回复: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

gaoliming posted 1 patch 3 years, 6 months ago
Failed in applying to current master (apply log)
2 files changed, 49 insertions(+), 2 deletions(-)
回复: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
Posted by gaoliming 3 years, 6 months ago
Yes. Current CI for EmulatorPkg is the default build. It doesn’t cover the build with SECURE_BOOT_ENABLE enable. Please submit one BZ for this request. 

 

Thanks

Liming

发件人: bounce+27952+65409+4905953+8761045@groups.io <bounce+27952+65409+4905953+8761045@groups.io> 代表 Wadhawan, Divneil R
发送时间: 2020年9月19日 13:34
收件人: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
抄送: gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>
主题: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

The CI may be missing SECURE_BOOT_ENABLE configuration for EmulatorPkg.

If you can help with the steps to add a configuration in CI, I can work on that.

 

From: Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> > 
Sent: Saturday, September 19, 2020 5:31 AM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >; devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

It’s very strange that the build test cannot detect this.

To follow today’s process, you need to send another patch for review.

 

  _____

发件人: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >
发送时间: Saturday, September 19, 2020 3:41:11 AM
收件人: devel@edk2.groups.io <mailto:devel@edk2.groups.io>  <devel@edk2.groups.io <mailto:devel@edk2.groups.io> >; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >; Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> >
抄送: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >
主题: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot 

 

Hi Ray,

 

I saw that a patch merged few hours ago before my patch added RngLib in [LibraryClasses] section of OpensslLib.

This caused the EmulatorPkg Secure boot enable build to fail.

I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942

 

Regards,

Divneil

 

From: devel@edk2.groups.io <mailto:devel@edk2.groups.io>  <devel@edk2.groups.io <mailto:devel@edk2.groups.io> > On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> >; devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Hi Ray,

 

Thanks for your help.

I see the patch is merged now. :)

 

Regards,

Divneil

 

From: Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> > 
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >; devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Divneil,

pull request is created: https://github.com/tianocore/edk2/pull/941

 

If it succeeds, the patch will be merged automatically.

If it fails, please check the specific failure message and provide updated patch.

 

Thanks,

Ray

 

From: Ni, Ray 
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >; devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Reviewed-by: Ray Ni <ray.ni@intel.com <mailto:ray.ni@intel.com> >

 

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> > 
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> >; devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Hi Ray,

 

Yes, I have tested the following:

 

A.     SECURE_BOOT_ENABLE=true

*	Key Enrollment (PK, KEK, db) via custom mode
*	Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)

 

B.     SECURE_BOOT_ENABLE=false (default case)

*	Secure Boot Configuration menu is not visible (Same as existing default case)
*	Execution of Unit Test Application (Signed/Unsigned both works okay)

 

I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.

The script generates the full key hierarchy that makes it easy to test this patch.

The patch in BZ requires modifications as per Mike’s comment, so, you can skip the patches in BZ for now.

 

Regards,

Divneil

 

From: Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> > 
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >; devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

Divneil,

Just want to double confirm: did you test the secure boot and non-secure boot?

 

Thanks,

Ray

 

From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> > 
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io <mailto:devel@edk2.groups.io> 
Cc: Ni, Ray <ray.ni@intel.com <mailto:ray.ni@intel.com> >; gaoliming <gaoliming@byosoft.com.cn <mailto:gaoliming@byosoft.com.cn> >; 'Andrew Fish' <afish@apple.com <mailto:afish@apple.com> >; Justen, Jordan L <jordan.l.justen@intel.com <mailto:jordan.l.justen@intel.com> >; Kinney, Michael D <michael.d.kinney@intel.com <mailto:michael.d.kinney@intel.com> >; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

 

SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.

The following gets enabled with this patch:

o Secure Boot Menu in "Device Manager" for enrolling keys

o Storage space for Authenticated Variables

o Authenticated execution of 3rd party images

 

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com <mailto:divneil.r.wadhawan@intel.com> >

---

EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--

EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++

2 files changed, 49 insertions(+), 2 deletions(-)

 

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc

index 86a6271735..c6e25c745e 100644

--- a/EmulatorPkg/EmulatorPkg.dsc

+++ b/EmulatorPkg/EmulatorPkg.dsc

@@ -32,6 +32,7 @@

   DEFINE NETWORK_TLS_ENABLE       = FALSE

   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE

   DEFINE NETWORK_ISCSI_ENABLE     = FALSE

+  DEFINE SECURE_BOOT_ENABLE       = FALSE

 

 [SkuIds]

   0|DEFAULT

@@ -106,12 +107,20 @@

   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf

   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf

   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf

-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf

   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf

   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf

   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf

   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

 

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf

+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf

+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf

+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf

+!else

+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf

+!endif

+

[LibraryClasses.common.SEC]

   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf

   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf

@@ -162,6 +171,16 @@

   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf

  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf

 

+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

+!endif

+

+[LibraryClasses.common.DXE_RUNTIME_DRIVER]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

+!endif

+

[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf

   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf

@@ -190,6 +209,10 @@

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800

+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE

+!endif

 

   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"

 

@@ -306,7 +329,14 @@

   EmulatorPkg/ResetRuntimeDxe/Reset.inf

   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf

   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf

-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf

+

+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {

+    <LibraryClasses>

+!if $(SECURE_BOOT_ENABLE) == TRUE

+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf

+!endif

+  }

+

   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf

   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf

   EmulatorPkg/EmuThunkDxe/EmuThunk.inf

@@ -315,6 +345,9 @@

   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf

   EmulatorPkg/TimerDxe/Timer.inf

 

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+!endif

 

   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {

     <LibraryClasses>

diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf

index 295f6f1db8..b256aa9397 100644

--- a/EmulatorPkg/EmulatorPkg.fdf

+++ b/EmulatorPkg/EmulatorPkg.fdf

@@ -46,10 +46,17 @@ DATA = {

   # Blockmap[1]: End

   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

   ## This is the VARIABLE_STORE_HEADER

+!if $(SECURE_BOOT_ENABLE) == FALSE

   #Signature: gEfiVariableGuid =

   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}

   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,

   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,

+!else

+  # Signature: gEfiAuthenticatedVariableGuid =

+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}

+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,

+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,

+!endif

   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8

   # This can speed up the Variable Dispatch a bit.

   0xB8, 0xBF, 0x00, 0x00,

@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf

INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf

INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf

 

+#

+# Secure Boot Key Enroll

+#

+!if $(SECURE_BOOT_ENABLE) == TRUE

+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+!endif

+

#

# Network stack drivers

#

-- 

2.24.1.windows.2

 





-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#65412): https://edk2.groups.io/g/devel/message/65412
Mute This Topic: https://groups.io/mt/76981992/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-


Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
Posted by Wadhawan, Divneil R 3 years, 6 months ago
Hi Liming,
Here’s the bz: https://bugzilla.tianocore.org/show_bug.cgi?id=2979

Regards,
Divneil

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of gaoliming
Sent: Monday, September 21, 2020 6:19 AM
To: devel@edk2.groups.io; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>; Ni, Ray <ray.ni@intel.com>
Cc: 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>
Subject: 回复: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

Yes. Current CI for EmulatorPkg is the default build. It doesn’t cover the build with SECURE_BOOT_ENABLE enable. Please submit one BZ for this request.

Thanks
Liming
发件人: bounce+27952+65409+4905953+8761045@groups.io<mailto:bounce+27952+65409+4905953+8761045@groups.io> <bounce+27952+65409+4905953+8761045@groups.io<mailto:bounce+27952+65409+4905953+8761045@groups.io>> 代表 Wadhawan, Divneil R
发送时间: 2020年9月19日 13:34
收件人: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
抄送: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
主题: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

The CI may be missing SECURE_BOOT_ENABLE configuration for EmulatorPkg.
If you can help with the steps to add a configuration in CI, I can work on that.

From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Saturday, September 19, 2020 5:31 AM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot

It’s very strange that the build test cannot detect this.
To follow today’s process, you need to send another patch for review.

________________________________
发件人: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
发送时间: Saturday, September 19, 2020 3:41:11 AM
收件人: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
抄送: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
主题: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot


Hi Ray,



I saw that a patch merged few hours ago before my patch added RngLib in [LibraryClasses] section of OpensslLib.

This caused the EmulatorPkg Secure boot enable build to fail.

I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942



Regards,

Divneil



From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Hi Ray,



Thanks for your help.

I see the patch is merged now. :)



Regards,

Divneil



From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Divneil,

pull request is created: https://github.com/tianocore/edk2/pull/941



If it succeeds, the patch will be merged automatically.

If it fails, please check the specific failure message and provide updated patch.



Thanks,

Ray



From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Reviewed-by: Ray Ni <ray.ni@intel.com<mailto:ray.ni@intel.com>>



From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Hi Ray,



Yes, I have tested the following:



A.     SECURE_BOOT_ENABLE=true

  *   Key Enrollment (PK, KEK, db) via custom mode
  *   Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)



B.     SECURE_BOOT_ENABLE=false (default case)

  *   Secure Boot Configuration menu is not visible (Same as existing default case)
  *   Execution of Unit Test Application (Signed/Unsigned both works okay)



I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.

The script generates the full key hierarchy that makes it easy to test this patch.

The patch in BZ requires modifications as per Mike’s comment, so, you can skip the patches in BZ for now.



Regards,

Divneil



From: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



Divneil,

Just want to double confirm: did you test the secure boot and non-secure boot?



Thanks,

Ray



From: Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Ni, Ray <ray.ni@intel.com<mailto:ray.ni@intel.com>>; gaoliming <gaoliming@byosoft.com.cn<mailto:gaoliming@byosoft.com.cn>>; 'Andrew Fish' <afish@apple.com<mailto:afish@apple.com>>; Justen, Jordan L <jordan.l.justen@intel.com<mailto:jordan.l.justen@intel.com>>; Kinney, Michael D <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot



SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.

The following gets enabled with this patch:

o Secure Boot Menu in "Device Manager" for enrolling keys

o Storage space for Authenticated Variables

o Authenticated execution of 3rd party images



Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com<mailto:divneil.r.wadhawan@intel.com>>

---

EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--

EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++

2 files changed, 49 insertions(+), 2 deletions(-)



diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc

index 86a6271735..c6e25c745e 100644

--- a/EmulatorPkg/EmulatorPkg.dsc

+++ b/EmulatorPkg/EmulatorPkg.dsc

@@ -32,6 +32,7 @@

   DEFINE NETWORK_TLS_ENABLE       = FALSE

   DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE

   DEFINE NETWORK_ISCSI_ENABLE     = FALSE

+  DEFINE SECURE_BOOT_ENABLE       = FALSE



 [SkuIds]

   0|DEFAULT

@@ -106,12 +107,20 @@

   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf

   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf

   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf

-  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf

   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf

   SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf

   ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf

   FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf



+!if $(SECURE_BOOT_ENABLE) == TRUE

+  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf

+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf

+  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf

+  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf

+!else

+  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf

+!endif

+

[LibraryClasses.common.SEC]

   PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf

   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf

@@ -162,6 +171,16 @@

   TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf

  EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf



+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf

+!endif

+

+[LibraryClasses.common.DXE_RUNTIME_DRIVER]

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf

+!endif

+

[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]

   HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf

   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf

@@ -190,6 +209,10 @@

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000

   gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"

+!if $(SECURE_BOOT_ENABLE) == TRUE

+  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800

+  gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE

+!endif



   gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"



@@ -306,7 +329,14 @@

   EmulatorPkg/ResetRuntimeDxe/Reset.inf

   MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf

   EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf

-  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf

+

+  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {

+    <LibraryClasses>

+!if $(SECURE_BOOT_ENABLE) == TRUE

+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf

+!endif

+  }

+

   MdeModulePkg/Universal/EbcDxe/EbcDxe.inf

   MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf

   EmulatorPkg/EmuThunkDxe/EmuThunk.inf

@@ -315,6 +345,9 @@

   EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf

   EmulatorPkg/TimerDxe/Timer.inf



+!if $(SECURE_BOOT_ENABLE) == TRUE

+  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+!endif



   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {

     <LibraryClasses>

diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf

index 295f6f1db8..b256aa9397 100644

--- a/EmulatorPkg/EmulatorPkg.fdf

+++ b/EmulatorPkg/EmulatorPkg.fdf

@@ -46,10 +46,17 @@ DATA = {

   # Blockmap[1]: End

   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,

   ## This is the VARIABLE_STORE_HEADER

+!if $(SECURE_BOOT_ENABLE) == FALSE

   #Signature: gEfiVariableGuid =

   #  { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}

   0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,

   0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,

+!else

+  # Signature: gEfiAuthenticatedVariableGuid =

+  #  { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}

+  0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,

+  0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,

+!endif

   #Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8

   # This can speed up the Variable Dispatch a bit.

   0xB8, 0xBF, 0x00, 0x00,

@@ -186,6 +193,13 @@ INF  RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf

INF  MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf

INF  MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf



+#

+# Secure Boot Key Enroll

+#

+!if $(SECURE_BOOT_ENABLE) == TRUE

+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf

+!endif

+

#

# Network stack drivers

#

--

2.24.1.windows.2





-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#65415): https://edk2.groups.io/g/devel/message/65415
Mute This Topic: https://groups.io/mt/76985945/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-