public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Sunny Wang" <Sunny.Wang@arm.com>
To: Grzegorz Bernacki <gjb@semihalf.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>,
	"leif@nuviainc.com" <leif@nuviainc.com>,
	"ardb+tianocore@kernel.org" <ardb+tianocore@kernel.org>,
	"ray.ni@intel.com" <ray.ni@intel.com>,
	"jiewen.yao@intel.com" <jiewen.yao@intel.com>
Cc: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>,
	"mw@semihalf.com" <mw@semihalf.com>,
	"upstream@semihalf.com" <upstream@semihalf.com>,
	"jian.j.wang@intel.com" <jian.j.wang@intel.com>,
	"min.m.xu@intel.com" <min.m.xu@intel.com>,
	"lersek@redhat.com" <lersek@redhat.com>,
	Sami Mujawar <Sami.Mujawar@arm.com>,
	"afish@apple.com" <afish@apple.com>,
	"jordan.l.justen@intel.com" <jordan.l.justen@intel.com>,
	"rebecca@bsdio.com" <rebecca@bsdio.com>,
	"grehan@freebsd.org" <grehan@freebsd.org>,
	Thomas Abraham <thomas.abraham@arm.com>,
	"chasel.chiu@intel.com" <chasel.chiu@intel.com>,
	"nathaniel.l.desimone@intel.com" <nathaniel.l.desimone@intel.com>,
	"gaoliming@byosoft.com.cn" <gaoliming@byosoft.com.cn>,
	"eric.dong@intel.com" <eric.dong@intel.com>,
	"michael.d.kinney@intel.com" <michael.d.kinney@intel.com>,
	"zailiang.sun@intel.com" <zailiang.sun@intel.com>,
	"yi.qian@intel.com" <yi.qian@intel.com>,
	"graeme@nuviainc.com" <graeme@nuviainc.com>,
	"rad@semihalf.com" <rad@semihalf.com>,
	"pete@akeo.ie" <pete@akeo.ie>, Sunny Wang <Sunny.Wang@arm.com>
Subject: Re: [PATCH v5 00/10] Secure Boot default keys
Date: Fri, 9 Jul 2021 10:17:09 +0000	[thread overview]
Message-ID: <DB8PR08MB399375469EA67E65649E641085189@DB8PR08MB3993.eurprd08.prod.outlook.com> (raw)
In-Reply-To: <20210701091758.1057485-1-gjb@semihalf.com>

Reviewed whole series.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>

We still need matintainers to review the patches below:
[PATCH v5 03/10] OvmfPkg: add SecureBootVariableLib class resolution
[PATCH v5 04/10] EmulatorPkg: add SecureBootVariableLib class resolution
[PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
[PATCH v5 06/10] ArmPlatformPkg: Create include file for default key content.

Thanks,
Sunny Wang

-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Thursday, July 1, 2021 5:18 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Sami Mujawar <Sami.Mujawar@arm.com>; afish@apple.com; ray.ni@intel.com; jordan.l.justen@intel.com; rebecca@bsdio.com; grehan@freebsd.org; Thomas Abraham <thomas.abraham@arm.com>; chasel.chiu@intel.com; nathaniel.l.desimone@intel.com; gaoliming@byosoft.com.cn; eric.dong@intel.com; michael.d.kinney@intel.com; zailiang.sun@intel.com; yi.qian@intel.com; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v5 00/10] Secure Boot default keys

This patchset adds support for initialization of default
Secure Boot variables based on keys content embedded in
flash binary. This feature is active only if Secure Boot
is enabled and DEFAULT_KEY is defined. The patchset
consist also application to enroll keys from default
variables and secure boot menu change to allow user
to reset key content to default values.
Discussion on design can be found at:
https://edk2.groups.io/g/rfc/topic/82139806#600

Built with:
GCC
- RISC-V (U500, U540) [requires fixes in dsc to build]
- Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
  EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
- ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)

RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be built,
will be post on edk2 maillist later

VS2019
- Intel (OvmfPkgX64)

Test with:
GCC5/RPi4
VS2019/OvmfX64 (requires changes to enable feature)

Tests:
1. Try to enroll key in incorrect format.
2. Enroll with only PKDefault keys specified.
3. Enroll with all keys specified.
4. Enroll when keys are enrolled.
5. Reset keys values.
6. Running signed & unsigned app after enrollment.

Changes since v1:
- change names:
  SecBootVariableLib => SecureBootVariableLib
  SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
  SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
- change name of function CheckSetupMode to GetSetupMode
- remove ShellPkg dependecy from EnrollFromDefaultKeysApp
- rebase to master

Changes since v2:
- fix coding style for functions headers in SecureBootVariableLib.h
- add header to SecureBootDefaultKeys.fdf.inc
- remove empty line spaces in SecureBootDefaultKeysDxe files
- revert FAIL macro in EnrollFromDefaultKeysApp
- remove functions duplicates and  add SecureBootVariableLib
  to platforms which used it

Changes since v3:
- move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
- leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
- fix typo in guid description

Changes since v4:
- reorder patches to make it bisectable
- split commits related to more than one platform
- move edk2-platform commits to separate patchset

Grzegorz Bernacki (10):
  SecurityPkg: Create library for setting Secure Boot variables.
  ArmVirtPkg: add SecureBootVariableLib class resolution
  OvmfPkg: add SecureBootVariableLib class resolution
  EmulatorPkg: add SecureBootVariableLib class resolution
  SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
  ArmPlatformPkg: Create include file for default key content.
  SecurityPkg: Add SecureBootDefaultKeysDxe driver
  SecurityPkg: Add EnrollFromDefaultKeys application.
  SecurityPkg: Add new modules to Security package.
  SecurityPkg: Add option to reset secure boot keys.

 SecurityPkg/SecurityPkg.dec                                                             |  14 +
 ArmVirtPkg/ArmVirt.dsc.inc                                                              |   1 +
 EmulatorPkg/EmulatorPkg.dsc                                                             |   1 +
 OvmfPkg/Bhyve/BhyveX64.dsc                                                              |   1 +
 OvmfPkg/OvmfPkgIa32.dsc                                                                 |   1 +
 OvmfPkg/OvmfPkgIa32X64.dsc                                                              |   1 +
 OvmfPkg/OvmfPkgX64.dsc                                                                  |   1 +
 SecurityPkg/SecurityPkg.dsc                                                             |   4 +
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                       |  47 +
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                     |  79 ++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf           |   2 +
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf |  45 +
 SecurityPkg/Include/Library/SecureBootVariableLib.h                                     | 251 +++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h          |   2 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr              |   6 +
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                         | 109 +++
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                       | 980 ++++++++++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c            | 343 ++++---
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   |  68 ++
 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc                                            |  70 ++
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                     |  16 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni       |   4 +
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni |  16 +
 23 files changed, 1874 insertions(+), 188 deletions(-)
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
 create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni

--
2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

  parent reply	other threads:[~2021-07-09 10:17 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-01  9:17 [PATCH v5 00/10] Secure Boot default keys Grzegorz Bernacki
2021-07-01  9:17 ` [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
2021-07-06 11:55   ` Yao, Jiewen
2021-07-09  9:29   ` Sunny Wang
2021-07-01  9:17 ` [PATCH v5 02/10] ArmVirtPkg: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-07-01 10:39   ` Laszlo Ersek
2021-07-09  9:32   ` Sunny Wang
2021-07-01  9:17 ` [PATCH v5 03/10] OvmfPkg: " Grzegorz Bernacki
2021-07-01 10:39   ` Laszlo Ersek
2021-07-09  9:37   ` Sunny Wang
2021-07-01  9:17 ` [PATCH v5 04/10] EmulatorPkg: " Grzegorz Bernacki
2021-07-09  9:10   ` Sunny Wang
2021-07-01  9:17 ` [PATCH v5 05/10] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe Grzegorz Bernacki
2021-07-09  9:12   ` Sunny Wang
2021-07-12 11:45   ` Yao, Jiewen
     [not found]   ` <1691088E46D0B29B.19753@groups.io>
2021-07-12 14:01     ` [edk2-devel] " Yao, Jiewen
2021-07-01  9:17 ` [PATCH v5 06/10] ArmPlatformPkg: Create include file for default key content Grzegorz Bernacki
2021-07-09  9:20   ` Sunny Wang
2021-07-01  9:17 ` [PATCH v5 07/10] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
2021-07-06 11:53   ` Yao, Jiewen
2021-07-01  9:17 ` [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-07-06 11:53   ` Yao, Jiewen
2021-07-09  9:37   ` Sunny Wang
2021-07-01  9:17 ` [PATCH v5 09/10] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-07-06 11:57   ` Yao, Jiewen
2021-07-01  9:17 ` [PATCH v5 10/10] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-07-06 11:53   ` Yao, Jiewen
2021-07-07  1:17 ` 回复: [edk2-devel] [PATCH v5 00/10] Secure Boot default keys gaoliming
2021-07-07  7:36   ` Grzegorz Bernacki
2021-07-09 10:17 ` Sunny Wang [this message]
2021-07-09 18:22 ` Sean
2021-07-09 20:03   ` Samer El-Haj-Mahmoud
2021-07-12 12:02     ` Yao, Jiewen
2021-07-13  7:47       ` Grzegorz Bernacki
2021-07-13  7:54         ` Yao, Jiewen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DB8PR08MB399375469EA67E65649E641085189@DB8PR08MB3993.eurprd08.prod.outlook.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox