Re: [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application.

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Sunny Wang" <Sunny.Wang@arm.com>
To: Grzegorz Bernacki <gjb@semihalf.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "leif@nuviainc.com" <leif@nuviainc.com>,
	"ardb+tianocore@kernel.org" <ardb+tianocore@kernel.org>,
	Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>,
	"mw@semihalf.com" <mw@semihalf.com>,
	"upstream@semihalf.com" <upstream@semihalf.com>,
	"jiewen.yao@intel.com" <jiewen.yao@intel.com>,
	"jian.j.wang@intel.com" <jian.j.wang@intel.com>,
	"min.m.xu@intel.com" <min.m.xu@intel.com>,
	"lersek@redhat.com" <lersek@redhat.com>,
	Sami Mujawar <Sami.Mujawar@arm.com>,
	"afish@apple.com" <afish@apple.com>,
	"ray.ni@intel.com" <ray.ni@intel.com>,
	"jordan.l.justen@intel.com" <jordan.l.justen@intel.com>,
	"rebecca@bsdio.com" <rebecca@bsdio.com>,
	"grehan@freebsd.org" <grehan@freebsd.org>,
	Thomas Abraham <thomas.abraham@arm.com>,
	"chasel.chiu@intel.com" <chasel.chiu@intel.com>,
	"nathaniel.l.desimone@intel.com" <nathaniel.l.desimone@intel.com>,
	"gaoliming@byosoft.com.cn" <gaoliming@byosoft.com.cn>,
	"eric.dong@intel.com" <eric.dong@intel.com>,
	"michael.d.kinney@intel.com" <michael.d.kinney@intel.com>,
	"zailiang.sun@intel.com" <zailiang.sun@intel.com>,
	"yi.qian@intel.com" <yi.qian@intel.com>,
	"graeme@nuviainc.com" <graeme@nuviainc.com>,
	"rad@semihalf.com" <rad@semihalf.com>,
	"pete@akeo.ie" <pete@akeo.ie>, Sunny Wang <Sunny.Wang@arm.com>
Subject: Re: [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application.
Date: Fri, 9 Jul 2021 09:37:47 +0000	[thread overview]
Message-ID: <DB8PR08MB39936E167D5998BF7A1F59EA85189@DB8PR08MB3993.eurprd08.prod.outlook.com> (raw)
In-Reply-To: <20210701091758.1057485-9-gjb@semihalf.com>

Looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>

-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Thursday, July 1, 2021 5:18 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>; afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application.

This application allows user to force key enrollment from
Secure Boot default variables.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf |  47 +++++++++
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c   | 109 ++++++++++++++++++++
 2 files changed, 156 insertions(+)
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c

diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
new file mode 100644
index 0000000000..4d79ca3844
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
@@ -0,0 +1,47 @@
+## @file
+#  Enroll PK, KEK, db, dbx from Default variables
+#
+#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+  INF_VERSION                    = 1.28
+  BASE_NAME                      = EnrollFromDefaultKeysApp
+  FILE_GUID                      = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
+  MODULE_TYPE                    = UEFI_APPLICATION
+  VERSION_STRING                 = 0.1
+  ENTRY_POINT                    = UefiMain
+
+[Sources]
+  EnrollFromDefaultKeysApp.c
+
+[Packages]
+  MdeModulePkg/MdeModulePkg.dec
+  MdePkg/MdePkg.dec
+  SecurityPkg/SecurityPkg.dec
+
+[Guids]
+  gEfiCertPkcs7Guid
+  gEfiCertSha256Guid
+  gEfiCertX509Guid
+  gEfiCustomModeEnableGuid
+  gEfiGlobalVariableGuid
+  gEfiImageSecurityDatabaseGuid
+  gEfiSecureBootEnableDisableGuid
+
+[Protocols]
+  gEfiSmbiosProtocolGuid ## CONSUMES
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  DebugLib
+  MemoryAllocationLib
+  PrintLib
+  UefiApplicationEntryPoint
+  UefiBootServicesTableLib
+  UefiLib
+  UefiRuntimeServicesTableLib
+  SecureBootVariableLib
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
new file mode 100644
index 0000000000..3407c1c4b9
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
@@ -0,0 +1,109 @@
+/** @file
+  Enroll default PK, KEK, db, dbx.
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseLib.h>                     // GUID_STRING_LENGTH
+#include <Library/BaseMemoryLib.h>               // CopyGuid()
+#include <Library/DebugLib.h>                    // ASSERT()
+#include <Library/MemoryAllocationLib.h>         // FreePool()
+#include <Library/PrintLib.h>                    // AsciiSPrint()
+#include <Library/UefiBootServicesTableLib.h>    // gBS
+#include <Library/UefiLib.h>                     // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+#include <Uefi/UefiMultiPhase.h>
+#include <Library/SecureBootVariableLib.h>
+
+/**
+  Entry point function of this shell application.
+**/
+EFI_STATUS
+EFIAPI
+UefiMain (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  EFI_STATUS Status;
+  UINT8      SetupMode;
+
+  Status = GetSetupMode (&SetupMode);
+  if (EFI_ERROR (Status)) {
+    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: %r\n", Status);
+    return 1;
+  }
+
+  if (SetupMode == USER_MODE) {
+    AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n");
+    return 1;
+  }
+
+  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
+    return 1;
+  }
+
+  Status = EnrollDbFromDefault ();
+  if (EFI_ERROR (Status)) {
+    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status);
+    goto error;
+  }
+
+  Status = EnrollDbxFromDefault ();
+  if (EFI_ERROR (Status)) {
+    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Status);
+  }
+
+  Status = EnrollDbtFromDefault ();
+  if (EFI_ERROR (Status)) {
+    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Status);
+  }
+
+  Status = EnrollKEKFromDefault ();
+  if (EFI_ERROR (Status)) {
+    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Status);
+    goto cleardbs;
+  }
+
+  Status = EnrollPKFromDefault ();
+  if (EFI_ERROR (Status)) {
+    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status);
+    goto clearKEK;
+  }
+
+  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    AsciiPrint (
+      "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+      "Please do it manually, otherwise system can be easily compromised\n"
+      );
+  }
+  return 0;
+
+clearKEK:
+  DeleteKEK ();
+
+cleardbs:
+  DeleteDbt ();
+  DeleteDbx ();
+  DeleteDb ();
+
+error:
+  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+  if (EFI_ERROR (Status)) {
+    AsciiPrint (
+      "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+      "Please do it manually, otherwise system can be easily compromised\n"
+      );
+  }
+
+  return 1;
+}
--
2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

next prev parent reply	other threads:[~2021-07-09  9:38 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-01  9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
2021-07-01  9:17 ` [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
2021-07-06 11:55   ` Yao, Jiewen
2021-07-09  9:29   ` Sunny Wang
2021-07-01  9:17 ` [PATCH v5 02/10] ArmVirtPkg: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-07-01 10:39   ` Laszlo Ersek
2021-07-09  9:32   ` Sunny Wang
2021-07-01  9:17 ` [PATCH v5 03/10] OvmfPkg: " Grzegorz Bernacki
2021-07-01 10:39   ` Laszlo Ersek
2021-07-09  9:37   ` Sunny Wang
2021-07-01  9:17 ` [PATCH v5 04/10] EmulatorPkg: " Grzegorz Bernacki
2021-07-09  9:10   ` Sunny Wang
2021-07-01  9:17 ` [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe Grzegorz Bernacki
2021-07-09  9:12   ` Sunny Wang
2021-07-12 11:45   ` Yao, Jiewen
     [not found]   ` <1691088E46D0B29B.19753@groups.io>
2021-07-12 14:01     ` [edk2-devel] " Yao, Jiewen
2021-07-01  9:17 ` [PATCH v5 06/10] ArmPlatformPkg: Create include file for default key content Grzegorz Bernacki
2021-07-09  9:20   ` Sunny Wang
2021-07-01  9:17 ` [PATCH v5 07/10] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
2021-07-06 11:53   ` Yao, Jiewen
2021-07-01  9:17 ` [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-07-06 11:53   ` Yao, Jiewen
2021-07-09  9:37   ` Sunny Wang [this message]
2021-07-01  9:17 ` [PATCH v5 09/10] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-07-06 11:57   ` Yao, Jiewen
2021-07-01  9:17 ` [PATCH v5 10/10] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-07-06 11:53   ` Yao, Jiewen
2021-07-07  1:17 ` 回复: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys gaoliming
2021-07-07  7:36   ` Grzegorz Bernacki
2021-07-09 10:17 ` Sunny Wang
2021-07-09 18:22 ` [edk2-devel] " Sean
2021-07-09 20:03   ` Samer El-Haj-Mahmoud
2021-07-12 12:02     ` Yao, Jiewen
2021-07-13  7:47       ` Grzegorz Bernacki
2021-07-13  7:54         ` Yao, Jiewen

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:4d79ca384 dfblob:3407c1c4b )
 OR (
bs:"SecurityPkg: Add EnrollFromDefaultKeys application." )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DB8PR08MB39936E167D5998BF7A1F59EA85189@DB8PR08MB3993.eurprd08.prod.outlook.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox