From nobody Mon Feb 9 20:11:21 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+75653+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+75653+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1622031117; cv=none; d=zohomail.com; s=zohoarc; b=mxBcO9EOAK6p+jkv/CeoDeRolJIKA+k89+wyWTuPThPbYJswCp7Y2EkI6JKu17dlkgaEdSFRL7OzScK5BVmwtUJXIKPmoAM7NrBW8wEiq8HFl0QKwGQZmxdk3qoqxDUAHIkWSO7cyqOLQEzn7zeyBOR5aE8QMNfWSrzJ6roaUuA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1622031117; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=7jmdLD6HFCVbZLTiANWPC5AIRbTQlC6eEad9uTjXLPw=; b=gf072zucR7kWKJXalPK0J8ukDuucZZtdf/7FskzofgKk/B7bRHlbfhBZa8hxxEp7SjWd25mgWfY7O9XbrM/G3szRJE1fBZe2An63T/XqlkUOdfqgQFWLkrWJJXWfhviQ/Cn0ByEyveINVzJqmHks8qGmav3F1nKy3177PsHNoj4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+75653+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 162203111760372.1418747522074; Wed, 26 May 2021 05:11:57 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id j1C0YY1788612xPWdEDLg7lA; Wed, 26 May 2021 05:11:57 -0700 X-Received: from mail-lf1-f51.google.com (mail-lf1-f51.google.com [209.85.167.51]) by mx.groups.io with SMTP id smtpd.web09.5123.1622022161627166054 for ; Wed, 26 May 2021 02:42:42 -0700 X-Received: by mail-lf1-f51.google.com with SMTP id q7so1581128lfr.6 for ; Wed, 26 May 2021 02:42:41 -0700 (PDT) X-Gm-Message-State: ZW1akJWHPhxHQCKVOKBDsKEcx1787277AA= X-Google-Smtp-Source: ABdhPJzF81rqcsYJYTp36FWuUK+Hxz5O0B63dyEClkBedJPH4yCE/h+qxDB5kPFYdEYhbyrjC9Viiw== X-Received: by 2002:a05:6512:3dac:: with SMTP id k44mr1578340lfv.256.1622022159593; Wed, 26 May 2021 02:42:39 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id y19sm2380268ljy.32.2021.05.26.02.42.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 26 May 2021 02:42:39 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, gjb@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com Subject: [edk2-devel] [PATCH 3/6] SecurityPkg: Add SecBootDefaultKeysDxe driver Date: Wed, 26 May 2021 11:42:01 +0200 Message-Id: <20210526094204.73600-5-gjb@semihalf.com> In-Reply-To: <20210526094204.73600-1-gjb@semihalf.com> References: <20210526094204.73600-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1622031117; bh=tXl72mZGV2ZeTiHMTcYpdd0QypE4YQFb8ZJObwHg1vU=; h=Cc:Date:From:Reply-To:Subject:To; b=uQNB+VOD9bty10l1U1WVrUz8WYjrgjIbpSJIMwnQ81xXozx9y3vltjgdNLX9i6lOwZ4 Jk6E+i7VwCSaZFWHCgxE2xLPasPOAFzU7KO0HABoMQs9aZi83xazpd+m2/RQoAAFSi5ng IXRewXBqDtvOoSsXQyH0Mn0T1Z7GtUzHKcU= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This driver initializes default Secure Boot keys and databases based on keys embedded in flash. Signed-off-by: Grzegorz Bernacki --- SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeys= Dxe.inf | 46 +++++++++++++ SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeys= Dxe.c | 69 ++++++++++++++++++++ SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeys= Dxe.uni | 17 +++++ 3 files changed, 132 insertions(+) create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe= /SecBootDefaultKeysDxe.inf create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe= /SecBootDefaultKeysDxe.c create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe= /SecBootDefaultKeysDxe.uni diff --git a/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBoo= tDefaultKeysDxe.inf b/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysD= xe/SecBootDefaultKeysDxe.inf new file mode 100644 index 0000000000..28e197ca2f --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaul= tKeysDxe.inf @@ -0,0 +1,46 @@ +## @file +# Initializes Secure Boot default keys +# +# Copyright (c) 2021, ARM Ltd. All rights reserved.
+# Copyright (c) 2021, Semihalf All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SecBootDefaultKeysDxe + FILE_GUID =3D C937FCB7-25AC-4376-89A2-4EA8B317DE83 + MODULE_TYPE =3D DXE_DRIVER + ENTRY_POINT =3D SecBootDefaultKeysEntryPoint + +# +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 +# +[Sources] + SecBootDefaultKeysDxe.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + MemoryAllocationLib + UefiDriverEntryPoint + DebugLib + SecBootVariableLib + +[Guids] + ## SOMETIMES_PRODUCES ## Variable:L"PKDefault" + ## SOMETIMES_PRODUCES ## Variable:L"KEKDefault" + ## SOMETIMES_PRODUCES ## Variable:L"dbDefault" + ## SOMETIMES_PRODUCES ## Variable:L"dbtDefault" + ## SOMETIMES_PRODUCES ## Variable:L"dbxDefault" + gEfiGlobalVariableGuid + +[Depex] + gEfiVariableArchProtocolGuid AND + gEfiVariableWriteArchProtocolGuid + diff --git a/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBoo= tDefaultKeysDxe.c b/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe= /SecBootDefaultKeysDxe.c new file mode 100644 index 0000000000..a68dc2571d --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaul= tKeysDxe.c @@ -0,0 +1,69 @@ +/** @file + This driver init default Secure Boot variables + +Copyright (c) 2021, ARM Ltd. All rights reserved.
+Copyright (c) 2021, Semihalf All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** + The entry point for SecBootDefaultKeys driver. + + @param[in] ImageHandle The image handle of the driver. + @param[in] SystemTable The system table. + + @retval EFI_ALREADY_STARTED The driver already exists in system. + @retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack o= f resources. + @retval EFI_SUCCESS All the related protocols are installed o= n the driver. + @retval Others Fail to get the SecureBootEnable variable. + +**/ +EFI_STATUS +EFIAPI +SecBootDefaultKeysEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + + Status =3D SecBootInitPKDefault (); + if (EFI_ERROR (Status)) { + DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __FUNCTIO= N__, Status)); + return Status; + } + + Status =3D SecBootInitKEKDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __FUNCT= ION__, Status)); + return Status; + } + Status =3D SecBootInitdbDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __FUNCTI= ON__, Status)); + return Status; + } + + Status =3D SecBootInitdbtDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__)); + } + + Status =3D SecBootInitdbxDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__)); + } + + return Status; +} + diff --git a/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBoo= tDefaultKeysDxe.uni b/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysD= xe/SecBootDefaultKeysDxe.uni new file mode 100644 index 0000000000..30f03aee5d --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaul= tKeysDxe.uni @@ -0,0 +1,17 @@ +// /** @file +// Provides the capability to intialize Secure Boot default variables +// +// Module which initializes Secure boot default variables. +// +// Copyright (c) 2021, ARM Ltd. All rights reserved.
+// Copyright (c) 2021, Semihalf All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Module which init= ializes Secure boot default variables" + +#string STR_MODULE_DESCRIPTION #language en-US "This module reads= embedded keys and initializes Secure Boot default variables." + --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#75653): https://edk2.groups.io/g/devel/message/75653 Mute This Topic: https://groups.io/mt/83098885/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-