1. Patchew
  2. EDK2
  3. View series

[edk2-devel] [PATCH v2 0/6] Secure Boot default keys

Grzegorz Bernacki posted 6 patches 2 years, 11 months ago
Failed in applying to current master (apply log)
There is a newer version of this series
SecurityPkg/SecurityPkg.dec                                                             |  14 +
SecurityPkg/SecurityPkg.dsc                                                             |   5 +
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                       |  47 +
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                     |  79 ++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf           |   2 +
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf |  46 +
SecurityPkg/Include/Library/SecureBootVariableLib.h                                     | 252 +++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h          |   2 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr              |   6 +
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                         | 107 +++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                       | 979 ++++++++++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c            | 343 ++++---
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   |  69 ++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                     |  16 +
SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62 ++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni       |   4 +
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni |  17 +
17 files changed, 1862 insertions(+), 188 deletions(-)
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
[edk2-devel] [PATCH v2 0/6] Secure Boot default keys
Posted by Grzegorz Bernacki 2 years, 11 months ago 
This patchset adds support for initialization of default
Secure Boot variables based on keys content embedded in
flash binary. This feature is active only if Secure Boot
is enabled and DEFAULT_KEY is defined. The patchset
consist also application to enroll keys from default
variables and secure boot menu change to allow user
to reset key content to default values.
Discussion on design can be found at:
https://edk2.groups.io/g/rfc/topic/82139806#600

I also added patch for RPi4 which enables this feature for
that platform.

Changes since v1:
- change names:
  SecBootVariableLib => SecureBootVariableLib
  SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
  SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
- change name of function CheckSetupMode to GetSetupMode
- remove ShellPkg dependecy from EnrollFromDefaultKeysApp
- rebase to master

Grzegorz Bernacki (6):
[edk2]
  SecurityPkg: Create library for setting Secure Boot variables.
  SecurityPkg: Create include file for default key content.
  SecurityPkg: Add SecureBootDefaultKeysDxe driver
  SecurityPkg: Add EnrollFromDefaultKeys application.
  SecurityPkg: Add new modules to Security package.
  SecurityPkg: Add option to reset secure boot keys.
[edk2-platform]
  Platform/RaspberryPi: Enable default Secure Boot variables initialization

 SecurityPkg/SecurityPkg.dec                                                             |  14 +
 SecurityPkg/SecurityPkg.dsc                                                             |   5 +
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                       |  47 +
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                     |  79 ++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf           |   2 +
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf |  46 +
 SecurityPkg/Include/Library/SecureBootVariableLib.h                                     | 252 +++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h          |   2 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr              |   6 +
 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                         | 107 +++
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                       | 979 ++++++++++++++++++++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c            | 343 ++++---
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   |  69 ++
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                     |  16 +
 SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62 ++
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni       |   4 +
 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni |  17 +
 17 files changed, 1862 insertions(+), 188 deletions(-)
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
 create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
 create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
 create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
 create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni

-- 
2.25.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#75900): https://edk2.groups.io/g/devel/message/75900
Mute This Topic: https://groups.io/mt/83232291/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 0/6] Secure Boot default keys
Posted by Min Xu 2 years, 11 months ago 
Grzegorz
Have you built this feature with different tool chains, such as VS2017/VS2019/GCC5? And test it in IA32/X64/AARCH64?
Would you post your test result in the mail?
Thanks much!

> -----Original Message-----
> From: Grzegorz Bernacki <gjb@semihalf.com>
> Sent: Tuesday, June 1, 2021 9:12 PM
> To: devel@edk2.groups.io
> Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
> Subject: [PATCH v2 0/6] Secure Boot default keys
> 
> This patchset adds support for initialization of default Secure Boot variables
> based on keys content embedded in flash binary. This feature is active only if
> Secure Boot is enabled and DEFAULT_KEY is defined. The patchset consist
> also application to enroll keys from default variables and secure boot menu
> change to allow user to reset key content to default values.
> Discussion on design can be found at:
> https://edk2.groups.io/g/rfc/topic/82139806#600
> 
> I also added patch for RPi4 which enables this feature for that platform.
> 
> Changes since v1:
> - change names:
>   SecBootVariableLib => SecureBootVariableLib
>   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
>   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> - change name of function CheckSetupMode to GetSetupMode
> - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> - rebase to master
> 
> Grzegorz Bernacki (6):
> [edk2]
>   SecurityPkg: Create library for setting Secure Boot variables.
>   SecurityPkg: Create include file for default key content.
>   SecurityPkg: Add SecureBootDefaultKeysDxe driver
>   SecurityPkg: Add EnrollFromDefaultKeys application.
>   SecurityPkg: Add new modules to Security package.
>   SecurityPkg: Add option to reset secure boot keys.
> [edk2-platform]
>   Platform/RaspberryPi: Enable default Secure Boot variables initialization
> 
>  SecurityPkg/SecurityPkg.dec                                                             |  14 +
>  SecurityPkg/SecurityPkg.dsc                                                             |   5 +
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> |  47 +
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> |  79 ++
> 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> Dxe.inf           |   2 +
> 
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf |  46 +
>  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     |
> 252 +++++
> 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> NvData.h          |   2 +
> 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> vfr              |   6 +
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> | 107 +++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> | 979 ++++++++++++++++++++
> 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> mpl.c            | 343 ++++---
> 
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.c   |  69 ++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> |  16 +
>  SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62 ++
> 
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> trings.uni       |   4 +
> 
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.uni |  17 +
>  17 files changed, 1862 insertions(+), 188 deletions(-)  create mode 100644
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
>  create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>  create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.inf
>  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
>  create mode 100644
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
>  create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
>  create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.c
>  create mode 100644
> SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
>  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
>  create mode 100644
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> efaultKeysDxe.uni
> 
> --
> 2.25.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#76048): https://edk2.groups.io/g/devel/message/76048
Mute This Topic: https://groups.io/mt/83232291/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 0/6] Secure Boot default keys
Posted by Grzegorz Bernacki 2 years, 10 months ago 
Hi Min M,

I tested it with Ovmf. I will try other compiler and provide you logs soon.

thanks,
greg

pt., 4 cze 2021 o 10:17 Xu, Min M <min.m.xu@intel.com> napisał(a):
>
> Grzegorz
> Have you built this feature with different tool chains, such as VS2017/VS2019/GCC5? And test it in IA32/X64/AARCH64?
> Would you post your test result in the mail?
> Thanks much!
>
> > -----Original Message-----
> > From: Grzegorz Bernacki <gjb@semihalf.com>
> > Sent: Tuesday, June 1, 2021 9:12 PM
> > To: devel@edk2.groups.io
> > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> > upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
> > Subject: [PATCH v2 0/6] Secure Boot default keys
> >
> > This patchset adds support for initialization of default Secure Boot variables
> > based on keys content embedded in flash binary. This feature is active only if
> > Secure Boot is enabled and DEFAULT_KEY is defined. The patchset consist
> > also application to enroll keys from default variables and secure boot menu
> > change to allow user to reset key content to default values.
> > Discussion on design can be found at:
> > https://edk2.groups.io/g/rfc/topic/82139806#600
> >
> > I also added patch for RPi4 which enables this feature for that platform.
> >
> > Changes since v1:
> > - change names:
> >   SecBootVariableLib => SecureBootVariableLib
> >   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> >   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > - change name of function CheckSetupMode to GetSetupMode
> > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > - rebase to master
> >
> > Grzegorz Bernacki (6):
> > [edk2]
> >   SecurityPkg: Create library for setting Secure Boot variables.
> >   SecurityPkg: Create include file for default key content.
> >   SecurityPkg: Add SecureBootDefaultKeysDxe driver
> >   SecurityPkg: Add EnrollFromDefaultKeys application.
> >   SecurityPkg: Add new modules to Security package.
> >   SecurityPkg: Add option to reset secure boot keys.
> > [edk2-platform]
> >   Platform/RaspberryPi: Enable default Secure Boot variables initialization
> >
> >  SecurityPkg/SecurityPkg.dec                                                             |  14 +
> >  SecurityPkg/SecurityPkg.dsc                                                             |   5 +
> >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > |  47 +
> >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > |  79 ++
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > Dxe.inf           |   2 +
> >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.inf |  46 +
> >  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     |
> > 252 +++++
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > NvData.h          |   2 +
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> > vfr              |   6 +
> >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > | 107 +++
> >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > | 979 ++++++++++++++++++++
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > mpl.c            | 343 ++++---
> >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.c   |  69 ++
> >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > |  16 +
> >  SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62 ++
> >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> > trings.uni       |   4 +
> >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.uni |  17 +
> >  17 files changed, 1862 insertions(+), 188 deletions(-)  create mode 100644
> > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> >  create mode 100644
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> >  create mode 100644
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.inf
> >  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> >  create mode 100644
> > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> >  create mode 100644
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> >  create mode 100644
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.c
> >  create mode 100644
> > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> >  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> >  create mode 100644
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > efaultKeysDxe.uni
> >
> > --
> > 2.25.1
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#76114): https://edk2.groups.io/g/devel/message/76114
Mute This Topic: https://groups.io/mt/83232291/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 0/6] Secure Boot default keys
Posted by Grzegorz Bernacki 2 years, 10 months ago 
Hi Min M,

Please find log from tests of OvmfX64 built with VS2019 at:
https://drive.google.com/file/d/18w7s6GxIz3aeId22xABMib7I3JX7G9X1/view?usp=sharing

thanks,
greg

pon., 7 cze 2021 o 09:29 Grzegorz Bernacki <gjb@semihalf.com> napisał(a):
>
> Hi Min M,
>
> I tested it with Ovmf. I will try other compiler and provide you logs soon.
>
> thanks,
> greg
>
> pt., 4 cze 2021 o 10:17 Xu, Min M <min.m.xu@intel.com> napisał(a):
> >
> > Grzegorz
> > Have you built this feature with different tool chains, such as VS2017/VS2019/GCC5? And test it in IA32/X64/AARCH64?
> > Would you post your test result in the mail?
> > Thanks much!
> >
> > > -----Original Message-----
> > > From: Grzegorz Bernacki <gjb@semihalf.com>
> > > Sent: Tuesday, June 1, 2021 9:12 PM
> > > To: devel@edk2.groups.io
> > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> > > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> > > upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> > > <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > > lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
> > > Subject: [PATCH v2 0/6] Secure Boot default keys
> > >
> > > This patchset adds support for initialization of default Secure Boot variables
> > > based on keys content embedded in flash binary. This feature is active only if
> > > Secure Boot is enabled and DEFAULT_KEY is defined. The patchset consist
> > > also application to enroll keys from default variables and secure boot menu
> > > change to allow user to reset key content to default values.
> > > Discussion on design can be found at:
> > > https://edk2.groups.io/g/rfc/topic/82139806#600
> > >
> > > I also added patch for RPi4 which enables this feature for that platform.
> > >
> > > Changes since v1:
> > > - change names:
> > >   SecBootVariableLib => SecureBootVariableLib
> > >   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > >   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > > - change name of function CheckSetupMode to GetSetupMode
> > > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > > - rebase to master
> > >
> > > Grzegorz Bernacki (6):
> > > [edk2]
> > >   SecurityPkg: Create library for setting Secure Boot variables.
> > >   SecurityPkg: Create include file for default key content.
> > >   SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > >   SecurityPkg: Add EnrollFromDefaultKeys application.
> > >   SecurityPkg: Add new modules to Security package.
> > >   SecurityPkg: Add option to reset secure boot keys.
> > > [edk2-platform]
> > >   Platform/RaspberryPi: Enable default Secure Boot variables initialization
> > >
> > >  SecurityPkg/SecurityPkg.dec                                                             |  14 +
> > >  SecurityPkg/SecurityPkg.dsc                                                             |   5 +
> > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > |  47 +
> > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > > |  79 ++
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > > Dxe.inf           |   2 +
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > efaultKeysDxe.inf |  46 +
> > >  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     |
> > > 252 +++++
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > > NvData.h          |   2 +
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> > > vfr              |   6 +
> > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > | 107 +++
> > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > | 979 ++++++++++++++++++++
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > > mpl.c            | 343 ++++---
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > efaultKeysDxe.c   |  69 ++
> > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > > |  16 +
> > >  SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62 ++
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> > > trings.uni       |   4 +
> > >
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > efaultKeysDxe.uni |  17 +
> > >  17 files changed, 1862 insertions(+), 188 deletions(-)  create mode 100644
> > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > >  create mode 100644
> > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > >  create mode 100644
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > efaultKeysDxe.inf
> > >  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> > >  create mode 100644
> > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > >  create mode 100644
> > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > >  create mode 100644
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > efaultKeysDxe.c
> > >  create mode 100644
> > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > >  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > >  create mode 100644
> > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > efaultKeysDxe.uni
> > >
> > > --
> > > 2.25.1
> >


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#76464): https://edk2.groups.io/g/devel/message/76464
Mute This Topic: https://groups.io/mt/83232291/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 0/6] Secure Boot default keys
Posted by Min Xu 2 years, 10 months ago 
On 06/14/2021 5:48 PM, Grzegorz Bernacki Wrote:
> Hi Min M,
> 
> Please find log from tests of OvmfX64 built with VS2019 at:
> https://drive.google.com/file/d/18w7s6GxIz3aeId22xABMib7I3JX7G9X1/view?u
> sp=sharing
> 
Usually we summarize the test in a table which is posted in the mail thread, so that
the test result is clear and easy to read. Also in this way the test result can be recorded in
the review thread. I am afraid the test log in the google drive cannot be accessed
one day.

> thanks,
> greg
> 
> pon., 7 cze 2021 o 09:29 Grzegorz Bernacki <gjb@semihalf.com> napisał(a):
> >
> > Hi Min M,
> >
> > I tested it with Ovmf. I will try other compiler and provide you logs soon.
> >
> > thanks,
> > greg
> >
> > pt., 4 cze 2021 o 10:17 Xu, Min M <min.m.xu@intel.com> napisał(a):
> > >
> > > Grzegorz
> > > Have you built this feature with different tool chains, such as
> VS2017/VS2019/GCC5? And test it in IA32/X64/AARCH64?
> > > Would you post your test result in the mail?
> > > Thanks much!
> > >
> > > > -----Original Message-----
> > > > From: Grzegorz Bernacki <gjb@semihalf.com>
> > > > Sent: Tuesday, June 1, 2021 9:12 PM
> > > > To: devel@edk2.groups.io
> > > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> > > > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> > > > upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> > > > Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > > > lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
> > > > Subject: [PATCH v2 0/6] Secure Boot default keys
> > > >
> > > > This patchset adds support for initialization of default Secure
> > > > Boot variables based on keys content embedded in flash binary.
> > > > This feature is active only if Secure Boot is enabled and
> > > > DEFAULT_KEY is defined. The patchset consist also application to
> > > > enroll keys from default variables and secure boot menu change to allow
> user to reset key content to default values.
> > > > Discussion on design can be found at:
> > > > https://edk2.groups.io/g/rfc/topic/82139806#600
> > > >
> > > > I also added patch for RPi4 which enables this feature for that platform.
> > > >
> > > > Changes since v1:
> > > > - change names:
> > > >   SecBootVariableLib => SecureBootVariableLib
> > > >   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > > >   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > > > - change name of function CheckSetupMode to GetSetupMode
> > > > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > > > - rebase to master
> > > >
> > > > Grzegorz Bernacki (6):
> > > > [edk2]
> > > >   SecurityPkg: Create library for setting Secure Boot variables.
> > > >   SecurityPkg: Create include file for default key content.
> > > >   SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > > >   SecurityPkg: Add EnrollFromDefaultKeys application.
> > > >   SecurityPkg: Add new modules to Security package.
> > > >   SecurityPkg: Add option to reset secure boot keys.
> > > > [edk2-platform]
> > > >   Platform/RaspberryPi: Enable default Secure Boot variables
> > > > initialization
> > > >
> > > >  SecurityPkg/SecurityPkg.dec                                                             |  14 +
> > > >  SecurityPkg/SecurityPkg.dsc                                                             |   5 +
> > > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > > |  47 +
> > > >
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.in
> > > > f
> > > > |  79 ++
> > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > > > Dxe.inf           |   2 +
> > > >
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > ootD
> > > > efaultKeysDxe.inf |  46 +
> > > >  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     |
> > > > 252 +++++
> > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > > > NvData.h          |   2 +
> > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> > > > vfr              |   6 +
> > > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > > | 107 +++
> > > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > > | 979 ++++++++++++++++++++
> > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > > > mpl.c            | 343 ++++---
> > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > > efaultKeysDxe.c   |  69 ++
> > > >
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.un
> > > > i
> > > > |  16 +
> > > >  SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62
> ++
> > > >
> > > >
> SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> > > > trings.uni       |   4 +
> > > >
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > ootD
> > > > efaultKeysDxe.uni |  17 +
> > > >  17 files changed, 1862 insertions(+), 188 deletions(-)  create
> > > > mode 100644
> > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > >  create mode 100644
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.in
> > > > f
> > > >  create mode 100644
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > ootD
> > > > efaultKeysDxe.inf
> > > >  create mode 100644
> > > > SecurityPkg/Include/Library/SecureBootVariableLib.h
> > > >  create mode 100644
> > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > >  create mode 100644
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > >  create mode 100644
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > ootD
> > > > efaultKeysDxe.c
> > > >  create mode 100644
> > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.un
> > > > i  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > > >  create mode 100644
> > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > ootD
> > > > efaultKeysDxe.uni
> > > >
> > > > --
> > > > 2.25.1
> > >
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#76630): https://edk2.groups.io/g/devel/message/76630
Mute This Topic: https://groups.io/mt/83232291/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 0/6] Secure Boot default keys
Posted by Grzegorz Bernacki 2 years, 10 months ago 
Hi Min M,

Sure, I will send the test result after I make changes for the v4
version. Can you please point me to a few mails with the test result
table so I can copy the format?
thanks,
greg

czw., 17 cze 2021 o 03:30 Xu, Min M <min.m.xu@intel.com> napisał(a):
>
> On 06/14/2021 5:48 PM, Grzegorz Bernacki Wrote:
> > Hi Min M,
> >
> > Please find log from tests of OvmfX64 built with VS2019 at:
> > https://drive.google.com/file/d/18w7s6GxIz3aeId22xABMib7I3JX7G9X1/view?u
> > sp=sharing
> >
> Usually we summarize the test in a table which is posted in the mail thread, so that
> the test result is clear and easy to read. Also in this way the test result can be recorded in
> the review thread. I am afraid the test log in the google drive cannot be accessed
> one day.
>
> > thanks,
> > greg
> >
> > pon., 7 cze 2021 o 09:29 Grzegorz Bernacki <gjb@semihalf.com> napisał(a):
> > >
> > > Hi Min M,
> > >
> > > I tested it with Ovmf. I will try other compiler and provide you logs soon.
> > >
> > > thanks,
> > > greg
> > >
> > > pt., 4 cze 2021 o 10:17 Xu, Min M <min.m.xu@intel.com> napisał(a):
> > > >
> > > > Grzegorz
> > > > Have you built this feature with different tool chains, such as
> > VS2017/VS2019/GCC5? And test it in IA32/X64/AARCH64?
> > > > Would you post your test result in the mail?
> > > > Thanks much!
> > > >
> > > > > -----Original Message-----
> > > > > From: Grzegorz Bernacki <gjb@semihalf.com>
> > > > > Sent: Tuesday, June 1, 2021 9:12 PM
> > > > > To: devel@edk2.groups.io
> > > > > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
> > > > > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
> > > > > upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang,
> > > > > Jian J <jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
> > > > > lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
> > > > > Subject: [PATCH v2 0/6] Secure Boot default keys
> > > > >
> > > > > This patchset adds support for initialization of default Secure
> > > > > Boot variables based on keys content embedded in flash binary.
> > > > > This feature is active only if Secure Boot is enabled and
> > > > > DEFAULT_KEY is defined. The patchset consist also application to
> > > > > enroll keys from default variables and secure boot menu change to allow
> > user to reset key content to default values.
> > > > > Discussion on design can be found at:
> > > > > https://edk2.groups.io/g/rfc/topic/82139806#600
> > > > >
> > > > > I also added patch for RPi4 which enables this feature for that platform.
> > > > >
> > > > > Changes since v1:
> > > > > - change names:
> > > > >   SecBootVariableLib => SecureBootVariableLib
> > > > >   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > > > >   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > > > > - change name of function CheckSetupMode to GetSetupMode
> > > > > - remove ShellPkg dependecy from EnrollFromDefaultKeysApp
> > > > > - rebase to master
> > > > >
> > > > > Grzegorz Bernacki (6):
> > > > > [edk2]
> > > > >   SecurityPkg: Create library for setting Secure Boot variables.
> > > > >   SecurityPkg: Create include file for default key content.
> > > > >   SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > > > >   SecurityPkg: Add EnrollFromDefaultKeys application.
> > > > >   SecurityPkg: Add new modules to Security package.
> > > > >   SecurityPkg: Add option to reset secure boot keys.
> > > > > [edk2-platform]
> > > > >   Platform/RaspberryPi: Enable default Secure Boot variables
> > > > > initialization
> > > > >
> > > > >  SecurityPkg/SecurityPkg.dec                                                             |  14 +
> > > > >  SecurityPkg/SecurityPkg.dsc                                                             |   5 +
> > > > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > > > |  47 +
> > > > >
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.in
> > > > > f
> > > > > |  79 ++
> > > > >
> > > > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > > > > Dxe.inf           |   2 +
> > > > >
> > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > > ootD
> > > > > efaultKeysDxe.inf |  46 +
> > > > >  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     |
> > > > > 252 +++++
> > > > >
> > > > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig
> > > > > NvData.h          |   2 +
> > > > >
> > > > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.
> > > > > vfr              |   6 +
> > > > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > > > | 107 +++
> > > > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > > > | 979 ++++++++++++++++++++
> > > > >
> > > > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigI
> > > > > mpl.c            | 343 ++++---
> > > > >
> > > > >
> > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD
> > > > > efaultKeysDxe.c   |  69 ++
> > > > >
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.un
> > > > > i
> > > > > |  16 +
> > > > >  SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  62
> > ++
> > > > >
> > > > >
> > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigS
> > > > > trings.uni       |   4 +
> > > > >
> > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > > ootD
> > > > > efaultKeysDxe.uni |  17 +
> > > > >  17 files changed, 1862 insertions(+), 188 deletions(-)  create
> > > > > mode 100644
> > > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > > >  create mode 100644
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.in
> > > > > f
> > > > >  create mode 100644
> > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > > ootD
> > > > > efaultKeysDxe.inf
> > > > >  create mode 100644
> > > > > SecurityPkg/Include/Library/SecureBootVariableLib.h
> > > > >  create mode 100644
> > > > > SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > > >  create mode 100644
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > > >  create mode 100644
> > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > > ootD
> > > > > efaultKeysDxe.c
> > > > >  create mode 100644
> > > > > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.un
> > > > > i  create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
> > > > >  create mode 100644
> > > > > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureB
> > > > > ootD
> > > > > efaultKeysDxe.uni
> > > > >
> > > > > --
> > > > > 2.25.1
> > > >
> >
> >
> > 
> >
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#76670): https://edk2.groups.io/g/devel/message/76670
Mute This Topic: https://groups.io/mt/83232291/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 0/6] Secure Boot default keys
Posted by Min Xu 2 years, 10 months ago 
On 06/17/2021, Grzegorz Bernacki wrote:
> Hi Min M,
> 
> Sure, I will send the test result after I make changes for the v4 version. Can
> you please point me to a few mails with the test result table so I can copy the
> format?
>
Please refer to https://edk2.groups.io/g/devel/message/74239
Just summarize the validation you do.
>
> thanks,
> greg

Thanks
Min


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#76672): https://edk2.groups.io/g/devel/message/76672
Mute This Topic: https://groups.io/mt/83232291/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.