From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from EUR03-DB5-obe.outbound.protection.outlook.com (EUR03-DB5-obe.outbound.protection.outlook.com [40.107.4.83]) by mx.groups.io with SMTP id smtpd.web10.5603.1622795426293700641 for ; Fri, 04 Jun 2021 01:30:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@armh.onmicrosoft.com header.s=selector2-armh-onmicrosoft-com header.b=MBm6LY1U; spf=pass (domain: arm.com, ip: 40.107.4.83, mailfrom: sunny.wang@arm.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=97KdL72++l2Bu4eF8Ku9HFC/Mb/ApuC5theZEi2M/Js=; b=MBm6LY1UZmdF2dLg4SNGx8ad0TP5ukN5/HwbW1Fv9kBX8BfSZ1fei/Qy0HcMG48BkTQ61qf0ankgxZ5eamop+V6SUhgH2azOVpWGq3KbKwARl7Vqj53FvxjlgJYEMz1zqLYoxnIL4XV8/sB+T2S8PA+ggNAlOmCHbXFSWiiIxg8= Received: from AM6PR08CA0039.eurprd08.prod.outlook.com (2603:10a6:20b:c0::27) by HE1PR0801MB1660.eurprd08.prod.outlook.com (2603:10a6:3:89::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4173.21; Fri, 4 Jun 2021 08:30:22 +0000 Received: from VE1EUR03FT043.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:c0:cafe::36) by AM6PR08CA0039.outlook.office365.com (2603:10a6:20b:c0::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4195.22 via Frontend Transport; Fri, 4 Jun 2021 08:30:21 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; edk2.groups.io; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;edk2.groups.io; dmarc=pass action=none header.from=arm.com; Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com; Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT043.mail.protection.outlook.com (10.152.19.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4195.21 via Frontend Transport; Fri, 4 Jun 2021 08:30:21 +0000 Received: ("Tessian outbound 836922dda4f1:v93"); Fri, 04 Jun 2021 08:30:20 +0000 X-CR-MTA-TID: 64aa7808 Received: from a245144d3aef.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 96334623-6DCE-4305-8EAE-07FB39DE7834.1; Fri, 04 Jun 2021 08:30:14 +0000 Received: from EUR05-DB8-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id a245144d3aef.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Fri, 04 Jun 2021 08:30:14 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aUfmyJEIFjw+iMRb1FYn16gNswIW9K3+oy0jubybxKwN9885YR5COOQNeowUtAo5FQg5IXyWQK7mt8IpNO7MVINHQ5tOEeZP2rfrt1UOV3PTOCIIwtNN0hS/RTI7W0KKrzdaeo5FyrJ5qHGmaAxyETVqITDpCo7XYfPsDtLSc5k9By/cFnoMEHbnMxnisb78WdyZk4RaClxrSfcoI8iQwt+YTrL42QujbV5ZWQrDs4Xe4ngMSvlzuh/Fii9Ehk3FZV4VfcTyy4ooKwlLD32gLeO4kQnhy0XyCrVPDRph5CqSqTcHfGmryNfFtTnNNml8+3s4rC38pJFwTpWdeL4hfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=97KdL72++l2Bu4eF8Ku9HFC/Mb/ApuC5theZEi2M/Js=; b=VlZPmMUjPfcRnw5VTUEobYmjdqDN39S6hqXENWzaawleAVPtM1EeP/LxjFWuIAXCHGH1uA3RDabuWoVOm9ayQ7IQaZyq8zJLVlkj0lMybgchPYntnxmusPfTIbE6i8CQFjZMRM5VWqME6ShQb7AiNhj0TxPOhkJDzGLgsi47TrSHPovKqYoyMelEv+kc+xhvAKH9RCOxtR/7QqWXqpl025pXOcbqzhYD12KIuU4SYlmFKecdY/IBx7JHZqZAlBNJEWMlSFx9c5cTj7p81zwyG6DYX9p32Bc7eKzDHRDvlWjKIUVc6sVv4WkcU4/oVY7iyJz4yFxECfPT53WhTPeuVw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=97KdL72++l2Bu4eF8Ku9HFC/Mb/ApuC5theZEi2M/Js=; b=MBm6LY1UZmdF2dLg4SNGx8ad0TP5ukN5/HwbW1Fv9kBX8BfSZ1fei/Qy0HcMG48BkTQ61qf0ankgxZ5eamop+V6SUhgH2azOVpWGq3KbKwARl7Vqj53FvxjlgJYEMz1zqLYoxnIL4XV8/sB+T2S8PA+ggNAlOmCHbXFSWiiIxg8= Received: from DB8PR08MB3993.eurprd08.prod.outlook.com (2603:10a6:10:ad::26) by DB9PR08MB6763.eurprd08.prod.outlook.com (2603:10a6:10:2af::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4195.20; Fri, 4 Jun 2021 08:30:13 +0000 Received: from DB8PR08MB3993.eurprd08.prod.outlook.com ([fe80::9154:9191:b8a3:388c]) by DB8PR08MB3993.eurprd08.prod.outlook.com ([fe80::9154:9191:b8a3:388c%7]) with mapi id 15.20.4195.024; Fri, 4 Jun 2021 08:30:13 +0000 From: "Sunny Wang" To: Grzegorz Bernacki , "devel@edk2.groups.io" CC: "leif@nuviainc.com" , "ardb+tianocore@kernel.org" , Samer El-Haj-Mahmoud , "mw@semihalf.com" , "upstream@semihalf.com" , "jiewen.yao@intel.com" , "jian.j.wang@intel.com" , "min.m.xu@intel.com" , "lersek@redhat.com" , Sunny Wang Subject: Re: [PATCH v2 6/6] SecurityPkg: Add option to reset secure boot keys. Thread-Topic: [PATCH v2 6/6] SecurityPkg: Add option to reset secure boot keys. Thread-Index: AQHXVufeF1vjDGEfpEihoM+ANeHBOKsDiQVA Date: Fri, 4 Jun 2021 08:30:13 +0000 Message-ID: References: <20210601131229.630611-1-gjb@semihalf.com> <20210601131229.630611-8-gjb@semihalf.com> In-Reply-To: <20210601131229.630611-8-gjb@semihalf.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ts-tracking-id: A02DA926F8671041A81099088CE92A22.0 x-checkrecipientchecked: true Authentication-Results-Original: semihalf.com; dkim=none (message not signed) header.d=none;semihalf.com; dmarc=none action=none header.from=arm.com; x-originating-ip: [36.226.217.156] x-ms-publictraffictype: Email X-MS-Office365-Filtering-Correlation-Id: c548a582-34ab-4bae-9106-08d92732fdfe x-ms-traffictypediagnostic: DB9PR08MB6763:|HE1PR0801MB1660: x-ms-exchange-transport-forked: True X-Microsoft-Antispam-PRVS: x-checkrecipientrouted: true nodisclaimer: true x-ms-oob-tlc-oobclassifiers: OLM:33;OLM:2150; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam-Untrusted: BCL:0; X-Microsoft-Antispam-Message-Info-Original: gbZIIuuuIOM/S73G6Juin79w/LOWOySP7kG94mA9X3N7blrcok8L3wf0F7xltf+gdoCmvtdNMaIKW0WnYcNsnu84lelEPwgHkJqoieIgjuKEwoSoX6naZCYasVk+1nz44STEnPKogDUQ/UwOZd+5cICHnScFPp4m+af8sCWhpVJ5tikZ7xCxRvmwtjYclmoKc4bamo6qsdn18Fc8OMFkr1JDr4g95dtGwNcJYqknmO/l68mGspEBmQ6HQD6CAxGpPa1KRMTUQe+aYNKCN6K2BORPL70rLrqEgXp0xPgrRqNEVd5oCeYEdVuVZysSrFGzxeR5VPwqYshfKr6qtn5fdoER+TbMPPtZk58Mg8R1Ue2+nlqzpvL7H4BqID9Qcm61nAJiENKG/zxjTB6LV/o3y//UeJyDp3xyDPNyUUX4zdjwINawZmSvlZbvUlIsLxJbYjuiSiLs+iUuoCqTwRTh9Gn6t/4Y1NtVFNLD3AD7QbRd08TUa7fjUZU8gUxn7rsAKuDCUsLc3Z7cKC8dpM1j1yFz1vz02nYaByOXiDTArkphhENT++0oB5lEmwo+ktDTV+8iezl1m0XwXwgFY6wCMZPtkGOxqiIOhSID4LM6AQI= X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DB8PR08MB3993.eurprd08.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(346002)(376002)(39860400002)(396003)(366004)(136003)(54906003)(2906002)(110136005)(53546011)(52536014)(66446008)(66556008)(66476007)(6506007)(64756008)(9686003)(55016002)(7696005)(5660300002)(76116006)(66946007)(478600001)(86362001)(8676002)(7416002)(15650500001)(8936002)(33656002)(316002)(4326008)(38100700002)(83380400001)(71200400001)(26005)(122000001)(186003);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata: =?us-ascii?Q?c2xl8sN4HAL5Kf3EpDdqxhAaUJNHY6qMeTGt1IbSVDsgCoITRqffhy2pmWwd?= =?us-ascii?Q?kZvG0RWZFwhMYkOGaTJ2WgZoAQm5QAAkbmp9oDRJJhAjdFnQ950u+DFpowbE?= =?us-ascii?Q?lVOAV0NCM6NITy7bRNVQVtF1lH6OxRlbXMi9GR87BFifehTXQ+cR46FksPrw?= =?us-ascii?Q?pa2rNlO4Gq2J/AecFEkUVFjqX+pK+9BgGtYR+0j+yyu95U6V8O1//+GDsygx?= =?us-ascii?Q?//sPT4zIURsgnzMMaIdKwZMyfuJG4k5kz0jobO8i+mQ1hNEJ1x1tKOEkN/yP?= =?us-ascii?Q?ar1SmSyq3auFq8Bs9tBKzH0vfH+1VkfScXMzOLn+YXStx5ZzapM2l8vaNDRf?= =?us-ascii?Q?pp8c/tONIe/Of0qbgKB1EINB2ONOmaVf1vk3Nem1GX2GzYA+yibdC+ULn/Se?= =?us-ascii?Q?H7DcKDhPYz49YPL+54BYzHTZZCh+tErUQAO6tpk8jiIoqOu9z3cFh4RvjWnu?= =?us-ascii?Q?PExgqbVw7Oc8z9qmvZKOf3KbLUEgPiXZzdA7j6NdcCFABDBqlQTOTQ3vQ8dg?= =?us-ascii?Q?DsXB4n0/blHmvkpKdoNLpswf+Lq4axvkBVqwxxnK9v7i3kon7X/nbyef8Tpy?= =?us-ascii?Q?B+llIw6UJtrMb8BI2A1G6s6DSprJxDY4SQAjRR6AWnNF/xHxhEIgHhHjW+1u?= =?us-ascii?Q?2LYeUUHkJ975cR5C2dA6bMY80aCk6OJc4LxxJw9Lie1r0dopbHkZRtRmAddd?= =?us-ascii?Q?nOE+pefGxSPdP+9PBu2RkmBi0subQmF69/KKhQC9rZ084P5VJ+2cOehjLUKJ?= =?us-ascii?Q?VDyViRW2es7EHuSQmtlJeFbYEZrmTd17w6lBb3i2ArWpmOSbBixgWcm6rB0B?= =?us-ascii?Q?9ueIz+a8EpPqzNBIVl2RQ0uuWoxwC0oi/7nYqfVmgNPwkdozj3Usmp0jWR/Q?= =?us-ascii?Q?lvs69dWxBn091Fmb70x3dI1h8vgA9wwedJjeiK5Ua5v5Qr9dGixJBfrT/gX+?= =?us-ascii?Q?cRpvl3S+ibmw1hbNk/ksVVJvEPCgQCOm11wmfi3RxR9IyRNblyGLC0XLOJBi?= =?us-ascii?Q?ov5OTjxPsvd2L6uoBKGXtbTq7rhAI+LL/Jp9CT3vNS9n3v51r3WEydAQesK4?= =?us-ascii?Q?9aC56GtRfUP/BxKognNfjmamSM256a6K4S1CDeU9Vi4+Z44L5h8Q4NumfGiD?= =?us-ascii?Q?ap3UTi13KJlUJvlFQjW1xis2AvU9QBu745kWAtMt3E+4U8Y2vyVoiRYGtU5U?= =?us-ascii?Q?HL+4Zv4LHHwtXopoipVnvpDq/65HnJ3NsnhlOYQl59WhUZ1jnDwUYqFA72L0?= =?us-ascii?Q?U6iR35HzMgaupmUa1Xvqt7Nl2Vec1EmD4/M3BaIYWFzg4I7BXCMFTkAw+kAN?= =?us-ascii?Q?0onYxVsEgsEGDPV0MxO2SJNU?= MIME-Version: 1.0 X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR08MB6763 Original-Authentication-Results: semihalf.com; dkim=none (message not signed) header.d=none;semihalf.com; dmarc=none action=none header.from=arm.com; Return-Path: Sunny.Wang@arm.com X-EOPAttributedMessage: 0 X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT043.eop-EUR03.prod.protection.outlook.com X-MS-Office365-Filtering-Correlation-Id-Prvs: a9adde65-f01e-4679-1041-08d92732f940 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: sObBxVa7OMMMzF9SXfDCyZbZcYCQaUm12JR74QxsmQwWLj6OxN+KHcVF4kj68fol50jkC83kSX5SoTXO7R/aUNAGb1G2GPlDvVBjuTKAVjFbQO2fLzjVqIAYPl2L+q+VqCHmD8VK96EL53ngFlX/wFa4upVsDzuLV19soZrniyrhlrAQduFh4RlZT7ubPRhvXOXkgpyWtHm0xG3Odoa6nLrTfBt9wiZHam9yAQStSyuE12TbP3tyIM/E07ceqL9GO0MbP1/NVtIE7v0YHRmmT4h3Hek0Say9rWcx0blhqcbJtA3l41C1Wy8fxrdpDyaKOVkQcZbvyPz9i2nXWiyyci1Y/rpLYI8Zf/u0Z7z5zKWOkjzBAVRNfBUreFUpNPbKIlPy1nuy94VZxKnTWRp7GpF71EVzyMz4d5EbOayuFI4U/ipGliQpleeUPsdib+mgii/tDEkWThB1P7c2EmhbuWlrMcIAbvt9lbR/YwlhEBS8NtruitX7NI5Nae26snmsU5j/eYCuUlx2E3DUSMhYGs3HV+IryiXBUx2jj/nvtHrn4Ep3eN45QK+BLCvw0jcwh+zWi+3vWQwfXv1nnDvyjJBPuG0PfTwzfv5zwfNunePkAO8VzFc/tnhkUo5iLxOselIWfVri9UT6rCn+vX1d+/5/pkMZUNpH6QRZRPnAcUI= X-Forefront-Antispam-Report: CIP:63.35.35.123;CTRY:IE;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:64aa7808-outbound-1.mta.getcheckrecipient.com;PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com;CAT:NONE;SFS:(4636009)(39860400002)(136003)(376002)(346002)(396003)(46966006)(36840700001)(478600001)(54906003)(2906002)(356005)(81166007)(70586007)(26005)(36860700001)(8936002)(83380400001)(55016002)(8676002)(336012)(70206006)(86362001)(52536014)(316002)(186003)(53546011)(4326008)(9686003)(5660300002)(82310400003)(6506007)(47076005)(15650500001)(110136005)(82740400003)(33656002)(7696005);DIR:OUT;SFP:1101; X-OriginatorOrg: arm.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Jun 2021 08:30:21.1093 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: c548a582-34ab-4bae-9106-08d92732fdfe X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d;Ip=[63.35.35.123];Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com] X-MS-Exchange-CrossTenant-AuthSource: VE1EUR03FT043.eop-EUR03.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0801MB1660 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Internally reviewed this patch before sending the edk2 mailing list and Gre= g already addressed all my comments, so It looks good to me. Reviewed-by: Sunny Wang -----Original Message----- From: Grzegorz Bernacki Sent: Tuesday, June 1, 2021 9:12 PM To: devel@edk2.groups.io Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud ; Sunny Wang ; mw@semihalf.co= m; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.= m.xu@intel.com; lersek@redhat.com; Grzegorz Bernacki Subject: [PATCH v2 6/6] SecurityPkg: Add option to reset secure boot keys. This commit add option which allows reset content of Secure Boot keys and databases to default variables. Signed-off-by: Grzegorz Bernacki --- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.= inf | 1 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvDa= ta.h | 2 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr= | 6 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl= .c | 154 ++++++++++++++++++++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStri= ngs.uni | 4 + 5 files changed, 167 insertions(+) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 30d9cd8025..bd8d256dde 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf @@ -109,6 +109,7 @@ [Protocols] gEfiHiiConfigAccessProtocolGuid ## PRODUCES gEfiDevicePathProtocolGuid ## PRODUCES + gEfiHiiPopupProtocolGuid [Depex] gEfiHiiConfigRoutingProtocolGuid AND diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Se= cureBootConfigNvData.h index 6e54a4b0f2..4ecc25efc3 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h @@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #define KEY_VALUE_FROM_DBX_TO_LIST_FORM 0x100f +#define KEY_SECURE_BOOT_RESET_TO_DEFAULT 0x1010 + #define KEY_SECURE_BOOT_OPTION 0x1100 #define KEY_SECURE_BOOT_PK_OPTION 0x1101 #define KEY_SECURE_BOOT_KEK_OPTION 0x1102 diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secure= BootConfig.vfr index fa7e11848c..e4560c592c 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr @@ -69,6 +69,12 @@ formset endif; endif; + text + help =3D STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP), + text =3D STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS), + flags =3D INTERACTIVE, + key =3D KEY_SECURE_BOOT_RESET_TO_DEFAULT; + endform; // diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index 67e5e594ed..47f281873b 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include "SecureBootConfigImpl.h" +#include #include #include @@ -4154,6 +4155,132 @@ ON_EXIT: return Status; } +/** + This function reinitializes Secure Boot variables with default values. + + @retval EFI_SUCCESS Success to update the signature list pag= e + @retval others Fail to delete or enroll signature data. +**/ + +STATIC EFI_STATUS +EFIAPI +KeyEnrollReset ( + VOID + ) +{ + EFI_STATUS Status; + UINT8 SetupMode; + + Status =3D EFI_SUCCESS; + + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR(Status)) { + return Status; + } + + // Clear all the keys and databases + Status =3D DeleteDb (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status)); + return Status; + } + + Status =3D DeleteDbx (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status)); + return Status; + } + + Status =3D DeleteDbt (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status)); + return Status; + } + + Status =3D DeleteKEK (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status)); + return Status; + } + + Status =3D DeletePlatformKey (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status)); + return Status; + } + + // After PK clear, Setup Mode shall be enabled + Status =3D GetSetupMode (&SetupMode); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n", + Status)); + return Status; + } + + if (SetupMode =3D=3D USER_MODE) { + DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n")); + return EFI_SUCCESS; + } + + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", + Status)); + return EFI_SUCCESS; + } + + // Enroll all the keys from default variables + Status =3D EnrollDbFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status)); + goto error; + } + + Status =3D EnrollDbxFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status)); + } + + Status =3D EnrollDbtFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status)); + } + + Status =3D EnrollKEKFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status)); + goto cleardbs; + } + + Status =3D EnrollPKFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status)); + goto clearKEK; + } + + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MO= DE\n" + "Please do it manually, otherwise system can be easily compromised\n= ")); + } + + return Status; + +clearKEK: + DeleteKEK (); + +cleardbs: + DeleteDbt (); + DeleteDbx (); + DeleteDb (); + +error: + if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) !=3D EFI_SUCCESS) { + DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status)); + } + return Status; +} + /** This function is called to provide results data to the driver. @@ -4205,6 +4332,8 @@ SecureBootCallback ( SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; BOOLEAN GetBrowserDataResult; ENROLL_KEY_ERROR EnrollKeyErrorCode; + EFI_HII_POPUP_PROTOCOL *HiiPopup; + EFI_HII_POPUP_SELECTION UserSelection; Status =3D EFI_SUCCESS; SecureBootEnable =3D NULL; @@ -4755,6 +4884,31 @@ SecureBootCallback ( FreePool (SetupMode); } break; + case KEY_SECURE_BOOT_RESET_TO_DEFAULT: + { + Status =3D gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VO= ID **) &HiiPopup); + if (EFI_ERROR (Status)) { + return Status; + } + Status =3D HiiPopup->CreatePopup ( + HiiPopup, + EfiHiiPopupStyleInfo, + EfiHiiPopupTypeYesNo, + Private->HiiHandle, + STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP), + &UserSelection + ); + if (UserSelection =3D=3D EfiHiiPopupSelectionYes) { + Status =3D KeyEnrollReset (); + } + // + // Update secure boot strings after key reset + // + if (Status =3D=3D EFI_SUCCESS) { + Status =3D UpdateSecureBootString (Private); + SecureBootExtractConfigFromVariable (Private, IfrNvData); + } + } default: break; } diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe= /SecureBootConfigStrings.uni index ac783453cc..0d01701de7 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni @@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure= Boot" #string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable= the Secure Boot feature after platform reset" +#string STR_SECURE_RESET_TO_DEFAULTS_HELP #language en-US "Enroll keys wi= th data from default variables" +#string STR_SECURE_RESET_TO_DEFAULTS #language en-US "Reset Secure B= oot Keys" +#string STR_RESET_TO_DEFAULTS_POPUP #language en-US "Secure Boot Ke= ys & databases will be initialized from defaults.\n Are you sure?" + #string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signatu= re" #string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signatu= re" #string STR_SECURE_BOOT_DELETE_LIST_FORM #language en-US "Delete Signatu= re List Form" -- 2.25.1 IMPORTANT NOTICE: The contents of this email and any attachments are confid= ential and may also be privileged. If you are not the intended recipient, p= lease notify the sender immediately and do not disclose the contents to any= other person, use it for any purpose, or store or copy the information in = any medium. Thank you.