**
+ Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
+ descriptor with the input data. NO authentication is required in this function.
+
+ @param[in, out] DataSize On input, the size of Data buffer in bytes.
+ On output, the size of data returned in Data
+ buffer in bytes.
+ @param[in, out] Data On input, Pointer to data buffer to be wrapped or
+ pointer to NULL to wrap an empty payload.
+ On output, Pointer to the new payload date buffer allocated from pool,
+ it's caller's responsibility to free the memory when finish using it.
+
+ @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval Others Unexpected error happens.
+
+--*/
+EFI_STATUS
+CreateTimeBasedPayload (
+ IN OUT UINTN *DataSize,
+ IN OUT UINT8 **Data
+);
+
+/**
+ Sets the content of the 'db' variable based on 'dbDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbFromDefault (
+ VOID
+);
+
+/**
+ Clears the content of the 'db' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDb (
+ VOID
+);
+
+/**
+ Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbxFromDefault (
+ VOID
+);
+
+/**
+ Clears the content of the 'dbx' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbx (
+ VOID
+);
+
+/**
+ Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbtFromDefault (
+ VOID
+);
+
+/**
+ Clears the content of the 'dbt' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbt (
+ VOID
+);
+
+/**
+ Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollKEKFromDefault (
+ VOID
+);
+
+/**
+ Clears the content of the 'KEK' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteKEK (
+ VOID
+);
+
+/**
+ Sets the content of the 'PK' variable based on 'PKDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollPKFromDefault (
+ VOID
+);
+
+/**
+ Clears the content of the 'PK' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2(), GetTime() and SetVariable()
+--*/
+EFI_STATUS
+EFIAPI
+DeletePlatformKey (
+ VOID
+);
+
+/**
+ Initializes PKDefault variable with data from FFS section.
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitPKDefault (
+ IN VOID
+ );
+
+/**
+ Initializes KEKDefault variable with data from FFS section.
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitKEKDefault (
+ IN VOID
+ );
+
+/**
+ Initializes dbDefault variable with data from FFS section.
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbDefault (
+ IN VOID
+ );
+
+/**
+ Initializes dbtDefault variable with data from FFS section.
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbtDefault (
+ IN VOID
+ );
+
+/**
+ Initializes dbxDefault variable with data from FFS section.
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbxDefault (
+ IN VOID
+ );
+#endif
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
new file mode 100644
index 0000000000..f3dafeca6e
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
@@ -0,0 +1,980 @@
+/** @file
+ This library provides functions to set/clear Secure Boot
+ keys and databases.
+
+Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Guid/GlobalVariable.h>
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseCryptLib.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/UefiLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/SecureBootVariableLib.h>
+#include "Library/DxeServicesLib.h"
+
+/** Creates EFI Signature List structure.
+
+ @param[in] Data A pointer to signature data.
+ @param[in] Size Size of signature data.
+ @param[out] SigList Created Signature List.
+
+ @retval EFI_SUCCESS Signature List was created successfully.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
+--*/
+STATIC
+EFI_STATUS
+CreateSigList (
+ IN VOID *Data,
+ IN UINTN Size,
+ OUT EFI_SIGNATURE_LIST **SigList
+ )
+{
+ UINTN SigListSize;
+ EFI_SIGNATURE_LIST *TmpSigList;
+ EFI_SIGNATURE_DATA *SigData;
+
+ //
+ // Allocate data for Signature Database
+ //
+ SigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + Size;
+ TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize);
+ if (TmpSigList == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ //
+ // Only gEfiCertX509Guid type is supported
+ //
+ TmpSigList->SignatureListSize = (UINT32)SigListSize;
+ TmpSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + Size);
+ TmpSigList->SignatureHeaderSize = 0;
+ CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid);
+
+ //
+ // Copy key data
+ //
+ SigData = (EFI_SIGNATURE_DATA *) (TmpSigList + 1);
+ CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid);
+ CopyMem (&SigData->SignatureData[0], Data, Size);
+
+ *SigList = TmpSigList;
+
+ return EFI_SUCCESS;
+}
+
+/** Adds new signature list to signature database.
+
+ @param[in] SigLists A pointer to signature database.
+ @param[in] SiglListAppend A signature list to be added.
+ @param[out] *SigListOut Created signature database.
+ @param[out] SigListsSize A size of created signature database.
+
+ @retval EFI_SUCCESS Signature List was added successfully.
+ @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
+--*/
+STATIC
+EFI_STATUS
+ConcatenateSigList (
+ IN EFI_SIGNATURE_LIST *SigLists,
+ IN EFI_SIGNATURE_LIST *SigListAppend,
+ OUT EFI_SIGNATURE_LIST **SigListOut,
+ IN OUT UINTN *SigListsSize
+)
+{
+ EFI_SIGNATURE_LIST *TmpSigList;
+ UINT8 *Offset;
+ UINTN NewSigListsSize;
+
+ NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
+
+ TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);
+ if (TmpSigList == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ CopyMem (TmpSigList, SigLists, *SigListsSize);
+
+ Offset = (UINT8 *)TmpSigList;
+ Offset += *SigListsSize;
+ CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);
+
+ *SigListsSize = NewSigListsSize;
+ *SigListOut = TmpSigList;
+ return EFI_SUCCESS;
+}
+
+/**
+ Create a EFI Signature List with data fetched from section specified as a argument.
+ Found keys are verified using RsaGetPublicKeyFromX509().
+
+ @param[in] KeyFileGuid A pointer to to the FFS filename GUID
+ @param[out] SigListsSize A pointer to size of signature list
+ @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists
+
+ @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_NOT_FOUND Section with key has not been found.
+ @retval EFI_INVALID_PARAMETER Embedded key has a wrong format.
+ @retval Others Unexpected error happens.
+
+--*/
+STATIC
+EFI_STATUS
+SecureBootFetchData (
+ IN EFI_GUID *KeyFileGuid,
+ OUT UINTN *SigListsSize,
+ OUT EFI_SIGNATURE_LIST **SigListOut
+)
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ EFI_SIGNATURE_LIST *TmpEfiSig;
+ EFI_SIGNATURE_LIST *TmpEfiSig2;
+ EFI_STATUS Status;
+ VOID *Buffer;
+ VOID *RsaPubKey;
+ UINTN Size;
+ UINTN KeyIndex;
+
+
+ KeyIndex = 0;
+ EfiSig = NULL;
+ *SigListsSize = 0;
+ while (1) {
+ Status = GetSectionFromAnyFv (
+ KeyFileGuid,
+ EFI_SECTION_RAW,
+ KeyIndex,
+ &Buffer,
+ &Size
+ );
+
+ if (Status == EFI_SUCCESS) {
+ RsaPubKey = NULL;
+ if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
+ DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
+ if (EfiSig != NULL) {
+ FreePool(EfiSig);
+ }
+ FreePool(Buffer);
+ return EFI_INVALID_PARAMETER;
+ }
+
+ Status = CreateSigList (Buffer, Size, &TmpEfiSig);
+
+ //
+ // Concatenate lists if more than one section found
+ //
+ if (KeyIndex == 0) {
+ EfiSig = TmpEfiSig;
+ *SigListsSize = TmpEfiSig->SignatureListSize;
+ } else {
+ ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
+ FreePool (EfiSig);
+ FreePool (TmpEfiSig);
+ EfiSig = TmpEfiSig2;
+ }
+
+ KeyIndex++;
+ FreePool (Buffer);
+ } if (Status == EFI_NOT_FOUND) {
+ break;
+ }
+ };
+
+ if (KeyIndex == 0) {
+ return EFI_NOT_FOUND;
+ }
+
+ *SigListOut = EfiSig;
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
+ descriptor with the input data. NO authentication is required in this function.
+
+ @param[in, out] DataSize On input, the size of Data buffer in bytes.
+ On output, the size of data returned in Data
+ buffer in bytes.
+ @param[in, out] Data On input, Pointer to data buffer to be wrapped or
+ pointer to NULL to wrap an empty payload.
+ On output, Pointer to the new payload date buffer allocated from pool,
+ it's caller's responsibility to free the memory when finish using it.
+
+ @retval EFI_SUCCESS Create time based payload successfully.
+ @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.
+ @retval Others Unexpected error happens.
+
+--*/
+EFI_STATUS
+CreateTimeBasedPayload (
+ IN OUT UINTN *DataSize,
+ IN OUT UINT8 **Data
+ )
+{
+ EFI_STATUS Status;
+ UINT8 *NewData;
+ UINT8 *Payload;
+ UINTN PayloadSize;
+ EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
+ UINTN DescriptorSize;
+ EFI_TIME Time;
+
+ if (Data == NULL || DataSize == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // In Setup mode or Custom mode, the variable does not need to be signed but the
+ // parameters to the SetVariable() call still need to be prepared as authenticated
+ // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
+ // data in it.
+ //
+ Payload = *Data;
+ PayloadSize = *DataSize;
+
+ DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
+ NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
+ if (NewData == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ if ((Payload != NULL) && (PayloadSize != 0)) {
+ CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
+ }
+
+ DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
+
+ ZeroMem (&Time, sizeof (EFI_TIME));
+ Status = gRT->GetTime (&Time, NULL);
+ if (EFI_ERROR (Status)) {
+ FreePool(NewData);
+ return Status;
+ }
+ Time.Pad1 = 0;
+ Time.Nanosecond = 0;
+ Time.TimeZone = 0;
+ Time.Daylight = 0;
+ Time.Pad2 = 0;
+ CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
+
+ DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
+ DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
+ DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
+ CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
+
+ if (Payload != NULL) {
+ FreePool(Payload);
+ }
+
+ *DataSize = DescriptorSize + PayloadSize;
+ *Data = NewData;
+ return EFI_SUCCESS;
+}
+
+/**
+ Internal helper function to delete a Variable given its name and GUID, NO authentication
+ required.
+
+ @param[in] VariableName Name of the Variable.
+ @param[in] VendorGuid GUID of the Variable.
+
+ @retval EFI_SUCCESS Variable deleted successfully.
+ @retval Others The driver failed to start the device.
+
+--*/
+EFI_STATUS
+DeleteVariable (
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid
+ )
+{
+ EFI_STATUS Status;
+ VOID* Variable;
+ UINT8 *Data;
+ UINTN DataSize;
+ UINT32 Attr;
+
+ GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
+ if (Variable == NULL) {
+ return EFI_SUCCESS;
+ }
+ FreePool (Variable);
+
+ Data = NULL;
+ DataSize = 0;
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
+
+ Status = CreateTimeBasedPayload (&DataSize, &Data);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
+ return Status;
+ }
+
+ Status = gRT->SetVariable (
+ VariableName,
+ VendorGuid,
+ Attr,
+ DataSize,
+ Data
+ );
+ if (Data != NULL) {
+ FreePool (Data);
+ }
+ return Status;
+}
+
+/**
+
+ Set the platform secure boot mode into "Custom" or "Standard" mode.
+
+ @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or
+ CUSTOM_SECURE_BOOT_MODE.
+
+ @return EFI_SUCCESS The platform has switched to the special mode successfully.
+ @return other Fail to operate the secure boot mode.
+
+--*/
+EFI_STATUS
+SetSecureBootMode (
+ IN UINT8 SecureBootMode
+ )
+{
+ return gRT->SetVariable (
+ EFI_CUSTOM_MODE_NAME,
+ &gEfiCustomModeEnableGuid,
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ sizeof (UINT8),
+ &SecureBootMode
+ );
+}
+
+
+/**
+ Enroll a key/certificate based on a default variable.
+
+ @param[in] VariableName The name of the key/database.
+ @param[in] DefaultName The name of the default variable.
+ @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable
+
+
+ @retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHeader.
+ @retval EFI_SUCCESS Successful enrollment.
+ @return Error codes from GetTime () and SetVariable ().
+--*/
+STATIC
+EFI_STATUS
+EnrollFromDefault (
+ IN CHAR16 *VariableName,
+ IN CHAR16 *DefaultName,
+ IN EFI_GUID *VendorGuid
+ )
+{
+ VOID *Data;
+ UINTN DataSize;
+ EFI_STATUS Status;
+
+ Status = EFI_SUCCESS;
+
+ DataSize = 0;
+ Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));
+ return Status;
+ }
+
+ CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
+ return Status;
+ }
+
+ //
+ // Allocate memory for auth variable
+ //
+ Status = gRT->SetVariable (
+ VariableName,
+ VendorGuid,
+ (EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS |
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
+ DataSize,
+ Data
+ );
+
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, VariableName,
+ VendorGuid, Status));
+ }
+
+ if (Data != NULL) {
+ FreePool (Data);
+ }
+
+ return Status;
+}
+
+/** Initializes PKDefault variable with data from FFS section.
+
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitPKDefault (
+ IN VOID
+ )
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ UINTN SigListsSize;
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+
+ //
+ // Check if variable exists, if so do not change it
+ //
+ Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+ if (Status == EFI_SUCCESS) {
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+ FreePool (Data);
+ return EFI_UNSUPPORTED;
+ }
+
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ return Status;
+ }
+
+ //
+ // Variable does not exist, can be initialized
+ //
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+
+ Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+ return Status;
+ }
+
+ Status = gRT->SetVariable (
+ EFI_PK_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ SigListsSize,
+ (VOID *)EfiSig
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));
+ }
+
+ FreePool (EfiSig);
+
+ return Status;
+}
+
+/** Initializes KEKDefault variable with data from FFS section.
+
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitKEKDefault (
+ IN VOID
+ )
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ UINTN SigListsSize;
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+
+ //
+ // Check if variable exists, if so do not change it
+ //
+ Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+ if (Status == EFI_SUCCESS) {
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+ FreePool (Data);
+ return EFI_UNSUPPORTED;
+ }
+
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ return Status;
+ }
+
+ //
+ // Variable does not exist, can be initialized
+ //
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+
+ Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+ return Status;
+ }
+
+
+ Status = gRT->SetVariable (
+ EFI_KEK_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ SigListsSize,
+ (VOID *)EfiSig
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
+ }
+
+ FreePool (EfiSig);
+
+ return Status;
+}
+
+/** Initializes dbDefault variable with data from FFS section.
+
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbDefault (
+ IN VOID
+ )
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ UINTN SigListsSize;
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+
+ Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+ if (Status == EFI_SUCCESS) {
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+ FreePool (Data);
+ return EFI_UNSUPPORTED;
+ }
+
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ return Status;
+ }
+
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+
+ Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ Status = gRT->SetVariable (
+ EFI_DB_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ SigListsSize,
+ (VOID *)EfiSig
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));
+ }
+
+ FreePool (EfiSig);
+
+ return Status;
+}
+
+/** Initializes dbxDefault variable with data from FFS section.
+
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbxDefault (
+ IN VOID
+ )
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ UINTN SigListsSize;
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+
+ //
+ // Check if variable exists, if so do not change it
+ //
+ Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+ if (Status == EFI_SUCCESS) {
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+ FreePool (Data);
+ return EFI_UNSUPPORTED;
+ }
+
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ return Status;
+ }
+
+ //
+ // Variable does not exist, can be initialized
+ //
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+
+ Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+ return Status;
+ }
+
+ Status = gRT->SetVariable (
+ EFI_DBX_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ SigListsSize,
+ (VOID *)EfiSig
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
+ }
+
+ FreePool (EfiSig);
+
+ return Status;
+}
+
+/** Initializes dbtDefault variable with data from FFS section.
+
+
+ @retval EFI_SUCCESS Variable was initialized successfully.
+ @retval EFI_UNSUPPORTED Variable already exists.
+--*/
+EFI_STATUS
+SecureBootInitdbtDefault (
+ IN VOID
+ )
+{
+ EFI_SIGNATURE_LIST *EfiSig;
+ UINTN SigListsSize;
+ EFI_STATUS Status;
+ UINT8 *Data;
+ UINTN DataSize;
+
+ //
+ // Check if variable exists, if so do not change it
+ //
+ Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
+ if (Status == EFI_SUCCESS) {
+ DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+ FreePool (Data);
+ return EFI_UNSUPPORTED;
+ }
+
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ return Status;
+ }
+
+ //
+ // Variable does not exist, can be initialized
+ //
+ DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+
+ Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ Status = gRT->SetVariable (
+ EFI_DBT_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ SigListsSize,
+ (VOID *)EfiSig
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
+ }
+
+ FreePool (EfiSig);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Fetches the value of SetupMode variable.
+
+ @param[out] SetupMode Pointer to UINT8 for SetupMode output
+
+ @retval other Retval from GetVariable.
+--*/
+EFI_STATUS
+EFIAPI
+GetSetupMode (
+ OUT UINT8 *SetupMode
+)
+{
+ UINTN Size;
+ EFI_STATUS Status;
+
+ Size = sizeof (*SetupMode);
+ Status = gRT->GetVariable (
+ EFI_SETUP_MODE_NAME,
+ &gEfiGlobalVariableGuid,
+ NULL,
+ &Size,
+ SetupMode
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
+ Sets the content of the 'db' variable based on 'dbDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbFromDefault (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = EnrollFromDefault (
+ EFI_IMAGE_SECURITY_DATABASE,
+ EFI_DB_DEFAULT_VARIABLE_NAME,
+ &gEfiImageSecurityDatabaseGuid
+ );
+
+ return Status;
+}
+
+/**
+ Clears the content of the 'db' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDb (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = DeleteVariable (
+ EFI_IMAGE_SECURITY_DATABASE,
+ &gEfiImageSecurityDatabaseGuid
+ );
+
+ return Status;
+}
+
+/**
+ Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbxFromDefault (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = EnrollFromDefault (
+ EFI_IMAGE_SECURITY_DATABASE1,
+ EFI_DBX_DEFAULT_VARIABLE_NAME,
+ &gEfiImageSecurityDatabaseGuid
+ );
+
+ return Status;
+}
+
+/**
+ Clears the content of the 'dbx' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbx (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = DeleteVariable (
+ EFI_IMAGE_SECURITY_DATABASE1,
+ &gEfiImageSecurityDatabaseGuid
+ );
+
+ return Status;
+}
+
+/**
+ Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollDbtFromDefault (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = EnrollFromDefault (
+ EFI_IMAGE_SECURITY_DATABASE2,
+ EFI_DBT_DEFAULT_VARIABLE_NAME,
+ &gEfiImageSecurityDatabaseGuid);
+
+ return Status;
+}
+
+/**
+ Clears the content of the 'dbt' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteDbt (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = DeleteVariable (
+ EFI_IMAGE_SECURITY_DATABASE2,
+ &gEfiImageSecurityDatabaseGuid
+ );
+
+ return Status;
+}
+
+/**
+ Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollKEKFromDefault (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = EnrollFromDefault (
+ EFI_KEY_EXCHANGE_KEY_NAME,
+ EFI_KEK_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid
+ );
+
+ return Status;
+}
+
+/**
+ Clears the content of the 'KEK' variable.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+DeleteKEK (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = DeleteVariable (
+ EFI_KEY_EXCHANGE_KEY_NAME,
+ &gEfiGlobalVariableGuid
+ );
+
+ return Status;
+}
+
+/**
+ Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
+
+ @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
+ while VendorGuid is NULL.
+ @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
+--*/
+EFI_STATUS
+EFIAPI
+EnrollPKFromDefault (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = EnrollFromDefault (
+ EFI_PLATFORM_KEY_NAME,
+ EFI_PK_DEFAULT_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid
+ );
+
+ return Status;
+}
+
+/**
+ Remove the PK variable.
+
+ @retval EFI_SUCCESS Delete PK successfully.
+ @retval Others Could not allow to delete PK.
+
+--*/
+EFI_STATUS
+EFIAPI
+DeletePlatformKey (
+ VOID
+)
+{
+ EFI_STATUS Status;
+
+ Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ Status = DeleteVariable (
+ EFI_PLATFORM_KEY_NAME,
+ &gEfiGlobalVariableGuid
+ );
+ return Status;
+}
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
new file mode 100644
index 0000000000..2c51e4db53
--- /dev/null
+++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
@@ -0,0 +1,16 @@
+// /** @file
+//
+// Provides initialization of Secure Boot keys and databases.
+//
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "Provides function to initialize PK, KEK and databases based on default variables."
+
+#string STR_MODULE_DESCRIPTION #language en-US "Provides function to initialize PK, KEK and databases based on default variables."
+
--
2.25.1
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH v5 02/10] ArmVirtPkg: add SecureBootVariableLib class resolution
2021-07-01 9:17 ` [PATCH v5 02/10] ArmVirtPkg: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-07-01 10:39 ` Laszlo Ersek
@ 2021-07-09 9:32 ` Sunny Wang
1 sibling, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-07-09 9:32 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
lersek@redhat.com, Sami Mujawar, afish@apple.com,
ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com,
grehan@freebsd.org, Thomas Abraham, chasel.chiu@intel.com,
nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn,
eric.dong@intel.com, michael.d.kinney@intel.com,
zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com,
rad@semihalf.com, pete@akeo.ie, Sunny Wang
Looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Thursday, July 1, 2021 5:18 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>; afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v5 02/10] ArmVirtPkg: add SecureBootVariableLib class resolution
The edk2 patch
SecurityPkg: Create library for setting Secure Boot variables.
moves generic functions from SecureBootConfigDxe and places
them into SecureBootVariableLib. This patch adds SecureBootVariableLib
mapping for ArmVirtPkg platform.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
ArmVirtPkg/ArmVirt.dsc.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index d9abadbe70..11c1f53537 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -168,6 +168,7 @@
#
!if $(SECURE_BOOT_ENABLE) == TRUE
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
# re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
--
2.25.1
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH v5 03/10] OvmfPkg: add SecureBootVariableLib class resolution
2021-07-01 9:17 ` [PATCH v5 03/10] OvmfPkg: " Grzegorz Bernacki
2021-07-01 10:39 ` Laszlo Ersek
@ 2021-07-09 9:37 ` Sunny Wang
1 sibling, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-07-09 9:37 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
lersek@redhat.com, Sami Mujawar, afish@apple.com,
ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com,
grehan@freebsd.org, Thomas Abraham, chasel.chiu@intel.com,
nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn,
eric.dong@intel.com, michael.d.kinney@intel.com,
zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com,
rad@semihalf.com, pete@akeo.ie, Sunny Wang
Looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Thursday, July 1, 2021 5:18 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>; afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v5 03/10] OvmfPkg: add SecureBootVariableLib class resolution
The edk2 patch
SecurityPkg: Create library for setting Secure Boot variables.
moves generic functions from SecureBootConfigDxe and places
them into SecureBootVariableLib. This patch adds SecureBootVariableLib
mapping for OvmfPkg.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
4 files changed, 4 insertions(+)
diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index cbf896e89b..bcc0b2f2f4 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -196,6 +196,7 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index f53efeae79..9225966541 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -204,6 +204,7 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index b3662e17f2..5d53327edb 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -208,6 +208,7 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 0a237a9058..509acf7926 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -208,6 +208,7 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
--
2.25.1
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application.
2021-07-01 9:17 ` [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-07-06 11:53 ` Yao, Jiewen
@ 2021-07-09 9:37 ` Sunny Wang
1 sibling, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-07-09 9:37 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com,
lersek@redhat.com, Sami Mujawar, afish@apple.com,
ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com,
grehan@freebsd.org, Thomas Abraham, chasel.chiu@intel.com,
nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn,
eric.dong@intel.com, michael.d.kinney@intel.com,
zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com,
rad@semihalf.com, pete@akeo.ie, Sunny Wang
Looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Thursday, July 1, 2021 5:18 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>; afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application.
This application allows user to force key enrollment from
Secure Boot default variables.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 +++++++++
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 109 ++++++++++++++++++++
2 files changed, 156 insertions(+)
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
new file mode 100644
index 0000000000..4d79ca3844
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
@@ -0,0 +1,47 @@
+## @file
+# Enroll PK, KEK, db, dbx from Default variables
+#
+# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+# Copyright (c) 2021, Semihalf All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION = 1.28
+ BASE_NAME = EnrollFromDefaultKeysApp
+ FILE_GUID = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
+ MODULE_TYPE = UEFI_APPLICATION
+ VERSION_STRING = 0.1
+ ENTRY_POINT = UefiMain
+
+[Sources]
+ EnrollFromDefaultKeysApp.c
+
+[Packages]
+ MdeModulePkg/MdeModulePkg.dec
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[Guids]
+ gEfiCertPkcs7Guid
+ gEfiCertSha256Guid
+ gEfiCertX509Guid
+ gEfiCustomModeEnableGuid
+ gEfiGlobalVariableGuid
+ gEfiImageSecurityDatabaseGuid
+ gEfiSecureBootEnableDisableGuid
+
+[Protocols]
+ gEfiSmbiosProtocolGuid ## CONSUMES
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ PrintLib
+ UefiApplicationEntryPoint
+ UefiBootServicesTableLib
+ UefiLib
+ UefiRuntimeServicesTableLib
+ SecureBootVariableLib
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
new file mode 100644
index 0000000000..3407c1c4b9
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
@@ -0,0 +1,109 @@
+/** @file
+ Enroll default PK, KEK, db, dbx.
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseLib.h> // GUID_STRING_LENGTH
+#include <Library/BaseMemoryLib.h> // CopyGuid()
+#include <Library/DebugLib.h> // ASSERT()
+#include <Library/MemoryAllocationLib.h> // FreePool()
+#include <Library/PrintLib.h> // AsciiSPrint()
+#include <Library/UefiBootServicesTableLib.h> // gBS
+#include <Library/UefiLib.h> // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+#include <Uefi/UefiMultiPhase.h>
+#include <Library/SecureBootVariableLib.h>
+
+/**
+ Entry point function of this shell application.
+**/
+EFI_STATUS
+EFIAPI
+UefiMain (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+ UINT8 SetupMode;
+
+ Status = GetSetupMode (&SetupMode);
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: %r\n", Status);
+ return 1;
+ }
+
+ if (SetupMode == USER_MODE) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n");
+ return 1;
+ }
+
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
+ return 1;
+ }
+
+ Status = EnrollDbFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status);
+ goto error;
+ }
+
+ Status = EnrollDbxFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Status);
+ }
+
+ Status = EnrollDbtFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Status);
+ }
+
+ Status = EnrollKEKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Status);
+ goto cleardbs;
+ }
+
+ Status = EnrollPKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status);
+ goto clearKEK;
+ }
+
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ AsciiPrint (
+ "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n"
+ );
+ }
+ return 0;
+
+clearKEK:
+ DeleteKEK ();
+
+cleardbs:
+ DeleteDbt ();
+ DeleteDbx ();
+ DeleteDb ();
+
+error:
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ AsciiPrint (
+ "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n"
+ );
+ }
+
+ return 1;
+}
--
2.25.1
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH v5 00/10] Secure Boot default keys
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
` (10 preceding siblings ...)
2021-07-07 1:17 ` 回复: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys gaoliming
@ 2021-07-09 10:17 ` Sunny Wang
2021-07-09 18:22 ` [edk2-devel] " Sean
12 siblings, 0 replies; 35+ messages in thread
From: Sunny Wang @ 2021-07-09 10:17 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io, leif@nuviainc.com,
ardb+tianocore@kernel.org, ray.ni@intel.com, jiewen.yao@intel.com
Cc: Samer El-Haj-Mahmoud, mw@semihalf.com, upstream@semihalf.com,
jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com,
Sami Mujawar, afish@apple.com, jordan.l.justen@intel.com,
rebecca@bsdio.com, grehan@freebsd.org, Thomas Abraham,
chasel.chiu@intel.com, nathaniel.l.desimone@intel.com,
gaoliming@byosoft.com.cn, eric.dong@intel.com,
michael.d.kinney@intel.com, zailiang.sun@intel.com,
yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com,
pete@akeo.ie, Sunny Wang
Reviewed whole series.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
We still need matintainers to review the patches below:
[PATCH v5 03/10] OvmfPkg: add SecureBootVariableLib class resolution
[PATCH v5 04/10] EmulatorPkg: add SecureBootVariableLib class resolution
[PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
[PATCH v5 06/10] ArmPlatformPkg: Create include file for default key content.
Thanks,
Sunny Wang
-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Thursday, July 1, 2021 5:18 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>; afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v5 00/10] Secure Boot default keys
This patchset adds support for initialization of default
Secure Boot variables based on keys content embedded in
flash binary. This feature is active only if Secure Boot
is enabled and DEFAULT_KEY is defined. The patchset
consist also application to enroll keys from default
variables and secure boot menu change to allow user
to reset key content to default values.
Discussion on design can be found at:
https://edk2.groups.io/g/rfc/topic/82139806#600
Built with:
GCC
- RISC-V (U500, U540) [requires fixes in dsc to build]
- Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
- ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be built,
will be post on edk2 maillist later
VS2019
- Intel (OvmfPkgX64)
Test with:
GCC5/RPi4
VS2019/OvmfX64 (requires changes to enable feature)
Tests:
1. Try to enroll key in incorrect format.
2. Enroll with only PKDefault keys specified.
3. Enroll with all keys specified.
4. Enroll when keys are enrolled.
5. Reset keys values.
6. Running signed & unsigned app after enrollment.
Changes since v1:
- change names:
SecBootVariableLib => SecureBootVariableLib
SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
- change name of function CheckSetupMode to GetSetupMode
- remove ShellPkg dependecy from EnrollFromDefaultKeysApp
- rebase to master
Changes since v2:
- fix coding style for functions headers in SecureBootVariableLib.h
- add header to SecureBootDefaultKeys.fdf.inc
- remove empty line spaces in SecureBootDefaultKeysDxe files
- revert FAIL macro in EnrollFromDefaultKeysApp
- remove functions duplicates and add SecureBootVariableLib
to platforms which used it
Changes since v3:
- move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
- leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
- fix typo in guid description
Changes since v4:
- reorder patches to make it bisectable
- split commits related to more than one platform
- move edk2-platform commits to separate patchset
Grzegorz Bernacki (10):
SecurityPkg: Create library for setting Secure Boot variables.
ArmVirtPkg: add SecureBootVariableLib class resolution
OvmfPkg: add SecureBootVariableLib class resolution
EmulatorPkg: add SecureBootVariableLib class resolution
SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
ArmPlatformPkg: Create include file for default key content.
SecurityPkg: Add SecureBootDefaultKeysDxe driver
SecurityPkg: Add EnrollFromDefaultKeys application.
SecurityPkg: Add new modules to Security package.
SecurityPkg: Add option to reset secure boot keys.
SecurityPkg/SecurityPkg.dec | 14 +
ArmVirtPkg/ArmVirt.dsc.inc | 1 +
EmulatorPkg/EmulatorPkg.dsc | 1 +
OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
SecurityPkg/SecurityPkg.dsc | 4 +
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 +
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 79 ++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 +
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 45 +
SecurityPkg/Include/Library/SecureBootVariableLib.h | 251 +++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 109 +++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 980 ++++++++++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 343 ++++---
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 68 ++
ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc | 70 ++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 16 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 16 +
23 files changed, 1874 insertions(+), 188 deletions(-)
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
--
2.25.1
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
` (11 preceding siblings ...)
2021-07-09 10:17 ` Sunny Wang
@ 2021-07-09 18:22 ` Sean
2021-07-09 20:03 ` Samer El-Haj-Mahmoud
12 siblings, 1 reply; 35+ messages in thread
From: Sean @ 2021-07-09 18:22 UTC (permalink / raw)
To: devel, gjb
Cc: leif, ardb+tianocore, Samer.El-Haj-Mahmoud, sunny.Wang, mw,
upstream, jiewen.yao, jian.j.wang, min.m.xu, lersek, sami.mujawar,
afish, ray.ni, jordan.l.justen, rebecca, grehan, thomas.abraham,
chasel.chiu, nathaniel.l.desimone, gaoliming, eric.dong,
michael.d.kinney, zailiang.sun, yi.qian, graeme, rad, pete
Grzegorz,
It is a little late to the party to provide broad feedback (given you
are on v5) but i'll do it anyway and if anything resonates maybe you can
make a few changes.
This patchset (for modules/libraries in SecurityPkg) does not resolve a
major issue within the SecurityPkg design today. Not that it has to,
but when creating new abstractions/APIs it would be ideal this problem.
The SecurityPkg modules and libraries today mix platform
policy/assumptions with generic data manipulation and specification
defined behavior.
For example the new SecureBootVariableLib. This library contains
functions that load default keys from flash (platform), delete the SB
databases (platform policy), as well as helper functions for creating
variable auth payloads, sig lists, etc (spec defined data manipulation).
If this library was refactored into two libraries (a pure data
manipulation library and platform lib) it would significantly improve
the usefulness of this library (to me and i suspect many other consumers
of edk2).
1. Reduce the number of forks or instances other consumers would need.
Other consumers of edk2 could use the data manipulation lib without
taking on the burden of the platform config stuff that may or may not
apply to their platform. Other consumers might also then help maintain
this library because they would be using it in their platform.
2. A data manipulation library could be easily unit tested using the
host based unit test framework. This would provide significantly higher
confidence in code and changes and most likely reduce quality issues.
3. A platform lib would make clear the platform requirements for using
the modules and applications and allow platform maintainers to focus on
this API and dependencies.
Anyway, given how long and tedious the edk2 contribution process is and
that you already have most of the SecurityPkg RBs I can understand if
this unwelcome feedback.
Thanks
Sean
On 7/1/2021 2:17 AM, Grzegorz Bernacki wrote:
> This patchset adds support for initialization of default
> Secure Boot variables based on keys content embedded in
> flash binary. This feature is active only if Secure Boot
> is enabled and DEFAULT_KEY is defined. The patchset
> consist also application to enroll keys from default
> variables and secure boot menu change to allow user
> to reset key content to default values.
> Discussion on design can be found at:
> https://edk2.groups.io/g/rfc/topic/82139806#600
>
> Built with:
> GCC
> - RISC-V (U500, U540) [requires fixes in dsc to build]
> - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
> EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
>
> RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be built,
> will be post on edk2 maillist later
>
> VS2019
> - Intel (OvmfPkgX64)
>
> Test with:
> GCC5/RPi4
> VS2019/OvmfX64 (requires changes to enable feature)
>
> Tests:
> 1. Try to enroll key in incorrect format.
> 2. Enroll with only PKDefault keys specified.
> 3. Enroll with all keys specified.
> 4. Enroll when keys are enrolled.
> 5. Reset keys values.
> 6. Running signed & unsigned app after enrollment.
>
> Changes since v1:
> - change names:
> SecBootVariableLib => SecureBootVariableLib
> SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> - change name of function CheckSetupMode to GetSetupMode
> - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> - rebase to master
>
> Changes since v2:
> - fix coding style for functions headers in SecureBootVariableLib.h
> - add header to SecureBootDefaultKeys.fdf.inc
> - remove empty line spaces in SecureBootDefaultKeysDxe files
> - revert FAIL macro in EnrollFromDefaultKeysApp
> - remove functions duplicates and add SecureBootVariableLib
> to platforms which used it
>
> Changes since v3:
> - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> - fix typo in guid description
>
> Changes since v4:
> - reorder patches to make it bisectable
> - split commits related to more than one platform
> - move edk2-platform commits to separate patchset
>
> Grzegorz Bernacki (10):
> SecurityPkg: Create library for setting Secure Boot variables.
> ArmVirtPkg: add SecureBootVariableLib class resolution
> OvmfPkg: add SecureBootVariableLib class resolution
> EmulatorPkg: add SecureBootVariableLib class resolution
> SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
> ArmPlatformPkg: Create include file for default key content.
> SecurityPkg: Add SecureBootDefaultKeysDxe driver
> SecurityPkg: Add EnrollFromDefaultKeys application.
> SecurityPkg: Add new modules to Security package.
> SecurityPkg: Add option to reset secure boot keys.
>
> SecurityPkg/SecurityPkg.dec | 14 +
> ArmVirtPkg/ArmVirt.dsc.inc | 1 +
> EmulatorPkg/EmulatorPkg.dsc | 1 +
> OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
> OvmfPkg/OvmfPkgIa32.dsc | 1 +
> OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> OvmfPkg/OvmfPkgX64.dsc | 1 +
> SecurityPkg/SecurityPkg.dsc | 4 +
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 +
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 79 ++
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 +
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 45 +
> SecurityPkg/Include/Library/SecureBootVariableLib.h | 251 +++++
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 109 +++
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 980 ++++++++++++++++++++
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 343 ++++---
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 68 ++
> ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc | 70 ++
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 16 +
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 16 +
> 23 files changed, 1874 insertions(+), 188 deletions(-)
> create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
> create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
> create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
>
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
2021-07-09 18:22 ` [edk2-devel] " Sean
@ 2021-07-09 20:03 ` Samer El-Haj-Mahmoud
2021-07-12 12:02 ` Yao, Jiewen
0 siblings, 1 reply; 35+ messages in thread
From: Samer El-Haj-Mahmoud @ 2021-07-09 20:03 UTC (permalink / raw)
To: devel@edk2.groups.io, spbrogan@outlook.com, gjb@semihalf.com
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Sunny Wang,
mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com,
jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com,
Sami Mujawar, afish@apple.com, ray.ni@intel.com,
jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org,
Thomas Abraham, chasel.chiu@intel.com,
nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn,
eric.dong@intel.com, michael.d.kinney@intel.com,
zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com,
rad@semihalf.com, pete@akeo.ie, Samer El-Haj-Mahmoud
Sean,
Thanks for the feedback. As you say, this is a design concern in SecurityPkg today, and the improvement you are suggesting is welcomed, especially for systems that rely on EDK2 (and lack a commercial FW solution). Considering that this patch series is at v5, and has accumulated enough reviews since RFC/v1 was sent to the list in April/May, is it possible to proceed with the current revision, and consider the feedback you suggested in future improvements to SecurityPkg?
Thanks,
--Samer
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sean via
> groups.io
> Sent: Friday, July 9, 2021 2:23 PM
> To: devel@edk2.groups.io; gjb@semihalf.com
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud
> <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang
> <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com;
> jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com;
> lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>;
> afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com;
> rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham
> <thomas.abraham@arm.com>; chasel.chiu@intel.com;
> nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com;
> pete@akeo.ie
> Subject: Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
>
> Grzegorz,
>
> It is a little late to the party to provide broad feedback (given you
> are on v5) but i'll do it anyway and if anything resonates maybe you can
> make a few changes.
>
>
> This patchset (for modules/libraries in SecurityPkg) does not resolve a
> major issue within the SecurityPkg design today. Not that it has to,
> but when creating new abstractions/APIs it would be ideal this problem.
> The SecurityPkg modules and libraries today mix platform
> policy/assumptions with generic data manipulation and specification
> defined behavior.
>
> For example the new SecureBootVariableLib. This library contains
> functions that load default keys from flash (platform), delete the SB
> databases (platform policy), as well as helper functions for creating
> variable auth payloads, sig lists, etc (spec defined data manipulation).
> If this library was refactored into two libraries (a pure data
> manipulation library and platform lib) it would significantly improve
> the usefulness of this library (to me and i suspect many other consumers
> of edk2).
>
> 1. Reduce the number of forks or instances other consumers would need.
> Other consumers of edk2 could use the data manipulation lib without
> taking on the burden of the platform config stuff that may or may not
> apply to their platform. Other consumers might also then help maintain
> this library because they would be using it in their platform.
>
> 2. A data manipulation library could be easily unit tested using the
> host based unit test framework. This would provide significantly higher
> confidence in code and changes and most likely reduce quality issues.
>
> 3. A platform lib would make clear the platform requirements for using
> the modules and applications and allow platform maintainers to focus on
> this API and dependencies.
>
> Anyway, given how long and tedious the edk2 contribution process is and
> that you already have most of the SecurityPkg RBs I can understand if
> this unwelcome feedback.
>
> Thanks
> Sean
>
>
>
>
> On 7/1/2021 2:17 AM, Grzegorz Bernacki wrote:
> > This patchset adds support for initialization of default
> > Secure Boot variables based on keys content embedded in
> > flash binary. This feature is active only if Secure Boot
> > is enabled and DEFAULT_KEY is defined. The patchset
> > consist also application to enroll keys from default
> > variables and secure boot menu change to allow user
> > to reset key content to default values.
> > Discussion on design can be found at:
> > https://edk2.groups.io/g/rfc/topic/82139806#600
> >
> > Built with:
> > GCC
> > - RISC-V (U500, U540) [requires fixes in dsc to build]
> > - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
> > EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> > - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
> >
> > RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be
> built,
> > will be post on edk2 maillist later
> >
> > VS2019
> > - Intel (OvmfPkgX64)
> >
> > Test with:
> > GCC5/RPi4
> > VS2019/OvmfX64 (requires changes to enable feature)
> >
> > Tests:
> > 1. Try to enroll key in incorrect format.
> > 2. Enroll with only PKDefault keys specified.
> > 3. Enroll with all keys specified.
> > 4. Enroll when keys are enrolled.
> > 5. Reset keys values.
> > 6. Running signed & unsigned app after enrollment.
> >
> > Changes since v1:
> > - change names:
> > SecBootVariableLib => SecureBootVariableLib
> > SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > - change name of function CheckSetupMode to GetSetupMode
> > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > - rebase to master
> >
> > Changes since v2:
> > - fix coding style for functions headers in SecureBootVariableLib.h
> > - add header to SecureBootDefaultKeys.fdf.inc
> > - remove empty line spaces in SecureBootDefaultKeysDxe files
> > - revert FAIL macro in EnrollFromDefaultKeysApp
> > - remove functions duplicates and add SecureBootVariableLib
> > to platforms which used it
> >
> > Changes since v3:
> > - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> > - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> > - fix typo in guid description
> >
> > Changes since v4:
> > - reorder patches to make it bisectable
> > - split commits related to more than one platform
> > - move edk2-platform commits to separate patchset
> >
> > Grzegorz Bernacki (10):
> > SecurityPkg: Create library for setting Secure Boot variables.
> > ArmVirtPkg: add SecureBootVariableLib class resolution
> > OvmfPkg: add SecureBootVariableLib class resolution
> > EmulatorPkg: add SecureBootVariableLib class resolution
> > SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
> > ArmPlatformPkg: Create include file for default key content.
> > SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > SecurityPkg: Add EnrollFromDefaultKeys application.
> > SecurityPkg: Add new modules to Security package.
> > SecurityPkg: Add option to reset secure boot keys.
> >
> > SecurityPkg/SecurityPkg.dec | 14 +
> > ArmVirtPkg/ArmVirt.dsc.inc | 1 +
> > EmulatorPkg/EmulatorPkg.dsc | 1 +
> > OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
> > OvmfPkg/OvmfPkgIa32.dsc | 1 +
> > OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> > OvmfPkg/OvmfPkgX64.dsc | 1 +
> > SecurityPkg/SecurityPkg.dsc | 4 +
> > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> | 47 +
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> | 79 ++
> >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> gDxe.inf | 2 +
> >
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> DefaultKeysDxe.inf | 45 +
> > SecurityPkg/Include/Library/SecureBootVariableLib.h |
> 251 +++++
> >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> gNvData.h | 2 +
> >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> g.vfr | 6 +
> > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> | 109 +++
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> | 980 ++++++++++++++++++++
> >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> gImpl.c | 343 ++++---
> >
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> DefaultKeysDxe.c | 68 ++
> > ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc |
> 70 ++
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> | 16 +
> >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> gStrings.uni | 4 +
> >
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> DefaultKeysDxe.uni | 16 +
> > 23 files changed, 1874 insertions(+), 188 deletions(-)
> > create mode 100644
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> DefaultKeysDxe.inf
> > create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> > create mode 100644
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> DefaultKeysDxe.c
> > create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> > create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> DefaultKeysDxe.uni
> >
>
>
>
>
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
2021-07-01 9:17 ` [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe Grzegorz Bernacki
2021-07-09 9:12 ` Sunny Wang
@ 2021-07-12 11:45 ` Yao, Jiewen
[not found] ` <1691088E46D0B29B.19753@groups.io>
2 siblings, 0 replies; 35+ messages in thread
From: Yao, Jiewen @ 2021-07-12 11:45 UTC (permalink / raw)
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer El-Haj-Mahmoud, Sunny Wang, mw@semihalf.com,
upstream@semihalf.com, Wang, Jian J, Xu, Min M, lersek@redhat.com,
Sami Mujawar, afish@apple.com, Ni, Ray, Justen, Jordan L,
rebecca@bsdio.com, grehan@freebsd.org, Thomas Abraham,
Chiu, Chasel, Desimone, Nathaniel L, gaoliming@byosoft.com.cn,
Dong, Eric, Kinney, Michael D, Sun, Zailiang, Qian, Yi,
graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie
Signed-off-by: Jiewen Yao <Jiewen.yao@intel.com>
> -----Original Message-----
> From: Grzegorz Bernacki <gjb@semihalf.com>
> Sent: Thursday, July 1, 2021 5:18 PM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud
> <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>;
> mw@semihalf.com; upstream@semihalf.com; Yao, Jiewen
> <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M
> <min.m.xu@intel.com>; lersek@redhat.com; Sami Mujawar
> <Sami.Mujawar@arm.com>; afish@apple.com; Ni, Ray <ray.ni@intel.com>;
> Justen, Jordan L <jordan.l.justen@intel.com>; rebecca@bsdio.com;
> grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; Chiu,
> Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Sun,
> Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki
> <gjb@semihalf.com>
> Subject: [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from
> SecureBootConfigDxe.
>
> This commit removes functions which were added
> to SecureBootVariableLib. It also adds dependecy
> on that library.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> e.inf | 1 +
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.c | 189 +-------------------
> 2 files changed, 2 insertions(+), 188 deletions(-)
>
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf
> index 573efa6379..30d9cd8025 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf
> @@ -54,6 +54,7 @@
> DevicePathLib
> FileExplorerLib
> PeCoffLib
> + SecureBootVariableLib
>
> [Guids]
> ## SOMETIMES_CONSUMES ## Variable:L"CustomMode"
> diff --git
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> mpl.c
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> mpl.c
> index e82bfe7757..67e5e594ed 100644
> ---
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> mpl.c
> +++
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> mpl.c
> @@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>
> #include "SecureBootConfigImpl.h"
> #include <Library/BaseCryptLib.h>
> +#include <Library/SecureBootVariableLib.h>
>
> CHAR16 mSecureBootStorageName[] =
> L"SECUREBOOT_CONFIGURATION";
>
> @@ -237,168 +238,6 @@ SaveSecureBootVariable (
> return Status;
> }
>
> -/**
> - Create a time based data payload by concatenating the
> EFI_VARIABLE_AUTHENTICATION_2
> - descriptor with the input data. NO authentication is required in this function.
> -
> - @param[in, out] DataSize On input, the size of Data buffer in bytes.
> - On output, the size of data returned in Data
> - buffer in bytes.
> - @param[in, out] Data On input, Pointer to data buffer to be wrapped or
> - pointer to NULL to wrap an empty payload.
> - On output, Pointer to the new payload date buffer allocated
> from pool,
> - it's caller's responsibility to free the memory when finish
> using it.
> -
> - @retval EFI_SUCCESS Create time based payload successfully.
> - @retval EFI_OUT_OF_RESOURCES There are not enough memory resources
> to create time based payload.
> - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> - @retval Others Unexpected error happens.
> -
> -**/
> -EFI_STATUS
> -CreateTimeBasedPayload (
> - IN OUT UINTN *DataSize,
> - IN OUT UINT8 **Data
> - )
> -{
> - EFI_STATUS Status;
> - UINT8 *NewData;
> - UINT8 *Payload;
> - UINTN PayloadSize;
> - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
> - UINTN DescriptorSize;
> - EFI_TIME Time;
> -
> - if (Data == NULL || DataSize == NULL) {
> - return EFI_INVALID_PARAMETER;
> - }
> -
> - //
> - // In Setup mode or Custom mode, the variable does not need to be signed but
> the
> - // parameters to the SetVariable() call still need to be prepared as
> authenticated
> - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor
> without certificate
> - // data in it.
> - //
> - Payload = *Data;
> - PayloadSize = *DataSize;
> -
> - DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)
> + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> - NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
> - if (NewData == NULL) {
> - return EFI_OUT_OF_RESOURCES;
> - }
> -
> - if ((Payload != NULL) && (PayloadSize != 0)) {
> - CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
> - }
> -
> - DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
> -
> - ZeroMem (&Time, sizeof (EFI_TIME));
> - Status = gRT->GetTime (&Time, NULL);
> - if (EFI_ERROR (Status)) {
> - FreePool(NewData);
> - return Status;
> - }
> - Time.Pad1 = 0;
> - Time.Nanosecond = 0;
> - Time.TimeZone = 0;
> - Time.Daylight = 0;
> - Time.Pad2 = 0;
> - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
> -
> - DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF
> (WIN_CERTIFICATE_UEFI_GUID, CertData);
> - DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
> - DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
> - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
> -
> - if (Payload != NULL) {
> - FreePool(Payload);
> - }
> -
> - *DataSize = DescriptorSize + PayloadSize;
> - *Data = NewData;
> - return EFI_SUCCESS;
> -}
> -
> -/**
> - Internal helper function to delete a Variable given its name and GUID, NO
> authentication
> - required.
> -
> - @param[in] VariableName Name of the Variable.
> - @param[in] VendorGuid GUID of the Variable.
> -
> - @retval EFI_SUCCESS Variable deleted successfully.
> - @retval Others The driver failed to start the device.
> -
> -**/
> -EFI_STATUS
> -DeleteVariable (
> - IN CHAR16 *VariableName,
> - IN EFI_GUID *VendorGuid
> - )
> -{
> - EFI_STATUS Status;
> - VOID* Variable;
> - UINT8 *Data;
> - UINTN DataSize;
> - UINT32 Attr;
> -
> - GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
> - if (Variable == NULL) {
> - return EFI_SUCCESS;
> - }
> - FreePool (Variable);
> -
> - Data = NULL;
> - DataSize = 0;
> - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS |
> EFI_VARIABLE_BOOTSERVICE_ACCESS
> - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> -
> - Status = CreateTimeBasedPayload (&DataSize, &Data);
> - if (EFI_ERROR (Status)) {
> - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
> - return Status;
> - }
> -
> - Status = gRT->SetVariable (
> - VariableName,
> - VendorGuid,
> - Attr,
> - DataSize,
> - Data
> - );
> - if (Data != NULL) {
> - FreePool (Data);
> - }
> - return Status;
> -}
> -
> -/**
> -
> - Set the platform secure boot mode into "Custom" or "Standard" mode.
> -
> - @param[in] SecureBootMode New secure boot mode:
> STANDARD_SECURE_BOOT_MODE or
> - CUSTOM_SECURE_BOOT_MODE.
> -
> - @return EFI_SUCCESS The platform has switched to the special mode
> successfully.
> - @return other Fail to operate the secure boot mode.
> -
> -**/
> -EFI_STATUS
> -SetSecureBootMode (
> - IN UINT8 SecureBootMode
> - )
> -{
> - return gRT->SetVariable (
> - EFI_CUSTOM_MODE_NAME,
> - &gEfiCustomModeEnableGuid,
> - EFI_VARIABLE_NON_VOLATILE |
> EFI_VARIABLE_BOOTSERVICE_ACCESS,
> - sizeof (UINT8),
> - &SecureBootMode
> - );
> -}
> -
> /**
> This code checks if the encode type and key strength of X.509
> certificate is qualified.
> @@ -646,32 +485,6 @@ ON_EXIT:
> return Status;
> }
>
> -/**
> - Remove the PK variable.
> -
> - @retval EFI_SUCCESS Delete PK successfully.
> - @retval Others Could not allow to delete PK.
> -
> -**/
> -EFI_STATUS
> -DeletePlatformKey (
> - VOID
> -)
> -{
> - EFI_STATUS Status;
> -
> - Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
> - if (EFI_ERROR (Status)) {
> - return Status;
> - }
> -
> - Status = DeleteVariable (
> - EFI_PLATFORM_KEY_NAME,
> - &gEfiGlobalVariableGuid
> - );
> - return Status;
> -}
> -
> /**
> Enroll a new KEK item from public key storing file (*.pbk).
>
> --
> 2.25.1
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
2021-07-09 20:03 ` Samer El-Haj-Mahmoud
@ 2021-07-12 12:02 ` Yao, Jiewen
2021-07-13 7:47 ` Grzegorz Bernacki
0 siblings, 1 reply; 35+ messages in thread
From: Yao, Jiewen @ 2021-07-12 12:02 UTC (permalink / raw)
To: Samer El-Haj-Mahmoud, devel@edk2.groups.io, spbrogan@outlook.com,
gjb@semihalf.com
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Sunny Wang,
mw@semihalf.com, upstream@semihalf.com, Wang, Jian J, Xu, Min M,
lersek@redhat.com, Sami Mujawar, afish@apple.com, Ni, Ray,
Justen, Jordan L, rebecca@bsdio.com, grehan@freebsd.org,
Thomas Abraham, Chiu, Chasel, Desimone, Nathaniel L,
gaoliming@byosoft.com.cn, Dong, Eric, Kinney, Michael D,
Sun, Zailiang, Qian, Yi, graeme@nuviainc.com, rad@semihalf.com,
pete@akeo.ie
I think Sean's feedback is a great idea to split the platform part from core part.
Even a simple split would be helpful. How about below:
1) SecureBootVariableLib: SetSecureBootMode(), GetSetupMode(), CreateTimeBasedPayload(), DeleteDb(), DeleteDbx(), DeleteDbt(), DeleteKEK(), DeletePlatformKey()
2) SecureBootVariableProvisionLib: EnrollDbFromDefault(), EnrollDbxFromDefault(), EnrollDbtFromDefault(), EnrollKEKFromDefault(), EnrollPKFromDefault(), SecureBootInitPKDefault(), SecureBootInitKEKDefault(), SecureBootInitdbDefault(), SecureBootInitdbtDefault(), SecureBootInitdbxDefault(),
Other minor feedback, the name of SecureBootInitdbDefault() should be SecureBootInitDbDefault() - capital D in Db.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
> Sent: Saturday, July 10, 2021 4:03 AM
> To: devel@edk2.groups.io; spbrogan@outlook.com; gjb@semihalf.com
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Sunny Wang
> <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; Yao,
> Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Xu, Min
> M <min.m.xu@intel.com>; lersek@redhat.com; Sami Mujawar
> <Sami.Mujawar@arm.com>; afish@apple.com; Ni, Ray <ray.ni@intel.com>;
> Justen, Jordan L <jordan.l.justen@intel.com>; rebecca@bsdio.com;
> grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; Chiu,
> Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Sun,
> Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Samer El-Haj-
> Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
> Subject: RE: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
>
> Sean,
>
> Thanks for the feedback. As you say, this is a design concern in SecurityPkg
> today, and the improvement you are suggesting is welcomed, especially for
> systems that rely on EDK2 (and lack a commercial FW solution). Considering that
> this patch series is at v5, and has accumulated enough reviews since RFC/v1 was
> sent to the list in April/May, is it possible to proceed with the current revision,
> and consider the feedback you suggested in future improvements to SecurityPkg?
>
> Thanks,
> --Samer
>
>
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sean via
> > groups.io
> > Sent: Friday, July 9, 2021 2:23 PM
> > To: devel@edk2.groups.io; gjb@semihalf.com
> > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud
> > <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang
> > <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com;
> > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com;
> > lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>;
> > afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com;
> > rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham
> > <thomas.abraham@arm.com>; chasel.chiu@intel.com;
> > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com;
> > pete@akeo.ie
> > Subject: Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
> >
> > Grzegorz,
> >
> > It is a little late to the party to provide broad feedback (given you
> > are on v5) but i'll do it anyway and if anything resonates maybe you can
> > make a few changes.
> >
> >
> > This patchset (for modules/libraries in SecurityPkg) does not resolve a
> > major issue within the SecurityPkg design today. Not that it has to,
> > but when creating new abstractions/APIs it would be ideal this problem.
> > The SecurityPkg modules and libraries today mix platform
> > policy/assumptions with generic data manipulation and specification
> > defined behavior.
> >
> > For example the new SecureBootVariableLib. This library contains
> > functions that load default keys from flash (platform), delete the SB
> > databases (platform policy), as well as helper functions for creating
> > variable auth payloads, sig lists, etc (spec defined data manipulation).
> > If this library was refactored into two libraries (a pure data
> > manipulation library and platform lib) it would significantly improve
> > the usefulness of this library (to me and i suspect many other consumers
> > of edk2).
> >
> > 1. Reduce the number of forks or instances other consumers would need.
> > Other consumers of edk2 could use the data manipulation lib without
> > taking on the burden of the platform config stuff that may or may not
> > apply to their platform. Other consumers might also then help maintain
> > this library because they would be using it in their platform.
> >
> > 2. A data manipulation library could be easily unit tested using the
> > host based unit test framework. This would provide significantly higher
> > confidence in code and changes and most likely reduce quality issues.
> >
> > 3. A platform lib would make clear the platform requirements for using
> > the modules and applications and allow platform maintainers to focus on
> > this API and dependencies.
> >
> > Anyway, given how long and tedious the edk2 contribution process is and
> > that you already have most of the SecurityPkg RBs I can understand if
> > this unwelcome feedback.
> >
> > Thanks
> > Sean
> >
> >
> >
> >
> > On 7/1/2021 2:17 AM, Grzegorz Bernacki wrote:
> > > This patchset adds support for initialization of default
> > > Secure Boot variables based on keys content embedded in
> > > flash binary. This feature is active only if Secure Boot
> > > is enabled and DEFAULT_KEY is defined. The patchset
> > > consist also application to enroll keys from default
> > > variables and secure boot menu change to allow user
> > > to reset key content to default values.
> > > Discussion on design can be found at:
> > > https://edk2.groups.io/g/rfc/topic/82139806#600
> > >
> > > Built with:
> > > GCC
> > > - RISC-V (U500, U540) [requires fixes in dsc to build]
> > > - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
> > > EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> > > - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
> > >
> > > RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be
> > built,
> > > will be post on edk2 maillist later
> > >
> > > VS2019
> > > - Intel (OvmfPkgX64)
> > >
> > > Test with:
> > > GCC5/RPi4
> > > VS2019/OvmfX64 (requires changes to enable feature)
> > >
> > > Tests:
> > > 1. Try to enroll key in incorrect format.
> > > 2. Enroll with only PKDefault keys specified.
> > > 3. Enroll with all keys specified.
> > > 4. Enroll when keys are enrolled.
> > > 5. Reset keys values.
> > > 6. Running signed & unsigned app after enrollment.
> > >
> > > Changes since v1:
> > > - change names:
> > > SecBootVariableLib => SecureBootVariableLib
> > > SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > > SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > > - change name of function CheckSetupMode to GetSetupMode
> > > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > > - rebase to master
> > >
> > > Changes since v2:
> > > - fix coding style for functions headers in SecureBootVariableLib.h
> > > - add header to SecureBootDefaultKeys.fdf.inc
> > > - remove empty line spaces in SecureBootDefaultKeysDxe files
> > > - revert FAIL macro in EnrollFromDefaultKeysApp
> > > - remove functions duplicates and add SecureBootVariableLib
> > > to platforms which used it
> > >
> > > Changes since v3:
> > > - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> > > - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> > > - fix typo in guid description
> > >
> > > Changes since v4:
> > > - reorder patches to make it bisectable
> > > - split commits related to more than one platform
> > > - move edk2-platform commits to separate patchset
> > >
> > > Grzegorz Bernacki (10):
> > > SecurityPkg: Create library for setting Secure Boot variables.
> > > ArmVirtPkg: add SecureBootVariableLib class resolution
> > > OvmfPkg: add SecureBootVariableLib class resolution
> > > EmulatorPkg: add SecureBootVariableLib class resolution
> > > SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
> > > ArmPlatformPkg: Create include file for default key content.
> > > SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > > SecurityPkg: Add EnrollFromDefaultKeys application.
> > > SecurityPkg: Add new modules to Security package.
> > > SecurityPkg: Add option to reset secure boot keys.
> > >
> > > SecurityPkg/SecurityPkg.dec | 14 +
> > > ArmVirtPkg/ArmVirt.dsc.inc | 1 +
> > > EmulatorPkg/EmulatorPkg.dsc | 1 +
> > > OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
> > > OvmfPkg/OvmfPkgIa32.dsc | 1 +
> > > OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> > > OvmfPkg/OvmfPkgX64.dsc | 1 +
> > > SecurityPkg/SecurityPkg.dsc | 4 +
> > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > | 47 +
> > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > | 79 ++
> > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > gDxe.inf | 2 +
> > >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > DefaultKeysDxe.inf | 45 +
> > > SecurityPkg/Include/Library/SecureBootVariableLib.h |
> > 251 +++++
> > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > gNvData.h | 2 +
> > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > g.vfr | 6 +
> > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > | 109 +++
> > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > | 980 ++++++++++++++++++++
> > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > gImpl.c | 343 ++++---
> > >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > DefaultKeysDxe.c | 68 ++
> > > ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc |
> > 70 ++
> > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > | 16 +
> > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > gStrings.uni | 4 +
> > >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > DefaultKeysDxe.uni | 16 +
> > > 23 files changed, 1874 insertions(+), 188 deletions(-)
> > > create mode 100644
> > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > create mode 100644
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > > create mode 100644
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > DefaultKeysDxe.inf
> > > create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> > > create mode 100644
> > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > create mode 100644
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > create mode 100644
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > DefaultKeysDxe.c
> > > create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> > > create mode 100644
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > > create mode 100644
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > DefaultKeysDxe.uni
> > >
> >
> >
> >
> >
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended recipient,
> please notify the sender immediately and do not disclose the contents to any
> other person, use it for any purpose, or store or copy the information in any
> medium. Thank you.
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [edk2-devel] [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
[not found] ` <1691088E46D0B29B.19753@groups.io>
@ 2021-07-12 14:01 ` Yao, Jiewen
0 siblings, 0 replies; 35+ messages in thread
From: Yao, Jiewen @ 2021-07-12 14:01 UTC (permalink / raw)
To: devel@edk2.groups.io, Yao, Jiewen, Grzegorz Bernacki
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer El-Haj-Mahmoud, Sunny Wang, mw@semihalf.com,
upstream@semihalf.com, Wang, Jian J, Xu, Min M, lersek@redhat.com,
Sami Mujawar, afish@apple.com, Ni, Ray, Justen, Jordan L,
rebecca@bsdio.com, grehan@freebsd.org, Thomas Abraham,
Chiu, Chasel, Desimone, Nathaniel L, gaoliming@byosoft.com.cn,
Dong, Eric, Kinney, Michael D, Sun, Zailiang, Qian, Yi,
graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie
Sorry. My mistake.
It should be Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
> Sent: Monday, July 12, 2021 7:46 PM
> To: Grzegorz Bernacki <gjb@semihalf.com>; devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud
> <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>;
> mw@semihalf.com; upstream@semihalf.com; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>;
> afish@apple.com; Ni, Ray <ray.ni@intel.com>; Justen, Jordan L
> <jordan.l.justen@intel.com>; rebecca@bsdio.com; grehan@freebsd.org;
> Thomas Abraham <thomas.abraham@arm.com>; Chiu, Chasel
> <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Sun,
> Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie
> Subject: Re: [edk2-devel] [PATCH v5 05/10] SecurityPkg: Remove duplicated
> functions from SecureBootConfigDxe.
>
> Signed-off-by: Jiewen Yao <Jiewen.yao@intel.com>
>
> > -----Original Message-----
> > From: Grzegorz Bernacki <gjb@semihalf.com>
> > Sent: Thursday, July 1, 2021 5:18 PM
> > To: devel@edk2.groups.io
> > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud
> > <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>;
> > mw@semihalf.com; upstream@semihalf.com; Yao, Jiewen
> > <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Xu, Min M
> > <min.m.xu@intel.com>; lersek@redhat.com; Sami Mujawar
> > <Sami.Mujawar@arm.com>; afish@apple.com; Ni, Ray <ray.ni@intel.com>;
> > Justen, Jordan L <jordan.l.justen@intel.com>; rebecca@bsdio.com;
> > grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; Chiu,
> > Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> > <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> > <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>;
> Sun,
> > Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> > graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki
> > <gjb@semihalf.com>
> > Subject: [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from
> > SecureBootConfigDxe.
> >
> > This commit removes functions which were added
> > to SecureBootVariableLib. It also adds dependecy
> > on that library.
> >
> > Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> > ---
> >
> >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> > e.inf | 1 +
> >
> >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> > pl.c | 189 +-------------------
> > 2 files changed, 2 insertions(+), 188 deletions(-)
> >
> > diff --git
> >
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > Dxe.inf
> >
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > Dxe.inf
> > index 573efa6379..30d9cd8025 100644
> > ---
> >
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > Dxe.inf
> > +++
> >
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > Dxe.inf
> > @@ -54,6 +54,7 @@
> > DevicePathLib
> > FileExplorerLib
> > PeCoffLib
> > + SecureBootVariableLib
> >
> > [Guids]
> > ## SOMETIMES_CONSUMES ## Variable:L"CustomMode"
> > diff --git
> >
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > mpl.c
> >
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > mpl.c
> > index e82bfe7757..67e5e594ed 100644
> > ---
> >
> a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > mpl.c
> > +++
> >
> b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > mpl.c
> > @@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > #include "SecureBootConfigImpl.h"
> > #include <Library/BaseCryptLib.h>
> > +#include <Library/SecureBootVariableLib.h>
> >
> > CHAR16 mSecureBootStorageName[] =
> > L"SECUREBOOT_CONFIGURATION";
> >
> > @@ -237,168 +238,6 @@ SaveSecureBootVariable (
> > return Status;
> > }
> >
> > -/**
> > - Create a time based data payload by concatenating the
> > EFI_VARIABLE_AUTHENTICATION_2
> > - descriptor with the input data. NO authentication is required in this function.
> > -
> > - @param[in, out] DataSize On input, the size of Data buffer in bytes.
> > - On output, the size of data returned in Data
> > - buffer in bytes.
> > - @param[in, out] Data On input, Pointer to data buffer to be wrapped
> or
> > - pointer to NULL to wrap an empty payload.
> > - On output, Pointer to the new payload date buffer
> allocated
> > from pool,
> > - it's caller's responsibility to free the memory when finish
> > using it.
> > -
> > - @retval EFI_SUCCESS Create time based payload successfully.
> > - @retval EFI_OUT_OF_RESOURCES There are not enough memory
> resources
> > to create time based payload.
> > - @retval EFI_INVALID_PARAMETER The parameter is invalid.
> > - @retval Others Unexpected error happens.
> > -
> > -**/
> > -EFI_STATUS
> > -CreateTimeBasedPayload (
> > - IN OUT UINTN *DataSize,
> > - IN OUT UINT8 **Data
> > - )
> > -{
> > - EFI_STATUS Status;
> > - UINT8 *NewData;
> > - UINT8 *Payload;
> > - UINTN PayloadSize;
> > - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
> > - UINTN DescriptorSize;
> > - EFI_TIME Time;
> > -
> > - if (Data == NULL || DataSize == NULL) {
> > - return EFI_INVALID_PARAMETER;
> > - }
> > -
> > - //
> > - // In Setup mode or Custom mode, the variable does not need to be signed
> but
> > the
> > - // parameters to the SetVariable() call still need to be prepared as
> > authenticated
> > - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor
> > without certificate
> > - // data in it.
> > - //
> > - Payload = *Data;
> > - PayloadSize = *DataSize;
> > -
> > - DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2,
> AuthInfo)
> > + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
> > - NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
> > - if (NewData == NULL) {
> > - return EFI_OUT_OF_RESOURCES;
> > - }
> > -
> > - if ((Payload != NULL) && (PayloadSize != 0)) {
> > - CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
> > - }
> > -
> > - DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
> > -
> > - ZeroMem (&Time, sizeof (EFI_TIME));
> > - Status = gRT->GetTime (&Time, NULL);
> > - if (EFI_ERROR (Status)) {
> > - FreePool(NewData);
> > - return Status;
> > - }
> > - Time.Pad1 = 0;
> > - Time.Nanosecond = 0;
> > - Time.TimeZone = 0;
> > - Time.Daylight = 0;
> > - Time.Pad2 = 0;
> > - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
> > -
> > - DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF
> > (WIN_CERTIFICATE_UEFI_GUID, CertData);
> > - DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
> > - DescriptorData->AuthInfo.Hdr.wCertificateType =
> WIN_CERT_TYPE_EFI_GUID;
> > - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
> > -
> > - if (Payload != NULL) {
> > - FreePool(Payload);
> > - }
> > -
> > - *DataSize = DescriptorSize + PayloadSize;
> > - *Data = NewData;
> > - return EFI_SUCCESS;
> > -}
> > -
> > -/**
> > - Internal helper function to delete a Variable given its name and GUID, NO
> > authentication
> > - required.
> > -
> > - @param[in] VariableName Name of the Variable.
> > - @param[in] VendorGuid GUID of the Variable.
> > -
> > - @retval EFI_SUCCESS Variable deleted successfully.
> > - @retval Others The driver failed to start the device.
> > -
> > -**/
> > -EFI_STATUS
> > -DeleteVariable (
> > - IN CHAR16 *VariableName,
> > - IN EFI_GUID *VendorGuid
> > - )
> > -{
> > - EFI_STATUS Status;
> > - VOID* Variable;
> > - UINT8 *Data;
> > - UINTN DataSize;
> > - UINT32 Attr;
> > -
> > - GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
> > - if (Variable == NULL) {
> > - return EFI_SUCCESS;
> > - }
> > - FreePool (Variable);
> > -
> > - Data = NULL;
> > - DataSize = 0;
> > - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
> |
> > EFI_VARIABLE_BOOTSERVICE_ACCESS
> > - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> > -
> > - Status = CreateTimeBasedPayload (&DataSize, &Data);
> > - if (EFI_ERROR (Status)) {
> > - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r",
> Status));
> > - return Status;
> > - }
> > -
> > - Status = gRT->SetVariable (
> > - VariableName,
> > - VendorGuid,
> > - Attr,
> > - DataSize,
> > - Data
> > - );
> > - if (Data != NULL) {
> > - FreePool (Data);
> > - }
> > - return Status;
> > -}
> > -
> > -/**
> > -
> > - Set the platform secure boot mode into "Custom" or "Standard" mode.
> > -
> > - @param[in] SecureBootMode New secure boot mode:
> > STANDARD_SECURE_BOOT_MODE or
> > - CUSTOM_SECURE_BOOT_MODE.
> > -
> > - @return EFI_SUCCESS The platform has switched to the special
> mode
> > successfully.
> > - @return other Fail to operate the secure boot mode.
> > -
> > -**/
> > -EFI_STATUS
> > -SetSecureBootMode (
> > - IN UINT8 SecureBootMode
> > - )
> > -{
> > - return gRT->SetVariable (
> > - EFI_CUSTOM_MODE_NAME,
> > - &gEfiCustomModeEnableGuid,
> > - EFI_VARIABLE_NON_VOLATILE |
> > EFI_VARIABLE_BOOTSERVICE_ACCESS,
> > - sizeof (UINT8),
> > - &SecureBootMode
> > - );
> > -}
> > -
> > /**
> > This code checks if the encode type and key strength of X.509
> > certificate is qualified.
> > @@ -646,32 +485,6 @@ ON_EXIT:
> > return Status;
> > }
> >
> > -/**
> > - Remove the PK variable.
> > -
> > - @retval EFI_SUCCESS Delete PK successfully.
> > - @retval Others Could not allow to delete PK.
> > -
> > -**/
> > -EFI_STATUS
> > -DeletePlatformKey (
> > - VOID
> > -)
> > -{
> > - EFI_STATUS Status;
> > -
> > - Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
> > - if (EFI_ERROR (Status)) {
> > - return Status;
> > - }
> > -
> > - Status = DeleteVariable (
> > - EFI_PLATFORM_KEY_NAME,
> > - &gEfiGlobalVariableGuid
> > - );
> > - return Status;
> > -}
> > -
> > /**
> > Enroll a new KEK item from public key storing file (*.pbk).
> >
> > --
> > 2.25.1
>
>
>
>
>
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
2021-07-12 12:02 ` Yao, Jiewen
@ 2021-07-13 7:47 ` Grzegorz Bernacki
2021-07-13 7:54 ` Yao, Jiewen
0 siblings, 1 reply; 35+ messages in thread
From: Grzegorz Bernacki @ 2021-07-13 7:47 UTC (permalink / raw)
To: Yao, Jiewen
Cc: Samer El-Haj-Mahmoud, devel@edk2.groups.io, spbrogan@outlook.com,
leif@nuviainc.com, ardb+tianocore@kernel.org, Sunny Wang,
mw@semihalf.com, upstream@semihalf.com, Wang, Jian J, Xu, Min M,
lersek@redhat.com, Sami Mujawar, afish@apple.com, Ni, Ray,
Justen, Jordan L, rebecca@bsdio.com, grehan@freebsd.org,
Thomas Abraham, Chiu, Chasel, Desimone, Nathaniel L,
gaoliming@byosoft.com.cn, Dong, Eric, Kinney, Michael D,
Sun, Zailiang, Qian, Yi, graeme@nuviainc.com, rad@semihalf.com,
pete@akeo.ie
Hi Jiewen,
I think it is a good idea to split it this way. Please let me prepare
next version of the patch.
thanks,
greg
pon., 12 lip 2021 o 14:02 Yao, Jiewen <jiewen.yao@intel.com> napisał(a):
>
> I think Sean's feedback is a great idea to split the platform part from core part.
>
> Even a simple split would be helpful. How about below:
> 1) SecureBootVariableLib: SetSecureBootMode(), GetSetupMode(), CreateTimeBasedPayload(), DeleteDb(), DeleteDbx(), DeleteDbt(), DeleteKEK(), DeletePlatformKey()
>
> 2) SecureBootVariableProvisionLib: EnrollDbFromDefault(), EnrollDbxFromDefault(), EnrollDbtFromDefault(), EnrollKEKFromDefault(), EnrollPKFromDefault(), SecureBootInitPKDefault(), SecureBootInitKEKDefault(), SecureBootInitdbDefault(), SecureBootInitdbtDefault(), SecureBootInitdbxDefault(),
>
> Other minor feedback, the name of SecureBootInitdbDefault() should be SecureBootInitDbDefault() - capital D in Db.
>
>
>
>
> Thank you
> Yao Jiewen
>
>
> > -----Original Message-----
> > From: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
> > Sent: Saturday, July 10, 2021 4:03 AM
> > To: devel@edk2.groups.io; spbrogan@outlook.com; gjb@semihalf.com
> > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Sunny Wang
> > <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; Yao,
> > Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Xu, Min
> > M <min.m.xu@intel.com>; lersek@redhat.com; Sami Mujawar
> > <Sami.Mujawar@arm.com>; afish@apple.com; Ni, Ray <ray.ni@intel.com>;
> > Justen, Jordan L <jordan.l.justen@intel.com>; rebecca@bsdio.com;
> > grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; Chiu,
> > Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> > <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> > <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Sun,
> > Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> > graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Samer El-Haj-
> > Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
> > Subject: RE: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
> >
> > Sean,
> >
> > Thanks for the feedback. As you say, this is a design concern in SecurityPkg
> > today, and the improvement you are suggesting is welcomed, especially for
> > systems that rely on EDK2 (and lack a commercial FW solution). Considering that
> > this patch series is at v5, and has accumulated enough reviews since RFC/v1 was
> > sent to the list in April/May, is it possible to proceed with the current revision,
> > and consider the feedback you suggested in future improvements to SecurityPkg?
> >
> > Thanks,
> > --Samer
> >
> >
> > > -----Original Message-----
> > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sean via
> > > groups.io
> > > Sent: Friday, July 9, 2021 2:23 PM
> > > To: devel@edk2.groups.io; gjb@semihalf.com
> > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud
> > > <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang
> > > <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com;
> > > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com;
> > > lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>;
> > > afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com;
> > > rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham
> > > <thomas.abraham@arm.com>; chasel.chiu@intel.com;
> > > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> > > eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com;
> > > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com;
> > > pete@akeo.ie
> > > Subject: Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
> > >
> > > Grzegorz,
> > >
> > > It is a little late to the party to provide broad feedback (given you
> > > are on v5) but i'll do it anyway and if anything resonates maybe you can
> > > make a few changes.
> > >
> > >
> > > This patchset (for modules/libraries in SecurityPkg) does not resolve a
> > > major issue within the SecurityPkg design today. Not that it has to,
> > > but when creating new abstractions/APIs it would be ideal this problem.
> > > The SecurityPkg modules and libraries today mix platform
> > > policy/assumptions with generic data manipulation and specification
> > > defined behavior.
> > >
> > > For example the new SecureBootVariableLib. This library contains
> > > functions that load default keys from flash (platform), delete the SB
> > > databases (platform policy), as well as helper functions for creating
> > > variable auth payloads, sig lists, etc (spec defined data manipulation).
> > > If this library was refactored into two libraries (a pure data
> > > manipulation library and platform lib) it would significantly improve
> > > the usefulness of this library (to me and i suspect many other consumers
> > > of edk2).
> > >
> > > 1. Reduce the number of forks or instances other consumers would need.
> > > Other consumers of edk2 could use the data manipulation lib without
> > > taking on the burden of the platform config stuff that may or may not
> > > apply to their platform. Other consumers might also then help maintain
> > > this library because they would be using it in their platform.
> > >
> > > 2. A data manipulation library could be easily unit tested using the
> > > host based unit test framework. This would provide significantly higher
> > > confidence in code and changes and most likely reduce quality issues.
> > >
> > > 3. A platform lib would make clear the platform requirements for using
> > > the modules and applications and allow platform maintainers to focus on
> > > this API and dependencies.
> > >
> > > Anyway, given how long and tedious the edk2 contribution process is and
> > > that you already have most of the SecurityPkg RBs I can understand if
> > > this unwelcome feedback.
> > >
> > > Thanks
> > > Sean
> > >
> > >
> > >
> > >
> > > On 7/1/2021 2:17 AM, Grzegorz Bernacki wrote:
> > > > This patchset adds support for initialization of default
> > > > Secure Boot variables based on keys content embedded in
> > > > flash binary. This feature is active only if Secure Boot
> > > > is enabled and DEFAULT_KEY is defined. The patchset
> > > > consist also application to enroll keys from default
> > > > variables and secure boot menu change to allow user
> > > > to reset key content to default values.
> > > > Discussion on design can be found at:
> > > > https://edk2.groups.io/g/rfc/topic/82139806#600
> > > >
> > > > Built with:
> > > > GCC
> > > > - RISC-V (U500, U540) [requires fixes in dsc to build]
> > > > - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
> > > > EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> > > > - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
> > > >
> > > > RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be
> > > built,
> > > > will be post on edk2 maillist later
> > > >
> > > > VS2019
> > > > - Intel (OvmfPkgX64)
> > > >
> > > > Test with:
> > > > GCC5/RPi4
> > > > VS2019/OvmfX64 (requires changes to enable feature)
> > > >
> > > > Tests:
> > > > 1. Try to enroll key in incorrect format.
> > > > 2. Enroll with only PKDefault keys specified.
> > > > 3. Enroll with all keys specified.
> > > > 4. Enroll when keys are enrolled.
> > > > 5. Reset keys values.
> > > > 6. Running signed & unsigned app after enrollment.
> > > >
> > > > Changes since v1:
> > > > - change names:
> > > > SecBootVariableLib => SecureBootVariableLib
> > > > SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > > > SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > > > - change name of function CheckSetupMode to GetSetupMode
> > > > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > > > - rebase to master
> > > >
> > > > Changes since v2:
> > > > - fix coding style for functions headers in SecureBootVariableLib.h
> > > > - add header to SecureBootDefaultKeys.fdf.inc
> > > > - remove empty line spaces in SecureBootDefaultKeysDxe files
> > > > - revert FAIL macro in EnrollFromDefaultKeysApp
> > > > - remove functions duplicates and add SecureBootVariableLib
> > > > to platforms which used it
> > > >
> > > > Changes since v3:
> > > > - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> > > > - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> > > > - fix typo in guid description
> > > >
> > > > Changes since v4:
> > > > - reorder patches to make it bisectable
> > > > - split commits related to more than one platform
> > > > - move edk2-platform commits to separate patchset
> > > >
> > > > Grzegorz Bernacki (10):
> > > > SecurityPkg: Create library for setting Secure Boot variables.
> > > > ArmVirtPkg: add SecureBootVariableLib class resolution
> > > > OvmfPkg: add SecureBootVariableLib class resolution
> > > > EmulatorPkg: add SecureBootVariableLib class resolution
> > > > SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
> > > > ArmPlatformPkg: Create include file for default key content.
> > > > SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > > > SecurityPkg: Add EnrollFromDefaultKeys application.
> > > > SecurityPkg: Add new modules to Security package.
> > > > SecurityPkg: Add option to reset secure boot keys.
> > > >
> > > > SecurityPkg/SecurityPkg.dec | 14 +
> > > > ArmVirtPkg/ArmVirt.dsc.inc | 1 +
> > > > EmulatorPkg/EmulatorPkg.dsc | 1 +
> > > > OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
> > > > OvmfPkg/OvmfPkgIa32.dsc | 1 +
> > > > OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> > > > OvmfPkg/OvmfPkgX64.dsc | 1 +
> > > > SecurityPkg/SecurityPkg.dsc | 4 +
> > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > | 47 +
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > > | 79 ++
> > > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > > gDxe.inf | 2 +
> > > >
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > > DefaultKeysDxe.inf | 45 +
> > > > SecurityPkg/Include/Library/SecureBootVariableLib.h |
> > > 251 +++++
> > > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > > gNvData.h | 2 +
> > > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > > g.vfr | 6 +
> > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > | 109 +++
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > | 980 ++++++++++++++++++++
> > > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > > gImpl.c | 343 ++++---
> > > >
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > > DefaultKeysDxe.c | 68 ++
> > > > ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc |
> > > 70 ++
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > > | 16 +
> > > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > > gStrings.uni | 4 +
> > > >
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > > DefaultKeysDxe.uni | 16 +
> > > > 23 files changed, 1874 insertions(+), 188 deletions(-)
> > > > create mode 100644
> > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > > create mode 100644
> > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > > > create mode 100644
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > > DefaultKeysDxe.inf
> > > > create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> > > > create mode 100644
> > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > > create mode 100644
> > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > > create mode 100644
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > > DefaultKeysDxe.c
> > > > create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> > > > create mode 100644
> > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > > > create mode 100644
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > > DefaultKeysDxe.uni
> > > >
> > >
> > >
> > >
> > >
> >
> > IMPORTANT NOTICE: The contents of this email and any attachments are
> > confidential and may also be privileged. If you are not the intended recipient,
> > please notify the sender immediately and do not disclose the contents to any
> > other person, use it for any purpose, or store or copy the information in any
> > medium. Thank you.
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
2021-07-13 7:47 ` Grzegorz Bernacki
@ 2021-07-13 7:54 ` Yao, Jiewen
0 siblings, 0 replies; 35+ messages in thread
From: Yao, Jiewen @ 2021-07-13 7:54 UTC (permalink / raw)
To: devel@edk2.groups.io, gjb@semihalf.com
Cc: Samer El-Haj-Mahmoud, spbrogan@outlook.com, leif@nuviainc.com,
ardb+tianocore@kernel.org, Sunny Wang, mw@semihalf.com,
upstream@semihalf.com, Wang, Jian J, Xu, Min M, lersek@redhat.com,
Sami Mujawar, afish@apple.com, Ni, Ray, Justen, Jordan L,
rebecca@bsdio.com, grehan@freebsd.org, Thomas Abraham,
Chiu, Chasel, Desimone, Nathaniel L, gaoliming@byosoft.com.cn,
Dong, Eric, Kinney, Michael D, Sun, Zailiang, Qian, Yi,
graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Yao, Jiewen
Appreciate your help on that.
Thank you
Yao Jiewen
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Grzegorz
> Bernacki
> Sent: Tuesday, July 13, 2021 3:48 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>
> Cc: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>;
> devel@edk2.groups.io; spbrogan@outlook.com; leif@nuviainc.com;
> ardb+tianocore@kernel.org; Sunny Wang <Sunny.Wang@arm.com>;
> mw@semihalf.com; upstream@semihalf.com; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>;
> afish@apple.com; Ni, Ray <ray.ni@intel.com>; Justen, Jordan L
> <jordan.l.justen@intel.com>; rebecca@bsdio.com; grehan@freebsd.org;
> Thomas Abraham <thomas.abraham@arm.com>; Chiu, Chasel
> <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Sun,
> Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie
> Subject: Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
>
> Hi Jiewen,
>
> I think it is a good idea to split it this way. Please let me prepare
> next version of the patch.
> thanks,
> greg
>
> pon., 12 lip 2021 o 14:02 Yao, Jiewen <jiewen.yao@intel.com> napisał(a):
> >
> > I think Sean's feedback is a great idea to split the platform part from core part.
> >
> > Even a simple split would be helpful. How about below:
> > 1) SecureBootVariableLib: SetSecureBootMode(), GetSetupMode(),
> CreateTimeBasedPayload(), DeleteDb(), DeleteDbx(), DeleteDbt(), DeleteKEK(),
> DeletePlatformKey()
> >
> > 2) SecureBootVariableProvisionLib: EnrollDbFromDefault(),
> EnrollDbxFromDefault(), EnrollDbtFromDefault(), EnrollKEKFromDefault(),
> EnrollPKFromDefault(), SecureBootInitPKDefault(), SecureBootInitKEKDefault(),
> SecureBootInitdbDefault(), SecureBootInitdbtDefault(),
> SecureBootInitdbxDefault(),
> >
> > Other minor feedback, the name of SecureBootInitdbDefault() should be
> SecureBootInitDbDefault() - capital D in Db.
> >
> >
> >
> >
> > Thank you
> > Yao Jiewen
> >
> >
> > > -----Original Message-----
> > > From: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
> > > Sent: Saturday, July 10, 2021 4:03 AM
> > > To: devel@edk2.groups.io; spbrogan@outlook.com; gjb@semihalf.com
> > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Sunny Wang
> > > <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com;
> Yao,
> > > Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Xu,
> Min
> > > M <min.m.xu@intel.com>; lersek@redhat.com; Sami Mujawar
> > > <Sami.Mujawar@arm.com>; afish@apple.com; Ni, Ray <ray.ni@intel.com>;
> > > Justen, Jordan L <jordan.l.justen@intel.com>; rebecca@bsdio.com;
> > > grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; Chiu,
> > > Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> > > <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> > > <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>;
> Sun,
> > > Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> > > graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Samer El-Haj-
> > > Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
> > > Subject: RE: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
> > >
> > > Sean,
> > >
> > > Thanks for the feedback. As you say, this is a design concern in SecurityPkg
> > > today, and the improvement you are suggesting is welcomed, especially for
> > > systems that rely on EDK2 (and lack a commercial FW solution). Considering
> that
> > > this patch series is at v5, and has accumulated enough reviews since RFC/v1
> was
> > > sent to the list in April/May, is it possible to proceed with the current revision,
> > > and consider the feedback you suggested in future improvements to
> SecurityPkg?
> > >
> > > Thanks,
> > > --Samer
> > >
> > >
> > > > -----Original Message-----
> > > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Sean
> via
> > > > groups.io
> > > > Sent: Friday, July 9, 2021 2:23 PM
> > > > To: devel@edk2.groups.io; gjb@semihalf.com
> > > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-
> Mahmoud
> > > > <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang
> > > > <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com;
> > > > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com;
> > > > lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>;
> > > > afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com;
> > > > rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham
> > > > <thomas.abraham@arm.com>; chasel.chiu@intel.com;
> > > > nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn;
> > > > eric.dong@intel.com; michael.d.kinney@intel.com;
> zailiang.sun@intel.com;
> > > > yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com;
> > > > pete@akeo.ie
> > > > Subject: Re: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys
> > > >
> > > > Grzegorz,
> > > >
> > > > It is a little late to the party to provide broad feedback (given you
> > > > are on v5) but i'll do it anyway and if anything resonates maybe you can
> > > > make a few changes.
> > > >
> > > >
> > > > This patchset (for modules/libraries in SecurityPkg) does not resolve a
> > > > major issue within the SecurityPkg design today. Not that it has to,
> > > > but when creating new abstractions/APIs it would be ideal this problem.
> > > > The SecurityPkg modules and libraries today mix platform
> > > > policy/assumptions with generic data manipulation and specification
> > > > defined behavior.
> > > >
> > > > For example the new SecureBootVariableLib. This library contains
> > > > functions that load default keys from flash (platform), delete the SB
> > > > databases (platform policy), as well as helper functions for creating
> > > > variable auth payloads, sig lists, etc (spec defined data manipulation).
> > > > If this library was refactored into two libraries (a pure data
> > > > manipulation library and platform lib) it would significantly improve
> > > > the usefulness of this library (to me and i suspect many other consumers
> > > > of edk2).
> > > >
> > > > 1. Reduce the number of forks or instances other consumers would need.
> > > > Other consumers of edk2 could use the data manipulation lib without
> > > > taking on the burden of the platform config stuff that may or may not
> > > > apply to their platform. Other consumers might also then help maintain
> > > > this library because they would be using it in their platform.
> > > >
> > > > 2. A data manipulation library could be easily unit tested using the
> > > > host based unit test framework. This would provide significantly higher
> > > > confidence in code and changes and most likely reduce quality issues.
> > > >
> > > > 3. A platform lib would make clear the platform requirements for using
> > > > the modules and applications and allow platform maintainers to focus on
> > > > this API and dependencies.
> > > >
> > > > Anyway, given how long and tedious the edk2 contribution process is and
> > > > that you already have most of the SecurityPkg RBs I can understand if
> > > > this unwelcome feedback.
> > > >
> > > > Thanks
> > > > Sean
> > > >
> > > >
> > > >
> > > >
> > > > On 7/1/2021 2:17 AM, Grzegorz Bernacki wrote:
> > > > > This patchset adds support for initialization of default
> > > > > Secure Boot variables based on keys content embedded in
> > > > > flash binary. This feature is active only if Secure Boot
> > > > > is enabled and DEFAULT_KEY is defined. The patchset
> > > > > consist also application to enroll keys from default
> > > > > variables and secure boot menu change to allow user
> > > > > to reset key content to default values.
> > > > > Discussion on design can be found at:
> > > > > https://edk2.groups.io/g/rfc/topic/82139806#600
> > > > >
> > > > > Built with:
> > > > > GCC
> > > > > - RISC-V (U500, U540) [requires fixes in dsc to build]
> > > > > - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
> > > > > EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> > > > > - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
> > > > >
> > > > > RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be
> > > > built,
> > > > > will be post on edk2 maillist later
> > > > >
> > > > > VS2019
> > > > > - Intel (OvmfPkgX64)
> > > > >
> > > > > Test with:
> > > > > GCC5/RPi4
> > > > > VS2019/OvmfX64 (requires changes to enable feature)
> > > > >
> > > > > Tests:
> > > > > 1. Try to enroll key in incorrect format.
> > > > > 2. Enroll with only PKDefault keys specified.
> > > > > 3. Enroll with all keys specified.
> > > > > 4. Enroll when keys are enrolled.
> > > > > 5. Reset keys values.
> > > > > 6. Running signed & unsigned app after enrollment.
> > > > >
> > > > > Changes since v1:
> > > > > - change names:
> > > > > SecBootVariableLib => SecureBootVariableLib
> > > > > SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > > > > SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > > > > - change name of function CheckSetupMode to GetSetupMode
> > > > > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > > > > - rebase to master
> > > > >
> > > > > Changes since v2:
> > > > > - fix coding style for functions headers in SecureBootVariableLib.h
> > > > > - add header to SecureBootDefaultKeys.fdf.inc
> > > > > - remove empty line spaces in SecureBootDefaultKeysDxe files
> > > > > - revert FAIL macro in EnrollFromDefaultKeysApp
> > > > > - remove functions duplicates and add SecureBootVariableLib
> > > > > to platforms which used it
> > > > >
> > > > > Changes since v3:
> > > > > - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> > > > > - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> > > > > - fix typo in guid description
> > > > >
> > > > > Changes since v4:
> > > > > - reorder patches to make it bisectable
> > > > > - split commits related to more than one platform
> > > > > - move edk2-platform commits to separate patchset
> > > > >
> > > > > Grzegorz Bernacki (10):
> > > > > SecurityPkg: Create library for setting Secure Boot variables.
> > > > > ArmVirtPkg: add SecureBootVariableLib class resolution
> > > > > OvmfPkg: add SecureBootVariableLib class resolution
> > > > > EmulatorPkg: add SecureBootVariableLib class resolution
> > > > > SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
> > > > > ArmPlatformPkg: Create include file for default key content.
> > > > > SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > > > > SecurityPkg: Add EnrollFromDefaultKeys application.
> > > > > SecurityPkg: Add new modules to Security package.
> > > > > SecurityPkg: Add option to reset secure boot keys.
> > > > >
> > > > > SecurityPkg/SecurityPkg.dec | 14 +
> > > > > ArmVirtPkg/ArmVirt.dsc.inc | 1 +
> > > > > EmulatorPkg/EmulatorPkg.dsc | 1 +
> > > > > OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
> > > > > OvmfPkg/OvmfPkgIa32.dsc | 1 +
> > > > > OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> > > > > OvmfPkg/OvmfPkgX64.dsc | 1 +
> > > > > SecurityPkg/SecurityPkg.dsc | 4 +
> > > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > > | 47 +
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > > > | 79 ++
> > > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > > > gDxe.inf | 2 +
> > > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > > > DefaultKeysDxe.inf | 45 +
> > > > > SecurityPkg/Include/Library/SecureBootVariableLib.h
> |
> > > > 251 +++++
> > > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > > > gNvData.h | 2 +
> > > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > > > g.vfr | 6 +
> > > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > > | 109 +++
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > > | 980 ++++++++++++++++++++
> > > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > > > gImpl.c | 343 ++++---
> > > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > > > DefaultKeysDxe.c | 68 ++
> > > > > ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> |
> > > > 70 ++
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > > > | 16 +
> > > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi
> > > > gStrings.uni | 4 +
> > > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > > > DefaultKeysDxe.uni | 16 +
> > > > > 23 files changed, 1874 insertions(+), 188 deletions(-)
> > > > > create mode 100644
> > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > > > create mode 100644
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > > > > create mode 100644
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > > > DefaultKeysDxe.inf
> > > > > create mode 100644
> SecurityPkg/Include/Library/SecureBootVariableLib.h
> > > > > create mode 100644
> > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > > > create mode 100644
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > > > create mode 100644
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > > > DefaultKeysDxe.c
> > > > > create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> > > > > create mode 100644
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > > > > create mode 100644
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot
> > > > DefaultKeysDxe.uni
> > > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > > IMPORTANT NOTICE: The contents of this email and any attachments are
> > > confidential and may also be privileged. If you are not the intended recipient,
> > > please notify the sender immediately and do not disclose the contents to any
> > > other person, use it for any purpose, or store or copy the information in any
> > > medium. Thank you.
>
>
>
>
^ permalink raw reply [flat|nested] 35+ messages in thread
end of thread, other threads:[~2021-07-13 7:54 UTC | newest]
Thread overview: 35+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-07-01 9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
2021-07-01 9:17 ` [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
2021-07-06 11:55 ` Yao, Jiewen
2021-07-09 9:29 ` Sunny Wang
2021-07-01 9:17 ` [PATCH v5 02/10] ArmVirtPkg: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-07-01 10:39 ` Laszlo Ersek
2021-07-09 9:32 ` Sunny Wang
2021-07-01 9:17 ` [PATCH v5 03/10] OvmfPkg: " Grzegorz Bernacki
2021-07-01 10:39 ` Laszlo Ersek
2021-07-09 9:37 ` Sunny Wang
2021-07-01 9:17 ` [PATCH v5 04/10] EmulatorPkg: " Grzegorz Bernacki
2021-07-09 9:10 ` Sunny Wang
2021-07-01 9:17 ` [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe Grzegorz Bernacki
2021-07-09 9:12 ` Sunny Wang
2021-07-12 11:45 ` Yao, Jiewen
[not found] ` <1691088E46D0B29B.19753@groups.io>
2021-07-12 14:01 ` [edk2-devel] " Yao, Jiewen
2021-07-01 9:17 ` [PATCH v5 06/10] ArmPlatformPkg: Create include file for default key content Grzegorz Bernacki
2021-07-09 9:20 ` Sunny Wang
2021-07-01 9:17 ` [PATCH v5 07/10] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
2021-07-06 11:53 ` Yao, Jiewen
2021-07-01 9:17 ` [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-07-06 11:53 ` Yao, Jiewen
2021-07-09 9:37 ` Sunny Wang
2021-07-01 9:17 ` [PATCH v5 09/10] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-07-06 11:57 ` Yao, Jiewen
2021-07-01 9:17 ` [PATCH v5 10/10] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-07-06 11:53 ` Yao, Jiewen
2021-07-07 1:17 ` 回复: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys gaoliming
2021-07-07 7:36 ` Grzegorz Bernacki
2021-07-09 10:17 ` Sunny Wang
2021-07-09 18:22 ` [edk2-devel] " Sean
2021-07-09 20:03 ` Samer El-Haj-Mahmoud
2021-07-12 12:02 ` Yao, Jiewen
2021-07-13 7:47 ` Grzegorz Bernacki
2021-07-13 7:54 ` Yao, Jiewen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox