From: "Laszlo Ersek" <lersek@redhat.com>
To: Grzegorz Bernacki <gjb@semihalf.com>, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org,
Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com,
upstream@semihalf.com, jiewen.yao@intel.com,
jian.j.wang@intel.com, min.m.xu@intel.com
Subject: Re: [PATCH 0/6] Secure Boot default keys
Date: Wed, 26 May 2021 13:49:54 +0200 [thread overview]
Message-ID: <eafaeed9-4eae-ce93-39ec-241de3cb2739@redhat.com> (raw)
In-Reply-To: <20210526094204.73600-1-gjb@semihalf.com>
On 05/26/21 11:41, Grzegorz Bernacki wrote:
> This patchset adds support for initialization of default
> Secure Boot variables based on keys content embedded in
> flash binary. This feature is active only if Secure Boot
> is enabled and DEFAULT_KEY is defined. The patchset
> consist also application to enroll keys from default
> variables and secure boot menu change to allow user
> to reset key content to default values.
> Discussion on design can be found at:
> https://edk2.groups.io/g/rfc/topic/82139806#600
>
> I also added patch for RPi4 which enables this feature for
> that platform.
Thanks for the CC -- but my plate is overflowing; I won't be reviewing
this SecurityPkg patch set.
Thanks
laszlo
>
> Grzegorz Bernacki (6):
> [edk2]
> SecurityPkg: Create library for setting Secure Boot variables.
> SecurityPkg: Create include file for default key content.
> SecurityPkg: Add SecBootDefaultKeysDxe driver
> SecurityPkg: Add SecEnrollDefaultKeys application.
> SecurityPkg: Add new modules to Security package.
> SecurityPkg: Add option to reset secure boot keys.
>
> [edk2-platforms]
> Platform/RaspberryPi: Enable default Secure Boot variables initialization
>
> SecurityPkg/SecurityPkg.dec | 14 +
> SecurityPkg/SecurityPkg.dsc | 5 +
> SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf | 79 ++
> SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf | 48 +
> SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf | 46 +
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 +
> SecurityPkg/Include/Library/SecBootVariableLib.h | 252 +++++
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
> SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c | 979 ++++++++++++++++++++
> SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c | 108 +++
> SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c | 69 ++
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 343 ++++---
> SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni | 16 +
> SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 ++
> SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni | 17 +
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
> 17 files changed, 1864 insertions(+), 188 deletions(-)
> create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf
> create mode 100644 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf
> create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf
> create mode 100644 SecurityPkg/Include/Library/SecBootVariableLib.h
> create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c
> create mode 100644 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c
> create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c
> create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni
> create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni
>
prev parent reply other threads:[~2021-05-26 11:50 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-26 9:41 [PATCH 0/6] Secure Boot default keys Grzegorz Bernacki
2021-05-26 9:41 ` [edk2-platforms PATCH] Platform/RaspberryPi: Enable default Secure Boot variables initialization Grzegorz Bernacki
2021-05-26 9:41 ` [PATCH 1/6] SecurityPkg: Create library for setting Secure Boot variables Grzegorz Bernacki
2021-05-26 9:58 ` Sunny Wang
[not found] ` <1682957906E2CAD3.2072@groups.io>
2021-05-26 10:11 ` [edk2-devel] " Sunny Wang
2021-05-26 12:55 ` Yao, Jiewen
2021-05-26 9:42 ` [PATCH 2/6] SecurityPkg: Create include file for default key content Grzegorz Bernacki
2021-05-26 9:42 ` [PATCH 3/6] SecurityPkg: Add SecBootDefaultKeysDxe driver Grzegorz Bernacki
2021-05-26 12:56 ` Yao, Jiewen
2021-05-26 9:42 ` [PATCH 4/6] SecurityPkg: Add SecEnrollDefaultKeys application Grzegorz Bernacki
2021-05-26 12:50 ` Yao, Jiewen
2021-05-26 9:42 ` [PATCH 5/6] SecurityPkg: Add new modules to Security package Grzegorz Bernacki
2021-05-26 9:42 ` [PATCH 6/6] SecurityPkg: Add option to reset secure boot keys Grzegorz Bernacki
2021-05-26 11:49 ` Laszlo Ersek [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=eafaeed9-4eae-ce93-39ec-241de3cb2739@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox