From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) by mx.groups.io with SMTP id smtpd.web09.1292.1622655601760504422 for ; Wed, 02 Jun 2021 10:40:02 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@akeo-ie.20150623.gappssmtp.com header.s=20150623 header.b=RAubMqgG; spf=pass (domain: akeo.ie, ip: 209.85.128.53, mailfrom: pete@akeo.ie) Received: by mail-wm1-f53.google.com with SMTP id t16-20020a05600c1990b02901a0d45ff03aso730057wmq.2 for ; Wed, 02 Jun 2021 10:40:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akeo-ie.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=oNz1GryxOB8q7NdbX0dJ5WKKEd/YJdVHycqz8dFfHZY=; b=RAubMqgGAye6p5VPOZ51GagFiAcORg7EMGWx5uTVsu1Lj+EmPHN+INAmYRYHwpXE8b 4ju79Fh+XujLudfaFsx4UWWhACdmJwMhP3y5GFu1e7fefAX5c2dkSR08LfDPe6dn1Gus YdWNL2jqM0jeZ6viQc1TOMLGscEx+ZqnI1T0ce7HurPgty0pJmHh4YuNGog2LV+6M156 jbm3n1fEVA4XI/fyU6rJQ2J66e/CxDyYzC0ASlH9uAkJc9gB7K5t4JXJt5z32M9a7j/I 0hjsGixXQHAMG2361ZN05lQo6a7l/OhPWNlwPCsVTddy3rS7BNyHdbOqIGbnmCKWGsl4 wM/Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=oNz1GryxOB8q7NdbX0dJ5WKKEd/YJdVHycqz8dFfHZY=; b=X/jA3/TPriAy1uwkZtcUGvS3fvhVY0nLlaDlBJV+9Z0pxQX1GK6CEcjw5LWjBiPN5p VzzLzDSYBgetPnlUGBZJrniOVITCozxVI1PQMOP62e7BMp9QffB47U0XRqMTg8Z7Fayz SrTLgT+9umi0Grqlpd0831ZVsmVRdR/gHnrMxtTQTTdhjos6g4KpXnUQLlsSuvkkmobV Rf4eLCKq5SzeP0l0V0tInEXLZ8yF0spsZAi/3usECJPvMXsekXQJcdPDPVRuG8vTali0 0EMOZlwbM3sEtA+igUtMal4jyMacg9/fzbuZqqS4mzjsk5blf/46BJ61UYCz02INE3SX OjoQ== X-Gm-Message-State: AOAM533KkYGnFAoW9it+jxbcdPsUAmJ5FV85jUWU8MALUun16ya/QzjB X+f6iQoIZjQXFZcwdf/J8H7yhQ== X-Google-Smtp-Source: ABdhPJx5x+QZlYViHjGCq5fjNb+nTblo0WmOo9vqVrD9N03UDAxDZdI9//0qtjeX4OsX6clT9x54ZA== X-Received: by 2002:a7b:c849:: with SMTP id c9mr6372953wml.84.1622655600265; Wed, 02 Jun 2021 10:40:00 -0700 (PDT) Return-Path: Received: from [10.0.0.122] ([84.203.86.196]) by smtp.googlemail.com with ESMTPSA id b188sm4242829wmh.18.2021.06.02.10.39.59 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 02 Jun 2021 10:39:59 -0700 (PDT) Subject: Re: [edk2-devel] [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver To: devel@edk2.groups.io, gjb@semihalf.com Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com References: <20210601131229.630611-1-gjb@semihalf.com> <20210601131229.630611-5-gjb@semihalf.com> From: "Pete Batard" Message-ID: Date: Wed, 2 Jun 2021 18:39:58 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.2 MIME-Version: 1.0 In-Reply-To: <20210601131229.630611-5-gjb@semihalf.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: 7bit 3 very minor remarks below: On 2021.06.01 14:12, Grzegorz Bernacki wrote: > This driver initializes default Secure Boot keys and databases > based on keys embedded in flash. > > Signed-off-by: Grzegorz Bernacki > --- > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 46 +++++++++++++ > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 69 ++++++++++++++++++++ > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 17 +++++ > 3 files changed, 132 insertions(+) > create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf > create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c > create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni > > diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf > new file mode 100644 > index 0000000000..27345eab2e > --- /dev/null > +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf > @@ -0,0 +1,46 @@ > +## @file > +# Initializes Secure Boot default keys > +# > +# Copyright (c) 2021, ARM Ltd. All rights reserved.
> +# Copyright (c) 2021, Semihalf All rights reserved.
> +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > +[Defines] > + INF_VERSION = 0x00010005 > + BASE_NAME = SecureBootDefaultKeysDxe > + FILE_GUID = C937FCB7-25AC-4376-89A2-4EA8B317DE83 > + MODULE_TYPE = DXE_DRIVER > + ENTRY_POINT = SecureBootDefaultKeysEntryPoint > + > +# > +# VALID_ARCHITECTURES = IA32 X64 AARCH64 > +# > +[Sources] > + SecureBootDefaultKeysDxe.c > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + SecurityPkg/SecurityPkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + MemoryAllocationLib > + UefiDriverEntryPoint > + DebugLib > + SecureBootVariableLib > + > +[Guids] > + ## SOMETIMES_PRODUCES ## Variable:L"PKDefault" > + ## SOMETIMES_PRODUCES ## Variable:L"KEKDefault" > + ## SOMETIMES_PRODUCES ## Variable:L"dbDefault" > + ## SOMETIMES_PRODUCES ## Variable:L"dbtDefault" > + ## SOMETIMES_PRODUCES ## Variable:L"dbxDefault" > + gEfiGlobalVariableGuid > + > +[Depex] > + gEfiVariableArchProtocolGuid AND > + gEfiVariableWriteArchProtocolGuid > + This adds an extra trailing blank line. > diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c > new file mode 100644 > index 0000000000..0928489e15 > --- /dev/null > +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c > @@ -0,0 +1,69 @@ > +/** @file > + This driver init default Secure Boot variables > + > +Copyright (c) 2021, ARM Ltd. All rights reserved.
> +Copyright (c) 2021, Semihalf All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +/** > + The entry point for SecureBootDefaultKeys driver. > + > + @param[in] ImageHandle The image handle of the driver. > + @param[in] SystemTable The system table. > + > + @retval EFI_ALREADY_STARTED The driver already exists in system. > + @retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack of resources. > + @retval EFI_SUCCESS All the related protocols are installed on the driver. > + @retval Others Fail to get the SecureBootEnable variable. > + > +**/ > +EFI_STATUS > +EFIAPI > +SecureBootDefaultKeysEntryPoint ( > + IN EFI_HANDLE ImageHandle, > + IN EFI_SYSTEM_TABLE *SystemTable > + ) > +{ > + EFI_STATUS Status; > + > + Status = SecureBootInitPKDefault (); > + if (EFI_ERROR (Status)) { > + DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __FUNCTION__, Status)); > + return Status; > + } > + > + Status = SecureBootInitKEKDefault (); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __FUNCTION__, Status)); > + return Status; > + } > + Status = SecureBootInitdbDefault (); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __FUNCTION__, Status)); > + return Status; > + } > + > + Status = SecureBootInitdbtDefault (); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__)); > + } > + > + Status = SecureBootInitdbxDefault (); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__)); > + } > + > + return Status; > +} > + This adds an extra trailing blank line. > diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni > new file mode 100644 > index 0000000000..30f03aee5d > --- /dev/null > +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni > @@ -0,0 +1,17 @@ > +// /** @file > +// Provides the capability to intialize Secure Boot default variables > +// > +// Module which initializes Secure boot default variables. > +// > +// Copyright (c) 2021, ARM Ltd. All rights reserved.
> +// Copyright (c) 2021, Semihalf All rights reserved.
> +// > +// SPDX-License-Identifier: BSD-2-Clause-Patent > +// > +// **/ > + > + > +#string STR_MODULE_ABSTRACT #language en-US "Module which initializes Secure boot default variables" > + > +#string STR_MODULE_DESCRIPTION #language en-US "This module reads embedded keys and initializes Secure Boot default variables." > + This adds an extra trailing blank line. > Reviewed-by: Pete Batard Tested-by: Pete Batard on Raspberry Pi 4