* [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
From: Wadhawan, Divneil R @ 2020-09-16 15:53 UTC
To: devel@edk2.groups.io
Cc: Ni, Ray, gaoliming, 'Andrew Fish', Justen, Jordan L, Kinney, Michael D, Wadhawan, Divneil R

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
---
 EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
 EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..c6e25c745e 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE = FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE DEFINE NETWORK_ISCSI_ENABLE = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE [SkuIds] 0|DEFAULT
@@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf @@ -162,6 +171,16 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf 
@@ -190,6 +209,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" @@ -306,7 +329,14 @@ EmulatorPkg/ResetRuntimeDxe/Reset.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf EmulatorPkg/EmuThunkDxe/EmuThunk.inf @@ -315,6 +345,9 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { <LibraryClasses> diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..b256aa9397 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf 
@@ -46,10 +46,17 @@ DATA = { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) == FALSE #Signature: gEfiVariableGuid = # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!else + # Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Network stack drivers # -- 2.24.1.windows.2 [-- Attachment #2: Type: text/html, Size: 12994 bytes --] ^ permalink raw reply related [flat|nested] 11+ messages in thread
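Review bot: In the EmulatorPkg.dsc hunk at @@ -106,12 +107,20 @@, the TRUE branch maps `OpensslLib` to `OpensslLibCrypto.inf` without looking at `NETWORK_TLS_ENABLE`, which is defined directly above the new `SECURE_BOOT_ENABLE` in the first hunk. It is worth confirming what happens when both flags are TRUE: a TLS-enabled build needs the full `OpensslLib.inf`, so either select the instance on `NETWORK_TLS_ENABLE` inside this `!if` block or say in the commit message that the combination is not supported.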
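Review bot: In the EmulatorPkg.dsc hunk at @@ -190,6 +209,10 @@, `PcdUserPhysicalPresence|TRUE` is added with no comment, and the @@ -106 hunk selects `PlatformSecureLibNull`, so the physical-presence check is answered yes unconditionally whenever Secure Boot is built in. That is a reasonable choice for an emulator, but please add a comment above the PCD saying it is emulator-only so the setting is not copied into a real platform DSC. A short note on why `PcdMaxAuthVariableSize` is `0x2800` would help as well.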
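Review bot: In the EmulatorPkg.fdf hunk at @@ -46,10 +46,17 @@, the variable store signature is selected with `!if $(SECURE_BOOT_ENABLE) == FALSE ... !else`, while every hunk in the DSC tests `== TRUE`. The two tests are not complementary: for a value that is neither TRUE nor FALSE the FDF emits the gEfiAuthenticatedVariableGuid header while the DSC falls back to AuthVariableLibNull, so the store format and the variable library would disagree. Please test `== TRUE` here and move the gEfiVariableGuid bytes to the `!else` branch. The new `# Signature:` comment also differs in spacing and indentation from the existing `#Signature:` line.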
* Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
From: Ni, Ray @ 2020-09-17 7:19 UTC
To: Wadhawan, Divneil R, devel@edk2.groups.io
Cc: gaoliming, 'Andrew Fish', Justen, Jordan L, Kinney, Michael D

Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io
Cc: Ni, Ray <ray.ni@intel.com>; gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
---
 EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
 EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..c6e25c745e 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE = FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE DEFINE NETWORK_ISCSI_ENABLE = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE [SkuIds] 0|DEFAULT
@@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf @@ -162,6 +171,16 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf 
@@ -190,6 +209,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" @@ -306,7 +329,14 @@ EmulatorPkg/ResetRuntimeDxe/Reset.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf EmulatorPkg/EmuThunkDxe/EmuThunk.inf @@ -315,6 +345,9 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { <LibraryClasses> diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..b256aa9397 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf 
@@ -46,10 +46,17 @@ DATA = { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) == FALSE #Signature: gEfiVariableGuid = # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!else + # Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Network stack drivers # -- 2.24.1.windows.2 [-- Attachment #2: Type: text/html, Size: 14479 bytes --] ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
From: Wadhawan, Divneil R @ 2020-09-17 7:43 UTC
To: Ni, Ray, devel@edk2.groups.io
Cc: gaoliming, 'Andrew Fish', Justen, Jordan L, Kinney, Michael D, Wadhawan, Divneil R

Hi Ray,

Yes, I have tested the following:

1. SECURE_BOOT_ENABLE=true
   * Key Enrollment (PK, KEK, db) via custom mode
   * Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)
2. SECURE_BOOT_ENABLE=false (default case)
   * Secure Boot Configuration menu is not visible (Same as existing default case)
   * Execution of Unit Test Application (Signed/Unsigned both work okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or two. The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike's comment, so, you can skip the patches in BZ for now.

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io
Cc: Ni, Ray <ray.ni@intel.com>; gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
---
 EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
 EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..c6e25c745e 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE = FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE DEFINE NETWORK_ISCSI_ENABLE = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE [SkuIds] 0|DEFAULT
@@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf @@ -162,6 +171,16 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf 
@@ -190,6 +209,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" @@ -306,7 +329,14 @@ EmulatorPkg/ResetRuntimeDxe/Reset.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf EmulatorPkg/EmuThunkDxe/EmuThunk.inf @@ -315,6 +345,9 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { <LibraryClasses> diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..b256aa9397 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf 
@@ -46,10 +46,17 @@ DATA = { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) == FALSE #Signature: gEfiVariableGuid = # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!else + # Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Network stack drivers # -- 2.24.1.windows.2 [-- Attachment #2: Type: text/html, Size: 22750 bytes --] ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
From: Ni, Ray @ 2020-09-17 8:18 UTC
To: Wadhawan, Divneil R, devel@edk2.groups.io
Cc: gaoliming, 'Andrew Fish', Justen, Jordan L, Kinney, Michael D

Reviewed-by: Ray Ni <ray.ni@intel.com>

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Yes, I have tested the following:

1. SECURE_BOOT_ENABLE=true
   * Key Enrollment (PK, KEK, db) via custom mode
   * Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)
2. SECURE_BOOT_ENABLE=false (default case)
   * Secure Boot Configuration menu is not visible (Same as existing default case)
   * Execution of Unit Test Application (Signed/Unsigned both work okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or two. The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike's comment, so, you can skip the patches in BZ for now.

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io
Cc: Ni, Ray <ray.ni@intel.com>; gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
---
 EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
 EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..c6e25c745e 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE = FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE DEFINE NETWORK_ISCSI_ENABLE = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE [SkuIds] 0|DEFAULT @@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 
@@ -162,6 +171,16 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -190,6 +209,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" @@ -306,7 +329,14 @@ EmulatorPkg/ResetRuntimeDxe/Reset.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf EmulatorPkg/EmuThunkDxe/EmuThunk.inf 
@@ -315,6 +345,9 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { <LibraryClasses> diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..b256aa9397 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf @@ -46,10 +46,17 @@ DATA = { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) == FALSE #Signature: gEfiVariableGuid = # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!else + # Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Network stack drivers # -- 2.24.1.windows.2 [-- Attachment #2: Type: text/html, Size: 29421 bytes --] ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
From: Ni, Ray @ 2020-09-18 11:47 UTC
To: Wadhawan, Divneil R, devel@edk2.groups.io
Cc: gaoliming, 'Andrew Fish', Justen, Jordan L, Kinney, Michael D

Divneil,
pull request is created: https://github.com/tianocore/edk2/pull/941
If it succeeds, the patch will be merged automatically.
If it fails, please check the specific failure message and provide updated patch.

Thanks,
Ray

From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Reviewed-by: Ray Ni <ray.ni@intel.com>

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Yes, I have tested the following:

1. SECURE_BOOT_ENABLE=true
   * Key Enrollment (PK, KEK, db) via custom mode
   * Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)
2. SECURE_BOOT_ENABLE=false (default case)
   * Secure Boot Configuration menu is not visible (Same as existing default case)
   * Execution of Unit Test Application (Signed/Unsigned both work okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or two. The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike's comment, so, you can skip the patches in BZ for now.

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>> Sent: Thursday, September 17, 2020 12:49 PM To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Divneil, Just want to double confirm: did you test the secure boot and non-secure boot? Thanks, Ray From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> Sent: Wednesday, September 16, 2020 11:53 PM To: devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot. The following gets enabled with this patch: o Secure Boot Menu in "Device Manager" for enrolling keys o Storage space for Authenticated Variables o Authenticated execution of 3rd party images Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> --- EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++-- EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++ 2 files changed, 49 insertions(+), 2 deletions(-) 
diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..c6e25c745e 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE = FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE DEFINE NETWORK_ISCSI_ENABLE = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE [SkuIds] 0|DEFAULT @@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 
@@ -162,6 +171,16 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -190,6 +209,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" @@ -306,7 +329,14 @@ EmulatorPkg/ResetRuntimeDxe/Reset.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf EmulatorPkg/EmuThunkDxe/EmuThunk.inf 
@@ -315,6 +345,9 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { <LibraryClasses> diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..b256aa9397 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf @@ -46,10 +46,17 @@ DATA = { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) == FALSE #Signature: gEfiVariableGuid = # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!else + # Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Network stack drivers # -- 2.24.1.windows.2 [-- Attachment #2: Type: text/html, Size: 31212 bytes --] ^ permalink raw reply related [flat|nested] 11+ messages in thread
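Review bot: In the @@ -106,12 +107,20 @@ hunk of EmulatorPkg.dsc, the SECURE_BOOT_ENABLE branch maps OpensslLib to OpensslLibCrypto.inf but does not map the library classes that instance itself consumes, and nothing builds this non-default branch automatically. The follow-up in this thread reports exactly that failure: once OpensslLib listed RngLib in its [LibraryClasses], the SECURE_BOOT_ENABLE=TRUE build of EmulatorPkg broke while the default build test still passed. Map an RngLib instance inside the same !if block, and add a SECURE_BOOT_ENABLE=TRUE build of EmulatorPkg to the build test so the conditional branch is exercised on every change.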
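Review bot: PcdUserPhysicalPresence|TRUE in the @@ -190,6 +209,10 @@ hunk of EmulatorPkg.dsc, combined with the PlatformSecureLibNull mapping added in the @@ -106,12 +107,20 @@ hunk, means user physical presence is always reported as asserted, so the physical-presence check that guards Secure Boot key changes in custom mode never refuses anything. That is a workable choice for an emulator, but it needs a comment next to the PCD saying it is intentional and emulator-only, so the pair is not copied into a real platform DSC. The 0x2800 chosen for PcdMaxAuthVariableSize should also carry a short comment on how the value was sized.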
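Review bot: No image verification policy is set alongside the DxeImageVerificationLib NULL instance in the @@ -306,7 +329,14 @@ hunk of EmulatorPkg.dsc, so the handling of images from option ROMs, removable media and fixed media is whatever SecurityPkg defaults to for PcdOptionRomImageVerificationPolicy, PcdRemovableMediaImageVerificationPolicy and PcdFixedMediaImageVerificationPolicy. Either set these explicitly in the SECURE_BOOT_ENABLE block or state in the commit message that the defaults are relied on, since the "unsigned gives an Access denied" result reported in testing depends on that policy. When the flag is FALSE the hunk also leaves an empty <LibraryClasses> override on SecurityStubDxe; wrapping the whole override in the !if would keep the default build identical to before.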
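Review bot: The VARIABLE_STORE_HEADER signature in the @@ -46,10 +46,17 @@ hunk of EmulatorPkg.fdf is selected with "!if $(SECURE_BOOT_ENABLE) == FALSE ... !else", while every other conditional in this patch tests "== TRUE". Flip it to test "== TRUE" first with the gEfiVariableGuid bytes under !else, matching the AuthVariableLib conditional in the .dsc, so a reader scanning for the flag sees one pattern. The added comment also uses "# Signature:" with extra indentation where the existing line uses "#Signature:"; pick one form. The byte sequence itself matches gEfiAuthenticatedVariableGuid as written in the comment.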
* Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot 2020-09-18 11:47 ` Ni, Ray @ 2020-09-18 11:58 ` Wadhawan, Divneil R [not found] ` <1635DEE2A50DFCCF.13985@groups.io> 1 sibling, 0 replies; 11+ messages in thread From: Wadhawan, Divneil R @ 2020-09-18 11:58 UTC (permalink / raw) To: Ni, Ray, devel@edk2.groups.io Cc: gaoliming, 'Andrew Fish', Justen, Jordan L, Kinney, Michael D, Wadhawan, Divneil R [-- Attachment #1: Type: text/plain, Size: 10254 bytes --] Hi Ray, Thanks for your help. I see the patch is merged now. :) Regards, Divneil From: Ni, Ray <ray.ni@intel.com> Sent: Friday, September 18, 2020 5:17 PM To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com> Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Divneil, pull request is created: https://github.com/tianocore/edk2/pull/941 If it succeeds, the patch will be merged automatically. If it fails, please check the specific failure message and provide updated patch. Thanks, Ray From: Ni, Ray Sent: Thursday, September 17, 2020 4:19 PM To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Reviewed-by: Ray Ni <ray.ni@intel.com<mailto:ray.ni@intel.com>> 
From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Yes, I have tested the following:

1. SECURE_BOOT_ENABLE=true
   * Key Enrollment (PK, KEK, db) via custom mode
   * Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)
2. SECURE_BOOT_ENABLE=false (default case)
   * Secure Boot Configuration menu is not visible (Same as existing default case)
   * Execution of Unit Test Application (Signed/Unsigned both work okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or two. The script generates the full key hierarchy that makes it easy to test this patch. The patch in BZ requires modifications as per Mike's comment, so, you can skip the patches in BZ for now.

Regards,
Divneil
From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>> Sent: Thursday, September 17, 2020 12:49 PM To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Divneil, Just want to double confirm: did you test the secure boot and non-secure boot? Thanks, Ray From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> Sent: Wednesday, September 16, 2020 11:53 PM To: devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot. The following gets enabled with this patch: o Secure Boot Menu in "Device Manager" for enrolling keys o Storage space for Authenticated Variables o Authenticated execution of 3rd party images Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> --- EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++-- EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++ 2 files changed, 49 insertions(+), 2 deletions(-) 
diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..c6e25c745e 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE = FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE DEFINE NETWORK_ISCSI_ENABLE = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE [SkuIds] 0|DEFAULT @@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 
@@ -162,6 +171,16 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -190,6 +209,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" @@ -306,7 +329,14 @@ EmulatorPkg/ResetRuntimeDxe/Reset.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf EmulatorPkg/EmuThunkDxe/EmuThunk.inf 
@@ -315,6 +345,9 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { <LibraryClasses> diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..b256aa9397 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf @@ -46,10 +46,17 @@ DATA = { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) == FALSE #Signature: gEfiVariableGuid = # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!else + # Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Network stack drivers # -- 2.24.1.windows.2 [-- Attachment #2: Type: text/html, Size: 32417 bytes --] ^ permalink raw reply related [flat|nested] 11+ messages in thread
[parent not found: <1635DEE2A50DFCCF.13985@groups.io>]
* Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot [not found] ` <1635DEE2A50DFCCF.13985@groups.io> @ 2020-09-18 19:41 ` Wadhawan, Divneil R 2020-09-19 0:01 ` Ni, Ray 0 siblings, 1 reply; 11+ messages in thread
From: Wadhawan, Divneil R @ 2020-09-18 19:41 UTC (permalink / raw)
To: devel@edk2.groups.io, Wadhawan, Divneil R, Ni, Ray
Cc: gaoliming, 'Andrew Fish', Justen, Jordan L, Kinney, Michael D, Wadhawan, Divneil R
[-- Attachment #1: Type: text/plain, Size: 11249 bytes --]

Hi Ray,

I saw that a patch merged a few hours ago, before my patch, added RngLib in the [LibraryClasses] section of OpensslLib. This caused the EmulatorPkg Secure boot enable build to fail. I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942

Regards,
Divneil

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Thanks for your help. I see the patch is merged now. :)

Regards,
Divneil
From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>> Sent: Friday, September 18, 2020 5:17 PM To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Divneil, pull request is created: https://github.com/tianocore/edk2/pull/941 If it succeeds, the patch will be merged automatically. If it fails, please check the specific failure message and provide updated patch. Thanks, Ray From: Ni, Ray Sent: Thursday, September 17, 2020 4:19 PM To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Reviewed-by: Ray Ni <ray.ni@intel.com<mailto:ray.ni@intel.com>> 
From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Yes, I have tested the following:

1. SECURE_BOOT_ENABLE=true
   * Key Enrollment (PK, KEK, db) via custom mode
   * Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)
2. SECURE_BOOT_ENABLE=false (default case)
   * Secure Boot Configuration menu is not visible (Same as existing default case)
   * Execution of Unit Test Application (Signed/Unsigned both work okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or two. The script generates the full key hierarchy that makes it easy to test this patch. The patch in BZ requires modifications as per Mike's comment, so, you can skip the patches in BZ for now.

Regards,
Divneil
From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>> Sent: Thursday, September 17, 2020 12:49 PM To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Divneil, Just want to double confirm: did you test the secure boot and non-secure boot? Thanks, Ray From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> Sent: Wednesday, September 16, 2020 11:53 PM To: devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot. The following gets enabled with this patch: o Secure Boot Menu in "Device Manager" for enrolling keys o Storage space for Authenticated Variables o Authenticated execution of 3rd party images Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> --- EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++-- EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++ 2 files changed, 49 insertions(+), 2 deletions(-) 
diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..c6e25c745e 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE = FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE DEFINE NETWORK_ISCSI_ENABLE = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE [SkuIds] 0|DEFAULT @@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 
@@ -162,6 +171,16 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -190,6 +209,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" @@ -306,7 +329,14 @@ EmulatorPkg/ResetRuntimeDxe/Reset.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf EmulatorPkg/EmuThunkDxe/EmuThunk.inf 
@@ -315,6 +345,9 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { <LibraryClasses> diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..b256aa9397 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf @@ -46,10 +46,17 @@ DATA = { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) == FALSE #Signature: gEfiVariableGuid = # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!else + # Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Network stack drivers # -- 2.24.1.windows.2 [-- Attachment #2: Type: text/html, Size: 34439 bytes --] ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot 2020-09-18 19:41 ` Wadhawan, Divneil R @ 2020-09-19 0:01 ` Ni, Ray 2020-09-19 5:34 ` Wadhawan, Divneil R 0 siblings, 1 reply; 11+ messages in thread
From: Ni, Ray @ 2020-09-19 0:01 UTC (permalink / raw)
To: Wadhawan, Divneil R, devel@edk2.groups.io
Cc: gaoliming, 'Andrew Fish', Justen, Jordan L, Kinney, Michael D, Wadhawan, Divneil R
[-- Attachment #1: Type: text/plain, Size: 12362 bytes --]

It’s very strange that the build test cannot detect this. To follow today’s process, you need to send another patch for review.

________________________________
From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Saturday, September 19, 2020 3:41:11 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; Ni, Ray <ray.ni@intel.com>
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

I saw that a patch merged a few hours ago, before my patch, added RngLib in the [LibraryClasses] section of OpensslLib. This caused the EmulatorPkg Secure boot enable build to fail. I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942

Regards,
Divneil

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Thanks for your help. I see the patch is merged now. :)

Regards,
Divneil
From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>> Sent: Friday, September 18, 2020 5:17 PM To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Divneil, pull request is created: https://github.com/tianocore/edk2/pull/941 If it succeeds, the patch will be merged automatically. If it fails, please check the specific failure message and provide updated patch. Thanks, Ray From: Ni, Ray Sent: Thursday, September 17, 2020 4:19 PM To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Reviewed-by: Ray Ni <ray.ni@intel.com<mailto:ray.ni@intel.com>> 
From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> Sent: Thursday, September 17, 2020 3:43 PM To: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Hi Ray, Yes, I have tested the following: 1. SECURE_BOOT_ENABLE=true * Key Enrollment (PK, KEK, db) via custom mode * Execution of unit test shell application (signed one works okay, unsigned gives an Access denied) 1. SECURE_BOOT_ENABLE=false (default case) * Secure Boot Configuration menu is not visible (Same as existing default case) * Execution of Unit Test Application (Signed/Unsigned both works okay) I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too. The script generates the full key hierarchy that makes it easy to test this patch. The patch in BZ requires modifications as per Mike’s comment, so, you can skip the patches in BZ for now. Regards, Divneil 
From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>> Sent: Thursday, September 17, 2020 12:49 PM To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>> Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot Divneil, Just want to double confirm: did you test the secure boot and non-secure boot? Thanks, Ray From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> Sent: Wednesday, September 16, 2020 11:53 PM To: devel@edk2.groups.io<mailto:devel@edk2.groups.io> Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot. The following gets enabled with this patch: o Secure Boot Menu in "Device Manager" for enrolling keys o Storage space for Authenticated Variables o Authenticated execution of 3rd party images Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>> --- EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++-- EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++ 2 files changed, 49 insertions(+), 2 deletions(-) 
diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..c6e25c745e 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE = FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE DEFINE NETWORK_ISCSI_ENABLE = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE [SkuIds] 0|DEFAULT @@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 
@@ -162,6 +171,16 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -190,6 +209,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" @@ -306,7 +329,14 @@ EmulatorPkg/ResetRuntimeDxe/Reset.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf EmulatorPkg/EmuThunkDxe/EmuThunk.inf 
@@ -315,6 +345,9 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { <LibraryClasses> diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..b256aa9397 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf @@ -46,10 +46,17 @@ DATA = { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) == FALSE #Signature: gEfiVariableGuid = # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!else + # Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Network stack drivers # -- 2.24.1.windows.2 [-- Attachment #2: Type: text/html, Size: 22617 bytes --] ^ permalink raw reply [flat|nested] 11+ messages in thread
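Review bot: the SECURE_BOOT_ENABLE == TRUE branch added in EmulatorPkg.dsc at @@ -106,12 +107,20 @@ maps IntrinsicLib, OpensslLib, PlatformSecureLib and AuthVariableLib but has no RngLib mapping. The follow-up in this thread reports that OpensslLib now lists RngLib in its [LibraryClasses] section, so this branch no longer builds once that change is in the tree; an RngLib mapping belongs inside the same !if block. Because the flag defaults to FALSE ("DEFINE SECURE_BOOT_ENABLE = FALSE"), a default-only build never resolves these mappings, so a CI job that builds with the flag set to TRUE is needed to catch this class of breakage.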
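Review bot: the two PCDs added at @@ -190,6 +209,10 @@ in EmulatorPkg.dsc carry no comment, and "gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE" is a security-relevant default. Combined with the PlatformSecureLibNull instance selected earlier in the patch, physical presence is reported unconditionally, so there is no real presence check in front of key enrollment in custom mode. That is reasonable for an emulator used for testing, but a comment above the PCD stating it is an emulator-only setting would keep it from being copied into a real platform DSC. A one-line note on why PcdMaxAuthVariableSize is 0x2800 would help as well.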
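Review bot: in EmulatorPkg.dsc at @@ -306,7 +329,14 @@ the SecurityStubDxe entry gains a "<LibraryClasses>" override whose only content sits inside the !if, so with the flag FALSE the module carries an empty override block, and the hunk also adds a blank "+" line ahead of the entry. Since the NULL|DxeImageVerificationLib link is the only line in this patch that enforces image verification, a short comment saying so would make it clear that removing or mis-guarding it silently disables enforcement while the Secure Boot menu still appears.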
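Review bot: the VARIABLE_STORE_HEADER signature in EmulatorPkg.fdf at @@ -46,10 +46,17 @@ is selected with "!if $(SECURE_BOOT_ENABLE) == FALSE ... !else", the opposite polarity from every other condition in the patch, which all test "== TRUE". Using "== TRUE" with the gEfiAuthenticatedVariableGuid bytes first would keep the flag's usage uniform, and the two comment styles ("#Signature:" and "# Signature:") should match. The store signature here and the AuthVariableLib instance in the DSC are switched by the same flag in two different files, so a comment cross-referencing them would help anyone who later changes one side.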
* Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
  2020-09-19 0:01 ` Ni, Ray
@ 2020-09-19 5:34 ` Wadhawan, Divneil R
  2020-09-21 0:48 ` Re: " gaoliming
  0 siblings, 1 reply; 11+ messages in thread
From: Wadhawan, Divneil R @ 2020-09-19 5:34 UTC (permalink / raw)
  To: Ni, Ray, devel@edk2.groups.io
  Cc: gaoliming, 'Andrew Fish', Justen, Jordan L, Kinney, Michael D, Wadhawan, Divneil R

[-- Attachment #1: Type: text/plain, Size: 13594 bytes --]

The CI may be missing SECURE_BOOT_ENABLE configuration for EmulatorPkg.
If you can help with the steps to add a configuration in CI, I can work on that.

From: Ni, Ray <ray.ni@intel.com>
Sent: Saturday, September 19, 2020 5:31 AM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

It’s very strange that the build test cannot detect this.
To follow today’s process, you need to send another patch for review.

________________________________
From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Saturday, September 19, 2020 3:41:11 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; Ni, Ray <ray.ni@intel.com>
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

I saw that a patch merged a few hours ago before my patch added RngLib in the [LibraryClasses] section of OpensslLib.
This caused the EmulatorPkg Secure boot enable build to fail.
I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942

Regards,
Divneil

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Thanks for your help. I see the patch is merged now. :)

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com>
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
pull request is created: https://github.com/tianocore/edk2/pull/941
If it succeeds, the patch will be merged automatically.
If it fails, please check the specific failure message and provide an updated patch.

Thanks,
Ray

From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Reviewed-by: Ray Ni <ray.ni@intel.com>

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Yes, I have tested the following:

A. SECURE_BOOT_ENABLE=true
   * Key Enrollment (PK, KEK, db) via custom mode
   * Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)
B. SECURE_BOOT_ENABLE=false (default case)
   * Secure Boot Configuration menu is not visible (Same as existing default case)
   * Execution of Unit Test Application (Signed/Unsigned both work okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or two.
The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike’s comment, so, you can skip the patches in BZ for now.

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io
Cc: Ni, Ray <ray.ni@intel.com>; gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
---
 EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
 EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..c6e25c745e 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE = FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE DEFINE NETWORK_ISCSI_ENABLE = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE [SkuIds] 0|DEFAULT @@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 
@@ -162,6 +171,16 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -190,6 +209,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" @@ -306,7 +329,14 @@ EmulatorPkg/ResetRuntimeDxe/Reset.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf EmulatorPkg/EmuThunkDxe/EmuThunk.inf 
@@ -315,6 +345,9 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { <LibraryClasses> diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..b256aa9397 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf @@ -46,10 +46,17 @@ DATA = { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) == FALSE #Signature: gEfiVariableGuid = # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!else + # Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Network stack drivers # -- 2.24.1.windows.2 [-- Attachment #2: Type: text/html, Size: 36610 bytes --] ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
  2020-09-19 5:34 ` Wadhawan, Divneil R
@ 2020-09-21 0:48 ` gaoliming
  2020-09-21 7:27 ` Wadhawan, Divneil R
  0 siblings, 1 reply; 11+ messages in thread
From: gaoliming @ 2020-09-21 0:48 UTC (permalink / raw)
  To: devel, divneil.r.wadhawan, 'Ni, Ray'
  Cc: 'Andrew Fish', 'Justen, Jordan L', 'Kinney, Michael D'

[-- Attachment #1: Type: text/plain, Size: 14736 bytes --]

Yes. Current CI for EmulatorPkg is the default build. It doesn’t cover the build with SECURE_BOOT_ENABLE enabled.
Please submit one BZ for this request.

Thanks
Liming

From: bounce+27952+65409+4905953+8761045@groups.io <bounce+27952+65409+4905953+8761045@groups.io> On Behalf Of Wadhawan, Divneil R
Sent: September 19, 2020 13:34
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

The CI may be missing SECURE_BOOT_ENABLE configuration for EmulatorPkg.
If you can help with the steps to add a configuration in CI, I can work on that.

From: Ni, Ray <ray.ni@intel.com>
Sent: Saturday, September 19, 2020 5:31 AM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

It’s very strange that the build test cannot detect this.
To follow today’s process, you need to send another patch for review.

_____
From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Saturday, September 19, 2020 3:41:11 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; Ni, Ray <ray.ni@intel.com>
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

I saw that a patch merged a few hours ago before my patch added RngLib in the [LibraryClasses] section of OpensslLib.
This caused the EmulatorPkg Secure boot enable build to fail.
I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942

Regards,
Divneil

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Thanks for your help. I see the patch is merged now. :)

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com>
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
pull request is created: https://github.com/tianocore/edk2/pull/941
If it succeeds, the patch will be merged automatically.
If it fails, please check the specific failure message and provide an updated patch.

Thanks,
Ray

From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Reviewed-by: Ray Ni <ray.ni@intel.com>

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Yes, I have tested the following:

A. SECURE_BOOT_ENABLE=true
   * Key Enrollment (PK, KEK, db) via custom mode
   * Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)
B. SECURE_BOOT_ENABLE=false (default case)
   * Secure Boot Configuration menu is not visible (Same as existing default case)
   * Execution of Unit Test Application (Signed/Unsigned both work okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or two.
The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike’s comment, so, you can skip the patches in BZ for now.

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io
Cc: Ni, Ray <ray.ni@intel.com>; gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
---
 EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
 EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..c6e25c745e 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE = FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE DEFINE NETWORK_ISCSI_ENABLE = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE [SkuIds] 0|DEFAULT @@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 
@@ -162,6 +171,16 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -190,6 +209,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" @@ -306,7 +329,14 @@ EmulatorPkg/ResetRuntimeDxe/Reset.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf EmulatorPkg/EmuThunkDxe/EmuThunk.inf 
@@ -315,6 +345,9 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { <LibraryClasses> diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..b256aa9397 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf @@ -46,10 +46,17 @@ DATA = { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) == FALSE #Signature: gEfiVariableGuid = # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!else + # Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Network stack drivers # -- 2.24.1.windows.2 [-- Attachment #2: Type: text/html, Size: 47430 bytes --] ^ permalink raw reply [flat|nested] 11+ messages in thread
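Review bot: In the "@@ -106,12 +107,20 @@" hunk of EmulatorPkg.dsc, the SECURE_BOOT_ENABLE == TRUE branch maps OpensslLib to OpensslLibCrypto.inf but adds no RngLib mapping, and the follow-up in this thread reports that OpensslLib had just gained RngLib in its [LibraryClasses] section, which made the Secure Boot build of EmulatorPkg fail. Add an RngLib instance inside the same !if block. Because the default build leaves the flag FALSE, this branch is only exercised when the package is built once with SECURE_BOOT_ENABLE set to TRUE, so that build should be part of the checks before merging.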
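Review bot: In the "@@ -190,6 +209,10 @@" hunk, PcdUserPhysicalPresence is fixed to TRUE, and the "@@ -106,12 +107,20 @@" hunk selects PlatformSecureLibNull, so this platform always reports the user as physically present. That is reasonable for an emulator, but the PCD line carries no comment saying so. Add a comment next to it marking the value as emulator-only so it is not copied into a real platform DSC, and a short note on why PcdMaxAuthVariableSize is 0x2800.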
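Review bot: In the VARIABLE_STORE_HEADER hunk of EmulatorPkg.fdf ("@@ -46,10 +46,17 @@"), the conditional tests SECURE_BOOT_ENABLE == FALSE while every other conditional in the patch tests == TRUE, and the added comment is written "# Signature:" where the existing one is "#Signature:". Testing == TRUE first, with the gEfiAuthenticatedVariableGuid bytes in that branch, keeps the patch consistent. Secure Boot needs both this authenticated store signature and the AuthVariableLib instance selected in the .dsc, so a comment here pointing at that mapping would help whoever changes one of the two later.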
* Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
  2020-09-21 0:48 ` Re: " gaoliming
@ 2020-09-21 7:27 ` Wadhawan, Divneil R
  0 siblings, 0 replies; 11+ messages in thread
From: Wadhawan, Divneil R @ 2020-09-21 7:27 UTC (permalink / raw)
  To: devel@edk2.groups.io, gaoliming@byosoft.com.cn, Ni, Ray
  Cc: 'Andrew Fish', Justen, Jordan L, Kinney, Michael D, Wadhawan, Divneil R

[-- Attachment #1: Type: text/plain, Size: 15430 bytes --]

Hi Liming,

Here’s the bz: https://bugzilla.tianocore.org/show_bug.cgi?id=2979

Regards,
Divneil

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of gaoliming
Sent: Monday, September 21, 2020 6:19 AM
To: devel@edk2.groups.io; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; Ni, Ray <ray.ni@intel.com>
Cc: 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Yes. Current CI for EmulatorPkg is the default build. It doesn’t cover the build with SECURE_BOOT_ENABLE enabled. Please submit one BZ for this request.

Thanks
Liming

From: bounce+27952+65409+4905953+8761045@groups.io <bounce+27952+65409+4905953+8761045@groups.io> On Behalf Of Wadhawan, Divneil R
Sent: September 19, 2020 13:34
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

The CI may be missing SECURE_BOOT_ENABLE configuration for EmulatorPkg.
If you can help with the steps to add a configuration in CI, I can work on that.

From: Ni, Ray <ray.ni@intel.com>
Sent: Saturday, September 19, 2020 5:31 AM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

It’s very strange that the build test cannot detect this.
To follow today’s process, you need to send another patch for review.

________________________________
From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Saturday, September 19, 2020 3:41:11 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; Ni, Ray <ray.ni@intel.com>
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

I saw that a patch merged a few hours ago before my patch added RngLib in [LibraryClasses] section of OpensslLib.
This caused the EmulatorPkg Secure boot enable build to fail.
I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942

Regards,
Divneil

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Thanks for your help. I see the patch is merged now. :)

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com>
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,

pull request is created: https://github.com/tianocore/edk2/pull/941
If it succeeds, the patch will be merged automatically.
If it fails, please check the specific failure message and provide updated patch.

Thanks,
Ray

From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Reviewed-by: Ray Ni <ray.ni@intel.com>

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Yes, I have tested the following:

A. SECURE_BOOT_ENABLE=true
   * Key Enrollment (PK, KEK, db) via custom mode
   * Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)

B. SECURE_BOOT_ENABLE=false (default case)
   * Secure Boot Configuration menu is not visible (Same as existing default case)
   * Execution of Unit Test Application (Signed/Unsigned both works okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or two.
The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike’s comment, so, you can skip the patches in BZ for now.

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,

Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io
Cc: Ni, Ray <ray.ni@intel.com>; gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
---
 EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
 EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
 2 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 86a6271735..c6e25c745e 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -32,6 +32,7 @@ DEFINE NETWORK_TLS_ENABLE = FALSE DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE DEFINE NETWORK_ISCSI_ENABLE = FALSE + DEFINE SECURE_BOOT_ENABLE = FALSE [SkuIds] 0|DEFAULT @@ -106,12 +107,20 @@ LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf - AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf + PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf + AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +!else + AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf +!endif + [LibraryClasses.common.SEC] PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf 
@@ -162,6 +171,16 @@ TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf +[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf +!endif + +[LibraryClasses.common.DXE_RUNTIME_DRIVER] +!if $(SECURE_BOOT_ENABLE) == TRUE + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf +!endif + [LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION] HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -190,6 +209,10 @@ gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000 gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd" +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800 + gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE +!endif gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64" @@ -306,7 +329,14 @@ EmulatorPkg/ResetRuntimeDxe/Reset.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf - MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf + + MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { + <LibraryClasses> +!if $(SECURE_BOOT_ENABLE) == TRUE + NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf +!endif + } + MdeModulePkg/Universal/EbcDxe/EbcDxe.inf MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf EmulatorPkg/EmuThunkDxe/EmuThunk.inf 
@@ -315,6 +345,9 @@ EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf EmulatorPkg/TimerDxe/Timer.inf +!if $(SECURE_BOOT_ENABLE) == TRUE + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { <LibraryClasses> diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf index 295f6f1db8..b256aa9397 100644 --- a/EmulatorPkg/EmulatorPkg.fdf +++ b/EmulatorPkg/EmulatorPkg.fdf @@ -46,10 +46,17 @@ DATA = { # Blockmap[1]: End 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ## This is the VARIABLE_STORE_HEADER +!if $(SECURE_BOOT_ENABLE) == FALSE #Signature: gEfiVariableGuid = # { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }} 0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41, 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d, +!else + # Signature: gEfiAuthenticatedVariableGuid = + # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }} + 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43, + 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92, +!endif #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8 # This can speed up the Variable Dispatch a bit. 0xB8, 0xBF, 0x00, 0x00, @@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf +# +# Secure Boot Key Enroll +# +!if $(SECURE_BOOT_ENABLE) == TRUE +INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +!endif + # # Network stack drivers # -- 2.24.1.windows.2 [-- Attachment #2: Type: text/html, Size: 56603 bytes --] ^ permalink raw reply [flat|nested] 11+ messages in thread
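Review bot: In the "@@ -32,6 +32,7 @@" hunk, SECURE_BOOT_ENABLE is added with a default of FALSE, but neither the DSC nor the commit message says how to turn it on. Add a comment above the DEFINE, or a line in the commit message, giving the build option that overrides it (-D SECURE_BOOT_ENABLE=TRUE on the build command line), so that the Secure Boot configuration is something reviewers and CI can actually build.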
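Review bot: In the "@@ -306,7 +329,14 @@" hunk, DxeImageVerificationLib is linked into SecurityStubDxe as a NULL library instance, but the patch sets none of the image verification policy PCDs, so the library defaults decide what happens to unsigned or untrusted images. State the intended policy in the commit message, or set the policy PCDs explicitly under the same !if, so the "Authenticated execution of 3rd party images" behaviour is defined by this DSC. The hunk also adds a blank line before and after the SecurityStubDxe entry that the surrounding component list does not use.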