From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: redhat.com, ip: 209.85.221.65, mailfrom: philmd@redhat.com)
Received: from mail-wr1-f65.google.com (mail-wr1-f65.google.com [209.85.221.65])
 by groups.io with SMTP; Mon, 29 Apr 2019 22:24:21 -0700
Received: by mail-wr1-f65.google.com with SMTP id s18so19450511wrp.0
        for <devel@edk2.groups.io>; Mon, 29 Apr 2019 22:24:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:openpgp:message-id
         :date:user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=XXGmdU9Q/CP0EQyM/hq9T21hLgI8l/Iyzcih/MnlWrY=;
        b=BzpzUbPAxCs3kfZYCaAA4P1ZrfIl+C+n3LwbT9JuszATc66Efz0DBdtcj/jL+vbhc3
         M9mie/8EHxnTRo+SAMPk1gEas41T1DJGuNBVMceaJacIxLhDzJKG6OSMngzzX/6txFfh
         wqGnKerOs9zktPzyDVfbvJkDCzsl445u2MdwK0z6mh0EN4i9ta5fYr6x/nsjnR7u8n+F
         mLo4RzKLqNP3NAR4haa242eA1eVea8i7nT1PLqWfzP/aBn5fFBTLqj80ais+UeOgkBbV
         OK9oSz711uFJOoEEzVHC58icqyGy71Yb6Yb9HlIRn1NkiHkdMdQ1QWmdTP9r0F9qS0Bf
         68Eg==
X-Gm-Message-State: APjAAAV6WxvQUROPpK8IZPDSiBoLvAZ5j1aNJ2r2VyHiOmYxmIjX1doG
	Li9/BSx7NuWy6tSOum/nAx6bNg==
X-Google-Smtp-Source: APXvYqwrBfWU//qV4QGo8Sp1L61IyjLW0v4fqxpiXOTKOzfBT7leB+livuxrnYvEv2HAsihO7ceHKg==
X-Received: by 2002:adf:83a7:: with SMTP id 36mr8516389wre.310.1556601859989;
        Mon, 29 Apr 2019 22:24:19 -0700 (PDT)
Return-Path: <philmd@redhat.com>
Received: from [192.168.1.37] (193.red-88-21-103.staticip.rima-tde.net. [88.21.103.193])
        by smtp.gmail.com with ESMTPSA id 11sm1096232wmk.17.2019.04.29.22.24.18
        (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128);
        Mon, 29 Apr 2019 22:24:19 -0700 (PDT)
Subject: Re: [edk2-devel] [PATCH 14/16] OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID
To: devel@edk2.groups.io, lersek@redhat.com
Cc: Anthony Perard <anthony.perard@citrix.com>,
 Ard Biesheuvel <ard.biesheuvel@linaro.org>,
 Jordan Justen <jordan.l.justen@intel.com>,
 Julien Grall <julien.grall@arm.com>
References: <20190427005328.27005-1-lersek@redhat.com>
 <20190427005328.27005-15-lersek@redhat.com>
From: =?UTF-8?B?UGhpbGlwcGUgTWF0aGlldS1EYXVkw6k=?= <philmd@redhat.com>
Openpgp: id=89C1E78F601EE86C867495CBA2A3FD6EDEADC0DE;
 url=http://pgp.mit.edu/pks/lookup?op=get&search=0xA2A3FD6EDEADC0DE
Message-ID: <c6930c0a-b814-95e2-46da-a27d692b5d8d@redhat.com>
Date: Tue, 30 Apr 2019 07:24:17 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <20190427005328.27005-15-lersek@redhat.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

On 4/27/19 2:53 AM, Laszlo Ersek wrote:
> For the EnrollDefaultKeys application, the hypervisor is expected to add a
> string entry to the "OEM Strings" (Type 11) SMBIOS table, with the
> following format:
> 
> 4e32566d-8e9e-4f52-81d3-5bb9715f9727:<Base64 X509 cert for PK and first KEK>
> 
> The string representation of the GUID at the front is the "application
> prefix", in terms of QEMU commit
> <https://git.qemu.org/?p=qemu.git;a=commit;h=2d6dcbf93fb0>.
> 
> Introduce this GUID in the usual manner.
> 
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@arm.com>
> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/OvmfPkg.dec                        |  1 +
>  OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h | 45 ++++++++++++++++++++
>  2 files changed, 46 insertions(+)
> 
> diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
> index 922e061cc85c..0e555c5c78c5 100644
> --- a/OvmfPkg/OvmfPkg.dec
> +++ b/OvmfPkg/OvmfPkg.dec
> @@ -67,16 +67,17 @@ [LibraryClasses]
>  
>    ##  @libraryclass  Manage XenBus device path and I/O handles
>    #
>    XenIoMmioLib|Include/Library/XenIoMmioLib.h
>  
>  [Guids]
>    gUefiOvmfPkgTokenSpaceGuid          = {0x93bb96af, 0xb9f2, 0x4eb8, {0x94, 0x62, 0xe0, 0xba, 0x74, 0x56, 0x42, 0x36}}
>    gEfiXenInfoGuid                     = {0xd3b46f3b, 0xd441, 0x1244, {0x9a, 0x12, 0x0, 0x12, 0x27, 0x3f, 0xc1, 0x4d}}
> +  gOvmfPkKek1AppPrefixGuid            = {0x4e32566d, 0x8e9e, 0x4f52, {0x81, 0xd3, 0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27}}
>    gOvmfPlatformConfigGuid             = {0x7235c51c, 0x0c80, 0x4cab, {0x87, 0xac, 0x3b, 0x08, 0x4a, 0x63, 0x04, 0xb1}}
>    gVirtioMmioTransportGuid            = {0x837dca9e, 0xe874, 0x4d82, {0xb2, 0x9a, 0x23, 0xfe, 0x0e, 0x23, 0xd1, 0xe2}}
>    gQemuRamfbGuid                      = {0x557423a1, 0x63ab, 0x406c, {0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}}
>    gXenBusRootDeviceGuid               = {0xa732241f, 0x383d, 0x4d9c, {0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}}
>    gRootBridgesConnectedEventGroupGuid = {0x24a2d66f, 0xeedd, 0x4086, {0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}}
>    gMicrosoftVendorGuid                = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}}
>  
>  [Protocols]
> diff --git a/OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h b/OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
> new file mode 100644
> index 000000000000..e05d2fe021b7
> --- /dev/null
> +++ b/OvmfPkg/Include/Guid/OvmfPkKek1AppPrefix.h
> @@ -0,0 +1,45 @@
> +/** @file
> +  Declare the application prefix string as a GUID, for locating the PK/KEK1
> +  X509 certificate to enroll, in the "OEM Strings" SMBIOS table.
> +
> +  Copyright (C) 2019, Red Hat, Inc.
> +
> +  SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +  @par Specification Reference:
> +  - https://git.qemu.org/?p=qemu.git;a=commit;h=2d6dcbf93fb0
> +  - https://libvirt.org/formatdomain.html#elementsSysinfo
> +  - https://bugs.launchpad.net/qemu/+bug/1826200
> +  - https://bugzilla.tianocore.org/show_bug.cgi?id=1747
> +**/
> +
> +#ifndef OVMF_PK_KEK1_APP_PREFIX_H_
> +#define OVMF_PK_KEK1_APP_PREFIX_H_
> +
> +#include <Uefi/UefiBaseType.h>
> +
> +//
> +// For the EnrollDefaultKeys application, the hypervisor is expected to add a
> +// string entry to the "OEM Strings" (Type 11) SMBIOS table, with the following
> +// format:
> +//
> +// 4e32566d-8e9e-4f52-81d3-5bb9715f9727:<Base64 X509 cert for PK and first KEK>
> +//
> +// The string representation of the GUID at the front is the "application
> +// prefix". It is matched by EnrollDefaultKeys case-insensitively.
> +//
> +// The base64-encoded blob following the application prefix and the colon (:)
> +// is an X509 certificate in DER representation; the hypervisor instructs
> +// EnrollDefaultKeys to enroll this certificate as both Platform Key and first
> +// Key Exchange Key.
> +//
> +#define OVMF_PK_KEK1_APP_PREFIX_GUID                    \
> +  { 0x4e32566d,                                         \
> +    0x8e9e,                                             \
> +    0x4f52,                                             \
> +    { 0x81, 0xd3, 0x5b, 0xb9, 0x71, 0x5f, 0x97, 0x27 }, \
> +  }
> +
> +extern EFI_GUID gOvmfPkKek1AppPrefixGuid;
> +
> +#endif /* OVMF_PK_KEK1_APP_PREFIX_H_ */
> 

Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>