From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) by mx.groups.io with SMTP id smtpd.web11.8463.1675383107401204348 for ; Thu, 02 Feb 2023 16:11:47 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=ARIOfjnU; spf=pass (domain: intel.com, ip: 134.134.136.126, mailfrom: jiewen.yao@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1675383107; x=1706919107; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=4jbP0OZ41rOoz1sc9K1Lqb5+8xei1n7LVES7gw8+L9o=; b=ARIOfjnUUKhhnMlSjlZSKTDQhk/Vn7eLZI+qkoPU7GDhvXfmaFXGhJSm qUM1VrCy0nrmKt6++GNVxmQnVarJNRNBGtUR5CJ2WClz+URa1xeFvtNad EMXJ51CylixoI50mmaPSRqeoBWMS02pKFC0P0eHrpZih07T6Nynd2aQtD kvNOisFi0bu4Z7VPHoNf8Wf6s/gC1ENoKOzswnbB/bYIFbqLgI98/v+ra TTOKp7ihRydRP+l/3YAAueG3AkdWQKKBw5UGQy/ZlEz2+FiZp/z3nQAOi QH3Avf7P7Nf/hfcsYvmBybaXjhYiy24DobKbKLmuHxqRDPWge862Mxlj1 A==; X-IronPort-AV: E=McAfee;i="6500,9779,10609"; a="312262842" X-IronPort-AV: E=Sophos;i="5.97,268,1669104000"; d="scan'208";a="312262842" Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Feb 2023 16:11:46 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6500,9779,10609"; a="667472162" X-IronPort-AV: E=Sophos;i="5.97,268,1669104000"; d="scan'208";a="667472162" Received: from orsmsx602.amr.corp.intel.com ([10.22.229.15]) by fmsmga007.fm.intel.com with ESMTP; 02 Feb 2023 16:11:45 -0800 Received: from orsmsx611.amr.corp.intel.com (10.22.229.24) by ORSMSX602.amr.corp.intel.com (10.22.229.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.16; Thu, 2 Feb 2023 16:11:45 -0800 Received: from orsedg603.ED.cps.intel.com (10.7.248.4) by orsmsx611.amr.corp.intel.com (10.22.229.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.16 via Frontend Transport; Thu, 2 Feb 2023 16:11:45 -0800 Received: from NAM11-CO1-obe.outbound.protection.outlook.com (104.47.56.176) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.16; Thu, 2 Feb 2023 16:11:45 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mY6CHBdfomNHegNwkt7VHyrYSwIB3ZHdtpK+jUvxOYixYpRyr3ca6KcXcF3P4/5FzKleTvvJ6F2zcCtAsNHay0yIWezhxrBECwEmB0sLvssIJ3mDPdFCGdHPD9pH/mLk06Vn1FJCAg3fFHquNn2/zAPmyWAV0Dw9eUVHxkISJTR+0U5tCEnoKoXFzfZJ/XlEbxIKps6EKsYIIV3Rr4Vt+F90u09Bm0sh/BfnEfBF8sTCWPGtGZ4btUWWTzHDdKcmVy8zv9A8Xv1Vm8n4JWDUxwUnwoO35VgzdKZODBvjGiqlremJNkxirVrsQu+hJl3OIKgfRQ1ZEXCZvYAIRiv8zw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=np7Mbpgn3fjx/iR2WZujhRxyrs+hxB4xYIfC5Yh6ooI=; b=nNk5y5WFuUD3PFDBlawkY+L+9g9JncK0bpsh59e1BlFaFVvFOkapZhhhia3KrlJWmfle5deveHej5sno66yAeNmR+dVbeaT+E33aDw4pKqjuRMkM3ZmwOVw+hvGJl1oU2xHNoot5614Q2Zhon2BydkuoMCiXZHIZXG4yAp8GgAvBPF24UFMveM17IbbOMZGGjGtGcJbsOPId6Hd9pCH0d1WmFIBdUTAy+IWSeNbRnQ2TuwWZdrzV0NIe1VmpdMY4G+i2Wl9kAbv3J9+h05xlNumVHVAP8sn5V6FGsrRPj8AeU3wuq5m2y3TN74jCbQQx2MxeeCa0jJN+t2kxWFjF2A== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none Received: from MW4PR11MB5872.namprd11.prod.outlook.com (2603:10b6:303:169::14) by SN7PR11MB7113.namprd11.prod.outlook.com (2603:10b6:806:298::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6064.27; Fri, 3 Feb 2023 00:11:43 +0000 Received: from MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::96f4:ad8:3fb9:b60d]) by MW4PR11MB5872.namprd11.prod.outlook.com ([fe80::96f4:ad8:3fb9:b60d%3]) with mapi id 15.20.6064.023; Fri, 3 Feb 2023 00:11:43 +0000 From: "Yao, Jiewen" To: Jan Bobek , "devel@edk2.groups.io" CC: Laszlo Ersek , Ard Biesheuvel , Leif Lindholm , "Sami Mujawar" , Gerd Hoffmann Subject: Re: [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled Thread-Topic: [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled Thread-Index: AQHZLSLW6H/bPZ8oVkyywm3Kz249mq68bc5A Date: Fri, 3 Feb 2023 00:11:42 +0000 Message-ID: References: <20230120225835.42733-1-jbobek@nvidia.com> <20230120225835.42733-4-jbobek@nvidia.com> In-Reply-To: <20230120225835.42733-4-jbobek@nvidia.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: MW4PR11MB5872:EE_|SN7PR11MB7113:EE_ x-ms-office365-filtering-correlation-id: 01dcd7e7-7a34-4fef-0250-08db057b3adf x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 9uQN4U5jC5HuSZEp2eNRexbZzDckylLR7lv1NdPKkFI+9ExeNjduv0vUFpRDw8pD3Bc25BNY2A5SD9k3jynWaIz2nlE0KiXtLqvNrBDS1NtkthGNMLeEEClLd8rOqFs4bJ1CkHmUyFIbv2Ik4NXDiqA2XLAaIba+wTLI9lN+lWRs8DX8PPE2qojlYnND/CnJp1zKcABXwZ7Coh+0/phGNWCSOMayT84/fu5b/s5VCrzBD+T7IBwzVX2Kn9TNYJkHog+z0hBJX+0G9y+wvZ0D5OmFBOR3Q84E1nDd+3rFmk3MRypi0J67l7/kJfJkuk99ASVO+rV3IWLZpYJtK/MOCtmrfr6Mr/JaeWFSvSBmjpo2Zvv7+Ev6FmnNoc86L0qrMCncgHf9T5k/ud9C51erVjzpa3uFgKLVoftPrDdFpyxSAGwZbnL1c3FrcIR8bilWJNze6Z+NiO70oXR6goDu/TGZzvRov0YFg4TqzLzzi9NuZdVmPLuVUQk5c8kSSNtz/KflYFHc63Cu6+ix7LnHMLlmfz+cjR8dFzzfIWA4vGr3TzxKtNcI2EWOr7D7DIGUcFoZlvqxj+sQoGPTy4WTqCFbZ+6JzHWxHWMxJ1NLaSA304XAJdWCK5dJoje/KEMNqRTlxXUPgN+mrJNfTiYboXWwXrmrwLHSr22sv8VYEVdursFrJkDUftC+BCP3Fhs13RUQN5O6dTpNFwh2j7tkXalSWFjceV0vQRPtq1rlYGQ= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MW4PR11MB5872.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230025)(136003)(39860400002)(346002)(396003)(366004)(376002)(451199018)(6506007)(55016003)(71200400001)(86362001)(38070700005)(110136005)(38100700002)(186003)(53546011)(26005)(7696005)(54906003)(316002)(122000001)(33656002)(478600001)(966005)(82960400001)(41300700001)(66946007)(8676002)(4326008)(5660300002)(8936002)(64756008)(83380400001)(66446008)(76116006)(9686003)(66556008)(52536014)(2906002)(66476007);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?8JMrTVAUqi55p/cjRzhrvUvBQOhfqNjYm8uMBDHPngNaG50TpnQ7o1yWA4hd?= =?us-ascii?Q?AY25wzFBmMjBmPK3rUwZWMxrEbIhC8QgROruZkuI09roM1ER6FekjiCwPwaM?= =?us-ascii?Q?ucfJ0YPgVd2ASNKBhqKW5+Qe6VQtUGeEkUWGdHVxrU0UYvrbQj3otkzO+zFL?= =?us-ascii?Q?VWMPIGKFa7cukYNS7rQAVfzHBz95pQjuci1+AKPGcOxyaED6TlQlfp2bLcSr?= =?us-ascii?Q?04bP8zd4xAJnSWR4TDJcOupdQjZL7Hhq9RWXSc/3KLytuS9rScoONww0OZn8?= =?us-ascii?Q?wgoHk/Wm78ocU68+V82n2Y29H74ML8h9EeLA9ZeNohUesnryAnTlLcxQYjK9?= =?us-ascii?Q?TrMqG6cOkr5HsEMptw2/qLX3wf16RNMp25tznoPHkgsW01ii4lBSQIvW6hKq?= =?us-ascii?Q?D/Mg2s2Ni5QBsSgnCnjtNYeBaSjOXi+z1Dyk2gx3IJvfseMDWTqLQOo/HRaC?= =?us-ascii?Q?0La+a64eBQ3qGpbTyjfoYlthOUR6XCf1JnwwA8VhwhWMk2CIZW+VQCpp1lB8?= =?us-ascii?Q?SrlAzSCW+wPsj9sFEpe6sZTBASplpNVN8U1GVHHnVLvjEyBM/Td6+k9zwjnY?= =?us-ascii?Q?HImvPDWsevg9SGKUWBeLJqF//qMcGHYXBQaL8RMO3iqH4agjbrphbNohSgME?= =?us-ascii?Q?4cQt1Cq5+ivClgphptnbH1sS2ta8JBe3FBCdpbz3SNnobcgbi9TeG6CGYl2H?= =?us-ascii?Q?K0wkdtOFCHwBYLmgmwXI6ox9uFeyGhVDKJvkykalHxzfDFUxPE761wvmvc6s?= =?us-ascii?Q?UEPGbvLKP8AiDN89wHrEplfCIsRldGwbPWHCekYAbgFRmpEj6PF5n63Hho7J?= =?us-ascii?Q?d194YTI3NATYpXnxWfEPVUTmohFZS/FzsmPOEjr6XAXJYAZCGSt2+eYfCFUj?= =?us-ascii?Q?amebodOX89w+D5kPr7JXrllVfEtMxUcd0gS9SLDAv/4YWdjvTXYNUPHZsEze?= =?us-ascii?Q?sD/0ZPm2s10wwZBGXDSlhLUGKYziwuL/ScliOqI2Xaf9aDLjKFJ2hPL45n+m?= =?us-ascii?Q?kl1Y1QTFsxEGRwEKnZo4ROIslfXnIjRUTyDUYasZsF7Bdy1SWvQ2cnYs/ibR?= =?us-ascii?Q?M/b17ZXWV5De+phUi5NVvv+WltzwIiIBaAMkVkiegxjrxdmF4UXT1XAQH8zt?= =?us-ascii?Q?BEfKHMs9dkIGAmHXAL4CbJW9nCSnIoVmrouCRouRJCL/oqTjm5HTWqUjNA+j?= =?us-ascii?Q?t6D/Ep7y+V3HNlzxuU9VUAYQcjuppX00J1u5vng6kE3/6Q7zNW2BTosyQh/h?= =?us-ascii?Q?P8X7+pAnCBXrbQJ8YUiz1/EshfE+tsshjWbpDHGL6mfRPduC1Eu1gzRFvty/?= =?us-ascii?Q?hH3zAfGEXpfhZbqlYb63lw/xqe8KfxWGhC6t5UkT8RmD2eElzCwD8gx0Rnp0?= =?us-ascii?Q?VJaBB579r0kU/sypVD1OF3yJC4MEUx4p1ybrDa/rQTkEa6F7iSsR5KX+9yEz?= =?us-ascii?Q?+OXKSrnEq9P+miVypbDDaAjJusNOwLgtdK/KLDfH6sFm8CqGuZtFZU+mBy33?= =?us-ascii?Q?fDmZvBcsrTbabjoLAa5o0UBVG7tFA/Cob8JIH1xsJ9/c38aE7cIoxYPCFSJP?= =?us-ascii?Q?g+TBbFMsXuV3KiagQNogMX0AmQLipKGLg41qlPwu?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: MW4PR11MB5872.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 01dcd7e7-7a34-4fef-0250-08db057b3adf X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Feb 2023 00:11:42.9554 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: lBRN5cUF4W2zkDwAsyD97+gSmhRNzMijsrNemMwERNXFwUQW0lGyvX/jSu74WAAB7p84yM80wtA7zGr5DwDKRw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN7PR11MB7113 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Could ArmVirtPkg maintainer(s) review this patch? > -----Original Message----- > From: Jan Bobek > Sent: Saturday, January 21, 2023 6:59 AM > To: devel@edk2.groups.io > Cc: Jan Bobek ; Laszlo Ersek ; Yao, > Jiewen ; Ard Biesheuvel = ; > Leif Lindholm ; Sami Mujawar > ; Gerd Hoffmann > Subject: [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure bo= ot is > enabled >=20 > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2506 >=20 > In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring > self-signed PK when SECURE_BOOT_ENABLE is TRUE. >=20 > Cc: Ard Biesheuvel > Cc: Leif Lindholm > Cc: Sami Mujawar > Cc: Gerd Hoffmann > Signed-off-by: Jan Bobek > --- > ArmVirtPkg/ArmVirtCloudHv.dsc | 4 ++++ > ArmVirtPkg/ArmVirtQemu.dsc | 4 ++++ > ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ++++ > 3 files changed, 12 insertions(+) >=20 > diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.ds= c > index 7ca7a391d9cf..dc33936d6f03 100644 > --- a/ArmVirtPkg/ArmVirtCloudHv.dsc > +++ b/ArmVirtPkg/ArmVirtCloudHv.dsc > @@ -85,6 +85,10 @@ [PcdsFeatureFlag.common] >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE >=20 > +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE > +!endif > + > [PcdsFixedAtBuild.common] > !if $(ARCH) =3D=3D AARCH64 > gArmTokenSpaceGuid.PcdVFPEnabled|1 > diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc > index 0f1c6395488a..31fd0e5279ab 100644 > --- a/ArmVirtPkg/ArmVirtQemu.dsc > +++ b/ArmVirtPkg/ArmVirtQemu.dsc > @@ -145,6 +145,10 @@ [PcdsFeatureFlag.common] >=20 > gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE) >=20 > +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE > +!endif > + > [PcdsFixedAtBuild.common] > !if $(ARCH) =3D=3D AARCH64 > gArmTokenSpaceGuid.PcdVFPEnabled|1 > diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc > b/ArmVirtPkg/ArmVirtQemuKernel.dsc > index 807c85d48285..1e0f06c91137 100644 > --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc > +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc > @@ -114,6 +114,10 @@ [PcdsFeatureFlag.common] >=20 > gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE >=20 > +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE > +!endif > + > [PcdsFixedAtBuild.common] > !if $(ARCH) =3D=3D AARCH64 > gArmTokenSpaceGuid.PcdVFPEnabled|1 > -- > 2.30.2