[edk2-devel] [PATCH v3 0/8] Secure Boot default keys

Grzegorz Bernacki posted 8 patches 2 years, 10 months ago
Failed in applying to current master (apply log)
There is a newer version of this series
SecurityPkg/SecurityPkg.dec                                                             |  14 +
ArmVirtPkg/ArmVirtQemu.dsc                                                              |   3 +
ArmVirtPkg/ArmVirtQemuKernel.dsc                                                        |   3 +
EmulatorPkg/EmulatorPkg.dsc                                                             |   1 +
OvmfPkg/Bhyve/BhyveX64.dsc                                                              |   1 +
OvmfPkg/OvmfPkgIa32.dsc                                                                 |   1 +
OvmfPkg/OvmfPkgIa32X64.dsc                                                              |   1 +
OvmfPkg/OvmfPkgX64.dsc                                                                  |   1 +
SecurityPkg/SecurityPkg.dsc                                                             |   4 +
MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf                    |   2 +
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                       |  47 +
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                     |  79 ++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf           |   2 +
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf |  45 +
MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h                             |   1 +
SecurityPkg/Include/Library/SecureBootVariableLib.h                                     | 251 +++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h          |   2 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr              |   6 +
MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c                          |  84 --
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                         | 109 +++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                       | 980 ++++++++++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c            | 343 ++++---
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   |  68 ++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                     |  16 +
SecurityPkg/SecureBootDefaultKeys.fdf.inc                                               |  70 ++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni       |   4 +
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni |  16 +
Platform/ARM/SgiPkg/SgiPlatform.dsc.inc                              | 1 +
Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc                 | 1 +
Platform/Comcast/RDKQemu/RDKQemu.dsc                                 | 3 +++
Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc          | 1 +
Platform/Intel/QuarkPlatformPkg/Quark.dsc                            | 1 +
Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc                 | 1 +
Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc                  | 3 ++-
Platform/Qemu/SbsaQemu/SbsaQemu.dsc                                  | 1 +
Platform/RaspberryPi/RPi3/RPi3.dsc                                   | 1 +
Platform/RaspberryPi/RPi4/RPi4.dsc                                   | 4 ++++
Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc           | 1 +
Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.dsc | 1 +
Platform/Socionext/DeveloperBox/DeveloperBox.dsc                     | 4 ++++
Platform/RaspberryPi/RPi4/RPi4.fdf                                   | 2 ++
41 files changed, 1882 insertions(+), 272 deletions(-)
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
[edk2-devel] [PATCH v3 0/8] Secure Boot default keys
Posted by Grzegorz Bernacki 2 years, 10 months ago
This patchset adds support for initialization of default
Secure Boot variables based on key content embedded in the
flash binary. This feature is active only if Secure Boot
is enabled and DEFAULT_KEY is defined. The patchset also
includes an application to enroll keys from default
variables and a Secure Boot menu change to allow the user
to reset key content to default values.
Discussion on design can be found at:
https://edk2.groups.io/g/rfc/topic/82139806#600

I also added a patch for RPi4 which enables this feature for
that platform.

Changes since v1:
- change names:
  SecBootVariableLib => SecureBootVariableLib
  SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
  SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
- change name of function CheckSetupMode to GetSetupMode
- remove ShellPkg dependency from EnrollFromDefaultKeysApp
- rebase to master

Changes since v2:
- fix coding style for function headers in SecureBootVariableLib.h
- add header to SecureBootDefaultKeys.fdf.inc
- remove empty line spaces in SecureBootDefaultKeysDxe files
- revert FAIL macro in EnrollFromDefaultKeysApp
- remove function duplicates and add SecureBootVariableLib
  to platforms which used it

Grzegorz Bernacki (10):
[edk2]
  SecurityPkg: Create library for setting Secure Boot variables.
  Platforms: add SecureBootVariableLib class resolution
  SecurityPkg: Create include file for default key content.
  SecurityPkg: Add SecureBootDefaultKeysDxe driver
  SecurityPkg: Add EnrollFromDefaultKeys application.
  SecurityPkg: Add new modules to Security package.
  SecurityPkg: Add option to reset secure boot keys.
  MdeModulePkg: Use SecureBootVariableLib in PlatformVarCleanupLib.
[edk2-platform]
  Platforms: add SecureBootVariableLib class resolution
  Platform/RaspberryPi: Enable default Secure Boot variables initialization

-- 
2.25.1


