From: "Yao, Jiewen"
To: Ard Biesheuvel, Jan Bobek
CC: "devel@edk2.groups.io", Laszlo Ersek, Ard Biesheuvel, "Leif Lindholm", Sami Mujawar, Gerd Hoffmann
Subject: Re: [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled
Date: Fri, 3 Feb 2023 11:14:56 +0000
References: <20230120225835.42733-1-jbobek@nvidia.com> <20230120225835.42733-4-jbobek@nvidia.com>

That is fine. This patch is just to maintain the compatibility.
Feel free to drop it, if you think it is not needed for this platform.

I can merge the rest of the patches first.

> -----Original Message-----
> From: Ard Biesheuvel
> Sent: Friday, February 3, 2023 6:49 PM
> To: Jan Bobek
> Cc: devel@edk2.groups.io; Laszlo Ersek; Yao, Jiewen; Ard Biesheuvel; Leif Lindholm; Sami Mujawar; Gerd Hoffmann
> Subject: Re: [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled
>
> On Fri, 20 Jan 2023 at 23:59, Jan Bobek wrote:
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506
> >
> > In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring
> > self-signed PK when SECURE_BOOT_ENABLE is TRUE.
> >
> > Cc: Ard Biesheuvel
> > Cc: Leif Lindholm
> > Cc: Sami Mujawar
> > Cc: Gerd Hoffmann
> > Signed-off-by: Jan Bobek
>
> I have no problems with this patch, but I wonder if we need it. I
> suppose this is intended to retain the previous behavior, but I don't
> think that makes sense at all. Secure boot support in ArmVirtPkg is
> not production quality in any case, and self-signed PKs are rather
> pointless too, so I think we should just go with the new default
> behavior of allowing unsigned PKs.
>
>
> > --- > > ArmVirtPkg/ArmVirtCloudHv.dsc | 4 ++++ > > ArmVirtPkg/ArmVirtQemu.dsc | 4 ++++ > > ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ++++ > > 3 files changed, 12 insertions(+) > > > > diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.= dsc > > index 7ca7a391d9cf..dc33936d6f03 100644 > > --- a/ArmVirtPkg/ArmVirtCloudHv.dsc > > +++ b/ArmVirtPkg/ArmVirtCloudHv.dsc > > @@ -85,6 +85,10 @@ [PcdsFeatureFlag.common] > > > > gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE > > > > +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE > > +!endif > > + > > [PcdsFixedAtBuild.common] > > !if $(ARCH) =3D=3D AARCH64 > > gArmTokenSpaceGuid.PcdVFPEnabled|1 > > diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc > > index 0f1c6395488a..31fd0e5279ab 100644 > > --- a/ArmVirtPkg/ArmVirtQemu.dsc > > +++ b/ArmVirtPkg/ArmVirtQemu.dsc 
> > @@ -145,6 +145,10 @@ [PcdsFeatureFlag.common] > > > > gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE) > > > > +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE > > +!endif > > + > > [PcdsFixedAtBuild.common] > > !if $(ARCH) =3D=3D AARCH64 > > gArmTokenSpaceGuid.PcdVFPEnabled|1 > > diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc > b/ArmVirtPkg/ArmVirtQemuKernel.dsc > > index 807c85d48285..1e0f06c91137 100644 > > --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc > > +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc > > @@ -114,6 +114,10 @@ [PcdsFeatureFlag.common] > > > > gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE > > > > +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE > > +!endif > > + > > [PcdsFixedAtBuild.common] > > !if $(ARCH) =3D=3D AARCH64 > > gArmTokenSpaceGuid.PcdVFPEnabled|1 > > -- > > 2.30.2 > >
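
Review bot: The added `!if $(SECURE_BOOT_ENABLE)` block under [PcdsFeatureFlag.common] has no comment explaining why the platform sets PcdRequireSelfSignedPk to TRUE, and the commit message only says that the DSC files opt in, not why. A one-line comment above the `!if` in each file, stating that it keeps the earlier requirement for a self-signed PK, would let a later reader tell a deliberate policy from a leftover. The same three-line block is repeated verbatim in ArmVirtCloudHv.dsc, ArmVirtQemu.dsc and ArmVirtQemuKernel.dsc, so any later change to this policy has to be made in three places; if that duplication is kept, the commit message should say so. Both replies in this thread question whether the opt-in is needed on this platform, so either record the rationale in the commit message or drop the patch from the series.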