public inbox for devel@edk2.groups.io
From: "Rebecca Cran via groups.io" <rebecca=os.amperecomputing.com@groups.io>
To: Nhi Pham <nhi@os.amperecomputing.com>, devel@edk2.groups.io
Cc: quic_llindhol@quicinc.com, chuong@os.amperecomputing.com
Subject: Re: [edk2-devel] [edk2-platforms][PATCH 1/1] Ampere/JadePkg: Add secure boot default keys initialization
Date: Tue, 4 Jun 2024 22:10:00 -0600	[thread overview]
Message-ID: <fffd7769-7da7-4432-b987-014feafea56d@os.amperecomputing.com> (raw)
In-Reply-To: <20240605005752.818401-1-nhi@os.amperecomputing.com>

Reviewed-by: Rebecca Cran <rebecca@os.amperecomputing.com>

-- 
Rebecca Cran

On 6/4/2024 6:57 PM, Nhi Pham wrote:
> This allows initializing secure boot with the default factory keys
> embedded in the firmware flash image.
>
> For example, to incorporate PK, KEK, and DB default keys, specify the
> corresponding key files in the Jade.dsc as follows:
>
> DEFINE DEFAULT_KEYS        = TRUE
> DEFINE PK_DEFAULT_FILE     = path/to/PK.crt
> DEFINE KEK_DEFAULT_FILE1   = path/to/KEK.crt
> DEFINE DB_DEFAULT_FILE1    = path/to/DB1.crt
> DEFINE DB_DEFAULT_FILE2    = path/to/DB2.crt
>
> Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
> ---
>   Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc | 2 ++
>   Platform/Ampere/JadePkg/Jade.fdf                     | 2 ++
>   2 files changed, 4 insertions(+)
>
> diff --git a/Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc b/Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc
> index 23579497661d..93b4d1d99dcd 100644
> --- a/Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc
> +++ b/Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc
> @@ -590,6 +590,8 @@ [Components.common]
>   
>   !if $(SECURE_BOOT_ENABLE) == TRUE
>     SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> +  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
>   !endif
>     MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
>     MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
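Review bot: EnrollFromDefaultKeysApp.inf is added to the DSC here, but the Jade.fdf hunk in this patch only adds SecureBootDefaultKeysDxe.inf, so the application is compiled while nothing in the patch places it in the firmware volume; either add a matching `INF SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf` line to FvMain or state in the commit message that it is built as a stand-alone .efi to be run separately. Both new lines are also gated only on `$(SECURE_BOOT_ENABLE)`, whereas the commit message introduces a `DEFAULT_KEYS` define; wrapping them in `!if $(DEFAULT_KEYS) == TRUE` would keep a secure-boot build without embedded keys from carrying the extra DXE. Note too that this file is the shared Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc, so the change affects every platform that includes it, not only JadePkg as the subject line suggests.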
> diff --git a/Platform/Ampere/JadePkg/Jade.fdf b/Platform/Ampere/JadePkg/Jade.fdf
> index 7795f0e11115..1e2df5ba6142 100644
> --- a/Platform/Ampere/JadePkg/Jade.fdf
> +++ b/Platform/Ampere/JadePkg/Jade.fdf
> @@ -219,7 +219,9 @@ [FV.FvMain]
>     INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
>     INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
>   !if $(SECURE_BOOT_ENABLE) == TRUE
> +!include ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
>     INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
> +  INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
>   !endif
>     INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
>     INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
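Review bot: the `!include ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc` and the new INF line sit under `!if $(SECURE_BOOT_ENABLE) == TRUE` only, while the commit message makes the key files conditional on `DEFAULT_KEYS` plus `PK_DEFAULT_FILE`, `KEK_DEFAULT_FILE1` and `DB_DEFAULT_FILE1`/`DB_DEFAULT_FILE2` being defined in Jade.dsc; please confirm the include builds cleanly when those defines are absent, or wrap both new lines in `!if $(DEFAULT_KEYS) == TRUE` so the platform and silicon DSC/FDF gating match. The commit message should also say which encoding the `.crt` files must use (PEM or DER), since `path/to/PK.crt` alone does not tell a platform integrator which one to drop in.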

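The patch above embeds certificate files into the flash image so that they can be enrolled as PK, KEK and db. As an added example, not code from edk2, SecurityPkg or the Ampere platform packages, the Python below shows the EFI_SIGNATURE_LIST layout those certificates take once enrolled into an authenticated variable (an EFI_CERT_X509_GUID list holding EFI_SIGNATURE_DATA entries of SignatureOwner plus the DER certificate), a parser with the size checks a variable consumer needs, and a pre-flight check that a key file is DER, or PEM that it converts to DER, before it is wired into a DSC define. The helper names (load_der, build_x509_esl, parse_esls, demo), the sample certificate bytes (a constructed ASN.1 placeholder, not a real certificate) and the owner GUID are all assumptions of this example.

```python
"""EFI_SIGNATURE_LIST helpers for X.509 Secure Boot keys (constructed example)."""
import base64
import struct
import uuid

# EFI_CERT_X509_GUID: SignatureType for lists holding DER X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (UINT32, little endian) = 28 bytes.
_ESL_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # EFI_SIGNATURE_DATA.SignatureOwner GUID

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def load_der(data: bytes) -> bytes:
    """Accept a PEM or DER certificate file body and return DER bytes.

    Rejects anything that does not start with an ASN.1 SEQUENCE (tag 0x30),
    which every DER-encoded X.509 Certificate does.
    """
    if PEM_BEGIN in data:
        b64 = data.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        der = base64.b64decode(b"".join(b64.split()), validate=True)
    else:
        der = data
    if not der or der[0] != 0x30:
        raise ValueError("not a DER-encoded X.509 certificate")
    return der


def build_x509_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST with a single entry."""
    sig_size = _OWNER_LEN + len(der_cert)
    list_size = _ESL_HDR.size + sig_size
    header = _ESL_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + der_cert


def parse_esls(blob: bytes):
    """Walk a concatenation of signature lists, as stored in PK/KEK/db.

    Returns [(signature_type, [(owner, signature_data), ...]), ...] and raises
    ValueError on truncated or inconsistent sizes instead of reading past the end.
    """
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _ESL_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = _ESL_HDR.unpack_from(blob, off)
        if off + list_size > len(blob) or list_size < _ESL_HDR.size + hdr_size:
            raise ValueError("SignatureListSize inconsistent with data")
        if sig_size <= _OWNER_LEN:
            raise ValueError("SignatureSize too small for an owner GUID")
        body_off = off + _ESL_HDR.size + hdr_size
        body_len = list_size - _ESL_HDR.size - hdr_size
        if body_len % sig_size:
            raise ValueError("list body is not a whole number of entries")
        entries = []
        for i in range(body_len // sig_size):
            p = body_off + i * sig_size
            owner = uuid.UUID(bytes_le=blob[p:p + _OWNER_LEN])
            entries.append((owner, blob[p + _OWNER_LEN:p + sig_size]))
        lists.append((uuid.UUID(bytes_le=sig_type), entries))
        off += list_size
    return lists


# Constructed sample input (not a real certificate): a minimal ASN.1 SEQUENCE
# so that load_der's tag check passes, plus the same bytes wrapped as PEM.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00])
SAMPLE_PEM = PEM_BEGIN + b"\n" + base64.b64encode(SAMPLE_DER) + b"\n" + PEM_END + b"\n"
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # arbitrary


def demo() -> int:
    """Build a db-style blob from one PEM and one DER input, parse it back."""
    blob = (build_x509_esl(load_der(SAMPLE_PEM), SAMPLE_OWNER)
            + build_x509_esl(load_der(SAMPLE_DER), SAMPLE_OWNER))
    parsed = parse_esls(blob)
    for sig_type, entries in parsed:
        assert sig_type == EFI_CERT_X509_GUID
        for owner, cert in entries:
            assert owner == SAMPLE_OWNER and cert == SAMPLE_DER
    return len(parsed)


if __name__ == "__main__":
    print("signature lists parsed:", demo())
```

Running load_der over each file named in a PK_DEFAULT_FILE / KEK_DEFAULT_FILE1 / DB_DEFAULT_FILE* define before building the image catches a PEM-versus-DER mix-up at the build host rather than at first boot, and parse_esls is the shape of check to run on the resulting PK/KEK/db variable contents when validating a board.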
Thread overview: 4+ messages
2024-06-05  0:57 [edk2-devel] [edk2-platforms][PATCH 1/1] Ampere/JadePkg: Add secure boot default keys initialization Nhi Pham via groups.io
2024-06-05  4:10 ` Rebecca Cran via groups.io [this message]
2024-06-05  4:31   ` Nhi Pham via groups.io
2024-07-31  9:41   ` Nhi Pham via groups.io
