From: "Bret Barkelew"
To: "devel@edk2.groups.io", "pete@akeo.ie", "gjb@semihalf.com"
CC: "Lindholm, Leif", "ardb+tianocore@kernel.org", Samer El-Haj-Mahmoud, "sunny.Wang@arm.com", "mw@semihalf.com", "upstream@semihalf.com", "Yao, Jiewen", "jian.j.wang@intel.com", "min.m.xu@intel.com", "lersek@redhat.com"
Subject: Re: [EXTERNAL] Re: [edk2-devel] [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application.
Date: Wed, 2 Jun 2021 19:38:16 +0000
References: <20210601131229.630611-1-gjb@semihalf.com> <20210601131229.630611-6-gjb@semihalf.com>
> +#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)

I don't think this sort of implied concatenation works on all compilers.

- Bret


From: Pete Batard via groups.io
Sent: Wednesday, June 2, 2021 10:40 AM
To: devel@edk2.groups.io; gjb@semihalf.com
Cc: Lindholm, Leif; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud; sunny.Wang@arm.com; mw@semihalf.com; upstream@semihalf.com; Yao, Jiewen; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application.

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This application allows user to force key enrollment from
> Secure Boot default variables.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>   SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf |  47 +++++++++
>   SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c   | 107 ++++++++++++++++++++
>   2 files changed, 154 insertions(+)
>   create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
>   create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
>
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> new file mode 100644
> index 0000000000..4d79ca3844
> --- /dev/null
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> @@ -0,0 +1,47 @@
> +## @file
> +#  Enroll PK, KEK, db, dbx from Default variables
> +#
> +#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 1.28
> +  BASE_NAME                      = EnrollFromDefaultKeysApp
> +  FILE_GUID                      = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
> +  MODULE_TYPE                    = UEFI_APPLICATION
> +  VERSION_STRING                 = 0.1
> +  ENTRY_POINT                    = UefiMain
> +
> +[Sources]
> +  EnrollFromDefaultKeysApp.c
> +
> +[Packages]
> +  MdeModulePkg/MdeModulePkg.dec
> +  MdePkg/MdePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +
> +[Guids]
> +  gEfiCertPkcs7Guid
> +  gEfiCertSha256Guid
> +  gEfiCertX509Guid
> +  gEfiCustomModeEnableGuid
> +  gEfiGlobalVariableGuid
> +  gEfiImageSecurityDatabaseGuid
> +  gEfiSecureBootEnableDisableGuid
> +
> +[Protocols]
> +  gEfiSmbiosProtocolGuid ## CONSUMES
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  PrintLib
> +  UefiApplicationEntryPoint
> +  UefiBootServicesTableLib
> +  UefiLib
> +  UefiRuntimeServicesTableLib
> +  SecureBootVariableLib
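Review bot: the [Protocols] section declares gEfiSmbiosProtocolGuid as CONSUMES, but EnrollFromDefaultKeysApp.c, the only file under [Sources], includes no SMBIOS header and never locates that protocol, so the entry looks like a leftover and should be dropped. The same pass is worth making over [Guids] and [LibraryClasses]: the .c file does not reference any gEfiCert*Guid directly and makes no call into BaseMemoryLib, DebugLib, MemoryAllocationLib or PrintLib, so if SecureBootVariableLib needs them they belong in that library's own .inf rather than in this application's. The header comment `Enroll PK, KEK, db, dbx from Default variables` also omits dbt, which the application enrolls as well.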
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> new file mode 100644
> index 0000000000..1907ce1d4e
> --- /dev/null
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> @@ -0,0 +1,107 @@
> +/** @file
> +  Enroll default PK, KEK, db, dbx.
> +
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +**/
> +
> +#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid
> +#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME
> +#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
> +#include <Library/BaseLib.h>                     // GUID_STRING_LENGTH
> +#include <Library/BaseMemoryLib.h>               // CopyGuid()
> +#include <Library/DebugLib.h>                    // ASSERT()
> +#include <Library/MemoryAllocationLib.h>         // FreePool()
> +#include <Library/PrintLib.h>                    // AsciiSPrint()
> +#include <Library/UefiBootServicesTableLib.h>    // gBS
> +#include <Library/UefiLib.h>                     // AsciiPrint()
> +#include <Library/UefiRuntimeServicesTableLib.h> // gRT
> +#include <Uefi/UefiMultiPhase.h>
> +#include <Library/SecureBootVariableLib.h>
> +
> +#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)
> +
> +/**
> +  Entry point function of this shell application.
> +**/
> +EFI_STATUS
> +EFIAPI
> +UefiMain (
> +  IN EFI_HANDLE        ImageHandle,
> +  IN EFI_SYSTEM_TABLE  *SystemTable
> +  )
> +{
> +  EFI_STATUS Status;
> +  UINT8      SetupMode;
> +
> +  Status = GetSetupMode (&SetupMode);
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot get SetupMode variable: %r\n", Status);
> +    return 1;
> +  }
> +
> +  if (SetupMode == USER_MODE) {
> +    FAIL ("Skipped - USER_MODE\n");
> +    return 1;
> +  }
> +
> +  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
> +    return 1;
> +  }
> +
> +  Status = EnrollDbFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll db: %r\n", Status);
> +    goto error;
> +  }
> +
> +  Status = EnrollDbxFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll dbt: %r\n", Status);
> +  }
> +
> +  Status = EnrollDbtFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll dbx: %r\n", Status);
> +  }
> +
> +  Status = EnrollKEKFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll KEK: %r\n", Status);
> +    goto cleardbs;
> +  }
> +
> +  Status = EnrollPKFromDefault ();
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot enroll PK: %r\n", Status);
> +    goto clearKEK;
> +  }
> +
> +  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
> +      "Please do it manually, otherwise system can be easily compromised\n");
> +  }
> +  return 0;
> +
> +clearKEK:
> +  DeleteKEK ();
> +
> +cleardbs:
> +  DeleteDbt ();
> +  DeleteDbx ();
> +  DeleteDb ();
> +
> +error:
> +  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
> +      "Please do it manually, otherwise system can be easily compromised\n");
> +  }
> +
> +  return 1;
> +}
>
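Review bot: the diagnostics after EnrollDbxFromDefault () and EnrollDbtFromDefault () are swapped, so a dbx failure prints `Cannot enroll dbt` and a dbt failure prints `Cannot enroll dbx`, which will misdirect anyone debugging a failed enrollment. In the same function, UefiMain is declared EFI_STATUS but returns the bare integers 1 and 0; 1 is not an EFI error code (EFI_ERROR (1) is FALSE), so a caller or startup script checking the exit status cannot tell the failure paths from success. Returning the failing Status, and something like EFI_ABORTED for the USER_MODE skip, would keep the return value meaningful. The FAIL macro's `fmt...` named variadic parameter is a GNU extension, as already raised in this thread; `#define FAIL(...) AsciiPrint ("EnrollFromDefaultKeysApp: " __VA_ARGS__)` is the portable C99 spelling and preserves the literal concatenation with the prefix. Finally, a dbx or dbt enrollment failure is printed but not treated as fatal, so the code goes on to enroll KEK and PK and the platform leaves Setup mode without a forbidden-signature database; if that is intended it deserves a comment, otherwise a `goto cleardbs` matching the KEK path would be the safer default.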

Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
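Bret's concern about the FAIL macro, illustrated with an added example that is not part of this thread or of the edk2 tree: the GNU named-variadic spelling `fmt...` from the patch appears only in a comment, while the C99 `__VA_ARGS__` spelling is compiled and exercised. AsciiPrint() is replaced by a hypothetical format_into() helper that writes into a buffer so the produced text can be checked, and because the patch's `%r` status format is EDK2-specific, a plain hex value stands in for it.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Prefix that every message carries, as in the patch's FAIL() macro. */
#define APP_PREFIX "EnrollFromDefaultKeysApp: "

/* Hypothetical stand-in for AsciiPrint(): formats into a caller-supplied
 * buffer instead of the console so the produced text can be inspected. */
static int format_into(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/*
 * The patch defines the macro with a GNU named variadic parameter:
 *
 *     #define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)
 *
 * GCC and Clang accept `fmt...`, but it is not ISO C, so other toolchains
 * reject the definition. The C99 spelling below uses __VA_ARGS__, which
 * expands to the whole argument list; because the first argument is still
 * a string literal, the compiler concatenates it with APP_PREFIX exactly as
 * the GNU version does.
 */
#define FAIL(buf, len, ...) \
    format_into((buf), (len), APP_PREFIX __VA_ARGS__)

/* A failure message that carries a status value. The patch's "%r" is an
 * EDK2 PrintLib format for EFI_STATUS; a plain hex value stands in here.
 * Returns the formatted line from a static buffer. */
const char *fail_with_status(unsigned long status)
{
    static char line[128];

    FAIL(line, sizeof line, "Cannot enroll db: 0x%lx\n", status);
    return line;
}

/* A failure message with only a format string: __VA_ARGS__ is then just
 * that literal, and the prefix concatenation still takes place. */
const char *fail_plain(void)
{
    static char line[128];

    FAIL(line, sizeof line, "Skipped - USER_MODE\n");
    return line;
}

int main(void)
{
    fputs(fail_plain(), stdout);
    fputs(fail_with_status(0x3ul), stdout);
    return 0;
}
```

Compiling with `gcc -std=c99 -Wall -pedantic` is clean for the `__VA_ARGS__` form; restoring the commented `fmt...` definition under the same flags produces GCC's "ISO C does not permit named variadic macros" diagnostic, and a non-GNU toolchain rejects it outright. The point to carry back to the patch is that the prefix concatenation only works while the first macro argument is a string literal, which both spellings require, so switching to `__VA_ARGS__` loses nothing.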




 
