From: "Jan Bobek via groups.io"
CC: Jan Bobek, Laszlo Ersek, "Jiewen Yao", Jian J Wang, Min Xu, Matthew Carlson
Subject: [edk2-devel] [PATCH v1 1/4] SecurityPkg: limit verification of enrolled PK in setup mode
Date: Fri, 20 Jan 2023 15:58:32 -0700
Message-ID: <20230120225835.42733-2-jbobek@nvidia.com>
In-Reply-To: <20230120225835.42733-1-jbobek@nvidia.com>
References: <20230120225835.42733-1-jbobek@nvidia.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506

Per UEFI spec, enrolling a new PK in setup mode should not require a
self-signature. Introduce a feature PCD called PcdRequireSelfSignedPk
to control this requirement. Default to TRUE in order to preserve the
legacy behavior.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Co-authored-by: Matthew Carlson
Signed-off-by: Jan Bobek
Acked-by: Jiewen Yao
Reviewed-by: Sean Brogan
---
 SecurityPkg/SecurityPkg.dec                             | 7 +++++++
 SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 3 +++
 SecurityPkg/Library/AuthVariableLib/AuthService.c       | 9 +++++++--
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 8257f11d17c7..d3b7ad7ff6fb 100644
--- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -580,5 +580,12 @@ [PcdsDynamic, PcdsDynamicEx] ## This PCD records LASA field in CC EVENTLOG ACPI table. gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x0001= 0026 =20 +[PcdsFeatureFlag] + ## Indicates if the platform requires PK to be self-signed when setting = the PK in setup mode. + # TRUE - Require PK to be self-signed. + # FALSE - Do not require PK to be self-signed. + # @Prompt Require PK to be self-signed + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE|BOOLEAN|0x000= 10027 + [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/Secu= rityPkg/Library/AuthVariableLib/AuthVariableLib.inf index 8eadeebcebd7..e5985c5f8b60 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf @@ -86,3 +86,6 @@ [Guids] gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique= ID for the type of the certificate. gEfiCertPkcs7Guid ## SOMETIMES_CONSUMES ## GUID # Unique= ID for the type of the certificate. gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Unique= ID for the type of the signature. + +[FeaturePcd] + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPk= g/Library/AuthVariableLib/AuthService.c index 054ee4d1d988..e9989695626e 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c 
@@ -603,7 +603,10 @@ ProcessVarWithPk ( // Init state of Del. State may change due to secure check // Del =3D FALSE; - if ((InCustomMode () && UserPhysicalPresent ()) || ((mPlatformMode =3D= =3D SETUP_MODE) && !IsPk)) { + if ( (InCustomMode () && UserPhysicalPresent ()) + || ( (mPlatformMode =3D=3D SETUP_MODE) + && !(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk))) + { Payload =3D (UINT8 *)Data + AUTHINFO2_SIZE (Data); PayloadSize =3D DataSize - AUTHINFO2_SIZE (Data); if (PayloadSize =3D=3D 0) { 
@@ -627,7 +630,9 @@ ProcessVarWithPk ( return Status; } =20 - if ((mPlatformMode !=3D SETUP_MODE) || IsPk) { + if ( (mPlatformMode !=3D SETUP_MODE) + || (FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk)) + { Status =3D VendorKeyIsModified (); } } else if (mPlatformMode =3D=3D USER_MODE) { --=20 2.30.2
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98946): https://edk2.groups.io/g/devel/message/98946 Mute This Topic: https://groups.io/mt/96412383/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
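Review bot: In the SecurityPkg.dec hunk, the new PCD is declared under gEfiMdeModulePkgTokenSpaceGuid although the file is SecurityPkg.dec and the entry directly above it uses gEfiSecurityPkgTokenSpaceGuid. The token number 0x00010027 continues the SecurityPkg sequence (the previous entry is 0x00010026) but is being allocated in another package's token space, and nothing in this patch shows that number to be free there. Either declare it as gEfiSecurityPkgTokenSpaceGuid.PcdRequireSelfSignedPk and update the [FeaturePcd] entry in AuthVariableLib.inf to match, or move the declaration into the .dec that owns the MdeModulePkg token space and say in the commit message why it belongs there.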
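Review bot: In the first AuthService.c hunk (@@ -603,7 +603,10 @@), the rewritten condition has no comment explaining that, with PcdRequireSelfSignedPk set to FALSE, a PK write in SETUP_MODE now enters the branch that the old code kept PK out of via !IsPk. The only comment in view is the one about Del. Add a comment above the if that lists which cases reach this branch and states that the PCD decides whether PK is among them, so a reader does not have to expand !(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk) by hand.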
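Review bot: In the second AuthService.c hunk (@@ -627,7 +630,9 @@), the condition guarding VendorKeyIsModified () is the exact negation of the setup-mode term added in the previous hunk, yet the two are written out separately. Compute the "PK must be self-signed" case once in a local BOOLEAN in ProcessVarWithPk and use it in both places so the two conditions cannot drift apart. Also, with the PCD set to FALSE a PK write in SETUP_MODE no longer calls VendorKeyIsModified () in this branch, where the old || IsPk always did; if that is intended, the commit message should say so.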
From: "Jan Bobek via groups.io"
CC: Jan Bobek, Laszlo Ersek, "Jiewen Yao", Ard Biesheuvel, Jordan Justen, Gerd Hoffmann, Rebecca Cran, Peter Grehan, Sebastien Boeuf
Subject: [edk2-devel] [PATCH v1 2/4] OvmfPkg: require self-signed PK when secure boot is enabled
Date: Fri, 20 Jan 2023 15:58:33 -0700
Message-ID: <20230120225835.42733-3-jbobek@nvidia.com>
In-Reply-To: <20230120225835.42733-1-jbobek@nvidia.com>
References: <20230120225835.42733-1-jbobek@nvidia.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506

In all DSC files that define SECURE_BOOT_ENABLE, opt in to requiring
self-signed PK when SECURE_BOOT_ENABLE is TRUE.

Cc: Ard Biesheuvel
Cc: Jiewen Yao
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc: Rebecca Cran
Cc: Peter Grehan
Cc: Sebastien Boeuf
Signed-off-by: Jan Bobek
Acked-by: Jiewen Yao
Reviewed-by: Sean Brogan
---
 OvmfPkg/Bhyve/BhyveX64.dsc       | 3 +++
 OvmfPkg/CloudHv/CloudHvX64.dsc   | 3 +++
 OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 +++
 OvmfPkg/Microvm/MicrovmX64.dsc   | 3 +++
 OvmfPkg/OvmfPkgIa32.dsc          | 3 +++
 OvmfPkg/OvmfPkgIa32X64.dsc       | 3 +++
 OvmfPkg/OvmfPkgX64.dsc           | 3 +++
 7 files changed, 21 insertions(+)

diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index befec670d4f3..66a2ae8868e5 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -422,6 +422,9 @@ [PcdsFeatureFlag] gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdInstallAcpiSdtProtocol|TRUE +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration|TRUE diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc index 7326417eab62..9cb267f98942 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc @@ -480,6 +480,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX6= 4.dsc index 0f1e970fbbb3..93918b55b1a5 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -390,6 +390,9 @@ [PcdsFeatureFlag] !ifdef $(CSM_ENABLE) gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable|TRUE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc index 2d53b5c2950d..3c988f3e65e0 100644 --- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc 
@@ -476,6 +476,9 @@ [PcdsFeatureFlag] gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdInstallAcpiSdtProtocol|TRUE +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index f232de13a7b6..22dc29330d2d 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -488,6 +488,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index a9d422bd9169..6b539814bdb0 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -493,6 +493,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 3f970a79a08a..f6b8b342c4ed 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc 
@@ -513,6 +513,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 --=20 2.30.2
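Review bot: In the BhyveX64.dsc hunk, and identically in the six other OvmfPkg DSC hunks, the added block sets PcdRequireSelfSignedPk to TRUE, which is already the default declared in patch 1/4 (PcdRequireSelfSignedPk|TRUE|BOOLEAN), so the guard on SECURE_BOOT_ENABLE changes nothing in either build configuration. If the purpose is to pin the value against a later change of the default, say so in the commit message or in a comment above the block; otherwise the block can be dropped.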
From: "Jan Bobek via groups.io"
CC: Jan Bobek, Laszlo Ersek, "Jiewen Yao", Ard Biesheuvel, "Leif Lindholm", Sami Mujawar, Gerd Hoffmann
Subject: [edk2-devel] [PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled
Date: Fri, 20 Jan 2023 15:58:34 -0700
Message-ID: <20230120225835.42733-4-jbobek@nvidia.com>
In-Reply-To: <20230120225835.42733-1-jbobek@nvidia.com>
References: <20230120225835.42733-1-jbobek@nvidia.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506

In all DSC files that define SECURE_BOOT_ENABLE, opt in to requiring
self-signed PK when SECURE_BOOT_ENABLE is TRUE.

Cc: Ard Biesheuvel
Cc: Leif Lindholm
Cc: Sami Mujawar
Cc: Gerd Hoffmann
Signed-off-by: Jan Bobek
Acked-by: Jiewen Yao
Reviewed-by: Sean Brogan
---
 ArmVirtPkg/ArmVirtCloudHv.dsc    | 4 ++++
 ArmVirtPkg/ArmVirtQemu.dsc       | 4 ++++
 ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc index 7ca7a391d9cf..dc33936d6f03 100644
@@ -85,6 +85,10 @@ [PcdsFeatureFlag.common] =20 gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif + [PcdsFixedAtBuild.common] !if $(ARCH) =3D=3D AARCH64 gArmTokenSpaceGuid.PcdVFPEnabled|1 diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index 0f1c6395488a..31fd0e5279ab 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -145,6 +145,10 @@ [PcdsFeatureFlag.common] =20 gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE) =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif + [PcdsFixedAtBuild.common] !if $(ARCH) =3D=3D AARCH64 gArmTokenSpaceGuid.PcdVFPEnabled|1 diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKerne= l.dsc index 807c85d48285..1e0f06c91137 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc 
@@ -114,6 +114,10 @@ [PcdsFeatureFlag.common] =20 gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport|TRUE =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif + [PcdsFixedAtBuild.common] !if $(ARCH) =3D=3D AARCH64 gArmTokenSpaceGuid.PcdVFPEnabled|1 --=20 2.30.2
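Review bot: In the ArmVirtQemu.dsc hunk the new PCD is wrapped in an !if/!endif block, while the context line directly above it sets its flag by macro substitution (gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled|$(TPM2_ENABLE)). Writing gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|$(SECURE_BOOT_ENABLE) would match that style and make the value explicit in both build configurations instead of falling back to the .dec default when SECURE_BOOT_ENABLE is not TRUE. If the conditional form is preferred, a short comment saying why would help the next reader.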
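Review bot: The block added to ArmVirtCloudHv.dsc and ArmVirtQemuKernel.dsc is the same three lines as in ArmVirtQemu.dsc, and none of the three copies carries a comment explaining why the platform sets the PCD. Once patch 4/4 changes the default to FALSE, a DSC that defines SECURE_BOOT_ENABLE but lacks this block will accept a PK that is not self-signed when enrolling in setup mode, with no build-time hint. Suggest a one-line comment above each !if stating that it keeps the legacy self-signed requirement, and consider whether the setting belongs in a file shared by the three platforms so that a future DSC picks it up automatically.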
From: "Jan Bobek via groups.io"
CC: Jan Bobek, Laszlo Ersek, "Jiewen Yao", Jian J Wang
Subject: [edk2-devel] [PATCH v1 4/4] SecurityPkg: don't require PK to be self-signed by default
Date: Fri, 20 Jan 2023 15:58:35 -0700
Message-ID: <20230120225835.42733-5-jbobek@nvidia.com>
In-Reply-To: <20230120225835.42733-1-jbobek@nvidia.com>
References: <20230120225835.42733-1-jbobek@nvidia.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506

Change the default value of PcdRequireSelfSignedPk to FALSE in accordance with UEFI spec, which states that PK need not be self-signed when enrolling in setup mode.

Note that this relaxes the legacy behavior, which required the PK to be self-signed in this case.

Cc: Jiewen Yao
Cc: Jian J Wang
Signed-off-by: Jan Bobek
Acked-by: Jiewen Yao
Reviewed-by: Sean Brogan
--- SecurityPkg/SecurityPkg.dec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index d3b7ad7ff6fb..0382090f4e75 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec 
@@ -585,7 +585,7 @@ [PcdsFeatureFlag] # TRUE - Require PK to be self-signed. # FALSE - Do not require PK to be self-signed. # @Prompt Require PK to be self-signed - gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE|BOOLEAN|0x000= 10027 + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|FALSE|BOOLEAN|0x00= 010027 =20 [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni --=20 2.30.2
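Review bot: The PCD whose default changes here is declared in SecurityPkg/SecurityPkg.dec but under the token space gEfiMdeModulePkgTokenSpaceGuid, so platform DSCs (as in 3/4) reference an MdeModulePkg-named GUID for a SecurityPkg feature flag. Please confirm that is intended rather than gEfiSecurityPkgTokenSpaceGuid, since renaming it later would break every DSC that sets it. Separately, the comment block above the declaration still only lists what TRUE and FALSE mean; with the default now FALSE it should say so and note that platforms wanting the legacy self-signed check must set the PCD to TRUE, because DSCs outside this series lose that check silently.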