From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: Grzegorz Bernacki, devel@edk2.groups.io
CC: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, "Wang, Jian J", "Xu, Min M", lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, "Ni, Ray", "Justen, Jordan L", rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, "Chiu, Chasel", "Desimone, Nathaniel L", gaoliming@byosoft.com.cn, "Dong, Eric", "Kinney, Michael D", "Sun, Zailiang", "Qian, Yi", graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie
Subject: Re: [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys application.
Date: Tue, 6 Jul 2021 11:53:36 +0000
In-Reply-To: <20210701091758.1057485-9-gjb@semihalf.com>
References: <20210701091758.1057485-1-gjb@semihalf.com> <20210701091758.1057485-9-gjb@semihalf.com>
Reviewed-by: Jiewen Yao

> -----Original Message-----
> From: Grzegorz Bernacki > Sent: Thursday, July 1, 2021 5:18 PM > To: devel@edk2.groups.io > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj- > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com; > upstream@semihalf.com; Yao, Jiewen ; Wang, Jian J > ; Xu, Min M ; > lersek@redhat.com; sami.mujawar@arm.com; afish@apple.com; Ni, Ray > ; Justen, Jordan L ; > rebecca@bsdio.com; grehan@freebsd.org; thomas.abraham@arm.com; Chiu, > Chasel ; Desimone, Nathaniel L > ; gaoliming@byosoft.com.cn; Dong, Eric > ; Kinney, Michael D ; Su= n, > Zailiang ; Qian, Yi ; > graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki > > Subject: [PATCH v5 08/10] SecurityPkg: Add EnrollFromDefaultKeys applicat= ion. >=20 > This application allows user to force key enrollment from > Secure Boot default variables. >=20 > Signed-off-by: Grzegorz Bernacki > --- > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 > +++++++++ > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 109 > ++++++++++++++++++++ > 2 files changed, 156 insertions(+) > create mode 100644 > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf > create mode 100644 > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c >=20 > diff --git > a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf > b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf > new file mode 100644 > index 0000000000..4d79ca3844 > --- /dev/null > +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf > @@ -0,0 +1,47 @@ > +## @file > +# Enroll PK, KEK, db, dbx from Default variables > +# > +# Copyright (c) 2021, ARM Ltd. All rights reserved.
> +# Copyright (c) 2021, Semihalf All rights reserved.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent > +## > + > +[Defines] > + INF_VERSION =3D 1.28 > + BASE_NAME =3D EnrollFromDefaultKeysApp > + FILE_GUID =3D 6F18CB2F-1293-4BC1-ABB8-35F84C71812= E > + MODULE_TYPE =3D UEFI_APPLICATION > + VERSION_STRING =3D 0.1 > + ENTRY_POINT =3D UefiMain > + > +[Sources] > + EnrollFromDefaultKeysApp.c > + > +[Packages] > + MdeModulePkg/MdeModulePkg.dec > + MdePkg/MdePkg.dec > + SecurityPkg/SecurityPkg.dec > + > +[Guids] > + gEfiCertPkcs7Guid > + gEfiCertSha256Guid > + gEfiCertX509Guid > + gEfiCustomModeEnableGuid > + gEfiGlobalVariableGuid > + gEfiImageSecurityDatabaseGuid > + gEfiSecureBootEnableDisableGuid > + > +[Protocols] > + gEfiSmbiosProtocolGuid ## CONSUMES > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + MemoryAllocationLib > + PrintLib > + UefiApplicationEntryPoint > + UefiBootServicesTableLib > + UefiLib > + UefiRuntimeServicesTableLib > + SecureBootVariableLib > diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysAp= p.c > b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c > new file mode 100644 > index 0000000000..3407c1c4b9 > --- /dev/null > +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c > @@ -0,0 +1,109 @@ > +/** @file > + Enroll default PK, KEK, db, dbx. > + > +Copyright (c) 2021, ARM Ltd. All rights reserved.
> +Copyright (c) 2021, Semihalf All rights reserved.
> + > +SPDX-License-Identifier: BSD-2-Clause-Patent > +**/ > + > +#include // > gEfiCustomModeEnableGuid > +#include // EFI_SETUP_MODE_NAME > +#include // > EFI_IMAGE_SECURITY_DATABASE > +#include // GUID_STRING_LENGTH > +#include // CopyGuid() > +#include // ASSERT() > +#include // FreePool() > +#include // AsciiSPrint() > +#include // gBS > +#include // AsciiPrint() > +#include // gRT > +#include > +#include > + > +/** > + Entry point function of this shell application. > +**/ > +EFI_STATUS > +EFIAPI > +UefiMain ( > + IN EFI_HANDLE ImageHandle, > + IN EFI_SYSTEM_TABLE *SystemTable > + ) > +{ > + EFI_STATUS Status; > + UINT8 SetupMode; > + > + Status =3D GetSetupMode (&SetupMode); > + if (EFI_ERROR (Status)) { > + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode > variable: %r\n", Status); > + return 1; > + } > + > + if (SetupMode =3D=3D USER_MODE) { > + AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n"); > + return 1; > + } > + > + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); > + if (EFI_ERROR (Status)) { > + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set > CUSTOM_SECURE_BOOT_MODE: %r\n", Status); > + return 1; > + } > + > + Status =3D EnrollDbFromDefault (); > + if (EFI_ERROR (Status)) { > + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Stat= us); > + goto error; > + } > + > + Status =3D EnrollDbxFromDefault (); > + if (EFI_ERROR (Status)) { > + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Sta= tus); > + } > + > + Status =3D EnrollDbtFromDefault (); > + if (EFI_ERROR (Status)) { > + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Sta= tus); > + } > + > + Status =3D EnrollKEKFromDefault (); > + if (EFI_ERROR (Status)) { > + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Sta= tus); > + goto cleardbs; > + } > + > + Status =3D EnrollPKFromDefault (); > + if (EFI_ERROR (Status)) { > + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Stat= us); 
> + goto clearKEK; > + } > + > + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); > + if (EFI_ERROR (Status)) { > + AsciiPrint ( > + "EnrollFromDefaultKeysApp: Cannot set CustomMode to > STANDARD_SECURE_BOOT_MODE\n" > + "Please do it manually, otherwise system can be easily compromised= \n" > + ); > + } > + return 0; > + > +clearKEK: > + DeleteKEK (); > + > +cleardbs: > + DeleteDbt (); > + DeleteDbx (); > + DeleteDb (); > + > +error: > + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); > + if (EFI_ERROR (Status)) { > + AsciiPrint ( > + "EnrollFromDefaultKeysApp: Cannot set CustomMode to > STANDARD_SECURE_BOOT_MODE\n" > + "Please do it manually, otherwise system can be easily compromised= \n" > + ); > + } > + > + return 1; > +} > -- > 2.25.1
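Review bot: EnrollFromDefaultKeysApp.inf declares dependencies that EnrollFromDefaultKeysApp.c never uses: the [Protocols] entry gEfiSmbiosProtocolGuid (nothing in UefiMain touches SMBIOS), the [Guids] entries gEfiCertPkcs7Guid, gEfiCertSha256Guid and gEfiCertX509Guid, and the library classes PrintLib, MemoryAllocationLib and BaseMemoryLib (the include comments name AsciiSPrint(), FreePool() and CopyGuid(), but none of them is called). The application body only calls SecureBootVariableLib (GetSetupMode, SetSecureBootMode, Enroll*FromDefault, Delete*) and AsciiPrint. Suggest trimming the INF and the include list to what the source actually consumes so the dependency list documents the real surface of the module.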
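Review bot: the dbx and dbt failure messages in UefiMain are swapped: the EnrollDbxFromDefault () branch prints "Cannot enroll dbt" and the EnrollDbtFromDefault () branch prints "Cannot enroll dbx", so an operator would be pointed at the wrong database; swap the two strings. Related, UefiMain is declared EFI_STATUS but returns the integer literals 0 and 1; 1 is not an EFI error code (EFI_ERROR (1) is false), so the shell or any caller checking the status sees every failure path, including the "Skipped - USER_MODE" case, as success. Return EFI_SUCCESS and the failing Status (or EFI_ABORTED) instead. The success path also returns 0 when the trailing SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) fails and the platform is left in custom mode, which the message itself says leaves the system "easily compromised"; that case should return an error too so a script driving enrollment can stop. Finally, EnrollDbxFromDefault () and EnrollDbtFromDefault () failures are logged but do not abort, so a platform without a dbx default ends up with PK, KEK and db enrolled and no revocation list; if that is intended, a comment saying so would help.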