From: "Wadhawan, Divneil R" <divneil.r.wadhawan@intel.com>
To: devel@edk2.groups.io; "Wadhawan, Divneil R"; "Ni, Ray"
Cc: gaoliming; 'Andrew Fish'; "Justen, Jordan L"; "Kinney, Michael D"; "Wadhawan, Divneil R"
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
Date: Fri, 18 Sep 2020 19:41:11 +0000
In-Reply-To: <1635DEE2A50DFCCF.13985@groups.io>

Hi Ray,

 

I saw that a patch merged a few hours ago, before my patch, added RngLib in the [LibraryClasses] section of OpensslLib.

This caused the EmulatorPkg Secure Boot enabled build to fail.

I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942

 

Regards,

Divneil

 

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Hi Ray,

 

Thanks for your help.

I see the patch is merged now. :)

 

Regards,

Divneil

 

From: Ni, Ray <ray.ni@intel.com>
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Divneil,

pull request is created: https://github.com/tianocore/edk2/pull/941

 

If it succeeds, the patch will be merged automatically.

If it fails, please check the specific failure message and provide an updated patch.

 

Thanks,

Ray

 

From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Reviewed-by: Ray Ni <ray.ni@intel.com>

 

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Hi Ray,

 

Yes, I have tested the following:

1. SECURE_BOOT_ENABLE=true
   * Key Enrollment (PK, KEK, db) via custom mode
   * Execution of unit test shell application (signed one works okay, unsigned gives an Access Denied)

2. SECURE_BOOT_ENABLE=false (default case)
   * Secure Boot Configuration menu is not visible (same as existing default case)
   * Execution of Unit Test Application (signed/unsigned both work okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or two.

The script generates the full key hierarchy that makes it easy to test this patch.

The patch in BZ requires modifications as per Mike's comment, so you can skip the patches in BZ for now.

 

Regards,

Divneil

 

From: Ni, Ray <ray.ni@intel.com>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Divneil,

Just want to double confirm: did you test the secure boot and non-secure boot?

 

Thanks,

Ray

 

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io
Cc: Ni, Ray <ray.ni@intel.com>; gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.

The following gets enabled with this patch:

o Secure Boot Menu in "Device Manager" for enrolling keys

o Storage space for Authenticated Variables

o Authenticated execution of 3rd party images

 

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>

---

EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--

EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++

2 files changed, 49 insertions(+), 2 deletions(-)

 

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/Emulator= Pkg/EmulatorPkg.dsc

index 86a6271735..c6e25c745e 100644

--- a/EmulatorPkg/EmulatorPkg.dsc

+++ b/EmulatorPkg/EmulatorPkg.dsc

@@ -32,6 +32,7 @@

   DEFINE NETWORK_TLS_ENABLE  &= nbsp;    =3D FALSE

   DEFINE NETWORK_HTTP_BOOT_ENABLE =3D FA= LSE

   DEFINE NETWORK_ISCSI_ENABLE  = ;   =3D FALSE

+  DEFINE SECURE_BOOT_ENABLE   =     =3D FALSE

 

 [SkuIds]

   0|DEFAULT
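Review bot: The new `DEFINE SECURE_BOOT_ENABLE = FALSE` line has no comment, yet unlike the neighbouring NETWORK_* flags it changes which implementations get linked (AuthVariableLib, DxeImageVerificationLib, the OpenSSL-backed BaseCryptLib) and how the variable store in the .fdf is formatted. A one-line comment above the DEFINE saying that TRUE pulls in the SecurityPkg/CryptoPkg implementations and reformats the NV store, while FALSE keeps the existing Null libraries, would help anyone reading only this section. Defaulting to FALSE so the existing build is unchanged is the right choice.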

@@ -106,12 +107,20 @@

   LockBoxLib|MdeModulePkg/Library/LockBo= xNullLib/LockBoxNullLib.inf

   CpuExceptionHandlerLib|MdeModulePkg/Li= brary/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf<= /p>

   TpmMeasurementLib|MdeModulePkg/Library= /TpmMeasurementLibNull/TpmMeasurementLibNull.inf

-  AuthVariableLib|MdeModulePkg/Library/AuthVa= riableLibNull/AuthVariableLibNull.inf

   VarCheckLib|MdeModulePkg/Library/VarCh= eckLib/VarCheckLib.inf

   SortLib|MdeModulePkg/Library/BaseSortL= ib/BaseSortLib.inf

   ShellLib|ShellPkg/Library/UefiShellLib= /UefiShellLib.inf

   FileHandleLib|MdePkg/Library/UefiFileH= andleLib/UefiFileHandleLib.inf

 

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib= /IntrinsicLib.inf

+  OpensslLib|CryptoPkg/Library/OpensslLib/Ope= nsslLibCrypto.inf

+  PlatformSecureLib|SecurityPkg/Library/Platf= ormSecureLibNull/PlatformSecureLibNull.inf

+  AuthVariableLib|SecurityPkg/Library/AuthVar= iableLib/AuthVariableLib.inf

+!else

+  AuthVariableLib|MdeModulePkg/Library/AuthVa= riableLibNull/AuthVariableLibNull.inf

+!endif

+

[LibraryClasses.common.SEC]

   PeiServicesLib|EmulatorPkg/Library/Sec= PeiServicesLib/SecPeiServicesLib.inf

   PcdLib|MdePkg/Library/BasePcdLibNull/B= asePcdLibNull.inf
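Review bot: The `!if $(SECURE_BOOT_ENABLE) == TRUE` branch pins OpensslLib and IntrinsicLib directly in the platform DSC, so every library class that OpensslLib comes to depend on has to be mirrored here; the follow-up message at the top of this thread (RngLib added to OpensslLib's [LibraryClasses], breaking the SECURE_BOOT_ENABLE=TRUE build and fixed in pull 942) shows that fragility within a day of merging. A CI build that sets SECURE_BOOT_ENABLE=TRUE would catch the next such change. Also worth stating in the commit message: `PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/...` means the emulator performs no platform physical-presence check, which is what the `PcdUserPhysicalPresence|TRUE` setting in the PCD hunk and the custom-mode key enrolment in the test report rely on.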

@@ -162,6 +171,16 @@

   TimerLib|EmulatorPkg/Library/DxeCoreTi= merLib/DxeCoreTimerLib.inf

  EmuThunkLib|EmulatorPkg/Library/DxeEmuL= ib/DxeEmuLib.inf

 

+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.= common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib= /BaseCryptLib.inf

+!endif

+

+[LibraryClasses.common.DXE_RUNTIME_DRIVER]

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib= /RuntimeCryptLib.inf

+!endif

+

[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryC= lasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses= .common.UEFI_APPLICATION]

   HobLib|MdePkg/Library/DxeHobLib/DxeHob= Lib.inf

   PcdLib|MdePkg/Library/DxePcdLib/DxePcd= Lib.inf
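Review bot: Both new sections wrap only the BaseCryptLib mapping in `!if`, so the default (FALSE) build is left with two empty section headers, `[LibraryClasses.common.DXE_DRIVER, ...UEFI_DRIVER, ...UEFI_APPLICATION]` and `[LibraryClasses.common.DXE_RUNTIME_DRIVER]`. Placing the `!if ... !endif` around the section headers as well keeps the default DSC free of empty sections. Mapping DXE_RUNTIME_DRIVER to `CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf` rather than BaseCryptLib.inf is correct, since AuthVariableLib is linked into the runtime variable driver and needs the runtime-safe variant.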

@@ -190,6 +209,10 @@

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmw= areFdSize|0x002a0000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmw= areBlockSize|0x10000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmw= areVolume|L"../FV/FV_RECOVERY.fd"

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVa= riableSize|0x2800

+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysic= alPresence|TRUE

+!endif

 

   gEmulatorPkgTokenSpaceGuid.PcdEmu= MemorySize|L"64!64"
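Review bot: `PcdMaxAuthVariableSize|0x2800` caps each authenticated variable (the PK, KEK, db and dbx payloads) at 10 KiB while the store in the .fdf stays 0xC000; a db carrying several X.509 certificates can exceed 0x2800, so a comment on why this value suits the emulator, or a larger value, is worth considering. `PcdUserPhysicalPresence|TRUE` makes the emulator always report the user as physically present; that is what lets the custom-mode PK/KEK/db enrolment described in the test report proceed without a platform presence check, and it deserves a comment beside the PCD so nobody copies the pair into a real platform DSC.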

 

@@ -306,7 +329,14 @@

   EmulatorPkg/ResetRuntimeDxe/Reset.inf<= o:p>

   MdeModulePkg/Core/RuntimeDxe/RuntimeDx= e.inf

   EmulatorPkg/FvbServicesRuntimeDxe/FvbS= ervicesRuntimeDxe.inf

-  MdeModulePkg/Universal/SecurityStubDxe/Secu= rityStubDxe.inf

+

+  MdeModulePkg/Universal/SecurityStubDxe/Secu= rityStubDxe.inf {

+    <LibraryClasses>

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+      NULL|SecurityPkg/Li= brary/DxeImageVerificationLib/DxeImageVerificationLib.inf

+!endif

+  }

+

   MdeModulePkg/Universal/EbcDxe/EbcDxe.i= nf

   MdeModulePkg/Universal/MemoryTest/Null= MemoryTestDxe/NullMemoryTestDxe.inf

   EmulatorPkg/EmuThunkDxe/EmuThunk.inf
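Review bot: This is the hunk that actually turns image verification on: linking `NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf` into SecurityStubDxe registers its handler, and the "unsigned gives an Access Denied" result in the test report comes from here. With SECURE_BOOT_ENABLE=FALSE the override block collapses to an empty `{ <LibraryClasses> }`, which is behaviourally identical to the removed line but reads as if something changed; moving the `!if` outside the block, with the plain `MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf` line in an `!else`, keeps the default build textually as before. The two blank lines added around the entry are not used by the surrounding [Components] entries and can be dropped.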

@@ -315,6 +345,9 @@

   EmulatorPkg/PlatformSmbiosDxe/Platform= SmbiosDxe.inf

   EmulatorPkg/TimerDxe/Timer.inf

 

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+  SecurityPkg/VariableAuthenticated/SecureBoo= tConfigDxe/SecureBootConfigDxe.inf

+!endif

 

   MdeModulePkg/Universal/Variable/R= untimeDxe/VariableRuntimeDxe.inf {

     <LibraryClasses>
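Review bot: SecureBootConfigDxe is added to [Components] here and to the firmware volume in the .fdf hunk below under the same `!if`; the two must stay in step, so a short comment mirroring the `# Secure Boot Key Enroll` header used in the .fdf would make the pairing easy to find when one of them is edited. Nothing else to flag: the driver's BaseCryptLib need is covered by the UEFI_DRIVER/DXE_DRIVER mapping added earlier in this file.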

diff --git a/EmulatorPkg/EmulatorPkg.fdf b/Emulator= Pkg/EmulatorPkg.fdf

index 295f6f1db8..b256aa9397 100644

--- a/EmulatorPkg/EmulatorPkg.fdf

+++ b/EmulatorPkg/EmulatorPkg.fdf

@@ -46,10 +46,17 @@ DATA =3D {

   # Blockmap[1]: End

   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x= 00, 0x00,

   ## This is the VARIABLE_STORE_HEADER

+!if $(SECURE_BOOT_ENABLE) =3D=3D FALSE<= /p>

   #Signature: gEfiVariableGuid =3D<= /o:p>

   #  { 0xddcf3616, 0x3275, 0x4164, = { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}

   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x= 64, 0x41,

   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0x= fe, 0x7d,

+!else

+  # Signature: gEfiAuthenticatedVariableGuid = = =3D

+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa= 1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}

+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0= x43,

+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0= x92,

+!endif

   #Size: 0xc000 (gEfiMdeModulePkgTokenSp= aceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_= HEADER) =3D 0xBFB8

   # This can speed up the Variable Dispa= tch a bit.

   0xB8, 0xBF, 0x00, 0x00,
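Review bot: The byte layout of gEfiAuthenticatedVariableGuid is correct (first three fields little-endian, remaining eight bytes in order), and leaving the Size field at 0xBFB8 is right because both headers have the same length, so only the signature changes. Two points: this is the only conditional in the patch written as `== FALSE` with the new case in the `!else`; writing it as `== TRUE` with the legacy gEfiVariableGuid in the `!else` would match the other hunks. And because the variable driver expects the signature that matches its own build, an FV_RECOVERY.fd produced by a FALSE build will not be accepted by a TRUE build (or vice versa); a sentence in the commit message telling people to rebuild the FD when flipping the flag would save a confusing boot.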

@@ -186,6 +193,13 @@ INF  RuleOverride =3D UI = MdeModulePkg/Application/UiApp/UiApp.inf

INF  MdeModulePkg/Application/BootManagerMenuA= pp/BootManagerMenuApp.inf

INF  MdeModulePkg/Universal/DriverSampleDxe/Dr= iverSampleDxe.inf

 

+#

+# Secure Boot Key Enroll

+#

+!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE

+INF SecurityPkg/VariableAuthenticated/SecureBootCo= nfigDxe/SecureBootConfigDxe.inf

+!endif

+

#

# Network stack drivers

#
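Review bot: The `# Secure Boot Key Enroll` comment undersells the driver: SecureBootConfigDxe provides the whole Secure Boot Configuration menu named in the commit message, of which key enrolment is one function, so "Secure Boot configuration (key enrolment)" would be clearer. The added `INF SecurityPkg/...` line uses a single space after `INF` while the neighbouring entries use two; match the existing alignment.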

--

2.24.1.windows.2
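As an added example (not code from the patch, from edk2 or from its authors), the following Python decodes and regenerates the VARIABLE_STORE_HEADER bytes that the .fdf hunk switches between gEfiVariableGuid and gEfiAuthenticatedVariableGuid. It lets the little-endian byte order of the DATA block and the 0xBFB8 size arithmetic from the .fdf comment be checked mechanically, and it matches an FD's store against the SECURE_BOOT_ENABLE value the firmware was built with, which is the mismatch a stale FV_RECOVERY.fd produces. The 28-byte header layout and the VARIABLE_STORE_FORMATTED/VARIABLE_STORE_HEALTHY values are taken from MdeModulePkg's VariableFormat.h as I recall it and are assumptions here; the two sample headers are constructed from the bytes quoted in the hunk.

```python
"""Decode and regenerate the VARIABLE_STORE_HEADER bytes switched by the EmulatorPkg.fdf hunk."""
import struct
import uuid

# The two store signatures quoted in the .fdf hunk (braced form in its comments).
EFI_VARIABLE_GUID = uuid.UUID("ddcf3616-3275-4164-98b6-fe85707ffe7d")
EFI_AUTHENTICATED_VARIABLE_GUID = uuid.UUID("aaf32c78-947b-439a-a180-2e144ec37792")

# VARIABLE_STORE_HEADER layout (assumed from MdeModulePkg/Include/Guid/VariableFormat.h):
#   EFI_GUID Signature; UINT32 Size; UINT8 Format; UINT8 State; UINT16 Reserved; UINT32 Reserved1
STORE_HEADER = struct.Struct("<16sIBBHI")
VARIABLE_STORE_FORMATTED = 0x5A  # assumed value from the same header file
VARIABLE_STORE_HEALTHY = 0xFE    # assumed value from the same header file

# Sizes quoted in the .fdf comment: PcdFlashNvStorageVariableSize and sizeof(EFI_FIRMWARE_VOLUME_HEADER).
NV_STORAGE_VARIABLE_SIZE = 0xC000
FV_HEADER_SIZE = 0x48


def guid_to_fdf_bytes(guid):
    """Spell a GUID the way an .fdf DATA block does: the first three fields little-endian,
    the last eight bytes in order. This is how the hunk's '0x78, 0x2c, 0xf3, 0xaa, ...' lines
    follow from the braced GUID in the comment above them."""
    return ", ".join("0x%02x" % b for b in guid.bytes_le)


def expected_store_size(nv_variable_size=NV_STORAGE_VARIABLE_SIZE, fv_header_size=FV_HEADER_SIZE):
    """Size field of the store header: the variable region minus the FV header in front of it."""
    return nv_variable_size - fv_header_size


def build_store_header(authenticated, size=None):
    """Construct the 28-byte header a SECURE_BOOT_ENABLE=TRUE (authenticated) or =FALSE (plain)
    build writes at the start of the variable region."""
    sig = EFI_AUTHENTICATED_VARIABLE_GUID if authenticated else EFI_VARIABLE_GUID
    if size is None:
        size = expected_store_size()
    return STORE_HEADER.pack(sig.bytes_le, size, VARIABLE_STORE_FORMATTED, VARIABLE_STORE_HEALTHY, 0, 0)


def parse_store_header(blob):
    """Decode a header and report which store format it carries. An unknown signature raises
    ValueError, which is how an FD built with the other flag value shows up."""
    if len(blob) < STORE_HEADER.size:
        raise ValueError("blob shorter than VARIABLE_STORE_HEADER")
    raw_sig, size, fmt, state, _, _ = STORE_HEADER.unpack_from(blob, 0)
    sig = uuid.UUID(bytes_le=raw_sig)
    if sig == EFI_AUTHENTICATED_VARIABLE_GUID:
        kind = "authenticated"
    elif sig == EFI_VARIABLE_GUID:
        kind = "plain"
    else:
        raise ValueError("unknown variable store signature %s" % sig)
    return {
        "signature": sig,
        "kind": kind,
        "size": size,
        "formatted": fmt == VARIABLE_STORE_FORMATTED,
        "healthy": state == VARIABLE_STORE_HEALTHY,
    }


def store_matches_flag(blob, secure_boot_enable):
    """True when the store was formatted for the same SECURE_BOOT_ENABLE value as the firmware
    that will mount it: authenticated signature for TRUE, plain signature for FALSE."""
    return parse_store_header(blob)["kind"] == ("authenticated" if secure_boot_enable else "plain")


# Constructed samples: the exact bytes each branch of the .fdf hunk emits, followed by the Size
# field it keeps (0xB8, 0xBF, 0x00, 0x00) and an assumed formatted/healthy tail.
PLAIN_HEADER = bytes([0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,
                      0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,
                      0xB8, 0xBF, 0x00, 0x00, 0x5A, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])
AUTH_HEADER = bytes([0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
                     0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,
                     0xB8, 0xBF, 0x00, 0x00, 0x5A, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_HEADER), ("authenticated", AUTH_HEADER)):
        print(name, parse_store_header(blob))
    print("fdf bytes for gEfiAuthenticatedVariableGuid:", guid_to_fdf_bytes(EFI_AUTHENTICATED_VARIABLE_GUID))
    print("authenticated store accepted by a TRUE build:", store_matches_flag(AUTH_HEADER, True))
```

To run the check against a real build, read the 28 bytes at the start of the variable region of FV_RECOVERY.fd (the offset is platform-specific and not given on the page; take it from the .fdf block map) and pass them to `store_matches_flag` with the flag value the firmware was built with.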
