From: "Yao, Jiewen"
To: Grzegorz Bernacki, "devel@edk2.groups.io"
CC: "leif@nuviainc.com", "ardb+tianocore@kernel.org", "Samer.El-Haj-Mahmoud@arm.com", "sunny.Wang@arm.com", "mw@semihalf.com", "upstream@semihalf.com", "Wang, Jian J", "Xu, Min M", "lersek@redhat.com", "sami.mujawar@arm.com", "afish@apple.com", "Ni, Ray", "Justen, Jordan L", "rebecca@bsdio.com", "grehan@freebsd.org", "thomas.abraham@arm.com", "Chiu, Chasel", "Desimone, Nathaniel L", "gaoliming@byosoft.com.cn", "Dong, Eric", "Kinney, Michael D", "Sun, Zailiang", "Qian, Yi", "graeme@nuviainc.com", "rad@semihalf.com", "pete@akeo.ie", Sunny Wang
Subject: Re: [PATCH v5 10/10] SecurityPkg: Add option to reset secure boot keys.
Date: Tue, 6 Jul 2021 11:53:49 +0000
References: <20210701091758.1057485-1-gjb@semihalf.com> <20210701091758.1057485-11-gjb@semihalf.com>
In-Reply-To: <20210701091758.1057485-11-gjb@semihalf.com>

Reviewed-by: Jiewen Yao

> -----Original Message-----
> From: Grzegorz Bernacki
> Sent: Thursday, July 1, 2021 5:18 PM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com; upstream@semihalf.com; Yao, Jiewen; Wang, Jian J; Xu, Min M; lersek@redhat.com; sami.mujawar@arm.com; afish@apple.com; Ni, Ray; Justen, Jordan L; rebecca@bsdio.com; grehan@freebsd.org; thomas.abraham@arm.com; Chiu, Chasel; Desimone, Nathaniel L; gaoliming@byosoft.com.cn; Dong, Eric; Kinney, Michael D; Sun, Zailiang; Qian, Yi; graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki; Sunny Wang
> Subject: [PATCH v5 10/10] SecurityPkg: Add option to reset secure boot keys.
>
> This commit adds an option which allows resetting the content of Secure Boot
> keys and databases to default variables.
>
> Signed-off-by: Grzegorz Bernacki
> Reviewed-by: Sunny Wang
> Reviewed-by: Pete Batard
> Tested-by: Pete Batard on Raspberry Pi 4
> --- >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx > e.inf | 1 + >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNv > Data.h | 2 + >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vf= r > | 6 + >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm > pl.c | 154 ++++++++++++++++++++ >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStr= i > ngs.uni | 4 + > 5 files changed, 167 insertions(+) >=20 > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > index 30d9cd8025..bd8d256dde 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf 
> @@ -109,6 +109,7 @@ > [Protocols] > gEfiHiiConfigAccessProtocolGuid ## PRODUCES > gEfiDevicePathProtocolGuid ## PRODUCES > + gEfiHiiPopupProtocolGuid >=20 > [Depex] > gEfiHiiConfigRoutingProtocolGuid AND > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > NvData.h > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > NvData.h > index 6e54a4b0f2..4ecc25efc3 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > NvData.h > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > NvData.h > @@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent >=20 > #define KEY_VALUE_FROM_DBX_TO_LIST_FORM 0x100f >=20 > +#define KEY_SECURE_BOOT_RESET_TO_DEFAULT 0x1010 > + > #define KEY_SECURE_BOOT_OPTION 0x1100 > #define KEY_SECURE_BOOT_PK_OPTION 0x1101 > #define KEY_SECURE_BOOT_KEK_OPTION 0x1102 > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig. > vfr > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig. > vfr > index fa7e11848c..e4560c592c 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig. > vfr > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig. > vfr > @@ -69,6 +69,12 @@ formset > endif; > endif; >=20 > + text > + help =3D STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP), > + text =3D STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS), > + flags =3D INTERACTIVE, > + key =3D KEY_SECURE_BOOT_RESET_TO_DEFAULT; > + > endform; >=20 > // > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > index 67e5e594ed..47f281873b 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c 
> @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > **/ >=20 > #include "SecureBootConfigImpl.h" > +#include > #include > #include >=20 
> @@ -4154,6 +4155,132 @@ ON_EXIT: > return Status; > } >=20 > +/** > + This function reinitializes Secure Boot variables with default values. > + > + @retval EFI_SUCCESS Success to update the signature list p= age > + @retval others Fail to delete or enroll signature dat= a. > +**/ > + > +STATIC EFI_STATUS > +EFIAPI > +KeyEnrollReset ( > + VOID > + ) > +{ > + EFI_STATUS Status; > + UINT8 SetupMode; > + > + Status =3D EFI_SUCCESS; > + > + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); > + if (EFI_ERROR(Status)) { > + return Status; > + } > + > + // Clear all the keys and databases > + Status =3D DeleteDb (); > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status)); > + return Status; > + } > + > + Status =3D DeleteDbx (); > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status)); > + return Status; > + } > + > + Status =3D DeleteDbt (); > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status)); > + return Status; > + } > + > + Status =3D DeleteKEK (); > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status)); > + return Status; > + } > + > + Status =3D DeletePlatformKey (); > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status)); > + return Status; > + } > + > + // After PK clear, Setup Mode shall be enabled > + Status =3D GetSetupMode (&SetupMode); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n", > + Status)); > + return Status; > + } > + > + if (SetupMode =3D=3D USER_MODE) { > + DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n")); > + return EFI_SUCCESS; > + } > + > + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Cannot set > 
CUSTOM_SECURE_BOOT_MODE: %r\n", > + Status)); > + return EFI_SUCCESS; > + } > + > + // Enroll all the keys from default variables > + Status =3D EnrollDbFromDefault (); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status)); > + goto error; > + } > + > + Status =3D EnrollDbxFromDefault (); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status)); > + } > + > + Status =3D EnrollDbtFromDefault (); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status)); > + } > + > + Status =3D EnrollKEKFromDefault (); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status)); > + goto cleardbs; > + } > + > + Status =3D EnrollPKFromDefault (); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status)); > + goto clearKEK; > + } > + > + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to > STANDARD_SECURE_BOOT_MODE\n" > + "Please do it manually, otherwise system can be easily compromised= \n")); > + } > + > + return Status; > + > +clearKEK: > + DeleteKEK (); > + > +cleardbs: > + DeleteDbt (); > + DeleteDbx (); > + DeleteDb (); > + > +error: > + if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) !=3D EFI_SUCCESS) > { > + DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status)); > + } > + return Status; > +} > + > /** > This function is called to provide results data to the driver. >=20 > @@ -4205,6 +4332,8 @@ SecureBootCallback ( > SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; > BOOLEAN GetBrowserDataResult; > ENROLL_KEY_ERROR EnrollKeyErrorCode; > + EFI_HII_POPUP_PROTOCOL *HiiPopup; > + EFI_HII_POPUP_SELECTION UserSelection; >=20 > Status =3D EFI_SUCCESS; > SecureBootEnable =3D NULL; 
> @@ -4755,6 +4884,31 @@ SecureBootCallback ( > FreePool (SetupMode); > } > break; > + case KEY_SECURE_BOOT_RESET_TO_DEFAULT: > + { > + Status =3D gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (= VOID **) > &HiiPopup); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + Status =3D HiiPopup->CreatePopup ( > + HiiPopup, > + EfiHiiPopupStyleInfo, > + EfiHiiPopupTypeYesNo, > + Private->HiiHandle, > + STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP), > + &UserSelection > + ); > + if (UserSelection =3D=3D EfiHiiPopupSelectionYes) { > + Status =3D KeyEnrollReset (); > + } > + // > + // Update secure boot strings after key reset > + // > + if (Status =3D=3D EFI_SUCCESS) { > + Status =3D UpdateSecureBootString (Private); > + SecureBootExtractConfigFromVariable (Private, IfrNvData); > + } > + } > default: > break; > } > diff --git > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS > trings.uni > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS > trings.uni > index ac783453cc..0d01701de7 100644 > --- > a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS > trings.uni > +++ > b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS > trings.uni 
> @@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secu= re > Boot" > #string STR_SECURE_BOOT_HELP #language en-US "Enable/Disab= le the > Secure Boot feature after platform reset" >=20 > +#string STR_SECURE_RESET_TO_DEFAULTS_HELP #language en-US "Enroll > keys with data from default variables" > +#string STR_SECURE_RESET_TO_DEFAULTS #language en-US "Reset Secure > Boot Keys" > +#string STR_RESET_TO_DEFAULTS_POPUP #language en-US "Secure Boot > Keys & databases will be initialized from defaults.\n Are you sure?" > + > #string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll > Signature" > #string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete > Signature" > #string STR_SECURE_BOOT_DELETE_LIST_FORM #language en-US "Delete > Signature List Form" > -- > 2.25.1
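
Review bot: the new [Protocols] entry gEfiHiiPopupProtocolGuid in SecureBootConfigDxe.inf has no usage comment, while the two entries above it both carry ## PRODUCES. The driver only looks the protocol up with LocateProtocol when the reset item is selected, so mark it ## CONSUMES (or ## SOMETIMES_CONSUMES) to keep the section consistent.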
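
Review bot: in SecureBootConfig.vfr the new text item sits after the two closing endif; lines and directly before endform;, so none of the conditions that guard the items above it apply to the reset entry. Wiping and re-enrolling PK, KEK, db, dbx and dbt is at least as sensitive as those items; if they are hidden or grayed out under some condition, put the reset item under the same condition, or say in the commit message why it is meant to be unconditional.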
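
Review bot: KeyEnrollReset switches to CUSTOM_SECURE_BOOT_MODE as its first step, but every exit before the error: label (the five delete failures, the GetSetupMode failure and the USER_MODE skip) returns without switching back to STANDARD_SECURE_BOOT_MODE, a state the function's own debug text describes with "system can be easily compromised". Route those exits through error: so the mode is always restored. In the same function, when the second SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE) call fails the code logs the error and then returns EFI_SUCCESS although the keys are already deleted, so the caller refreshes the form as if the reset had worked; return Status there. Smaller points: the initial Status = EFI_SUCCESS is overwritten by the next statement, failures of EnrollDbxFromDefault and EnrollDbtFromDefault are logged and then dropped with no comment saying that is intended, the error: path prints the earlier Status rather than the result of SetSecureBootMode, and the @retval EFI_SUCCESS text still talks about updating the signature list page.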
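
Review bot: in the KEY_SECURE_BOOT_RESET_TO_DEFAULT case of SecureBootCallback the Status returned by CreatePopup is never checked before UserSelection is read, so if the popup call fails UserSelection is uninitialized and the comparison with EfiHiiPopupSelectionYes decides on an indeterminate value whether the keys are wiped. Test EFI_ERROR (Status) right after CreatePopup and only look at UserSelection on success. The case block also has no break; before default:, which works only because default does nothing, and the return Status after a failed LocateProtocol leaves the callback directly instead of going through the end of the switch; add the break and prefer break over return there so anything the callback does after the switch still runs.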