This application allows user to force key enrollment from
Secure Boot default variables.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 +++++++++
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 107 ++++++++++++++++++++
2 files changed, 154 insertions(+)
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
new file mode 100644
index 0000000000..4d79ca3844
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
@@ -0,0 +1,47 @@
+## @file
+# Enroll PK, KEK, db, dbx from Default variables
+#
+# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+# Copyright (c) 2021, Semihalf All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION = 1.28
+ BASE_NAME = EnrollFromDefaultKeysApp
+ FILE_GUID = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
+ MODULE_TYPE = UEFI_APPLICATION
+ VERSION_STRING = 0.1
+ ENTRY_POINT = UefiMain
+
+[Sources]
+ EnrollFromDefaultKeysApp.c
+
+[Packages]
+ MdeModulePkg/MdeModulePkg.dec
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[Guids]
+ gEfiCertPkcs7Guid
+ gEfiCertSha256Guid
+ gEfiCertX509Guid
+ gEfiCustomModeEnableGuid
+ gEfiGlobalVariableGuid
+ gEfiImageSecurityDatabaseGuid
+ gEfiSecureBootEnableDisableGuid
+
+[Protocols]
+ gEfiSmbiosProtocolGuid ## CONSUMES
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ PrintLib
+ UefiApplicationEntryPoint
+ UefiBootServicesTableLib
+ UefiLib
+ UefiRuntimeServicesTableLib
+ SecureBootVariableLib
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
new file mode 100644
index 0000000000..1907ce1d4e
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
@@ -0,0 +1,107 @@
+/** @file
+ Enroll default PK, KEK, db, dbx.
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseLib.h> // GUID_STRING_LENGTH
+#include <Library/BaseMemoryLib.h> // CopyGuid()
+#include <Library/DebugLib.h> // ASSERT()
+#include <Library/MemoryAllocationLib.h> // FreePool()
+#include <Library/PrintLib.h> // AsciiSPrint()
+#include <Library/UefiBootServicesTableLib.h> // gBS
+#include <Library/UefiLib.h> // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+#include <Uefi/UefiMultiPhase.h>
+#include <Library/SecureBootVariableLib.h>
+
+#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)
+
+/**
+ Entry point function of this shell application.
+**/
+EFI_STATUS
+EFIAPI
+UefiMain (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+ UINT8 SetupMode;
+
+ Status = GetSetupMode (&SetupMode);
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot get SetupMode variable: %r\n", Status);
+ return 1;
+ }
+
+ if (SetupMode == USER_MODE) {
+ FAIL ("Skipped - USER_MODE\n");
+ return 1;
+ }
+
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
+ return 1;
+ }
+
+ Status = EnrollDbFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll db: %r\n", Status);
+ goto error;
+ }
+
+ Status = EnrollDbxFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll dbt: %r\n", Status);
+ }
+
+ Status = EnrollDbtFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll dbx: %r\n", Status);
+ }
+
+ Status = EnrollKEKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll KEK: %r\n", Status);
+ goto cleardbs;
+ }
+
+ Status = EnrollPKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll PK: %r\n", Status);
+ goto clearKEK;
+ }
+
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n");
+ }
+ return 0;
+
+clearKEK:
+ DeleteKEK ();
+
+cleardbs:
+ DeleteDbt ();
+ DeleteDbx ();
+ DeleteDb ();
+
+error:
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n");
+ }
+
+ return 1;
+}
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#75905): https://edk2.groups.io/g/devel/message/75905
Mute This Topic: https://groups.io/mt/83232300/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This application allows user to force key enrollment from
> Secure Boot default variables.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 +++++++++
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 107 ++++++++++++++++++++
> 2 files changed, 154 insertions(+)
> create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
>
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> new file mode 100644
> index 0000000000..4d79ca3844
> --- /dev/null
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> @@ -0,0 +1,47 @@
> +## @file
> +# Enroll PK, KEK, db, dbx from Default variables
> +#
> +# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +# Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +[Defines]
> + INF_VERSION = 1.28
> + BASE_NAME = EnrollFromDefaultKeysApp
> + FILE_GUID = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
> + MODULE_TYPE = UEFI_APPLICATION
> + VERSION_STRING = 0.1
> + ENTRY_POINT = UefiMain
> +
> +[Sources]
> + EnrollFromDefaultKeysApp.c
> +
> +[Packages]
> + MdeModulePkg/MdeModulePkg.dec
> + MdePkg/MdePkg.dec
> + SecurityPkg/SecurityPkg.dec
> +
> +[Guids]
> + gEfiCertPkcs7Guid
> + gEfiCertSha256Guid
> + gEfiCertX509Guid
> + gEfiCustomModeEnableGuid
> + gEfiGlobalVariableGuid
> + gEfiImageSecurityDatabaseGuid
> + gEfiSecureBootEnableDisableGuid
> +
> +[Protocols]
> + gEfiSmbiosProtocolGuid ## CONSUMES
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> + MemoryAllocationLib
> + PrintLib
> + UefiApplicationEntryPoint
> + UefiBootServicesTableLib
> + UefiLib
> + UefiRuntimeServicesTableLib
> + SecureBootVariableLib
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> new file mode 100644
> index 0000000000..1907ce1d4e
> --- /dev/null
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> @@ -0,0 +1,107 @@
> +/** @file
> + Enroll default PK, KEK, db, dbx.
> +
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +**/
> +
> +#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
> +#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
> +#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
> +#include <Library/BaseLib.h> // GUID_STRING_LENGTH
> +#include <Library/BaseMemoryLib.h> // CopyGuid()
> +#include <Library/DebugLib.h> // ASSERT()
> +#include <Library/MemoryAllocationLib.h> // FreePool()
> +#include <Library/PrintLib.h> // AsciiSPrint()
> +#include <Library/UefiBootServicesTableLib.h> // gBS
> +#include <Library/UefiLib.h> // AsciiPrint()
> +#include <Library/UefiRuntimeServicesTableLib.h> // gRT
> +#include <Uefi/UefiMultiPhase.h>
> +#include <Library/SecureBootVariableLib.h>
> +
> +#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)
> +
> +/**
> + Entry point function of this shell application.
> +**/
> +EFI_STATUS
> +EFIAPI
> +UefiMain (
> + IN EFI_HANDLE ImageHandle,
> + IN EFI_SYSTEM_TABLE *SystemTable
> + )
> +{
> + EFI_STATUS Status;
> + UINT8 SetupMode;
> +
> + Status = GetSetupMode (&SetupMode);
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot get SetupMode variable: %r\n", Status);
> + return 1;
> + }
> +
> + if (SetupMode == USER_MODE) {
> + FAIL ("Skipped - USER_MODE\n");
> + return 1;
> + }
> +
> + Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
> + return 1;
> + }
> +
> + Status = EnrollDbFromDefault ();
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot enroll db: %r\n", Status);
> + goto error;
> + }
> +
> + Status = EnrollDbxFromDefault ();
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot enroll dbt: %r\n", Status);
> + }
> +
> + Status = EnrollDbtFromDefault ();
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot enroll dbx: %r\n", Status);
> + }
> +
> + Status = EnrollKEKFromDefault ();
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot enroll KEK: %r\n", Status);
> + goto cleardbs;
> + }
> +
> + Status = EnrollPKFromDefault ();
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot enroll PK: %r\n", Status);
> + goto clearKEK;
> + }
> +
> + Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
> + "Please do it manually, otherwise system can be easily compromised\n");
> + }
> + return 0;
> +
> +clearKEK:
> + DeleteKEK ();
> +
> +cleardbs:
> + DeleteDbt ();
> + DeleteDbx ();
> + DeleteDb ();
> +
> +error:
> + Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
> + "Please do it manually, otherwise system can be easily compromised\n");
> + }
> +
> + return 1;
> +}
>
Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#75990): https://edk2.groups.io/g/devel/message/75990
Mute This Topic: https://groups.io/mt/83232300/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
> +#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)
I don’t think this sort of implied concatenation works on all compilers.
- Bret
From: Pete Batard via groups.io<mailto:pete=akeo.ie@groups.io>
Sent: Wednesday, June 2, 2021 10:40 AM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; gjb@semihalf.com<mailto:gjb@semihalf.com>
Cc: Lindholm, Leif<mailto:leif@nuviainc.com>; ardb+tianocore@kernel.org<mailto:ardb+tianocore@kernel.org>; Samer El-Haj-Mahmoud<mailto:Samer.El-Haj-Mahmoud@arm.com>; sunny.Wang@arm.com<mailto:sunny.Wang@arm.com>; mw@semihalf.com<mailto:mw@semihalf.com>; upstream@semihalf.com<mailto:upstream@semihalf.com>; Yao, Jiewen<mailto:jiewen.yao@intel.com>; jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>; min.m.xu@intel.com<mailto:min.m.xu@intel.com>; lersek@redhat.com<mailto:lersek@redhat.com>
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application.
On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This application allows user to force key enrollment from
> Secure Boot default variables.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 +++++++++
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 107 ++++++++++++++++++++
> 2 files changed, 154 insertions(+)
> create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
>
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> new file mode 100644
> index 0000000000..4d79ca3844
> --- /dev/null
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> @@ -0,0 +1,47 @@
> +## @file
> +# Enroll PK, KEK, db, dbx from Default variables
> +#
> +# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +# Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> +##
> +
> +[Defines]
> + INF_VERSION = 1.28
> + BASE_NAME = EnrollFromDefaultKeysApp
> + FILE_GUID = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
> + MODULE_TYPE = UEFI_APPLICATION
> + VERSION_STRING = 0.1
> + ENTRY_POINT = UefiMain
> +
> +[Sources]
> + EnrollFromDefaultKeysApp.c
> +
> +[Packages]
> + MdeModulePkg/MdeModulePkg.dec
> + MdePkg/MdePkg.dec
> + SecurityPkg/SecurityPkg.dec
> +
> +[Guids]
> + gEfiCertPkcs7Guid
> + gEfiCertSha256Guid
> + gEfiCertX509Guid
> + gEfiCustomModeEnableGuid
> + gEfiGlobalVariableGuid
> + gEfiImageSecurityDatabaseGuid
> + gEfiSecureBootEnableDisableGuid
> +
> +[Protocols]
> + gEfiSmbiosProtocolGuid ## CONSUMES
> +
> +[LibraryClasses]
> + BaseLib
> + BaseMemoryLib
> + DebugLib
> + MemoryAllocationLib
> + PrintLib
> + UefiApplicationEntryPoint
> + UefiBootServicesTableLib
> + UefiLib
> + UefiRuntimeServicesTableLib
> + SecureBootVariableLib
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> new file mode 100644
> index 0000000000..1907ce1d4e
> --- /dev/null
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> @@ -0,0 +1,107 @@
> +/** @file
> + Enroll default PK, KEK, db, dbx.
> +
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +**/
> +
> +#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
> +#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
> +#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
> +#include <Library/BaseLib.h> // GUID_STRING_LENGTH
> +#include <Library/BaseMemoryLib.h> // CopyGuid()
> +#include <Library/DebugLib.h> // ASSERT()
> +#include <Library/MemoryAllocationLib.h> // FreePool()
> +#include <Library/PrintLib.h> // AsciiSPrint()
> +#include <Library/UefiBootServicesTableLib.h> // gBS
> +#include <Library/UefiLib.h> // AsciiPrint()
> +#include <Library/UefiRuntimeServicesTableLib.h> // gRT
> +#include <Uefi/UefiMultiPhase.h>
> +#include <Library/SecureBootVariableLib.h>
> +
> +#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)
> +
> +/**
> + Entry point function of this shell application.
> +**/
> +EFI_STATUS
> +EFIAPI
> +UefiMain (
> + IN EFI_HANDLE ImageHandle,
> + IN EFI_SYSTEM_TABLE *SystemTable
> + )
> +{
> + EFI_STATUS Status;
> + UINT8 SetupMode;
> +
> + Status = GetSetupMode (&SetupMode);
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot get SetupMode variable: %r\n", Status);
> + return 1;
> + }
> +
> + if (SetupMode == USER_MODE) {
> + FAIL ("Skipped - USER_MODE\n");
> + return 1;
> + }
> +
> + Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
> + return 1;
> + }
> +
> + Status = EnrollDbFromDefault ();
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot enroll db: %r\n", Status);
> + goto error;
> + }
> +
> + Status = EnrollDbxFromDefault ();
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot enroll dbt: %r\n", Status);
> + }
> +
> + Status = EnrollDbtFromDefault ();
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot enroll dbx: %r\n", Status);
> + }
> +
> + Status = EnrollKEKFromDefault ();
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot enroll KEK: %r\n", Status);
> + goto cleardbs;
> + }
> +
> + Status = EnrollPKFromDefault ();
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot enroll PK: %r\n", Status);
> + goto clearKEK;
> + }
> +
> + Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
> + "Please do it manually, otherwise system can be easily compromised\n");
> + }
> + return 0;
> +
> +clearKEK:
> + DeleteKEK ();
> +
> +cleardbs:
> + DeleteDbt ();
> + DeleteDbx ();
> + DeleteDb ();
> +
> +error:
> + Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
> + if (EFI_ERROR (Status)) {
> + FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
> + "Please do it manually, otherwise system can be easily compromised\n");
> + }
> +
> + return 1;
> +}
>
Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#75997): https://edk2.groups.io/g/devel/message/75997
Mute This Topic: https://groups.io/mt/83267548/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Internally reviewed this patch before sending the edk2 mailing list and Greg already addressed all my comments, so It looks good to me.
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
As for Bret's comment, the "#define FAIL(fmt...).. " was added for addressing my internal review comment for better maintenance. If this would cause an error with some compilers, I'm fine with reverting FAIL() macro related changes.
Best Regards,
Sunny Wang
-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application.
This application allows user to force key enrollment from
Secure Boot default variables.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 +++++++++
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 107 ++++++++++++++++++++
2 files changed, 154 insertions(+)
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
new file mode 100644
index 0000000000..4d79ca3844
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
@@ -0,0 +1,47 @@
+## @file
+# Enroll PK, KEK, db, dbx from Default variables
+#
+# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+# Copyright (c) 2021, Semihalf All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION = 1.28
+ BASE_NAME = EnrollFromDefaultKeysApp
+ FILE_GUID = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
+ MODULE_TYPE = UEFI_APPLICATION
+ VERSION_STRING = 0.1
+ ENTRY_POINT = UefiMain
+
+[Sources]
+ EnrollFromDefaultKeysApp.c
+
+[Packages]
+ MdeModulePkg/MdeModulePkg.dec
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[Guids]
+ gEfiCertPkcs7Guid
+ gEfiCertSha256Guid
+ gEfiCertX509Guid
+ gEfiCustomModeEnableGuid
+ gEfiGlobalVariableGuid
+ gEfiImageSecurityDatabaseGuid
+ gEfiSecureBootEnableDisableGuid
+
+[Protocols]
+ gEfiSmbiosProtocolGuid ## CONSUMES
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ PrintLib
+ UefiApplicationEntryPoint
+ UefiBootServicesTableLib
+ UefiLib
+ UefiRuntimeServicesTableLib
+ SecureBootVariableLib
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
new file mode 100644
index 0000000000..1907ce1d4e
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
@@ -0,0 +1,107 @@
+/** @file
+ Enroll default PK, KEK, db, dbx.
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseLib.h> // GUID_STRING_LENGTH
+#include <Library/BaseMemoryLib.h> // CopyGuid()
+#include <Library/DebugLib.h> // ASSERT()
+#include <Library/MemoryAllocationLib.h> // FreePool()
+#include <Library/PrintLib.h> // AsciiSPrint()
+#include <Library/UefiBootServicesTableLib.h> // gBS
+#include <Library/UefiLib.h> // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+#include <Uefi/UefiMultiPhase.h>
+#include <Library/SecureBootVariableLib.h>
+
+#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)
+
+/**
+ Entry point function of this shell application.
+**/
+EFI_STATUS
+EFIAPI
+UefiMain (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+ UINT8 SetupMode;
+
+ Status = GetSetupMode (&SetupMode);
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot get SetupMode variable: %r\n", Status);
+ return 1;
+ }
+
+ if (SetupMode == USER_MODE) {
+ FAIL ("Skipped - USER_MODE\n");
+ return 1;
+ }
+
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
+ return 1;
+ }
+
+ Status = EnrollDbFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll db: %r\n", Status);
+ goto error;
+ }
+
+ Status = EnrollDbxFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll dbt: %r\n", Status);
+ }
+
+ Status = EnrollDbtFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll dbx: %r\n", Status);
+ }
+
+ Status = EnrollKEKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll KEK: %r\n", Status);
+ goto cleardbs;
+ }
+
+ Status = EnrollPKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll PK: %r\n", Status);
+ goto clearKEK;
+ }
+
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n");
+ }
+ return 0;
+
+clearKEK:
+ DeleteKEK ();
+
+cleardbs:
+ DeleteDbt ();
+ DeleteDbx ();
+ DeleteDb ();
+
+error:
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n");
+ }
+
+ return 1;
+}
--
2.25.1
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#76049): https://edk2.groups.io/g/devel/message/76049
Mute This Topic: https://groups.io/mt/83232300/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
© 2016 - 2026 Red Hat, Inc.