[edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

[edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

[Wadhawan, Divneil R]

[-- Attachment #1: Type: text/plain, Size: 5871 bytes --]

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>
---
EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 86a6271735..c6e25c745e 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -32,6 +32,7 @@
   DEFINE NETWORK_TLS_ENABLE       = FALSE
   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
   DEFINE NETWORK_ISCSI_ENABLE     = FALSE
+  DEFINE SECURE_BOOT_ENABLE       = FALSE
 [SkuIds]
   0|DEFAULT
@@ -106,12 +107,20 @@
   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+!else
+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
+
[LibraryClasses.common.SEC]
   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
@@ -162,6 +171,16 @@
   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf
  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf
+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+!endif
+
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
+
[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -190,6 +209,10 @@
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif
   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"
@@ -306,7 +329,14 @@
   EmulatorPkg/ResetRuntimeDxe/Reset.inf
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+    <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+  }
+
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
   EmulatorPkg/EmuThunkDxe/EmuThunk.inf
@@ -315,6 +345,9 @@
   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf
   EmulatorPkg/TimerDxe/Timer.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
     <LibraryClasses>
diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index 295f6f1db8..b256aa9397 100644
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@@ -46,10 +46,17 @@ DATA = {
   # Blockmap[1]: End
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   ## This is the VARIABLE_STORE_HEADER
+!if $(SECURE_BOOT_ENABLE) == FALSE
   #Signature: gEfiVariableGuid =
   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}
   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,
   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,
+!else
+  # Signature: gEfiAuthenticatedVariableGuid =
+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}
+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,
+!endif
   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8
   # This can speed up the Variable Dispatch a bit.
   0xB8, 0xBF, 0x00, 0x00,
@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf
+#
+# Secure Boot Key Enroll
+#
+!if $(SECURE_BOOT_ENABLE) == TRUE
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
#
# Network stack drivers
#
--
2.24.1.windows.2

[-- Attachment #2: Type: text/html, Size: 12994 bytes --]

Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

[Ni, Ray]

[-- Attachment #1: Type: text/plain, Size: 6491 bytes --]

Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io
Cc: Ni, Ray <ray.ni@intel.com>; gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
---
EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 86a6271735..c6e25c745e 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -32,6 +32,7 @@
   DEFINE NETWORK_TLS_ENABLE       = FALSE
   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
   DEFINE NETWORK_ISCSI_ENABLE     = FALSE
+  DEFINE SECURE_BOOT_ENABLE       = FALSE

 [SkuIds]
   0|DEFAULT
@@ -106,12 +107,20 @@
   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+!else
+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
+
[LibraryClasses.common.SEC]
   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
@@ -162,6 +171,16 @@
   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf
  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf

+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+!endif
+
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
+
[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -190,6 +209,10 @@
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif

   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"

@@ -306,7 +329,14 @@
   EmulatorPkg/ResetRuntimeDxe/Reset.inf
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+    <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+  }
+
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
   EmulatorPkg/EmuThunkDxe/EmuThunk.inf
@@ -315,6 +345,9 @@
   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf
   EmulatorPkg/TimerDxe/Timer.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif

   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
     <LibraryClasses>
diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index 295f6f1db8..b256aa9397 100644
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@@ -46,10 +46,17 @@ DATA = {
   # Blockmap[1]: End
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   ## This is the VARIABLE_STORE_HEADER
+!if $(SECURE_BOOT_ENABLE) == FALSE
   #Signature: gEfiVariableGuid =
   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}
   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,
   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,
+!else
+  # Signature: gEfiAuthenticatedVariableGuid =
+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}
+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,
+!endif
   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8
   # This can speed up the Variable Dispatch a bit.
   0xB8, 0xBF, 0x00, 0x00,
@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf

+#
+# Secure Boot Key Enroll
+#
+!if $(SECURE_BOOT_ENABLE) == TRUE
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
#
# Network stack drivers
#
--
2.24.1.windows.2

[-- Attachment #2: Type: text/html, Size: 14479 bytes --]

Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

[Wadhawan, Divneil R]

[-- Attachment #1: Type: text/plain, Size: 7935 bytes --]

Hi Ray,

Yes, I have tested the following:


  1.  SECURE_BOOT_ENABLE=true

  *   Key Enrollment (PK, KEK, db) via custom mode
  *   Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)


  1.  SECURE_BOOT_ENABLE=false (default case)

  *   Secure Boot Configuration menu is not visible (Same as existing default case)
  *   Execution of Unit Test Application (Signed/Unsigned both works okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.
The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike's comment, so, you can skip the patches in BZ for now.

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
---
EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 86a6271735..c6e25c745e 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -32,6 +32,7 @@
   DEFINE NETWORK_TLS_ENABLE       = FALSE
   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
   DEFINE NETWORK_ISCSI_ENABLE     = FALSE
+  DEFINE SECURE_BOOT_ENABLE       = FALSE

 [SkuIds]
   0|DEFAULT
@@ -106,12 +107,20 @@
   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+!else
+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
+
[LibraryClasses.common.SEC]
   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
@@ -162,6 +171,16 @@
   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf
  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf

+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+!endif
+
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
+
[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -190,6 +209,10 @@
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif

   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"

@@ -306,7 +329,14 @@
   EmulatorPkg/ResetRuntimeDxe/Reset.inf
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+    <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+  }
+
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
   EmulatorPkg/EmuThunkDxe/EmuThunk.inf
@@ -315,6 +345,9 @@
   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf
   EmulatorPkg/TimerDxe/Timer.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif

   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
     <LibraryClasses>
diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index 295f6f1db8..b256aa9397 100644
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@@ -46,10 +46,17 @@ DATA = {
   # Blockmap[1]: End
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   ## This is the VARIABLE_STORE_HEADER
+!if $(SECURE_BOOT_ENABLE) == FALSE
   #Signature: gEfiVariableGuid =
   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}
   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,
   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,
+!else
+  # Signature: gEfiAuthenticatedVariableGuid =
+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}
+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,
+!endif
   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8
   # This can speed up the Variable Dispatch a bit.
   0xB8, 0xBF, 0x00, 0x00,
@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf

+#
+# Secure Boot Key Enroll
+#
+!if $(SECURE_BOOT_ENABLE) == TRUE
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
#
# Network stack drivers
#
--
2.24.1.windows.2

[-- Attachment #2: Type: text/html, Size: 22750 bytes --]

Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

[Ni, Ray]

[-- Attachment #1: Type: text/plain, Size: 8655 bytes --]

Reviewed-by: Ray Ni <ray.ni@intel.com>

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Yes, I have tested the following:


  1.  SECURE_BOOT_ENABLE=true

  *   Key Enrollment (PK, KEK, db) via custom mode
  *   Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)


  1.  SECURE_BOOT_ENABLE=false (default case)

  *   Secure Boot Configuration menu is not visible (Same as existing default case)
  *   Execution of Unit Test Application (Signed/Unsigned both works okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.
The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike's comment, so, you can skip the patches in BZ for now.

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
---
EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 86a6271735..c6e25c745e 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -32,6 +32,7 @@
   DEFINE NETWORK_TLS_ENABLE       = FALSE
   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
   DEFINE NETWORK_ISCSI_ENABLE     = FALSE
+  DEFINE SECURE_BOOT_ENABLE       = FALSE

 [SkuIds]
   0|DEFAULT
@@ -106,12 +107,20 @@
   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+!else
+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
+
[LibraryClasses.common.SEC]
   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
@@ -162,6 +171,16 @@
   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf
  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf

+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+!endif
+
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
+
[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -190,6 +209,10 @@
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif

   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"

@@ -306,7 +329,14 @@
   EmulatorPkg/ResetRuntimeDxe/Reset.inf
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+    <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+  }
+
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
   EmulatorPkg/EmuThunkDxe/EmuThunk.inf
@@ -315,6 +345,9 @@
   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf
   EmulatorPkg/TimerDxe/Timer.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif

   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
     <LibraryClasses>
diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index 295f6f1db8..b256aa9397 100644
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@@ -46,10 +46,17 @@ DATA = {
   # Blockmap[1]: End
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   ## This is the VARIABLE_STORE_HEADER
+!if $(SECURE_BOOT_ENABLE) == FALSE
   #Signature: gEfiVariableGuid =
   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}
   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,
   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,
+!else
+  # Signature: gEfiAuthenticatedVariableGuid =
+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}
+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,
+!endif
   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8
   # This can speed up the Variable Dispatch a bit.
   0xB8, 0xBF, 0x00, 0x00,
@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf

+#
+# Secure Boot Key Enroll
+#
+!if $(SECURE_BOOT_ENABLE) == TRUE
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
#
# Network stack drivers
#
--
2.24.1.windows.2

[-- Attachment #2: Type: text/html, Size: 29421 bytes --]

Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

[Ni, Ray]

[-- Attachment #1: Type: text/plain, Size: 9563 bytes --]

Divneil,
pull request is created: https://github.com/tianocore/edk2/pull/941

If it succeeds, the patch will be merged automatically.
If it fails, please check the specific failure message and provide updated patch.

Thanks,
Ray

From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Reviewed-by: Ray Ni <ray.ni@intel.com<mailto:ray.ni@intel.com>>

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Yes, I have tested the following:


  1.  SECURE_BOOT_ENABLE=true

  *   Key Enrollment (PK, KEK, db) via custom mode
  *   Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)


  1.  SECURE_BOOT_ENABLE=false (default case)

  *   Secure Boot Configuration menu is not visible (Same as existing default case)
  *   Execution of Unit Test Application (Signed/Unsigned both works okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.
The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike's comment, so, you can skip the patches in BZ for now.

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
---
EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 86a6271735..c6e25c745e 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -32,6 +32,7 @@
   DEFINE NETWORK_TLS_ENABLE       = FALSE
   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
   DEFINE NETWORK_ISCSI_ENABLE     = FALSE
+  DEFINE SECURE_BOOT_ENABLE       = FALSE

 [SkuIds]
   0|DEFAULT
@@ -106,12 +107,20 @@
   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+!else
+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
+
[LibraryClasses.common.SEC]
   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
@@ -162,6 +171,16 @@
   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf
  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf

+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+!endif
+
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
+
[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -190,6 +209,10 @@
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif

   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"

@@ -306,7 +329,14 @@
   EmulatorPkg/ResetRuntimeDxe/Reset.inf
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+    <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+  }
+
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
   EmulatorPkg/EmuThunkDxe/EmuThunk.inf
@@ -315,6 +345,9 @@
   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf
   EmulatorPkg/TimerDxe/Timer.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif

   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
     <LibraryClasses>
diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index 295f6f1db8..b256aa9397 100644
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@@ -46,10 +46,17 @@ DATA = {
   # Blockmap[1]: End
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   ## This is the VARIABLE_STORE_HEADER
+!if $(SECURE_BOOT_ENABLE) == FALSE
   #Signature: gEfiVariableGuid =
   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}
   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,
   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,
+!else
+  # Signature: gEfiAuthenticatedVariableGuid =
+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}
+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,
+!endif
   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8
   # This can speed up the Variable Dispatch a bit.
   0xB8, 0xBF, 0x00, 0x00,
@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf

+#
+# Secure Boot Key Enroll
+#
+!if $(SECURE_BOOT_ENABLE) == TRUE
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
#
# Network stack drivers
#
--
2.24.1.windows.2

[-- Attachment #2: Type: text/html, Size: 31212 bytes --]

Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

[Wadhawan, Divneil R]

[-- Attachment #1: Type: text/plain, Size: 10254 bytes --]

Hi Ray,

Thanks for your help.
I see the patch is merged now. :)

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com>
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
pull request is created: https://github.com/tianocore/edk2/pull/941

If it succeeds, the patch will be merged automatically.
If it fails, please check the specific failure message and provide updated patch.

Thanks,
Ray

From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Reviewed-by: Ray Ni <ray.ni@intel.com<mailto:ray.ni@intel.com>>

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Yes, I have tested the following:


  1.  SECURE_BOOT_ENABLE=true

  *   Key Enrollment (PK, KEK, db) via custom mode
  *   Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)


  1.  SECURE_BOOT_ENABLE=false (default case)

  *   Secure Boot Configuration menu is not visible (Same as existing default case)
  *   Execution of Unit Test Application (Signed/Unsigned both works okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.
The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike's comment, so, you can skip the patches in BZ for now.

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
---
EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 86a6271735..c6e25c745e 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -32,6 +32,7 @@
   DEFINE NETWORK_TLS_ENABLE       = FALSE
   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
   DEFINE NETWORK_ISCSI_ENABLE     = FALSE
+  DEFINE SECURE_BOOT_ENABLE       = FALSE

 [SkuIds]
   0|DEFAULT
@@ -106,12 +107,20 @@
   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+!else
+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
+
[LibraryClasses.common.SEC]
   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
@@ -162,6 +171,16 @@
   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf
  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf

+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+!endif
+
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
+
[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -190,6 +209,10 @@
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif

   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"

@@ -306,7 +329,14 @@
   EmulatorPkg/ResetRuntimeDxe/Reset.inf
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+    <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+  }
+
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
   EmulatorPkg/EmuThunkDxe/EmuThunk.inf
@@ -315,6 +345,9 @@
   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf
   EmulatorPkg/TimerDxe/Timer.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif

   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
     <LibraryClasses>
diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index 295f6f1db8..b256aa9397 100644
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@@ -46,10 +46,17 @@ DATA = {
   # Blockmap[1]: End
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   ## This is the VARIABLE_STORE_HEADER
+!if $(SECURE_BOOT_ENABLE) == FALSE
   #Signature: gEfiVariableGuid =
   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}
   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,
   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,
+!else
+  # Signature: gEfiAuthenticatedVariableGuid =
+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}
+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,
+!endif
   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8
   # This can speed up the Variable Dispatch a bit.
   0xB8, 0xBF, 0x00, 0x00,
@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf

+#
+# Secure Boot Key Enroll
+#
+!if $(SECURE_BOOT_ENABLE) == TRUE
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
#
# Network stack drivers
#
--
2.24.1.windows.2

[-- Attachment #2: Type: text/html, Size: 32417 bytes --]

Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

[Wadhawan, Divneil R]

[-- Attachment #1: Type: text/plain, Size: 11249 bytes --]

Hi Ray,

I saw that a patch merged few hours ago before my patch added RngLib in [LibraryClasses] section of OpensslLib.
This caused the EmulatorPkg Secure boot enable build to fail.
I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942

Regards,
Divneil

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Thanks for your help.
I see the patch is merged now. :)

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
pull request is created: https://github.com/tianocore/edk2/pull/941

If it succeeds, the patch will be merged automatically.
If it fails, please check the specific failure message and provide updated patch.

Thanks,
Ray

From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Reviewed-by: Ray Ni <ray.ni@intel.com<mailto:ray.ni@intel.com>>

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Hi Ray,

Yes, I have tested the following:


  1.  SECURE_BOOT_ENABLE=true

  *   Key Enrollment (PK, KEK, db) via custom mode
  *   Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)


  1.  SECURE_BOOT_ENABLE=false (default case)

  *   Secure Boot Configuration menu is not visible (Same as existing default case)
  *   Execution of Unit Test Application (Signed/Unsigned both works okay)

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.
The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike's comment, so, you can skip the patches in BZ for now.

Regards,
Divneil

From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?

Thanks,
Ray

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
---
EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
2 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 86a6271735..c6e25c745e 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -32,6 +32,7 @@
   DEFINE NETWORK_TLS_ENABLE       = FALSE
   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
   DEFINE NETWORK_ISCSI_ENABLE     = FALSE
+  DEFINE SECURE_BOOT_ENABLE       = FALSE

 [SkuIds]
   0|DEFAULT
@@ -106,12 +107,20 @@
   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf
   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+!else
+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
+
[LibraryClasses.common.SEC]
   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf
   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
@@ -162,6 +171,16 @@
   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf
  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf

+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+!endif
+
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
+
[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -190,6 +209,10 @@
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000
   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif

   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"

@@ -306,7 +329,14 @@
   EmulatorPkg/ResetRuntimeDxe/Reset.inf
   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+
+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+    <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+  }
+
   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
   EmulatorPkg/EmuThunkDxe/EmuThunk.inf
@@ -315,6 +345,9 @@
   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf
   EmulatorPkg/TimerDxe/Timer.inf

+!if $(SECURE_BOOT_ENABLE) == TRUE
+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif

   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
     <LibraryClasses>
diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index 295f6f1db8..b256aa9397 100644
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@@ -46,10 +46,17 @@ DATA = {
   # Blockmap[1]: End
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
   ## This is the VARIABLE_STORE_HEADER
+!if $(SECURE_BOOT_ENABLE) == FALSE
   #Signature: gEfiVariableGuid =
   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}
   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,
   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,
+!else
+  # Signature: gEfiAuthenticatedVariableGuid =
+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}
+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,
+!endif
   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8
   # This can speed up the Variable Dispatch a bit.
   0xB8, 0xBF, 0x00, 0x00,
@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf

+#
+# Secure Boot Key Enroll
+#
+!if $(SECURE_BOOT_ENABLE) == TRUE
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
#
# Network stack drivers
#
--
2.24.1.windows.2


[-- Attachment #2: Type: text/html, Size: 34439 bytes --]

Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

[Ni, Ray]

[-- Attachment #1: Type: text/plain, Size: 12362 bytes --]

It’s very strange that the build test cannot detect this.
To follow today’s process, you need to send another patch for review.

________________________________
发件人: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
发送时间: Saturday, September 19, 2020 3:41:11 AM
收件人: devel@edk2.groups.io <devel@edk2.groups.io>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; Ni, Ray <ray.ni@intel.com>
抄送: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
主题: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot


Hi Ray,



I saw that a patch merged few hours ago before my patch added RngLib in [LibraryClasses] section of OpensslLib.

This caused the EmulatorPkg Secure boot enable build to fail.

I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942



Regards,

Divneil



From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Hi Ray,



Thanks for your help.

I see the patch is merged now. :)



Regards,

Divneil



From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Divneil,

pull request is created: https://github.com/tianocore/edk2/pull/941



If it succeeds, the patch will be merged automatically.

If it fails, please check the specific failure message and provide updated patch.



Thanks,

Ray



From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Reviewed-by: Ray Ni <ray.ni@intel.com<mailto:ray.ni@intel.com>>



From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Hi Ray,



Yes, I have tested the following:



  1.  SECURE_BOOT_ENABLE=true

  *   Key Enrollment (PK, KEK, db) via custom mode
  *   Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)



  1.  SECURE_BOOT_ENABLE=false (default case)

  *   Secure Boot Configuration menu is not visible (Same as existing default case)
  *   Execution of Unit Test Application (Signed/Unsigned both works okay)



I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.

The script generates the full key hierarchy that makes it easy to test this patch.

The patch in BZ requires modifications as per Mike’s comment, so, you can skip the patches in BZ for now.



Regards,

Divneil



From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Divneil,

Just want to double confirm: did you test the secure boot and non-secure boot?



Thanks,

Ray



From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.

The following gets enabled with this patch:

o Secure Boot Menu in "Device Manager" for enrolling keys

o Storage space for Authenticated Variables

o Authenticated execution of 3rd party images



Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>

---

EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--

EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++

2 files changed, 49 insertions(+), 2 deletions(-)



diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc

index 86a6271735..c6e25c745e 100644

--- a/EmulatorPkg/EmulatorPkg.dsc

+++ b/EmulatorPkg/EmulatorPkg.dsc

@@ -32,6 +32,7 @@

   DEFINE NETWORK_TLS_ENABLE       = FALSE

   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE

   DEFINE NETWORK_ISCSI_ENABLE     = FALSE

+  DEFINE SECURE_BOOT_ENABLE       = FALSE



 [SkuIds]

   0|DEFAULT

@@ -106,12 +107,20 @@

   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf

   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf

   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf

-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf

   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf

   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf

   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf

   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf



+!if $(SECURE_BOOT_ENABLE) == TRUE

+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf

+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf

+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf

+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf

+!else

+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf

+!endif

+

[LibraryClasses.common.SEC]

   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf

   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf

@@ -162,6 +171,16 @@

   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf

  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf



+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

+!endif

+

+[LibraryClasses.common.DXE_RUNTIME_DRIVER]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

+!endif

+

[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf

   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf

@@ -190,6 +209,10 @@

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800

+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE

+!endif



   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"



@@ -306,7 +329,14 @@

   EmulatorPkg/ResetRuntimeDxe/Reset.inf

   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf

   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf

-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf

+

+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {

+    <LibraryClasses>

+!if $(SECURE_BOOT_ENABLE) == TRUE

+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf

+!endif

+  }

+

   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf

   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf

   EmulatorPkg/EmuThunkDxe/EmuThunk.inf

@@ -315,6 +345,9 @@

   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf

   EmulatorPkg/TimerDxe/Timer.inf



+!if $(SECURE_BOOT_ENABLE) == TRUE

+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+!endif



   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {

     <LibraryClasses>

diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf

index 295f6f1db8..b256aa9397 100644

--- a/EmulatorPkg/EmulatorPkg.fdf

+++ b/EmulatorPkg/EmulatorPkg.fdf

@@ -46,10 +46,17 @@ DATA = {

   # Blockmap[1]: End

   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

   ## This is the VARIABLE_STORE_HEADER

+!if $(SECURE_BOOT_ENABLE) == FALSE

   #Signature: gEfiVariableGuid =

   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}

   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,

   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,

+!else

+  # Signature: gEfiAuthenticatedVariableGuid =

+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}

+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,

+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,

+!endif

   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8

   # This can speed up the Variable Dispatch a bit.

   0xB8, 0xBF, 0x00, 0x00,

@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf

INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf

INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf



+#

+# Secure Boot Key Enroll

+#

+!if $(SECURE_BOOT_ENABLE) == TRUE

+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+!endif

+

#

# Network stack drivers

#

--

2.24.1.windows.2



[-- Attachment #2: Type: text/html, Size: 22617 bytes --]

Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

[Wadhawan, Divneil R]

[-- Attachment #1: Type: text/plain, Size: 13594 bytes --]

The CI may be missing SECURE_BOOT_ENABLE configuration for EmulatorPkg.
If you can help with the steps to add a configuration in CI, I can work on that.

From: Ni, Ray <ray.ni@intel.com>
Sent: Saturday, September 19, 2020 5:31 AM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; devel@edk2.groups.io
Cc: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

It’s very strange that the build test cannot detect this.
To follow today’s process, you need to send another patch for review.

________________________________
发件人: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
发送时间: Saturday, September 19, 2020 3:41:11 AM
收件人: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
抄送: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
主题: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot


Hi Ray,



I saw that a patch merged few hours ago before my patch added RngLib in [LibraryClasses] section of OpensslLib.

This caused the EmulatorPkg Secure boot enable build to fail.

I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942



Regards,

Divneil



From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Hi Ray,



Thanks for your help.

I see the patch is merged now. :)



Regards,

Divneil



From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Divneil,

pull request is created: https://github.com/tianocore/edk2/pull/941



If it succeeds, the patch will be merged automatically.

If it fails, please check the specific failure message and provide updated patch.



Thanks,

Ray



From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Reviewed-by: Ray Ni <ray.ni@intel.com<mailto:ray.ni@intel.com>>



From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Hi Ray,



Yes, I have tested the following:



A.     SECURE_BOOT_ENABLE=true

  *   Key Enrollment (PK, KEK, db) via custom mode
  *   Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)



B.     SECURE_BOOT_ENABLE=false (default case)

  *   Secure Boot Configuration menu is not visible (Same as existing default case)
  *   Execution of Unit Test Application (Signed/Unsigned both works okay)



I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.

The script generates the full key hierarchy that makes it easy to test this patch.

The patch in BZ requires modifications as per Mike’s comment, so, you can skip the patches in BZ for now.



Regards,

Divneil



From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Divneil,

Just want to double confirm: did you test the secure boot and non-secure boot?



Thanks,

Ray



From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.

The following gets enabled with this patch:

o Secure Boot Menu in "Device Manager" for enrolling keys

o Storage space for Authenticated Variables

o Authenticated execution of 3rd party images



Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>

---

EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--

EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++

2 files changed, 49 insertions(+), 2 deletions(-)



diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc

index 86a6271735..c6e25c745e 100644

--- a/EmulatorPkg/EmulatorPkg.dsc

+++ b/EmulatorPkg/EmulatorPkg.dsc

@@ -32,6 +32,7 @@

   DEFINE NETWORK_TLS_ENABLE       = FALSE

   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE

   DEFINE NETWORK_ISCSI_ENABLE     = FALSE

+  DEFINE SECURE_BOOT_ENABLE       = FALSE



 [SkuIds]

   0|DEFAULT

@@ -106,12 +107,20 @@

   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf

   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf

   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf

-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf

   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf

   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf

   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf

   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf



+!if $(SECURE_BOOT_ENABLE) == TRUE

+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf

+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf

+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf

+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf

+!else

+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf

+!endif

+

[LibraryClasses.common.SEC]

   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf

   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf

@@ -162,6 +171,16 @@

   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf

  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf



+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

+!endif

+

+[LibraryClasses.common.DXE_RUNTIME_DRIVER]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

+!endif

+

[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf

   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf

@@ -190,6 +209,10 @@

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800

+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE

+!endif



   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"



@@ -306,7 +329,14 @@

   EmulatorPkg/ResetRuntimeDxe/Reset.inf

   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf

   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf

-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf

+

+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {

+    <LibraryClasses>

+!if $(SECURE_BOOT_ENABLE) == TRUE

+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf

+!endif

+  }

+

   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf

   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf

   EmulatorPkg/EmuThunkDxe/EmuThunk.inf

@@ -315,6 +345,9 @@

   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf

   EmulatorPkg/TimerDxe/Timer.inf



+!if $(SECURE_BOOT_ENABLE) == TRUE

+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+!endif



   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {

     <LibraryClasses>

diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf

index 295f6f1db8..b256aa9397 100644

--- a/EmulatorPkg/EmulatorPkg.fdf

+++ b/EmulatorPkg/EmulatorPkg.fdf

@@ -46,10 +46,17 @@ DATA = {

   # Blockmap[1]: End

   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

   ## This is the VARIABLE_STORE_HEADER

+!if $(SECURE_BOOT_ENABLE) == FALSE

   #Signature: gEfiVariableGuid =

   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}

   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,

   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,

+!else

+  # Signature: gEfiAuthenticatedVariableGuid =

+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}

+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,

+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,

+!endif

   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8

   # This can speed up the Variable Dispatch a bit.

   0xB8, 0xBF, 0x00, 0x00,

@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf

INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf

INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf



+#

+# Secure Boot Key Enroll

+#

+!if $(SECURE_BOOT_ENABLE) == TRUE

+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+!endif

+

#

# Network stack drivers

#

--

2.24.1.windows.2



[-- Attachment #2: Type: text/html, Size: 36610 bytes --]

回复: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

[gaoliming]

[-- Attachment #1: Type: text/plain, Size: 14736 bytes --]

Yes. Current CI for EmulatorPkg is the default build. It doesn’t cover the build with SECURE_BOOT_ENABLE enable. Please submit one BZ for this request. 

 

Thanks

Liming

发件人: bounce+27952+65409+4905953+8761045@groups.io <bounce+27952+65409+4905953+8761045@groups.io> 代表 Wadhawan, Divneil R
发送时间: 2020年9月19日 13:34
收件人: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
抄送: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
主题: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

The CI may be missing SECURE_BOOT_ENABLE configuration for EmulatorPkg.

If you can help with the steps to add a configuration in CI, I can work on that.

 

From: Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> > 
Sent: Saturday, September 19, 2020 5:31 AM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >; devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

It’s very strange that the build test cannot detect this.

To follow today’s process, you need to send another patch for review.

 

  _____

发件人: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >
发送时间: Saturday, September 19, 2020 3:41:11 AM
收件人: devel@edk2.groups.io <mailto:devel@edk2.groups.io>  <devel@edk2.groups.io <mailto:devel@edk2.groups.io> >; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >; Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> >
抄送: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >
主题: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot 

 

Hi Ray,

 

I saw that a patch merged few hours ago before my patch added RngLib in [LibraryClasses] section of OpensslLib.

This caused the EmulatorPkg Secure boot enable build to fail.

I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942

 

Regards,

Divneil

 

From: devel@edk2.groups.io <mailto:devel@edk2.groups.io>  <devel@edk2.groups.io <mailto:devel@edk2.groups.io> > On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> >; devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Hi Ray,

 

Thanks for your help.

I see the patch is merged now. :)

 

Regards,

Divneil

 

From: Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> > 
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >; devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Divneil,

pull request is created: https://github.com/tianocore/edk2/pull/941

 

If it succeeds, the patch will be merged automatically.

If it fails, please check the specific failure message and provide updated patch.

 

Thanks,

Ray

 

From: Ni, Ray 
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >; devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Reviewed-by: Ray Ni <ray.ni@intel.com <mailto:ray.ni@intel.com> >

 

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> > 
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> >; devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Hi Ray,

 

Yes, I have tested the following:

 

A.     SECURE_BOOT_ENABLE=true

*	Key Enrollment (PK, KEK, db) via custom mode
*	Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)

 

B.     SECURE_BOOT_ENABLE=false (default case)

*	Secure Boot Configuration menu is not visible (Same as existing default case)
*	Execution of Unit Test Application (Signed/Unsigned both works okay)

 

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.

The script generates the full key hierarchy that makes it easy to test this patch.

The patch in BZ requires modifications as per Mike’s comment, so, you can skip the patches in BZ for now.

 

Regards,

Divneil

 

From: Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> > 
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >; devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Divneil,

Just want to double confirm: did you test the secure boot and non-secure boot?

 

Thanks,

Ray

 

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> > 
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> >; gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.

The following gets enabled with this patch:

o Secure Boot Menu in "Device Manager" for enrolling keys

o Storage space for Authenticated Variables

o Authenticated execution of 3rd party images

 

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >

---

EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--

EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++

2 files changed, 49 insertions(+), 2 deletions(-)

 

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc

index 86a6271735..c6e25c745e 100644

--- a/EmulatorPkg/EmulatorPkg.dsc

+++ b/EmulatorPkg/EmulatorPkg.dsc

@@ -32,6 +32,7 @@

   DEFINE NETWORK_TLS_ENABLE       = FALSE

   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE

   DEFINE NETWORK_ISCSI_ENABLE     = FALSE

+  DEFINE SECURE_BOOT_ENABLE       = FALSE

 

 [SkuIds]

   0|DEFAULT

@@ -106,12 +107,20 @@

   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf

   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf

   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf

-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf

   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf

   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf

   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf

   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

 

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf

+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf

+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf

+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf

+!else

+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf

+!endif

+

[LibraryClasses.common.SEC]

   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf

   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf

@@ -162,6 +171,16 @@

   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf

  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf

 

+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

+!endif

+

+[LibraryClasses.common.DXE_RUNTIME_DRIVER]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

+!endif

+

[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf

   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf

@@ -190,6 +209,10 @@

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800

+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE

+!endif

 

   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"

 

@@ -306,7 +329,14 @@

   EmulatorPkg/ResetRuntimeDxe/Reset.inf

   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf

   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf

-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf

+

+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {

+    <LibraryClasses>

+!if $(SECURE_BOOT_ENABLE) == TRUE

+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf

+!endif

+  }

+

   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf

   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf

   EmulatorPkg/EmuThunkDxe/EmuThunk.inf

@@ -315,6 +345,9 @@

   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf

   EmulatorPkg/TimerDxe/Timer.inf

 

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+!endif

 

   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {

     <LibraryClasses>

diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf

index 295f6f1db8..b256aa9397 100644

--- a/EmulatorPkg/EmulatorPkg.fdf

+++ b/EmulatorPkg/EmulatorPkg.fdf

@@ -46,10 +46,17 @@ DATA = {

   # Blockmap[1]: End

   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

   ## This is the VARIABLE_STORE_HEADER

+!if $(SECURE_BOOT_ENABLE) == FALSE

   #Signature: gEfiVariableGuid =

   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}

   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,

   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,

+!else

+  # Signature: gEfiAuthenticatedVariableGuid =

+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}

+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,

+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,

+!endif

   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8

   # This can speed up the Variable Dispatch a bit.

   0xB8, 0xBF, 0x00, 0x00,

@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf

INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf

INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf

 

+#

+# Secure Boot Key Enroll

+#

+!if $(SECURE_BOOT_ENABLE) == TRUE

+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+!endif

+

#

# Network stack drivers

#

-- 

2.24.1.windows.2

 




[-- Attachment #2: Type: text/html, Size: 47430 bytes --]

Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

[Wadhawan, Divneil R]

[-- Attachment #1: Type: text/plain, Size: 15430 bytes --]

Hi Liming,
Here’s the bz: https://bugzilla.tianocore.org/show_bug.cgi?id=2979

Regards,
Divneil

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of gaoliming
Sent: Monday, September 21, 2020 6:19 AM
To: devel@edk2.groups.io; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; Ni, Ray <ray.ni@intel.com>
Cc: 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: 回复: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Yes. Current CI for EmulatorPkg is the default build. It doesn’t cover the build with SECURE_BOOT_ENABLE enable. Please submit one BZ for this request.

Thanks
Liming
发件人: bounce+27952+65409+4905953+8761045@groups.io<mailto:bounce+27952+65409+4905953+8761045@groups.io> <bounce+27952+65409+4905953+8761045@groups.io<mailto:bounce+27952+65409+4905953+8761045@groups.io>> 代表 Wadhawan, Divneil R
发送时间: 2020年9月19日 13:34
收件人: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
抄送: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
主题: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

The CI may be missing SECURE_BOOT_ENABLE configuration for EmulatorPkg.
If you can help with the steps to add a configuration in CI, I can work on that.

From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Saturday, September 19, 2020 5:31 AM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

It’s very strange that the build test cannot detect this.
To follow today’s process, you need to send another patch for review.

________________________________
发件人: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
发送时间: Saturday, September 19, 2020 3:41:11 AM
收件人: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
抄送: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
主题: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot


Hi Ray,



I saw that a patch merged few hours ago before my patch added RngLib in [LibraryClasses] section of OpensslLib.

This caused the EmulatorPkg Secure boot enable build to fail.

I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942



Regards,

Divneil



From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Hi Ray,



Thanks for your help.

I see the patch is merged now. :)



Regards,

Divneil



From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Divneil,

pull request is created: https://github.com/tianocore/edk2/pull/941



If it succeeds, the patch will be merged automatically.

If it fails, please check the specific failure message and provide updated patch.



Thanks,

Ray



From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Reviewed-by: Ray Ni <ray.ni@intel.com<mailto:ray.ni@intel.com>>



From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Hi Ray,



Yes, I have tested the following:



A.     SECURE_BOOT_ENABLE=true

  *   Key Enrollment (PK, KEK, db) via custom mode
  *   Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)



B.     SECURE_BOOT_ENABLE=false (default case)

  *   Secure Boot Configuration menu is not visible (Same as existing default case)
  *   Execution of Unit Test Application (Signed/Unsigned both works okay)



I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.

The script generates the full key hierarchy that makes it easy to test this patch.

The patch in BZ requires modifications as per Mike’s comment, so, you can skip the patches in BZ for now.



Regards,

Divneil



From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Divneil,

Just want to double confirm: did you test the secure boot and non-secure boot?



Thanks,

Ray



From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.

The following gets enabled with this patch:

o Secure Boot Menu in "Device Manager" for enrolling keys

o Storage space for Authenticated Variables

o Authenticated execution of 3rd party images



Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>

---

EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--

EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++

2 files changed, 49 insertions(+), 2 deletions(-)



diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc

index 86a6271735..c6e25c745e 100644

--- a/EmulatorPkg/EmulatorPkg.dsc

+++ b/EmulatorPkg/EmulatorPkg.dsc

@@ -32,6 +32,7 @@

   DEFINE NETWORK_TLS_ENABLE       = FALSE

   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE

   DEFINE NETWORK_ISCSI_ENABLE     = FALSE

+  DEFINE SECURE_BOOT_ENABLE       = FALSE



 [SkuIds]

   0|DEFAULT

@@ -106,12 +107,20 @@

   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf

   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf

   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf

-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf

   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf

   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf

   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf

   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf



+!if $(SECURE_BOOT_ENABLE) == TRUE

+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf

+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf

+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf

+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf

+!else

+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf

+!endif

+

[LibraryClasses.common.SEC]

   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf

   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf

@@ -162,6 +171,16 @@

   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf

  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf



+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

+!endif

+

+[LibraryClasses.common.DXE_RUNTIME_DRIVER]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

+!endif

+

[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf

   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf

@@ -190,6 +209,10 @@

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800

+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE

+!endif



   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"



@@ -306,7 +329,14 @@

   EmulatorPkg/ResetRuntimeDxe/Reset.inf

   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf

   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf

-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf

+

+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {

+    <LibraryClasses>

+!if $(SECURE_BOOT_ENABLE) == TRUE

+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf

+!endif

+  }

+

   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf

   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf

   EmulatorPkg/EmuThunkDxe/EmuThunk.inf

@@ -315,6 +345,9 @@

   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf

   EmulatorPkg/TimerDxe/Timer.inf



+!if $(SECURE_BOOT_ENABLE) == TRUE

+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+!endif



   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {

     <LibraryClasses>

diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf

index 295f6f1db8..b256aa9397 100644

--- a/EmulatorPkg/EmulatorPkg.fdf

+++ b/EmulatorPkg/EmulatorPkg.fdf

@@ -46,10 +46,17 @@ DATA = {

   # Blockmap[1]: End

   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

   ## This is the VARIABLE_STORE_HEADER

+!if $(SECURE_BOOT_ENABLE) == FALSE

   #Signature: gEfiVariableGuid =

   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}

   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,

   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,

+!else

+  # Signature: gEfiAuthenticatedVariableGuid =

+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}

+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,

+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,

+!endif

   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8

   # This can speed up the Variable Dispatch a bit.

   0xB8, 0xBF, 0x00, 0x00,

@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf

INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf

INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf



+#

+# Secure Boot Key Enroll

+#

+!if $(SECURE_BOOT_ENABLE) == TRUE

+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+!endif

+

#

# Network stack drivers

#

--

2.24.1.windows.2




[-- Attachment #2: Type: text/html, Size: 56603 bytes --]