From nobody Sat Feb 7 07:31:16 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+39688+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39688+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1556326452; cv=none; d=zoho.com; s=zohoarc; b=FoAoAPPNIs0nlfDnJb+hfulntSSBJJNC2858/s21MpFKe8UJdZ5jYXEdMlaHtsuq/rgFmfOp7xKGCMNFR6P8gWHceMwgbwSTI+pfybZr/3eX4DaHF5mQIleQGKjY7mngJ0cwZil+fM+FKOUbnK1fFB247vb+lxXSyLm+q6GChFU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1556326452; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=WpWCp0HyI2Tiq6om4bN/E0wbTU4meqhzzct+BjSen/w=; b=KnIfUY+8GhLfTfeC51eTHZqZNbnfxQv/aODDeWzFeUnuB49+LJGBQYSBpvBiPLcP7YejaH/+cCGi+TZVHXxWm8k1mKqKv8ZnNPBbKEFW7sijZe/OVMYFzY/lH3bB6mlu8v44eSVw3UOL3+tqgeyT7BszmpGD1DSsSarrlxARCWg= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+39688+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 155632645249012.842441029754127; Fri, 26 Apr 2019 17:54:12 -0700 (PDT) Return-Path: X-Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Fri, 26 Apr 2019 17:54:11 -0700 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 53215A049B; Sat, 27 Apr 2019 00:54:11 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-104.rdu2.redhat.com [10.10.121.104]) by smtp.corp.redhat.com (Postfix) with ESMTP id BEE6D5D71B; Sat, 27 Apr 2019 00:54:09 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Anthony Perard , Ard Biesheuvel , Jordan Justen , Julien Grall Subject: [edk2-devel] [PATCH 13/16] OvmfPkg/EnrollDefaultKeys: document the steps of the entry point function Date: Sat, 27 Apr 2019 02:53:25 +0200 Message-Id: <20190427005328.27005-14-lersek@redhat.com> In-Reply-To: <20190427005328.27005-1-lersek@redhat.com> References: <20190427005328.27005-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Sat, 27 Apr 2019 00:54:11 +0000 (UTC) Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1556326452; bh=/K1jZpORaU/llSyX4fffJojp5FnKInAKON1QwaJ7sK0=; h=Cc:Date:From:Reply-To:Subject:To; b=vyEXseJxydI4iV4HtEeMvPF0NbRVE+JemsSUsm2csGKMgHBxaTo+xy5kzZnxK8AL6XS UPVGQPBSS4yPVCbMOZnMF2oXA1bIscJQLM+t2QfTK7B+qLF3QQlaZ0xHXDlzvUXU3vScL lua3b0blNre8f4JFfvxz8fGAeSADpbGBZiE= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" The entry point function of EnrollDefaultKeys finishes with a sanity check, verifying the values of the Secure Boot-related "control" variables. Add a diagram to explain why we expect the values we do. While at it, write comments on the rest of the entry point function. Cc: Anthony Perard Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Julien Grall Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1747 Signed-off-by: Laszlo Ersek Reviewed-by: Philippe Mathieu-Daude --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 54 ++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/Enroll= DefaultKeys/EnrollDefaultKeys.c index 07297c631f38..9c4a0f06fb4d 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -356,92 +356,146 @@ EFIAPI ShellAppMain ( IN UINTN Argc, IN CHAR16 **Argv ) { EFI_STATUS Status; SETTINGS Settings; =20 + // + // If we're not in Setup Mode, we can't do anything. + // Status =3D GetSettings (&Settings); if (EFI_ERROR (Status)) { return 1; } PrintSettings (&Settings); =20 if (Settings.SetupMode !=3D 1) { AsciiPrint ("error: already in User Mode\n"); return 1; } =20 + // + // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signa= ture + // checks on those variable writes. + // if (Settings.CustomMode !=3D CUSTOM_SECURE_BOOT_MODE) { Settings.CustomMode =3D CUSTOM_SECURE_BOOT_MODE; Status =3D gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnab= leGuid, (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS), sizeof Settings.CustomMode, &Settings.CustomMode); if (EFI_ERROR (Status)) { AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_= NAME, &gEfiCustomModeEnableGuid, Status); return 1; } } =20 + // + // Enroll db. + // Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, &gEfiCertX509Guid, mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGu= id, mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGu= id, NULL); if (EFI_ERROR (Status)) { return 1; } =20 + // + // Enroll dbx. + // Status =3D EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, &gEfiCertSha256Guid, mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 + // + // Enroll KEK. + // Status =3D EnrollListOfCerts ( EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid, mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 + // + // Enroll PK, leaving Setup Mode (entering User Mode) at once. + // Status =3D EnrollListOfCerts ( EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiGlobalVariableGuid, NULL); if (EFI_ERROR (Status)) { return 1; } =20 + // + // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require va= lid + // signatures. + // Settings.CustomMode =3D STANDARD_SECURE_BOOT_MODE; Status =3D gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnable= Guid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACC= ESS, sizeof Settings.CustomMode, &Settings.CustomMode); if (EFI_ERROR (Status)) { AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NA= ME, &gEfiCustomModeEnableGuid, Status); return 1; } =20 + // + // Final sanity check: + // + // [SetupMode] + // (read-only, standardized by UEFI) + // / \_ + // 0 1, default + // / \_ + // PK enrolled no PK enrolled yet, + // (this is called "User Mode") PK enrollment poss= ible + // | + // | + // [SecureBootEnable] + // (read-write, edk2-specific, boot service only) + // / \_ + // 0 1, default + // / \_ + // [SecureBoot]=3D0 [SecureBoot]=3D1 + // (read-only, standardized by UEFI) (read-only, standardized by UEFI) + // images are not verified images are verified, platform is + // operating in Secure Boot mode + // | + // | + // [CustomMode] + // (read-write, edk2-specific, boot service onl= y) + // / \_ + // 0, default 1 + // / \_ + // PK, KEK, db, dbx PK, KEK, db, dbx + // updates are verified updates are not veri= fied + // Status =3D GetSettings (&Settings); if (EFI_ERROR (Status)) { return 1; } PrintSettings (&Settings); =20 if (Settings.SetupMode !=3D 0 || Settings.SecureBoot !=3D 1 || Settings.SecureBootEnable !=3D 1 || Settings.CustomMode !=3D 0 || --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39688): https://edk2.groups.io/g/devel/message/39688 Mute This Topic: https://groups.io/mt/31359385/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-