Subject: Re: [PATCH 0/6] Secure Boot default keys
To: Grzegorz Bernacki, devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com
References: <20210526094204.73600-1-gjb@semihalf.com>
From: "Laszlo Ersek"
Date: Wed, 26 May 2021 13:49:54 +0200
In-Reply-To: <20210526094204.73600-1-gjb@semihalf.com>

On 05/26/21 11:41, Grzegorz Bernacki wrote:
> This patchset adds support for initialization of default
> Secure Boot variables based on key content embedded in
> the flash binary. This feature is active only if Secure Boot
> is enabled and DEFAULT_KEY is defined. The patchset
> also consists of an application to enroll keys from default
> variables and a secure boot menu change to allow the user
> to reset key content to default values.
> Discussion on design can be found at:
> https://edk2.groups.io/g/rfc/topic/82139806#600
>
> I also added a patch for RPi4 which enables this feature for
> that platform.

Thanks for the CC -- but my plate is overflowing; I won't be reviewing
this SecurityPkg patch set.

Thanks
laszlo

>
> Grzegorz Bernacki (6):
> [edk2]
>   SecurityPkg: Create library for setting Secure Boot variables.
>   SecurityPkg: Create include file for default key content.
>   SecurityPkg: Add SecBootDefaultKeysDxe driver
>   SecurityPkg: Add SecEnrollDefaultKeys application.
>   SecurityPkg: Add new modules to Security package.
>   SecurityPkg: Add option to reset secure boot keys.
>
> [edk2-platforms]
>   Platform/RaspberryPi: Enable default Secure Boot variables initialization
>
>  SecurityPkg/SecurityPkg.dec | 14 +
>  SecurityPkg/SecurityPkg.dsc | 5 +
>  SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf | 79 ++
>  SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf | 48 +
>  SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf | 46 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 +
>  SecurityPkg/Include/Library/SecBootVariableLib.h | 252 +++++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
>  SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c | 979 ++++++++++++++++++++
>  SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c | 108 +++
>  SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c | 69 ++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 343 ++++---
>  SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni | 16 +
>  SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 ++
>  SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni | 17 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
>  17 files changed, 1864 insertions(+), 188 deletions(-)
>  create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf
>  create mode 100644 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf
>  create mode 100644 SecurityPkg/Include/Library/SecBootVariableLib.h
>  create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c
>  create mode 100644 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c
>  create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni
>  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni
>