From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
"gjb@semihalf.com" <gjb@semihalf.com>
Cc: "leif@nuviainc.com" <leif@nuviainc.com>,
"ardb+tianocore@kernel.org" <ardb+tianocore@kernel.org>,
"Samer.El-Haj-Mahmoud@arm.com" <Samer.El-Haj-Mahmoud@arm.com>,
"sunny.Wang@arm.com" <sunny.Wang@arm.com>,
"mw@semihalf.com" <mw@semihalf.com>,
"upstream@semihalf.com" <upstream@semihalf.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
"Xu, Min M" <min.m.xu@intel.com>,
"lersek@redhat.com" <lersek@redhat.com>,
"sami.mujawar@arm.com" <sami.mujawar@arm.com>,
"afish@apple.com" <afish@apple.com>, "Ni, Ray" <ray.ni@intel.com>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
"rebecca@bsdio.com" <rebecca@bsdio.com>,
"grehan@freebsd.org" <grehan@freebsd.org>,
"thomas.abraham@arm.com" <thomas.abraham@arm.com>,
"Chiu, Chasel" <chasel.chiu@intel.com>,
"Desimone, Nathaniel L" <nathaniel.l.desimone@intel.com>,
"gaoliming@byosoft.com.cn" <gaoliming@byosoft.com.cn>,
"Dong, Eric" <eric.dong@intel.com>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
"Sun, Zailiang" <zailiang.sun@intel.com>,
"Qian, Yi" <yi.qian@intel.com>,
"graeme@nuviainc.com" <graeme@nuviainc.com>,
"rad@semihalf.com" <rad@semihalf.com>,
"pete@akeo.ie" <pete@akeo.ie>
Subject: Re: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
Date: Thu, 15 Jul 2021 03:16:29 +0000 [thread overview]
Message-ID: <SA2PR11MB489202E2C550673279E14B8B8C129@SA2PR11MB4892.namprd11.prod.outlook.com> (raw)
In-Reply-To: <20210714122952.1340890-1-gjb@semihalf.com>
Thank you very much Grzegorz.
SecurityPkg: Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Grzegorz
> Bernacki
> Sent: Wednesday, July 14, 2021 8:30 PM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> lersek@redhat.com; sami.mujawar@arm.com; afish@apple.com; Ni, Ray
> <ray.ni@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>;
> rebecca@bsdio.com; grehan@freebsd.org; thomas.abraham@arm.com; Chiu,
> Chasel <chasel.chiu@intel.com>; Desimone, Nathaniel L
> <nathaniel.l.desimone@intel.com>; gaoliming@byosoft.com.cn; Dong, Eric
> <eric.dong@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Sun,
> Zailiang <zailiang.sun@intel.com>; Qian, Yi <yi.qian@intel.com>;
> graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki
> <gjb@semihalf.com>
> Subject: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
>
> This patchset adds support for initialization of default
> Secure Boot variables based on keys content embedded in
> flash binary. This feature is active only if Secure Boot
> is enabled and DEFAULT_KEY is defined. The patchset
> consist also application to enroll keys from default
> variables and secure boot menu change to allow user
> to reset key content to default values.
> Discussion on design can be found at:
> https://edk2.groups.io/g/rfc/topic/82139806#600
>
> Built with:
> GCC
> - RISC-V (U500, U540) [requires fixes in dsc to build]
> - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
> EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
>
> RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve requires additional fixes to be built,
> will be post on edk2 maillist later
>
> VS2019
> - Intel (OvmfPkgX64)
>
> Test with:
> GCC5/RPi4
> VS2019/OvmfX64 (requires changes to enable feature)
>
> Tests:
> 1. Try to enroll key in incorrect format.
> 2. Enroll with only PKDefault keys specified.
> 3. Enroll with all keys specified.
> 4. Enroll when keys are enrolled.
> 5. Reset keys values.
> 6. Running signed & unsigned app after enrollment.
>
> Changes since v1:
> - change names:
> SecBootVariableLib => SecureBootVariableLib
> SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> - change name of function CheckSetupMode to GetSetupMode
> - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> - rebase to master
>
> Changes since v2:
> - fix coding style for functions headers in SecureBootVariableLib.h
> - add header to SecureBootDefaultKeys.fdf.inc
> - remove empty line spaces in SecureBootDefaultKeysDxe files
> - revert FAIL macro in EnrollFromDefaultKeysApp
> - remove functions duplicates and add SecureBootVariableLib
> to platforms which used it
>
> Changes since v3:
> - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> - fix typo in guid description
>
> Changes since v4:
> - reorder patches to make it bisectable
> - split commits related to more than one platform
> - move edk2-platform commits to separate patchset
>
> Changes since v5:
> - split SecureBootVariableLib into SecureBootVariableLib and
> SecureBootVariableProvisionLib
>
> Grzegorz Bernacki (11):
> SecurityPkg: Create SecureBootVariableLib.
> SecurityPkg: Create library for enrolling Secure Boot variables.
> ArmVirtPkg: add SecureBootVariableLib class resolution
> OvmfPkg: add SecureBootVariableLib class resolution
> EmulatorPkg: add SecureBootVariableLib class resolution
> SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
> ArmPlatformPkg: Create include file for default key content.
> SecurityPkg: Add SecureBootDefaultKeysDxe driver
> SecurityPkg: Add EnrollFromDefaultKeys application.
> SecurityPkg: Add new modules to Security package.
> SecurityPkg: Add option to reset secure boot keys.
>
> SecurityPkg/SecurityPkg.dec | 14 +
> ArmVirtPkg/ArmVirt.dsc.inc | 2 +
> EmulatorPkg/EmulatorPkg.dsc | 2 +
> OvmfPkg/Bhyve/BhyveX64.dsc | 2 +
> OvmfPkg/OvmfPkgIa32.dsc | 2 +
> OvmfPkg/OvmfPkgIa32X64.dsc | 2 +
> OvmfPkg/OvmfPkgX64.dsc | 2 +
> SecurityPkg/SecurityPkg.dsc | 5 +
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> | 48 ++
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> | 80 +++
>
> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisi
> onLib.inf | 80 +++
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx
> e.inf | 3 +
>
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefa
> ultKeysDxe.inf | 46 ++
> SecurityPkg/Include/Library/SecureBootVariableLib.h | 153
> ++++++
> SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h |
> 134 +++++
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNv
> Data.h | 2 +
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
> | 6 +
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> | 110 +++++
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> | 511 ++++++++++++++++++++
>
> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisi
> onLib.c | 491 +++++++++++++++++++
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigIm
> pl.c | 344 ++++++-------
>
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefa
> ultKeysDxe.c | 69 +++
> ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc | 70
> +++
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> | 17 +
>
> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisi
> onLib.uni | 16 +
>
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStri
> ngs.uni | 4 +
>
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefa
> ultKeysDxe.uni | 16 +
> 27 files changed, 2043 insertions(+), 188 deletions(-)
> create mode 100644
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> create mode 100644
> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisi
> onLib.inf
> create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefa
> ultKeysDxe.inf
> create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> create mode 100644
> SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
> create mode 100644
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> create mode 100644
> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisi
> onLib.c
> create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefa
> ultKeysDxe.c
> create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> create mode 100644
> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisi
> onLib.uni
> create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefa
> ultKeysDxe.uni
>
> --
> 2.25.1
>
>
>
>
>
next prev parent reply other threads:[~2021-07-15 3:16 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-14 12:29 [PATCH v6 00/11] Secure Boot default keys Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 01/11] SecurityPkg: Create SecureBootVariableLib Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 02/11] SecurityPkg: Create library for enrolling Secure Boot variables Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 03/11] ArmVirtPkg: add SecureBootVariableLib class resolution Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 04/11] OvmfPkg: " Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 05/11] EmulatorPkg: " Grzegorz Bernacki
2021-07-21 2:53 ` [edk2-devel] " Ni, Ray
2021-07-14 12:29 ` [PATCH v6 06/11] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 07/11] ArmPlatformPkg: Create include file for default key content Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 08/11] SecurityPkg: Add SecureBootDefaultKeysDxe driver Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 09/11] SecurityPkg: Add EnrollFromDefaultKeys application Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 10/11] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-07-14 12:29 ` [PATCH v6 11/11] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-07-15 3:16 ` Yao, Jiewen [this message]
2021-07-16 12:00 ` [edk2-devel] [PATCH v6 00/11] Secure Boot default keys Samer El-Haj-Mahmoud
2021-07-16 17:28 ` Ard Biesheuvel
2021-07-20 1:32 ` 回复: " gaoliming
2021-07-21 3:40 ` Sunny Wang
2021-07-28 7:44 ` 回复: " gaoliming
2021-07-28 10:39 ` Ard Biesheuvel
2021-07-28 11:07 ` Ard Biesheuvel
2021-07-29 8:54 ` Grzegorz Bernacki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=SA2PR11MB489202E2C550673279E14B8B8C129@SA2PR11MB4892.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox