From: "Yao, Jiewen"
To: Jan Bobek, devel@edk2.groups.io, Sean Brogan
Cc: Laszlo Ersek
Subject: Re: [PATCH v1 0/4] Don't require self-signed PK in setup mode
Date: Mon, 23 Jan 2023 06:13:47 +0000
In-Reply-To: <20230120225835.42733-1-jbobek@nvidia.com>

Hi Sean

I would like to hear your feedback, since it is a little different from the original MSFT patch. Would you please take a look?

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Jan Bobek
> Sent: Saturday, January 21, 2023 6:59 AM
> To: devel@edk2.groups.io
> Cc: Jan Bobek; Laszlo Ersek; Yao, Jiewen
> Subject: [PATCH v1 0/4] Don't require self-signed PK in setup mode
>
> Hi all,
>
> I'm sending out v1 of my patch series that addresses a UEFI spec
> non-compliance when enrolling PK in setup mode. Additional info can be
> found in bugzilla [1]; the changes are split into 4 patches as
> suggested by Laszlo Ersek in comment #4.
>
> I've based my work on the patch by Matthew Carlson; I've credited him
> with co-authorship of the first patch even though in the end I decided
> to do the implementation a bit differently.
>
> Comments & reviews welcome!
>
> Cheers,
> -Jan
>
> References:
> 1. https://bugzilla.tianocore.org/show_bug.cgi?id=2506
>
> Jan Bobek (4):
>   SecurityPkg: limit verification of enrolled PK in setup mode
>   OvmfPkg: require self-signed PK when secure boot is enabled
>   ArmVirtPkg: require self-signed PK when secure boot is enabled
>   SecurityPkg: don't require PK to be self-signed by default
>
>  SecurityPkg/SecurityPkg.dec                             | 7 +++++++
>  ArmVirtPkg/ArmVirtCloudHv.dsc                           | 4 ++++
>  ArmVirtPkg/ArmVirtQemu.dsc                              | 4 ++++
>  ArmVirtPkg/ArmVirtQemuKernel.dsc                        | 4 ++++
>  OvmfPkg/Bhyve/BhyveX64.dsc                              | 3 +++
>  OvmfPkg/CloudHv/CloudHvX64.dsc                          | 3 +++
>  OvmfPkg/IntelTdx/IntelTdxX64.dsc                        | 3 +++
>  OvmfPkg/Microvm/MicrovmX64.dsc                          | 3 +++
>  OvmfPkg/OvmfPkgIa32.dsc                                 | 3 +++
>  OvmfPkg/OvmfPkgIa32X64.dsc                              | 3 +++
>  OvmfPkg/OvmfPkgX64.dsc                                  | 3 +++
>  SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 3 +++
>  SecurityPkg/Library/AuthVariableLib/AuthService.c       | 9 +++++++--
>  13 files changed, 50 insertions(+), 2 deletions(-)
>
> --
> 2.30.2