From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web11.5626.1622794657798215683 for ; Fri, 04 Jun 2021 01:17:37 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=lYNwm/Kp; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: min.m.xu@intel.com) IronPort-SDR: 4jSOv4dH2/B81fG4cDsJ0pJKCtTmW5k33NdzKr0NE3+AMnlOLAElxQwhsMRMSJa/sRjPnFMuAX aG9yM/LADuqw== X-IronPort-AV: E=McAfee;i="6200,9189,10004"; a="265413021" X-IronPort-AV: E=Sophos;i="5.83,247,1616482800"; d="scan'208";a="265413021" Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Jun 2021 01:17:37 -0700 IronPort-SDR: vyOn9jetSA4pZDg90GqYmc6/G/A6Me7OJt6S5fVZ61VWKY3Oc2Zs3/er4gvsrNq1ObsH9+HiLm vaNfA/cbeIdA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.83,247,1616482800"; d="scan'208";a="475375434" Received: from orsmsx605.amr.corp.intel.com ([10.22.229.18]) by FMSMGA003.fm.intel.com with ESMTP; 04 Jun 2021 01:17:36 -0700 Received: from orsmsx612.amr.corp.intel.com (10.22.229.25) by ORSMSX605.amr.corp.intel.com (10.22.229.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Fri, 4 Jun 2021 01:17:36 -0700 Received: from orsmsx605.amr.corp.intel.com (10.22.229.18) by ORSMSX612.amr.corp.intel.com (10.22.229.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Fri, 4 Jun 2021 01:17:35 -0700 Received: from ORSEDG601.ED.cps.intel.com (10.7.248.6) by orsmsx605.amr.corp.intel.com (10.22.229.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4 via Frontend Transport; Fri, 4 Jun 2021 01:17:35 -0700 Received: from NAM02-DM3-obe.outbound.protection.outlook.com (104.47.56.47) by edgegateway.intel.com (134.134.137.102) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.4; Fri, 4 Jun 2021 01:17:35 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ad6nbfVUamhB87n/aYWB0GSMNJjSM6A8BPKl4Hup8DOPlT2uEdZj5Hnt6aubAL2jd7sYScjdxiGJ/NGYRMF5C3Ei1K/YpaOATHOWALhAdX9g68vShLCYKBF+8MMc0eROhVMtCYwXE0CB2WS3qDl18UtGDRZgCF4yGlEk+zW2CqOfwmiGnQGnrJWd7yB5ubxxTjAbdPFTTbAm8R+caXkyyR0Rk4hOdCtLwh6aOPwF/jtDv5MWUnfQE7SdoWhakMkbN16x8QMT08795PBTmageA6JX0rKdVvUSHA+VelmVvvWC0nWB5qBuDh7qc3MRfP0LN7GuFMEQF78EpDk7+5RnYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nY4Wruy0E2EztfnwXpU5aERJ8szvMAxl8fnFSfNVrPY=; b=FPoXS67aQXL/zjmpvj751MBt08Q4Y9FetRuw2SwSa+7f4QHrmKjpOXSSwuHhTP2OAICZjlZOy6r9QJHeJex8wW/RO+BUJZPxw3ooYtjoKLzQHcoN1CBR4cIG527x/hBm314ZGt7Vgkufv5Jtj/U/Y4RrAj4hG4zgSF+iqUPPtdg2A59pntrEWX2C8215riCx49mL3qeV2ZRWT7rDdfU3UGLVeLwwtYF4C/rqA3kyuvab8WZrkgDQX8f7Wfzmq/ks7x6UFDsJIGCzswozh7Gdxq/OpLkNMn81BPKVlvxPbbl4lVzl1KUoPDE8/Ctw/+h/RcgSSbWS/o0bg5sZqW1arQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nY4Wruy0E2EztfnwXpU5aERJ8szvMAxl8fnFSfNVrPY=; b=lYNwm/KpSOX+/Htk2yA6hLP1QzxsF1NFD4TWTi6wmzpgLeOdabywCfuZWksldkEzloSnRimHF/QnteIA13MUcgNyuyhW309yTfd8JvGXwjSxaoN6HqmDTiQ9cfCEIET2aZhh8k27xU2Se7qWetSdRuYe5/Iurx1xtb0Y0MrSxjk= Received: from PH0PR11MB5064.namprd11.prod.outlook.com (2603:10b6:510:3b::15) by PH0PR11MB4998.namprd11.prod.outlook.com (2603:10b6:510:32::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4195.22; Fri, 4 Jun 2021 08:17:34 +0000 Received: from PH0PR11MB5064.namprd11.prod.outlook.com ([fe80::b4be:3994:dd4d:7b9d]) by PH0PR11MB5064.namprd11.prod.outlook.com ([fe80::b4be:3994:dd4d:7b9d%8]) with mapi id 15.20.4173.030; Fri, 4 Jun 2021 08:17:34 +0000 From: "Min Xu" To: Grzegorz Bernacki , "devel@edk2.groups.io" CC: "leif@nuviainc.com" , "ardb+tianocore@kernel.org" , "Samer.El-Haj-Mahmoud@arm.com" , "sunny.Wang@arm.com" , "mw@semihalf.com" , "upstream@semihalf.com" , "Yao, Jiewen" , "Wang, Jian J" , "lersek@redhat.com" Subject: Re: [PATCH v2 0/6] Secure Boot default keys Thread-Topic: [PATCH v2 0/6] Secure Boot default keys Thread-Index: AQHXVufbONw+O3kTQEeqw/sxxDhLSKsDhMMg Date: Fri, 4 Jun 2021 08:17:33 +0000 Message-ID: References: <20210601131229.630611-1-gjb@semihalf.com> In-Reply-To: <20210601131229.630611-1-gjb@semihalf.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-reaction: no-action dlp-version: 11.5.1.3 authentication-results: semihalf.com; dkim=none (message not signed) header.d=none;semihalf.com; dmarc=none action=none header.from=intel.com; x-originating-ip: [192.198.143.25] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 834114c9-8ef7-44ed-4700-08d9273134c1 x-ms-traffictypediagnostic: PH0PR11MB4998: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:9508; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: d86latCPyis3s7ySjVAGTz6s5yQ9+2fgGMLc/cl9q55Cnw72tR4syz5AwSky7HEEOb9mRtsGo1bqQKWCmkasvg2f5R+yBomBK9QIb6yGTXehGQtOFgfd8zmtZ2DKe0RRqzWdnIdBZ/IeE3wmHmO5P/5qMjcsHECf47BoFAiZhCWbNw1e5qUeSf4o+Z+K2+7j9ZbJyl/8tnHWwhvTcvB1BgPZZbNI7I9JfU8+Jom4plEGs0M5E/TFAWFqqWhXkyOHAKBxklu5zqt9Bvhqw+nsTe5E+adv3BHuu4huMC2FkOmPiy+FthQ3pUVTCvF1oUT8PhV9Gk0e/Id6Jo7MvX+2p+4l1E4nnkAplwhBjseDAVZ/7ONmeY2IMyWo4U8LsVsqAPPqNpps9GDTudbHrVgitVKOg+SkPvXYHJpYYesAoJF0MD25sGOiN8sMux0RyjImvUMiVFSjpn7dmzKnmSbndoJ86PXln27yLa5/dmvc5MYO9YdqFluaJPy8ovs1rHMeOepMnm2E5K0Eijs71cwo7bDg71QR926X6nm2VTT0kB3iWZhGo0rl22vXwReFIa6Eq7+GPE1Nzhy130RZTxJUCH0/+jjvixYp68E5LeM1opL1Q5DK5CqnhwDX/bi8M1MAbG1vfjDQW+FlEnOQR4IdvFLWnSQ41bn5OO4jp+NfYvaSlQIVQVjIcdg/qxjd5ebzPlW9hG9xSxNcsvjiOZV/HlI18PGJIDyZOP3M2XaXWOU= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB5064.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(396003)(366004)(136003)(346002)(376002)(39860400002)(122000001)(2906002)(8676002)(38100700002)(86362001)(8936002)(9686003)(83380400001)(966005)(55016002)(71200400001)(76116006)(316002)(33656002)(26005)(52536014)(186003)(7696005)(53546011)(64756008)(66556008)(66476007)(4326008)(66446008)(66946007)(6506007)(478600001)(5660300002)(54906003)(110136005);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata: =?us-ascii?Q?BCnsIiSendm/Fe56d3bZNQdyMNqD8Wa6zTD+kctPWqjAMaUt1wyjTW2E79rL?= =?us-ascii?Q?Oiw8fcxy3W+I9MPh4mLDUVBIznrsFBAyLwVGthNpFyBDrx5bCCfAo5bwHhu0?= =?us-ascii?Q?WBSWUxRw2dvJmGIJmIhlT1nEn2VC+brxlUV2fSnYYQVNBxtn9vlwrg0v75AO?= =?us-ascii?Q?vGk3Fi1AE9Fvpt6NRuNpeg4kN+vgQjXDvxcYCEmmVdm+ZknC+FByJPuHdUij?= =?us-ascii?Q?/XyZbaawlsfcOKOkj4MOyQa3YoATKcr93Gu2LWEInG5PbM9X6SrVwAJcXPIf?= =?us-ascii?Q?kFdSG0Bq2FE0JOnzP2YLItWDGI81nQ70+bIUSMc178vKhMum+rW+iWZIkXGF?= =?us-ascii?Q?MozngQz9ZCCrBME59g2IQjlvgEuoH9AFYZY5miZdEXJ5So+Wfi6huPp08Vpk?= =?us-ascii?Q?JnbWs+Dp+LgGwXa384OGyeSLVAFBlEkKWnQrthImtok4kJjzAomiemM9e9/U?= =?us-ascii?Q?kBe7CDkro3Ja5flNVrTgRyDgwmRWpeRbI3Umrv9aC6g4ja+HCySCNdAF3Psm?= =?us-ascii?Q?SxHaytKl/ihCbg3mM9eHoi/e9pB+AxDgdergUX4RZTwVn9SIV8t7kyHRD60a?= =?us-ascii?Q?ak00m7wBEChTEQLDO9sYgmScqpJQ1BvQVHG2Ozp9QNAYMn+AmQeY4UoldW4L?= =?us-ascii?Q?q5ZasAaSicE8I7cdSz4uGSbAzpqH0GB/ASxV7N1nySGezaYpNnTtl7dglsXu?= =?us-ascii?Q?rlgTaheYibLpk/N8zTs9a4j8/ZJ9/eqVOs+HyzPY8cKd2C8ycUSjmAGxBYMD?= =?us-ascii?Q?8uj//gmHcscAqxVsh4OLaiOVfwH89YLNfbfj1VsM3ofwx3gaBHWhyQ32Ymmf?= =?us-ascii?Q?ISgGBoAJX8yFJbTygMt0T9BbVT0JqJMigQtPF/8cHYMaGuVzqWyPMuor/D0z?= =?us-ascii?Q?t8pBwJdZY6SKmK/TWuQIMJWI6QSzXGek9lf2vNvLbG+JF0fCDtYx+OeeQczL?= =?us-ascii?Q?6cVUvYfkyHlnHQXvHpGsb54yfePqbbKDQ7nK1/GFSCol9GamnD8cBGftTWW5?= =?us-ascii?Q?TunE06NjNUS0RfDNtUj3N01P/38VdLuLwDAYBS2RH27ZHFFPchFJSKsxVJtF?= =?us-ascii?Q?0HcotNLOxxEcymqXFNm9IWyih6uoPM6RtMRq2u3SJNa1r5qxoM+dS432NaEE?= =?us-ascii?Q?XWyMlIW8oIg49bH10msEpxZp0Mc0eZsapbc8yVsuTWrfsHgYR+qzzyJt6iv4?= =?us-ascii?Q?oZpuTiw9NcHrbJ0cV3skhllQctNIYku9wvQ043c2hLFsN8rdiiTu9/lTE0QN?= =?us-ascii?Q?0WJFFShpZEoBD3EKcQUpYxfaDPwNP+i2tl5OuUzKrwW5D5Fj7A7o0ubM3dWP?= =?us-ascii?Q?RybGRJ9SdsSzgqUqhk81kz21?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB5064.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 834114c9-8ef7-44ed-4700-08d9273134c1 X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Jun 2021 08:17:33.9885 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: bwynthLJD8DlJpSqesrssMJLGIHStghD+s9w0YwFXIBoT2T8Xe/ujh+s9u3qRH05vrQJfjwhh27RyRfazi9EPw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB4998 Return-Path: min.m.xu@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Grzegorz Have you built this feature with different tool chains, such as VS2017/VS20= 19/GCC5? And test it in IA32/X64/AARCH64? Would you post your test result in the mail? Thanks much! > -----Original Message----- > From: Grzegorz Bernacki > Sent: Tuesday, June 1, 2021 9:12 PM > To: devel@edk2.groups.io > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj- > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com; > upstream@semihalf.com; Yao, Jiewen ; Wang, Jian J > ; Xu, Min M ; > lersek@redhat.com; Grzegorz Bernacki > Subject: [PATCH v2 0/6] Secure Boot default keys >=20 > This patchset adds support for initialization of default Secure Boot vari= ables > based on keys content embedded in flash binary. This feature is active on= ly if > Secure Boot is enabled and DEFAULT_KEY is defined. The patchset consist > also application to enroll keys from default variables and secure boot me= nu > change to allow user to reset key content to default values. > Discussion on design can be found at: > https://edk2.groups.io/g/rfc/topic/82139806#600 >=20 > I also added patch for RPi4 which enables this feature for that platform. >=20 > Changes since v1: > - change names: > SecBootVariableLib =3D> SecureBootVariableLib > SecBootDefaultKeysDxe =3D> SecureBootDefaultKeysDxe > SecEnrollDefaultKeysApp =3D> EnrollFromDefaultKeysApp > - change name of function CheckSetupMode to GetSetupMode > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp > - rebase to master >=20 > Grzegorz Bernacki (6): > [edk2] > SecurityPkg: Create library for setting Secure Boot variables. > SecurityPkg: Create include file for default key content. > SecurityPkg: Add SecureBootDefaultKeysDxe driver > SecurityPkg: Add EnrollFromDefaultKeys application. > SecurityPkg: Add new modules to Security package. > SecurityPkg: Add option to reset secure boot keys. > [edk2-platform] > Platform/RaspberryPi: Enable default Secure Boot variables initializati= on >=20 > SecurityPkg/SecurityPkg.dec = | 14 + > SecurityPkg/SecurityPkg.dsc = | 5 + > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf > | 47 + > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > | 79 ++ >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf | 2 + >=20 > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD > efaultKeysDxe.inf | 46 + > SecurityPkg/Include/Library/SecureBootVariableLib.h = | > 252 +++++ >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > NvData.h | 2 + >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig. > vfr | 6 + > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c > | 107 +++ > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > | 979 ++++++++++++++++++++ >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI > mpl.c | 343 ++++--- >=20 > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD > efaultKeysDxe.c | 69 ++ > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni > | 16 + > SecurityPkg/SecureBootDefaultKeys.fdf.inc = | 62 ++ >=20 > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS > trings.uni | 4 + >=20 > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD > efaultKeysDxe.uni | 17 + > 17 files changed, 1862 insertions(+), 188 deletions(-) create mode 1006= 44 > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf > create mode 100644 > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > create mode 100644 > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD > efaultKeysDxe.inf > create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h > create mode 100644 > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c > create mode 100644 > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > create mode 100644 > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD > efaultKeysDxe.c > create mode 100644 > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni > create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc > create mode 100644 > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD > efaultKeysDxe.uni >=20 > -- > 2.25.1