From nobody Fri May 3 12:29:25 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+76454+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76454+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1623663831; cv=none; d=zohomail.com; s=zohoarc; b=Mlq6qCLgwqdxFcMvlPXpiYT9+HOSbfOAuc14VrcbTUL4+CO6JiTJUUq/ct4na6IGCsUL1LHLmEm3xOc58Fo3Y+ctpmTCeVUapaJAsXossjbD/5lanOB1XdR8M8M/OUAojGZ1Q3LVyc8hysBurQcckGRWKkrCLnkzraea6uhNzwU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623663831; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=Zedl6afN2dNbnoDM7cpuBSyGmWtAZBRwf4kHDB6iIcI=; b=VONiwgXfsW5IMStA6lxz/aD+SPdNNkiLa6WDOu0EJBfyMdHbDFwO4pctu8LHL+0C1h7p93fTfgWdTy/OvwpJKVUCjdUM4BSVZTuFEln/txCCwWa8mTFPygclu/2afvb9mp4NLhL184wdZlFJsbao7SxKoWuTkNdn6XsSgjOx+n4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76454+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1623663831424553.2651484600532; Mon, 14 Jun 2021 02:43:51 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id z5cGYY1788612xZOMgJ1UzX5; Mon, 14 Jun 2021 02:43:45 -0700 X-Received: from mail-lf1-f45.google.com (mail-lf1-f45.google.com [209.85.167.45]) by mx.groups.io with SMTP id smtpd.web09.27757.1623663819008344607 for ; Mon, 14 Jun 2021 02:43:39 -0700 X-Received: by mail-lf1-f45.google.com with SMTP id a1so20032699lfr.12 for ; Mon, 14 Jun 2021 02:43:38 -0700 (PDT) X-Gm-Message-State: 8QxmYfiPCxKsx6Dbk8ZOJSmXx1787277AA= X-Google-Smtp-Source: ABdhPJyg5EOWx8yto5V9G1NYuFIzP1qUoHRCa1I1mPG7ZtiLnSlQkMUUh+DM0s3G495E5KYvNwCDuQ== X-Received: by 2002:a19:e00c:: with SMTP id x12mr2478580lfg.376.1623663817036; Mon, 14 Jun 2021 02:43:37 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id c32sm367777lfv.30.2021.06.14.02.43.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Jun 2021 02:43:36 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki Subject: [edk2-devel] [edk2-platforms PATCH v3 1/2] Platforms: add SecureBootVariableLib class resolution Date: Mon, 14 Jun 2021 11:42:59 +0200 Message-Id: <20210614094308.2314345-2-gjb@semihalf.com> In-Reply-To: <20210614094308.2314345-1-gjb@semihalf.com> References: <20210614094308.2314345-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1623663825; bh=8SMqNfP73XumXEuOYl/jZ6lOs4Nji+MWpBpTF9kiL/I=; h=Cc:Date:From:Reply-To:Subject:To; b=dW4gtmu0EHJS3zMmWJAdi6HUAtqhS/vsRoDRr+1sHlrF3dxeKuFxhbjuWvRd3UhA61u LedbIfUDaEyjMHRuKBGcvPmVScwhtNhxTEXaKmvFX7DyHbE7wvuV3kI7SL3d2mqo76bmH 96aERaEURbbVsj6Y17R+D7CvvaANHFFLqfs= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" SecureBootConfigDxe needs this library after change in edk2: SecurityPkg: Create library for setting Secure Boot variables. Signed-off-by: Grzegorz Bernacki --- Platform/ARM/SgiPkg/SgiPlatform.dsc.inc | 1 + Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc | 1 + Platform/Comcast/RDKQemu/RDKQemu.dsc | 3 += ++ Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc | 1 + Platform/Intel/QuarkPlatformPkg/Quark.dsc | 1 + Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc | 1 + Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc | 3 += +- Platform/Qemu/SbsaQemu/SbsaQemu.dsc | 1 + Platform/RaspberryPi/RPi3/RPi3.dsc | 1 + Platform/RaspberryPi/RPi4/RPi4.dsc | 1 + Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc | 1 + Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.dsc | 1 + Platform/Socionext/DeveloperBox/DeveloperBox.dsc | 4 += +++ 13 files changed, 19 insertions(+), 1 deletion(-) diff --git a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc b/Platform/ARM/SgiPkg/= SgiPlatform.dsc.inc index e4aee7a09a..2b3317feb7 100644 --- a/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc +++ b/Platform/ARM/SgiPkg/SgiPlatform.dsc.inc @@ -32,6 +32,7 @@ TimerLib|ArmPkg/Library/ArmArchTimerLib/ArmArchTimerLib.inf !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !endif =20 # Virtio Support diff --git a/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc b/Platfor= m/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc index cf7350649e..2591cf8932 100644 --- a/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc +++ b/Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc @@ -51,6 +51,7 @@ VirtioMmioDeviceLib|OvmfPkg/Library/VirtioMmioDeviceLib/VirtioMmioDevice= Lib.inf !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !endif =20 DtPlatformDtbLoaderLib|Platform/ARM/VExpressPkg/Library/ArmVExpressDtPla= tformDtbLoaderLib/ArmVExpressDtPlatformDtbLoaderLib.inf diff --git a/Platform/Comcast/RDKQemu/RDKQemu.dsc b/Platform/Comcast/RDKQem= u/RDKQemu.dsc index 13f00d86da..71747300fb 100644 --- a/Platform/Comcast/RDKQemu/RDKQemu.dsc +++ b/Platform/Comcast/RDKQemu/RDKQemu.dsc @@ -68,6 +68,9 @@ PciSegmentLib|MdePkg/Library/BasePciSegmentLibPci/BasePciSegmentLibPci.i= nf PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridge= Lib.inf RdkBootManagerLib|Platform/Comcast/Library/RdkBootManagerLib/RdkBootMana= gerLib.inf +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf +!endif =20 [LibraryClasses.common.PEIM] ArmVirtMemInfoLib|ArmVirtPkg/Library/QemuVirtMemInfoLib/QemuVirtMemInfoP= eiLib.inf diff --git a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc b/= Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc index b154f9615d..5157c87a9a 100644 --- a/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc +++ b/Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc @@ -139,6 +139,7 @@ =20 !if gMinPlatformPkgTokenSpaceGuid.PcdUefiSecureBootEnable =3D=3D TRUE AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !endif =20 SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf diff --git a/Platform/Intel/QuarkPlatformPkg/Quark.dsc b/Platform/Intel/Qua= rkPlatformPkg/Quark.dsc index cc1eba4df4..35f99429f7 100644 --- a/Platform/Intel/QuarkPlatformPkg/Quark.dsc +++ b/Platform/Intel/QuarkPlatformPkg/Quark.dsc @@ -175,6 +175,7 @@ !if $(SECURE_BOOT_ENABLE) PlatformSecureLib|QuarkPlatformPkg/Library/PlatformSecureLib/PlatformSec= ureLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif diff --git a/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc b/Platfor= m/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc index d15da40819..5a0d3e31e1 100644 --- a/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc +++ b/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc @@ -227,6 +227,7 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif diff --git a/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc b/Platform= /Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc index 4a5548b80e..36a5ae333c 100644 --- a/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc +++ b/Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc @@ -1,4 +1,4 @@ -#/** @file +e # Platform description. # # Copyright (c) 2012 - 2021, Intel Corporation. All rights reserved.
@@ -229,6 +229,7 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif diff --git a/Platform/Qemu/SbsaQemu/SbsaQemu.dsc b/Platform/Qemu/SbsaQemu/S= bsaQemu.dsc index 11ce361cdb..b1c4030ec9 100644 --- a/Platform/Qemu/SbsaQemu/SbsaQemu.dsc +++ b/Platform/Qemu/SbsaQemu/SbsaQemu.dsc @@ -156,6 +156,7 @@ DEFINE NETWORK_HTTP_BOOT_ENABLE =3D FALSE # TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf =20 # re-use the UserPhysicalPresent() dummy implementation from the ovmf tr= ee PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf diff --git a/Platform/RaspberryPi/RPi3/RPi3.dsc b/Platform/RaspberryPi/RPi3= /RPi3.dsc index 425c7ff9ec..b5ae6e8a40 100644 --- a/Platform/RaspberryPi/RPi3/RPi3.dsc +++ b/Platform/RaspberryPi/RPi3/RPi3.dsc @@ -167,6 +167,7 @@ =20 # re-use the UserPhysicalPresent() dummy implementation from the ovmf tr= ee PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !else TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4= /RPi4.dsc index d8c6fdd4bd..dfcf58dd38 100644 --- a/Platform/RaspberryPi/RPi4/RPi4.dsc +++ b/Platform/RaspberryPi/RPi4/RPi4.dsc @@ -164,6 +164,7 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf =20 # re-use the UserPhysicalPresent() dummy implementation from the ovmf tr= ee PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf diff --git a/Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc b/P= latform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc index b91823ceeb..fc5ba2a07f 100644 --- a/Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc +++ b/Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc @@ -122,6 +122,7 @@ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !else TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf diff --git a/Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U5= 40.dsc b/Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.d= sc index 0eafe29880..71add8ff9a 100644 --- a/Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.dsc +++ b/Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.dsc @@ -122,6 +122,7 @@ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasure= mentLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !else TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf diff --git a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc b/Platform/So= cionext/DeveloperBox/DeveloperBox.dsc index 88454c1f90..a5607c0562 100644 --- a/Platform/Socionext/DeveloperBox/DeveloperBox.dsc +++ b/Platform/Socionext/DeveloperBox/DeveloperBox.dsc @@ -52,6 +52,10 @@ =20 MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D FALSE + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf +!endif + [LibraryClasses.common.SEC] PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76454): https://edk2.groups.io/g/devel/message/76454 Mute This Topic: https://groups.io/mt/83526312/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 12:29:25 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+76455+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76455+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1623663832; cv=none; d=zohomail.com; s=zohoarc; b=gYxV0RmB+dmH0jcz/0NpndnqBQ7l5EEWfJviZF2WHHRI80W/ye6nTMAYUNBwZ64QXT/2zm+W9TyOQuJ2lcxBR08F+xXpUeUWHjyImxxWBe17I4WQpsMMGJe58T/OgUH0zGj62julRW0iee9pc3jymiWPpb9DGjc0miALWeH3u50= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623663832; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=GWePGPtBAWWSd4AE1Zo1pkQxvHGcTiLJ5YqjOfJZSNQ=; b=ZY2lkd1eVEr+8t/kf3EoSPCTb58td5rZ+PL9E9SJ4tjdVXU/iNvivTvKEluGaW9cl3Eebbc6rRndTMDHGuM6VzI/kwkxi6HnYmd6N3vOqBBw/MlnZ9aSnClkteW76k+pgA70Tv445D+KUb2GjYg8/NL0bpl6OusnpZKgZFWtydE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76455+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1623663832282927.2220667460648; Mon, 14 Jun 2021 02:43:52 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id SNMgYY1788612xpgut0xnmZ7; Mon, 14 Jun 2021 02:43:51 -0700 X-Received: from mail-lj1-f169.google.com (mail-lj1-f169.google.com [209.85.208.169]) by mx.groups.io with SMTP id smtpd.web09.27758.1623663820782757843 for ; Mon, 14 Jun 2021 02:43:41 -0700 X-Received: by mail-lj1-f169.google.com with SMTP id b37so3267220ljr.13 for ; Mon, 14 Jun 2021 02:43:40 -0700 (PDT) X-Gm-Message-State: AwBrKmv8ef5fheoihRqeU6ABx1787277AA= X-Google-Smtp-Source: ABdhPJwE0FO5tnhvplXJQuQ9DAfiBptvBSD3WfS9EQ2VqjV5gGvc4xksbyRNiZWWan/SMu5y1sgdZQ== X-Received: by 2002:a05:651c:2c7:: with SMTP id f7mr12936968ljo.287.1623663818573; Mon, 14 Jun 2021 02:43:38 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id c32sm367777lfv.30.2021.06.14.02.43.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Jun 2021 02:43:38 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki Subject: [edk2-devel] [PATCH v3 1/8] SecurityPkg: Create library for setting Secure Boot variables. Date: Mon, 14 Jun 2021 11:43:00 +0200 Message-Id: <20210614094308.2314345-3-gjb@semihalf.com> In-Reply-To: <20210614094308.2314345-1-gjb@semihalf.com> References: <20210614094308.2314345-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1623663831; bh=APWBV6k0sF/4s+dyAhGhKla3rLTWP/LiY2f6JtHgh9k=; h=Cc:Date:From:Reply-To:Subject:To; b=xKMtjhjVcFdJ6KZdxd1isf0w9Mqd9aD6SVlRW7WWzIJ5jBgVHiIFvb0CMSceMLk2oYu pW1JBNdnUqG1/fyOhW81FYcWbvEdiTDwNi92fo1pHpBILXII+PU06GLtLDMmqvtTFa1YF WaKHNbhh2xhdP9ly5I0reSi+dyRiK5r2+l4= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This commits add library, which consist functions related creation/removal Secure Boot variables. Some of the functions was moved from SecureBootConfigImpl.c file. Signed-off-by: Grzegorz Bernacki --- SecurityPkg/SecurityPkg.dsc = | 1 + SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf = | 79 ++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.= inf | 1 + SecurityPkg/Include/Library/SecureBootVariableLib.h = | 251 +++++ SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c = | 980 ++++++++++++++++++++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl= .c | 189 +--- SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni = | 16 + 7 files changed, 1329 insertions(+), 188 deletions(-) create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVar= iableLib.inf create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVar= iableLib.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVar= iableLib.uni diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index bd4b810bce..854f250625 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -70,6 +70,7 @@ RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLo= gRecordLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf =20 [LibraryClasses.ARM] # diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf new file mode 100644 index 0000000000..84367841d5 --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf @@ -0,0 +1,79 @@ +## @file +# Provides initialization of Secure Boot keys and databases. +# +# Copyright (c) 2021, ARM Ltd. All rights reserved.
+# Copyright (c) 2021, Semihalf All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SecureBootVariableLib + MODULE_UNI_FILE =3D SecureBootVariableLib.uni + FILE_GUID =3D D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D SecureBootVariableLib|DXE_DRIVER DXE_= RUNTIME_DRIVER UEFI_APPLICATION + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 +# + +[Sources] + SecureBootVariableLib.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib + DxeServicesLib + +[Guids] + ## CONSUMES ## Variable:L"SetupMode" + ## PRODUCES ## Variable:L"SetupMode" + ## CONSUMES ## Variable:L"SecureBoot" + ## PRODUCES ## Variable:L"SecureBoot" + ## PRODUCES ## Variable:L"PK" + ## PRODUCES ## Variable:L"KEK" + ## CONSUMES ## Variable:L"PKDefault" + ## CONSUMES ## Variable:L"KEKDefault" + ## CONSUMES ## Variable:L"dbDefault" + ## CONSUMES ## Variable:L"dbxDefault" + ## CONSUMES ## Variable:L"dbtDefault" + gEfiGlobalVariableGuid + + ## SOMETIMES_CONSUMES ## Variable:L"DB" + ## SOMETIMES_CONSUMES ## Variable:L"DBX" + ## SOMETIMES_CONSUMES ## Variable:L"DBT" + gEfiImageSecurityDatabaseGuid + + ## CONSUMES ## Variable:L"SecureBootEnable" + ## PRODUCES ## Variable:L"SecureBootEnable" + gEfiSecureBootEnableDisableGuid + + ## CONSUMES ## Variable:L"CustomMode" + ## PRODUCES ## Variable:L"CustomMode" + gEfiCustomModeEnableGuid + + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES + gEfiCertX509Guid ## CONSUMES + gEfiCertPkcs7Guid ## CONSUMES + + gDefaultPKFileGuid + gDefaultKEKFileGuid + gDefaultdbFileGuid + gDefaultdbxFileGuid + gDefaultdbtFileGuid + diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 573efa6379..30d9cd8025 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf @@ -54,6 +54,7 @@ DevicePathLib FileExplorerLib PeCoffLib + SecureBootVariableLib =20 [Guids] ## SOMETIMES_CONSUMES ## Variable:L"CustomMode" diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/Security= Pkg/Include/Library/SecureBootVariableLib.h new file mode 100644 index 0000000000..e010667165 --- /dev/null +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h @@ -0,0 +1,251 @@ +/** @file + Provides a function to enroll keys based on default values. + +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP
+Copyright (c) 2021, ARM Ltd. All rights reserved.
+Copyright (c) 2021, Semihalf All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __SECURE_BOOT_VARIABLE_LIB_H__ +#define __SECURE_BOOT_VARIABLE_LIB_H__ + +/** + Set the platform secure boot mode into "Custom" or "Standard" mode. + + @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE= _BOOT_MODE or + CUSTOM_SECURE_BOOT_MODE. + + @return EFI_SUCCESS The platform has switched to the spec= ial mode successfully. + @return other Fail to operate the secure boot mode. + +--*/ +EFI_STATUS +SetSecureBootMode ( + IN UINT8 SecureBootMode +); + +/** + Fetches the value of SetupMode variable. + + @param[out] SetupMode Pointer to UINT8 for SetupMode output + + @retval other Error codes from GetVariable. +--*/ +EFI_STATUS +EFIAPI +GetSetupMode ( + OUT UINT8 *SetupMode +); + +/** + Create a time based data payload by concatenating the EFI_VARIABLE_AUTHE= NTICATION_2 + descriptor with the input data. NO authentication is required in this fu= nction. + + @param[in, out] DataSize On input, the size of Data buffer in by= tes. + On output, the size of data returned in= Data + buffer in bytes. + @param[in, out] Data On input, Pointer to data buffer to be = wrapped or + pointer to NULL to wrap an empty payloa= d. + On output, Pointer to the new payload d= ate buffer allocated from pool, + it's caller's responsibility to free th= e memory when finish using it. + + @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval Others Unexpected error happens. + +--*/ +EFI_STATUS +CreateTimeBasedPayload ( + IN OUT UINTN *DataSize, + IN OUT UINT8 **Data +); + +/** + Sets the content of the 'db' variable based on 'dbDefault' variable cont= ent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollDbFromDefault ( + VOID +); + +/** + Clears the content of the 'db' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeleteDb ( + VOID +); + +/** + Sets the content of the 'dbx' variable based on 'dbxDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollDbxFromDefault ( + VOID +); + +/** + Clears the content of the 'dbx' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeleteDbx ( + VOID +); + +/** + Sets the content of the 'dbt' variable based on 'dbtDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollDbtFromDefault ( + VOID +); + +/** + Clears the content of the 'dbt' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeleteDbt ( + VOID +); + +/** + Sets the content of the 'KEK' variable based on 'KEKDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollKEKFromDefault ( + VOID +); + +/** + Clears the content of the 'KEK' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeleteKEK ( + VOID +); + +/** + Sets the content of the 'PK' variable based on 'PKDefault' variable cont= ent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollPKFromDefault ( + VOID +); + +/** + Clears the content of the 'PK' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeletePlatformKey ( + VOID +); + +/** + Initializes PKDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitPKDefault ( + IN VOID + ); + +/** + Initializes KEKDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitKEKDefault ( + IN VOID + ); + +/** + Initializes dbDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitdbDefault ( + IN VOID + ); + +/** + Initializes dbtDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitdbtDefault ( + IN VOID + ); + +/** + Initializes dbxDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitdbxDefault ( + IN VOID + ); +#endif diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c new file mode 100644 index 0000000000..f3dafeca6e --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -0,0 +1,980 @@ +/** @file + This library provides functions to set/clear Secure Boot + keys and databases. + +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP
+Copyright (c) 2021, ARM Ltd. All rights reserved.
+Copyright (c) 2021, Semihalf All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "Library/DxeServicesLib.h" + +/** Creates EFI Signature List structure. + + @param[in] Data A pointer to signature data. + @param[in] Size Size of signature data. + @param[out] SigList Created Signature List. + + @retval EFI_SUCCESS Signature List was created successfully. + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. +--*/ +STATIC +EFI_STATUS +CreateSigList ( + IN VOID *Data, + IN UINTN Size, + OUT EFI_SIGNATURE_LIST **SigList + ) +{ + UINTN SigListSize; + EFI_SIGNATURE_LIST *TmpSigList; + EFI_SIGNATURE_DATA *SigData; + + // + // Allocate data for Signature Database + // + SigListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA= ) - 1 + Size; + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize); + if (TmpSigList =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Only gEfiCertX509Guid type is supported + // + TmpSigList->SignatureListSize =3D (UINT32)SigListSize; + TmpSigList->SignatureSize =3D (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 = + Size); + TmpSigList->SignatureHeaderSize =3D 0; + CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid); + + // + // Copy key data + // + SigData =3D (EFI_SIGNATURE_DATA *) (TmpSigList + 1); + CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid); + CopyMem (&SigData->SignatureData[0], Data, Size); + + *SigList =3D TmpSigList; + + return EFI_SUCCESS; +} + +/** Adds new signature list to signature database. + + @param[in] SigLists A pointer to signature database. + @param[in] SiglListAppend A signature list to be added. + @param[out] *SigListOut Created signature database. + @param[out] SigListsSize A size of created signature database. + + @retval EFI_SUCCESS Signature List was added successfully. + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. +--*/ +STATIC +EFI_STATUS +ConcatenateSigList ( + IN EFI_SIGNATURE_LIST *SigLists, + IN EFI_SIGNATURE_LIST *SigListAppend, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN OUT UINTN *SigListsSize +) +{ + EFI_SIGNATURE_LIST *TmpSigList; + UINT8 *Offset; + UINTN NewSigListsSize; + + NewSigListsSize =3D *SigListsSize + SigListAppend->SignatureListSize; + + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize); + if (TmpSigList =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + CopyMem (TmpSigList, SigLists, *SigListsSize); + + Offset =3D (UINT8 *)TmpSigList; + Offset +=3D *SigListsSize; + CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize= ); + + *SigListsSize =3D NewSigListsSize; + *SigListOut =3D TmpSigList; + return EFI_SUCCESS; +} + +/** + Create a EFI Signature List with data fetched from section specified as = a argument. + Found keys are verified using RsaGetPublicKeyFromX509(). + + @param[in] KeyFileGuid A pointer to to the FFS filename GUID + @param[out] SigListsSize A pointer to size of signature list + @param[out] SigListsOut a pointer to a callee-allocated buffer = with signature lists + + @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_NOT_FOUND Section with key has not been found. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval Others Unexpected error happens. + +--*/ +STATIC +EFI_STATUS +SecureBootFetchData ( + IN EFI_GUID *KeyFileGuid, + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut +) +{ + EFI_SIGNATURE_LIST *EfiSig; + EFI_SIGNATURE_LIST *TmpEfiSig; + EFI_SIGNATURE_LIST *TmpEfiSig2; + EFI_STATUS Status; + VOID *Buffer; + VOID *RsaPubKey; + UINTN Size; + UINTN KeyIndex; + + + KeyIndex =3D 0; + EfiSig =3D NULL; + *SigListsSize =3D 0; + while (1) { + Status =3D GetSectionFromAnyFv ( + KeyFileGuid, + EFI_SECTION_RAW, + KeyIndex, + &Buffer, + &Size + ); + + if (Status =3D=3D EFI_SUCCESS) { + RsaPubKey =3D NULL; + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FALSE)= { + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__,= KeyIndex)); + if (EfiSig !=3D NULL) { + FreePool(EfiSig); + } + FreePool(Buffer); + return EFI_INVALID_PARAMETER; + } + + Status =3D CreateSigList (Buffer, Size, &TmpEfiSig); + + // + // Concatenate lists if more than one section found + // + if (KeyIndex =3D=3D 0) { + EfiSig =3D TmpEfiSig; + *SigListsSize =3D TmpEfiSig->SignatureListSize; + } else { + ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize); + FreePool (EfiSig); + FreePool (TmpEfiSig); + EfiSig =3D TmpEfiSig2; + } + + KeyIndex++; + FreePool (Buffer); + } if (Status =3D=3D EFI_NOT_FOUND) { + break; + } + }; + + if (KeyIndex =3D=3D 0) { + return EFI_NOT_FOUND; + } + + *SigListOut =3D EfiSig; + + return EFI_SUCCESS; +} + +/** + Create a time based data payload by concatenating the EFI_VARIABLE_AUTHE= NTICATION_2 + descriptor with the input data. NO authentication is required in this fu= nction. + + @param[in, out] DataSize On input, the size of Data buffer in by= tes. + On output, the size of data returned in= Data + buffer in bytes. + @param[in, out] Data On input, Pointer to data buffer to be = wrapped or + pointer to NULL to wrap an empty payloa= d. + On output, Pointer to the new payload d= ate buffer allocated from pool, + it's caller's responsibility to free th= e memory when finish using it. + + @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval Others Unexpected error happens. + +--*/ +EFI_STATUS +CreateTimeBasedPayload ( + IN OUT UINTN *DataSize, + IN OUT UINT8 **Data + ) +{ + EFI_STATUS Status; + UINT8 *NewData; + UINT8 *Payload; + UINTN PayloadSize; + EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; + UINTN DescriptorSize; + EFI_TIME Time; + + if (Data =3D=3D NULL || DataSize =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + // + // In Setup mode or Custom mode, the variable does not need to be signed= but the + // parameters to the SetVariable() call still need to be prepared as aut= henticated + // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor withou= t certificate + // data in it. + // + Payload =3D *Data; + PayloadSize =3D *DataSize; + + DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo= ) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); + NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); + if (NewData =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { + CopyMem (NewData + DescriptorSize, Payload, PayloadSize); + } + + DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); + + ZeroMem (&Time, sizeof (EFI_TIME)); + Status =3D gRT->GetTime (&Time, NULL); + if (EFI_ERROR (Status)) { + FreePool(NewData); + return Status; + } + Time.Pad1 =3D 0; + Time.Nanosecond =3D 0; + Time.TimeZone =3D 0; + Time.Daylight =3D 0; + Time.Pad2 =3D 0; + CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); + + DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERTIFI= CATE_UEFI_GUID, CertData); + DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; + DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT_TYPE_EFI_GUID; + CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); + + if (Payload !=3D NULL) { + FreePool(Payload); + } + + *DataSize =3D DescriptorSize + PayloadSize; + *Data =3D NewData; + return EFI_SUCCESS; +} + +/** + Internal helper function to delete a Variable given its name and GUID, N= O authentication + required. + + @param[in] VariableName Name of the Variable. + @param[in] VendorGuid GUID of the Variable. + + @retval EFI_SUCCESS Variable deleted successfully. + @retval Others The driver failed to start the device. + +--*/ +EFI_STATUS +DeleteVariable ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid + ) +{ + EFI_STATUS Status; + VOID* Variable; + UINT8 *Data; + UINTN DataSize; + UINT32 Attr; + + GetVariable2 (VariableName, VendorGuid, &Variable, NULL); + if (Variable =3D=3D NULL) { + return EFI_SUCCESS; + } + FreePool (Variable); + + Data =3D NULL; + DataSize =3D 0; + Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | E= FI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; + + Status =3D CreateTimeBasedPayload (&DataSize, &Data); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); + return Status; + } + + Status =3D gRT->SetVariable ( + VariableName, + VendorGuid, + Attr, + DataSize, + Data + ); + if (Data !=3D NULL) { + FreePool (Data); + } + return Status; +} + +/** + + Set the platform secure boot mode into "Custom" or "Standard" mode. + + @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE= _BOOT_MODE or + CUSTOM_SECURE_BOOT_MODE. + + @return EFI_SUCCESS The platform has switched to the spec= ial mode successfully. + @return other Fail to operate the secure boot mode. + +--*/ +EFI_STATUS +SetSecureBootMode ( + IN UINT8 SecureBootMode + ) +{ + return gRT->SetVariable ( + EFI_CUSTOM_MODE_NAME, + &gEfiCustomModeEnableGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCES= S, + sizeof (UINT8), + &SecureBootMode + ); +} + + +/** + Enroll a key/certificate based on a default variable. + + @param[in] VariableName The name of the key/database. + @param[in] DefaultName The name of the default variable. + @param[in] VendorGuid The namespace (ie. vendor GUID) of the va= riable + + + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHeader. + @retval EFI_SUCCESS Successful enrollment. + @return Error codes from GetTime () and SetVariab= le (). +--*/ +STATIC +EFI_STATUS +EnrollFromDefault ( + IN CHAR16 *VariableName, + IN CHAR16 *DefaultName, + IN EFI_GUID *VendorGuid + ) +{ + VOID *Data; + UINTN DataSize; + EFI_STATUS Status; + + Status =3D EFI_SUCCESS; + + DataSize =3D 0; + Status =3D GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &D= ataSize); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName,= Status)); + return Status; + } + + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); + return Status; + } + + // + // Allocate memory for auth variable + // + Status =3D gRT->SetVariable ( + VariableName, + VendorGuid, + (EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), + DataSize, + Data + ); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, Var= iableName, + VendorGuid, Status)); + } + + if (Data !=3D NULL) { + FreePool (Data); + } + + return Status; +} + +/** Initializes PKDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitPKDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariab= leGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_PK_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARI= ABLE_NAME)); + + Status =3D SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &Efi= Sig); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIA= BLE_NAME)); + return Status; + } + + Status =3D gRT->SetVariable ( + EFI_PK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_A= CCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME= )); + } + + FreePool (EfiSig); + + return Status; +} + +/** Initializes KEKDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitKEKDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVaria= bleGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_KEK_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VAR= IABLE_NAME)); + + Status =3D SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &Ef= iSig); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARI= ABLE_NAME)); + return Status; + } + + + Status =3D gRT->SetVariable ( + EFI_KEK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_A= CCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAM= E)); + } + + FreePool (EfiSig); + + return Status; +} + +/** Initializes dbDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitdbDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariab= leGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_DB_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARI= ABLE_NAME)); + + Status =3D SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &Efi= Sig); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D gRT->SetVariable ( + EFI_DB_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_A= CCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NA= ME)); + } + + FreePool (EfiSig); + + return Status; +} + +/** Initializes dbxDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitdbxDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVaria= bleGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_DBX_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VAR= IABLE_NAME)); + + Status =3D SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &Ef= iSig); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARI= ABLE_NAME)); + return Status; + } + + Status =3D gRT->SetVariable ( + EFI_DBX_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_A= CCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAM= E)); + } + + FreePool (EfiSig); + + return Status; +} + +/** Initializes dbtDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitdbtDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVaria= bleGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_DBT_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VAR= IABLE_NAME)); + + Status =3D SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &Ef= iSig); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D gRT->SetVariable ( + EFI_DBT_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_A= CCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAM= E)); + } + + FreePool (EfiSig); + + return EFI_SUCCESS; +} + +/** + Fetches the value of SetupMode variable. + + @param[out] SetupMode Pointer to UINT8 for SetupMode output + + @retval other Retval from GetVariable. +--*/ +EFI_STATUS +EFIAPI +GetSetupMode ( + OUT UINT8 *SetupMode +) +{ + UINTN Size; + EFI_STATUS Status; + + Size =3D sizeof (*SetupMode); + Status =3D gRT->GetVariable ( + EFI_SETUP_MODE_NAME, + &gEfiGlobalVariableGuid, + NULL, + &Size, + SetupMode + ); + if (EFI_ERROR (Status)) { + return Status; + } + + return EFI_SUCCESS; +} + +/** + Sets the content of the 'db' variable based on 'dbDefault' variable cont= ent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +--*/ +EFI_STATUS +EFIAPI +EnrollDbFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_IMAGE_SECURITY_DATABASE, + EFI_DB_DEFAULT_VARIABLE_NAME, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Clears the content of the 'db' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +--*/ +EFI_STATUS +EFIAPI +DeleteDb ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D DeleteVariable ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Sets the content of the 'dbx' variable based on 'dbxDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +--*/ +EFI_STATUS +EFIAPI +EnrollDbxFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_IMAGE_SECURITY_DATABASE1, + EFI_DBX_DEFAULT_VARIABLE_NAME, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Clears the content of the 'dbx' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +--*/ +EFI_STATUS +EFIAPI +DeleteDbx ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D DeleteVariable ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Sets the content of the 'dbt' variable based on 'dbtDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +--*/ +EFI_STATUS +EFIAPI +EnrollDbtFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_IMAGE_SECURITY_DATABASE2, + EFI_DBT_DEFAULT_VARIABLE_NAME, + &gEfiImageSecurityDatabaseGuid); + + return Status; +} + +/** + Clears the content of the 'dbt' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +--*/ +EFI_STATUS +EFIAPI +DeleteDbt ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D DeleteVariable ( + EFI_IMAGE_SECURITY_DATABASE2, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Sets the content of the 'KEK' variable based on 'KEKDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +--*/ +EFI_STATUS +EFIAPI +EnrollKEKFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_KEY_EXCHANGE_KEY_NAME, + EFI_KEK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid + ); + + return Status; +} + +/** + Clears the content of the 'KEK' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +--*/ +EFI_STATUS +EFIAPI +DeleteKEK ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D DeleteVariable ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid + ); + + return Status; +} + +/** + Sets the content of the 'KEK' variable based on 'KEKDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +--*/ +EFI_STATUS +EFIAPI +EnrollPKFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_PLATFORM_KEY_NAME, + EFI_PK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid + ); + + return Status; +} + +/** + Remove the PK variable. + + @retval EFI_SUCCESS Delete PK successfully. + @retval Others Could not allow to delete PK. + +--*/ +EFI_STATUS +EFIAPI +DeletePlatformKey ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D DeleteVariable ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid + ); + return Status; +} diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index e82bfe7757..67e5e594ed 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 #include "SecureBootConfigImpl.h" #include +#include =20 CHAR16 mSecureBootStorageName[] =3D L"SECUREBOOT_CONFIGURATIO= N"; =20 @@ -237,168 +238,6 @@ SaveSecureBootVariable ( return Status; } =20 -/** - Create a time based data payload by concatenating the EFI_VARIABLE_AUTHE= NTICATION_2 - descriptor with the input data. NO authentication is required in this fu= nction. - - @param[in, out] DataSize On input, the size of Data buffer in by= tes. - On output, the size of data returned in= Data - buffer in bytes. - @param[in, out] Data On input, Pointer to data buffer to be = wrapped or - pointer to NULL to wrap an empty payloa= d. - On output, Pointer to the new payload d= ate buffer allocated from pool, - it's caller's responsibility to free th= e memory when finish using it. - - @retval EFI_SUCCESS Create time based payload successfully. - @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval Others Unexpected error happens. - -**/ -EFI_STATUS -CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data - ) -{ - EFI_STATUS Status; - UINT8 *NewData; - UINT8 *Payload; - UINTN PayloadSize; - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; - UINTN DescriptorSize; - EFI_TIME Time; - - if (Data =3D=3D NULL || DataSize =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - // - // In Setup mode or Custom mode, the variable does not need to be signed= but the - // parameters to the SetVariable() call still need to be prepared as aut= henticated - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor withou= t certificate - // data in it. - // - Payload =3D *Data; - PayloadSize =3D *DataSize; - - DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo= ) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); - if (NewData =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { - CopyMem (NewData + DescriptorSize, Payload, PayloadSize); - } - - DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); - - ZeroMem (&Time, sizeof (EFI_TIME)); - Status =3D gRT->GetTime (&Time, NULL); - if (EFI_ERROR (Status)) { - FreePool(NewData); - return Status; - } - Time.Pad1 =3D 0; - Time.Nanosecond =3D 0; - Time.TimeZone =3D 0; - Time.Daylight =3D 0; - Time.Pad2 =3D 0; - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); - - DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERTIFI= CATE_UEFI_GUID, CertData); - DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; - DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT_TYPE_EFI_GUID; - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); - - if (Payload !=3D NULL) { - FreePool(Payload); - } - - *DataSize =3D DescriptorSize + PayloadSize; - *Data =3D NewData; - return EFI_SUCCESS; -} - -/** - Internal helper function to delete a Variable given its name and GUID, N= O authentication - required. - - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Variable deleted successfully. - @retval Others The driver failed to start the device. - -**/ -EFI_STATUS -DeleteVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - VOID* Variable; - UINT8 *Data; - UINTN DataSize; - UINT32 Attr; - - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); - if (Variable =3D=3D NULL) { - return EFI_SUCCESS; - } - FreePool (Variable); - - Data =3D NULL; - DataSize =3D 0; - Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | E= FI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - - Status =3D CreateTimeBasedPayload (&DataSize, &Data); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); - return Status; - } - - Status =3D gRT->SetVariable ( - VariableName, - VendorGuid, - Attr, - DataSize, - Data - ); - if (Data !=3D NULL) { - FreePool (Data); - } - return Status; -} - -/** - - Set the platform secure boot mode into "Custom" or "Standard" mode. - - @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE= _BOOT_MODE or - CUSTOM_SECURE_BOOT_MODE. - - @return EFI_SUCCESS The platform has switched to the spec= ial mode successfully. - @return other Fail to operate the secure boot mode. - -**/ -EFI_STATUS -SetSecureBootMode ( - IN UINT8 SecureBootMode - ) -{ - return gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCES= S, - sizeof (UINT8), - &SecureBootMode - ); -} - /** This code checks if the encode type and key strength of X.509 certificate is qualified. @@ -646,32 +485,6 @@ ON_EXIT: return Status; } =20 -/** - Remove the PK variable. - - @retval EFI_SUCCESS Delete PK successfully. - @retval Others Could not allow to delete PK. - -**/ -EFI_STATUS -DeletePlatformKey ( - VOID -) -{ - EFI_STATUS Status; - - Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); - if (EFI_ERROR (Status)) { - return Status; - } - - Status =3D DeleteVariable ( - EFI_PLATFORM_KEY_NAME, - &gEfiGlobalVariableGuid - ); - return Status; -} - /** Enroll a new KEK item from public key storing file (*.pbk). =20 diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.uni b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni new file mode 100644 index 0000000000..2c51e4db53 --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni @@ -0,0 +1,16 @@ +// /** @file +// +// Provides initialization of Secure Boot keys and databases. +// +// Copyright (c) 2021, ARM Ltd. All rights reserved.
+// Copyright (c) 2021, Semihalf All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides function= to initialize PK, KEK and databases based on default variables." + +#string STR_MODULE_DESCRIPTION #language en-US "Provides function= to initialize PK, KEK and databases based on default variables." + --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76455): https://edk2.groups.io/g/devel/message/76455 Mute This Topic: https://groups.io/mt/83526314/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 12:29:25 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+76456+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76456+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1623663823; cv=none; d=zohomail.com; s=zohoarc; b=MmMC8bGihajABRWjQ6E3NIyAUOL+HEFZcvnjUj/8ZWU/6d6jrI0ld3uoD8+RGiwIdCrCOr9FXX+tlsY+1zYKFWigxZXSb34+xeoyiyVRawS6nCRNfJBa3nTb1AY+A3pz1Bro5FzywRWLDmrJWHB18HieF2R+p62TERpnHd1pqAE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623663823; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=Kmt43VUTLxRUK2IS/R6D70tbG+QgC2lEbAI69fMb9zg=; b=O29+vLWkVNYVX2qARl3RpqzOiUShTcyyv02yN1TEABn8f+T/AshlvyuXbvdbbfyWIPi1IujRz6UgyuwKNKbuZN4uodjeNFCnjRScrICdPPT6ToJ7T3i65AUw0zZLfIdBioUSRKQvFiNLNuP2F+kdz50SXd/bliAkcbaIM8XwPpQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76456+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1623663823337708.271791308318; Mon, 14 Jun 2021 02:43:43 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id WeRhYY1788612xpMkSLxf72K; Mon, 14 Jun 2021 02:43:42 -0700 X-Received: from mail-lj1-f172.google.com (mail-lj1-f172.google.com [209.85.208.172]) by mx.groups.io with SMTP id smtpd.web08.27552.1623663821925089576 for ; Mon, 14 Jun 2021 02:43:42 -0700 X-Received: by mail-lj1-f172.google.com with SMTP id z22so19247312ljh.8 for ; Mon, 14 Jun 2021 02:43:41 -0700 (PDT) X-Gm-Message-State: Z19J3LF5oO0rSrTKigGPlN61x1787277AA= X-Google-Smtp-Source: ABdhPJyO9H2KByipNfvg7W7ckqnnoVENM/+wgKFCta/RK1w74i/g1fwkUEyuOWCK07N/H6QHgyT0QA== X-Received: by 2002:a2e:9104:: with SMTP id m4mr9242366ljg.234.1623663819951; Mon, 14 Jun 2021 02:43:39 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id c32sm367777lfv.30.2021.06.14.02.43.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Jun 2021 02:43:39 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang Subject: [edk2-devel] [edk2-platforms PATCH v3 2/2] Platform/RaspberryPi: Enable default Secure Boot variables initialization Date: Mon, 14 Jun 2021 11:43:01 +0200 Message-Id: <20210614094308.2314345-4-gjb@semihalf.com> In-Reply-To: <20210614094308.2314345-1-gjb@semihalf.com> References: <20210614094308.2314345-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1623663822; bh=0FoOaLsPXdDyFxLLNYN2hI2msgQlZHrZfTNrxzoqV1s=; h=Cc:Date:From:Reply-To:Subject:To; b=FHTmTVjAolZ3gYnQv+4VYjj9PtIcf3YikXFIAB0K025eUzuT/4edWgm2L4Rublm3X8O w637Uen2XmjHYrwKs1NgIjHNyb+cii/ds+fr3Jr8mqdVaFlJeYtGMneg3bNXKJVW3ANl6 mDBC/YZ0SPOkBvcFaPQKQOoZ2YDkqtq0Lxw= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This commit allows to initialize Secure Boot default key and databases from data embedded in firmware binary. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang Reviewed-by: Pete Batard Tested-by: Pete Batard on Raspberry Pi 4 --- Platform/RaspberryPi/RPi4/RPi4.dsc | 3 +++ Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++ 2 files changed, 5 insertions(+) diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4= /RPi4.dsc index dfcf58dd38..e5458da1b1 100644 --- a/Platform/RaspberryPi/RPi4/RPi4.dsc +++ b/Platform/RaspberryPi/RPi4/RPi4.dsc @@ -218,6 +218,7 @@ MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAll= ocationLib.inf HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf + ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf =20 [LibraryClasses.common.UEFI_DRIVER] @@ -613,6 +614,8 @@ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificatio= nLib.inf } SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDx= e.inf + SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf + SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDef= aultKeysDxe.inf !else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf !endif diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf b/Platform/RaspberryPi/RPi4= /RPi4.fdf index 1e13909a57..0e43d24c7a 100644 --- a/Platform/RaspberryPi/RPi4/RPi4.fdf +++ b/Platform/RaspberryPi/RPi4/RPi4.fdf @@ -189,7 +189,9 @@ READ_LOCK_STATUS =3D TRUE INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.i= nf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE +!include SecurityPkg/SecureBootDefaultKeys.fdf.inc INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoo= tDefaultKeysDxe.inf !endif INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRu= ntimeDxe.inf INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76456): https://edk2.groups.io/g/devel/message/76456 Mute This Topic: https://groups.io/mt/83526315/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 12:29:25 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+76457+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76457+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1623663825; cv=none; d=zohomail.com; s=zohoarc; b=UZUBsOaN3UrXeDRHKeZA2cCCxo/+0XP/+YqO8otmhZB6gGwbkjRnLQPqmE0szIyAuzyB5P/OT1vA8nGDv6rYxnWhpZyGrWfNUF1FnCPEbJaQh6efNyY0gh9ExiCJ2pbo/rE5E8fWmm52jfI4N+f9zrA0f529CIO8NNYiJQe/NgI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623663825; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=TqCqRNn+ljIUUi5D4WVEyatKBQJQOyPBG1pAbIfifRg=; b=QTmm4UHAlh1yKyP9eohOWJgDYYSboyrjN9sozrskV/977jkUtKigTg1CEKQXqWRGituV7tQl2gIcJzcjyzfjYcQa1VSVD1pmJMU9tP8xAnIpJOl/LSzzedIXFz0/1EWDaU0yEDwl+rTBatxA6ywZKpJPoXwTb3S325tAb8RoxOk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76457+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1623663825417471.2457136747006; Mon, 14 Jun 2021 02:43:45 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id metUYY1788612x7Emvkfa4Xb; Mon, 14 Jun 2021 02:43:45 -0700 X-Received: from mail-lj1-f181.google.com (mail-lj1-f181.google.com [209.85.208.181]) by mx.groups.io with SMTP id smtpd.web09.27759.1623663823533824870 for ; Mon, 14 Jun 2021 02:43:43 -0700 X-Received: by mail-lj1-f181.google.com with SMTP id s22so19297135ljg.5 for ; Mon, 14 Jun 2021 02:43:43 -0700 (PDT) X-Gm-Message-State: upj9DdcNuO5cJbco8re0rKfSx1787277AA= X-Google-Smtp-Source: ABdhPJwn45DjFxX+zkwzGuyiTJ1AzPANV9Brj1bvPbo30w8CxQm9UODYrTOlkj5jUmWSeZtn17pKWw== X-Received: by 2002:a2e:a4b2:: with SMTP id g18mr10741901ljm.113.1623663821352; Mon, 14 Jun 2021 02:43:41 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id c32sm367777lfv.30.2021.06.14.02.43.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Jun 2021 02:43:41 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki Subject: [edk2-devel] [PATCH v3 2/8] Platforms: add SecureBootVariableLib class resolution Date: Mon, 14 Jun 2021 11:43:02 +0200 Message-Id: <20210614094308.2314345-5-gjb@semihalf.com> In-Reply-To: <20210614094308.2314345-1-gjb@semihalf.com> References: <20210614094308.2314345-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1623663825; bh=dRBbUN9oQiTj9keG4dk8/I7m817CiPjSW+l4w53krK4=; h=Cc:Date:From:Reply-To:Subject:To; b=r2YSP3Y0ITxEHzKx0uX3S6uTrM5+yzen0V2u58FXg2P3V9MQfNKKMnbwxDFAKwxjq0z DmbVFDF4Pt6KdsFFvW1VVeu3pNrEhTyVtpVrAHyiDadE5ejYD7nlPntmt9efpjOfmAIxn 2ICIJyvKk5T5OxUXwd/UPKbH5gyZhiqC1go= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" Update platform files to add SecureBootVariableLib for each platform which uses SecureBootConfigDxe. Signed-off-by: Grzegorz Bernacki --- ArmVirtPkg/ArmVirtQemu.dsc | 3 +++ ArmVirtPkg/ArmVirtQemuKernel.dsc | 3 +++ EmulatorPkg/EmulatorPkg.dsc | 1 + OvmfPkg/Bhyve/BhyveX64.dsc | 1 + OvmfPkg/OvmfPkgIa32.dsc | 1 + OvmfPkg/OvmfPkgIa32X64.dsc | 1 + OvmfPkg/OvmfPkgX64.dsc | 1 + 7 files changed, 11 insertions(+) diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index 7ef5e7297b..c9cb0ff4ae 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -82,6 +82,9 @@ PciHostBridgeLib|ArmVirtPkg/Library/FdtPciHostBridgeLib/FdtPciHostBridge= Lib.inf PciHostBridgeUtilityLib|OvmfPkg/Library/PciHostBridgeUtilityLib/PciHostB= ridgeUtilityLib.inf =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf +!endif !if $(TPM2_ENABLE) =3D=3D TRUE Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeT= cg2PhysicalPresenceLib.inf diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKerne= l.dsc index a542fcb157..97b36e895e 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc @@ -81,6 +81,9 @@ PciHostBridgeUtilityLib|OvmfPkg/Library/PciHostBridgeUtilityLib/PciHostB= ridgeUtilityLib.inf TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf =20 +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf +!endif [LibraryClasses.common.DXE_DRIVER] ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeRepor= tStatusCodeLib.inf =20 diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 20e5468398..966cc7af01 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -132,6 +132,7 @@ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index d8792812ab..f9c8131309 100644 --- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -198,6 +198,7 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecure= Lib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index f53efeae79..9225966541 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -204,6 +204,7 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index b3662e17f2..5d53327edb 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -208,6 +208,7 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 0a237a9058..509acf7926 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -208,6 +208,7 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76457): https://edk2.groups.io/g/devel/message/76457 Mute This Topic: https://groups.io/mt/83526316/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 12:29:25 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+76458+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76458+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1623663831; cv=none; d=zohomail.com; s=zohoarc; b=Ymeh1UBRjcPL6aRqjMHmjNlRUeAObAjTpOHxdkYCLc/hPVTP5ZiRBIG1B5I1a8yUe/GzmLVWW2ROIDK7j08FnW1Lu9LmBjLW2cZ4iQwhfsHNJtXMJFr1z+i0Zp5xdWZpK+hZw3Z3ccd7ElrqK8DvV5GAuxKfoSFYz1RwrqYvH2E= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623663831; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=VO+uBTP0okSMwlHI+3LYv35mwgy/FDYVLc1+ST5UpUY=; b=fquUH4HGJYR5ge20qGrPjhF6OYUu1ITlTSRyaR5YpmPjNhlqndTBvPAo+z+6P7tnY3qOIIWtHGprIOP2FsMPMKM+CYtpRxDQXDdt4FPHionm3MIlcYFejnHr34U7mTfAccY1TKs9G0UgnxIFLyol4eyWQD+3Nw6RsEDBJKNVWz4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76458+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1623663831358223.18503462150875; Mon, 14 Jun 2021 02:43:51 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id aKSpYY1788612xSno8fVzsix; Mon, 14 Jun 2021 02:43:45 -0700 X-Received: from mail-lj1-f175.google.com (mail-lj1-f175.google.com [209.85.208.175]) by mx.groups.io with SMTP id smtpd.web11.27821.1623663824687978470 for ; Mon, 14 Jun 2021 02:43:45 -0700 X-Received: by mail-lj1-f175.google.com with SMTP id bn21so19313350ljb.1 for ; Mon, 14 Jun 2021 02:43:44 -0700 (PDT) X-Gm-Message-State: JlXuiUIirm0wmnL8pcqnUkHex1787277AA= X-Google-Smtp-Source: ABdhPJzdFns0HvZBP/K0bJGj16pdP70DhDHLZ7VRrHOrPWFF4vhg+qJacilzYJTHgtwjjAqA/KW15Q== X-Received: by 2002:a2e:9251:: with SMTP id v17mr13341104ljg.193.1623663822675; Mon, 14 Jun 2021 02:43:42 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id c32sm367777lfv.30.2021.06.14.02.43.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Jun 2021 02:43:42 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki Subject: [edk2-devel] [PATCH v3 3/8] SecurityPkg: Create include file for default key content. Date: Mon, 14 Jun 2021 11:43:03 +0200 Message-Id: <20210614094308.2314345-6-gjb@semihalf.com> In-Reply-To: <20210614094308.2314345-1-gjb@semihalf.com> References: <20210614094308.2314345-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1623663825; bh=rdytcrB4dqYg4697a+rFN5yro/hYnJ4It2vmH/2T+Kw=; h=Cc:Date:From:Reply-To:Subject:To; b=A3ib1vfjY+s+rU8HSowUsAQG9usWZMbCslXc2aVF/poaKH0nN7X1ECUQX0sjEESbsm9 UJdAjyfUBLC7mhYJsQh1hNfqWvHr/N1uhn8nRhkW5OG6EaPxnAFPxrT6JyUAVc9i0kQGs u2ya3r8JSsWd5vzmh32LQG4yyNPu4FaOMWw= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This commits add file which can be included by platform Flash Description File. It allows to specify certificate files, which will be embedded into binary file. The content of these files can be used to initialize Secure Boot default keys and databases. Signed-off-by: Grzegorz Bernacki --- SecurityPkg/SecureBootDefaultKeys.fdf.inc | 70 ++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc diff --git a/SecurityPkg/SecureBootDefaultKeys.fdf.inc b/SecurityPkg/Secure= BootDefaultKeys.fdf.inc new file mode 100644 index 0000000000..bf4f2d42de --- /dev/null +++ b/SecurityPkg/SecureBootDefaultKeys.fdf.inc @@ -0,0 +1,70 @@ +## @file +# FDF include file which allows to embed Secure Boot keys +# +# Copyright (c) 2021, ARM Limited. All rights reserved. +# Copyright (c) 2021, Semihalf. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# + +!if $(DEFAULT_KEYS) =3D=3D TRUE + FILE FREEFORM =3D 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 { + !ifdef $(PK_DEFAULT_FILE) + SECTION RAW =3D $(PK_DEFAULT_FILE) + !endif + SECTION UI =3D "PK Default" + } + + FILE FREEFORM =3D 6f64916e-9f7a-4c35-b952-cd041efb05a3 { + !ifdef $(KEK_DEFAULT_FILE1) + SECTION RAW =3D $(KEK_DEFAULT_FILE1) + !endif + !ifdef $(KEK_DEFAULT_FILE2) + SECTION RAW =3D $(KEK_DEFAULT_FILE2) + !endif + !ifdef $(KEK_DEFAULT_FILE3) + SECTION RAW =3D $(KEK_DEFAULT_FILE3) + !endif + SECTION UI =3D "KEK Default" + } + + FILE FREEFORM =3D c491d352-7623-4843-accc-2791a7574421 { + !ifdef $(DB_DEFAULT_FILE1) + SECTION RAW =3D $(DB_DEFAULT_FILE1) + !endif + !ifdef $(DB_DEFAULT_FILE2) + SECTION RAW =3D $(DB_DEFAULT_FILE2) + !endif + !ifdef $(DB_DEFAULT_FILE3) + SECTION RAW =3D $(DB_DEFAULT_FILE3) + !endif + SECTION UI =3D "DB Default" + } + + FILE FREEFORM =3D 36c513ee-a338-4976-a0fb-6ddba3dafe87 { + !ifdef $(DBT_DEFAULT_FILE1) + SECTION RAW =3D $(DBT_DEFAULT_FILE1) + !endif + !ifdef $(DBT_DEFAULT_FILE2) + SECTION RAW =3D $(DBT_DEFAULT_FILE2) + !endif + !ifdef $(DBT_DEFAULT_FILE3) + SECTION RAW =3D $(DBT_DEFAULT_FILE3) + !endif + SECTION UI =3D "DBT Default" + } + + FILE FREEFORM =3D 5740766a-718e-4dc0-9935-c36f7d3f884f { + !ifdef $(DBX_DEFAULT_FILE1) + SECTION RAW =3D $(DBX_DEFAULT_FILE1) + !endif + !ifdef $(DBX_DEFAULT_FILE2) + SECTION RAW =3D $(DBX_DEFAULT_FILE2) + !endif + !ifdef $(DBX_DEFAULT_FILE3) + SECTION RAW =3D $(DBX_DEFAULT_FILE3) + !endif + SECTION UI =3D "DBX Default" + } + +!endif --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76458): https://edk2.groups.io/g/devel/message/76458 Mute This Topic: https://groups.io/mt/83526317/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 12:29:25 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+76459+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76459+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1623663836; cv=none; d=zohomail.com; s=zohoarc; b=gIFezsgek0bkDx4JxWUTCKa++JGFxQ9J9n3UGyX6/pUZ1LVuSkEW5aR7LoRU5nCOj+e9Wv8vfC72fDL5pPmWFtZgGtTuqqed/gd6+pTCaSidAsoB07p/7JqeT7FrYQ6q50uv7oP5M1URM917JdXjjdUg5jrha+iY0knhD8jSMh4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623663836; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=cNfxSeLYcC01Llh1WdUKN9VrKU8PVSuq1oXTcJk8SGQ=; b=C6jBlIMlr5hxuJxqUxCqxaAzT0UzE3lfA3E31dgxN7HXDaCnI9BUmzyWDqHbMm8IJO4KMvD2bMcbPJfRKXQWArHbDnVTeF7yZTQURyKIsLnPXv2/M8khlU9dLhU98LlMug8wPbK3aGYvG7ANdOx71FSkWDr3o6Dq+7BzZ1VwYwU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76459+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 162366383691630.069781036634026; Mon, 14 Jun 2021 02:43:56 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id nMWEYY1788612xsMhEugORFt; Mon, 14 Jun 2021 02:43:56 -0700 X-Received: from mail-lf1-f46.google.com (mail-lf1-f46.google.com [209.85.167.46]) by mx.groups.io with SMTP id smtpd.web09.27760.1623663826162659793 for ; Mon, 14 Jun 2021 02:43:46 -0700 X-Received: by mail-lf1-f46.google.com with SMTP id bp38so20158867lfb.0 for ; Mon, 14 Jun 2021 02:43:45 -0700 (PDT) X-Gm-Message-State: wIUCRYyITpClmmRleljWyON4x1787277AA= X-Google-Smtp-Source: ABdhPJwn56HuI9JH5JsUt882/zTGmh62/IXr8BNzuMNliEkfKbZqiBXYUlJ9R4YL5lQC2v7OgL5rSQ== X-Received: by 2002:ac2:5e2b:: with SMTP id o11mr11524853lfg.548.1623663824054; Mon, 14 Jun 2021 02:43:44 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id c32sm367777lfv.30.2021.06.14.02.43.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Jun 2021 02:43:43 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang Subject: [edk2-devel] [PATCH v3 4/8] SecurityPkg: Add SecureBootDefaultKeysDxe driver Date: Mon, 14 Jun 2021 11:43:04 +0200 Message-Id: <20210614094308.2314345-7-gjb@semihalf.com> In-Reply-To: <20210614094308.2314345-1-gjb@semihalf.com> References: <20210614094308.2314345-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1623663836; bh=t+p4yItUrZPnk6kqPIGIGd7FkfxqmZtJRbp6J//WKw4=; h=Cc:Date:From:Reply-To:Subject:To; b=ksnKtQCrgzB+rcJAZSQ1W5HtcrHnzhAcxY+aJj0cAAwmvKJRJaHQQykDmtBNcxUfDc2 hzOYsKn+jMdx1cNG/8CFH6uiXtctMewuZq8u9IUIlorVHwB/IvRjk6zhsZ6vsJqml5/dL t8c6uqq7hyv0yDpHrGsjHIQ+ufDFbYLqbF4= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This driver initializes default Secure Boot keys and databases based on keys embedded in flash. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang Reviewed-by: Pete Batard Tested-by: Pete Batard on Raspberry Pi --- SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefau= ltKeysDxe.inf | 45 +++++++++++++ SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefau= ltKeysDxe.c | 68 ++++++++++++++++++++ SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefau= ltKeysDxe.uni | 16 +++++ 3 files changed, 129 insertions(+) create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys= Dxe/SecureBootDefaultKeysDxe.inf create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys= Dxe/SecureBootDefaultKeysDxe.c create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys= Dxe/SecureBootDefaultKeysDxe.uni diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Sec= ureBootDefaultKeysDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootDef= aultKeysDxe/SecureBootDefaultKeysDxe.inf new file mode 100644 index 0000000000..0af7563a3b --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot= DefaultKeysDxe.inf @@ -0,0 +1,45 @@ +## @file +# Initializes Secure Boot default keys +# +# Copyright (c) 2021, ARM Ltd. All rights reserved.
+# Copyright (c) 2021, Semihalf All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SecureBootDefaultKeysDxe + FILE_GUID =3D C937FCB7-25AC-4376-89A2-4EA8B317DE83 + MODULE_TYPE =3D DXE_DRIVER + ENTRY_POINT =3D SecureBootDefaultKeysEntryPoint + +# +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 +# +[Sources] + SecureBootDefaultKeysDxe.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + MemoryAllocationLib + UefiDriverEntryPoint + DebugLib + SecureBootVariableLib + +[Guids] + ## SOMETIMES_PRODUCES ## Variable:L"PKDefault" + ## SOMETIMES_PRODUCES ## Variable:L"KEKDefault" + ## SOMETIMES_PRODUCES ## Variable:L"dbDefault" + ## SOMETIMES_PRODUCES ## Variable:L"dbtDefault" + ## SOMETIMES_PRODUCES ## Variable:L"dbxDefault" + gEfiGlobalVariableGuid + +[Depex] + gEfiVariableArchProtocolGuid AND + gEfiVariableWriteArchProtocolGuid diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Sec= ureBootDefaultKeysDxe.c b/SecurityPkg/VariableAuthenticated/SecureBootDefau= ltKeysDxe/SecureBootDefaultKeysDxe.c new file mode 100644 index 0000000000..12a18dc352 --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot= DefaultKeysDxe.c @@ -0,0 +1,68 @@ +/** @file + This driver init default Secure Boot variables + +Copyright (c) 2021, ARM Ltd. All rights reserved.
+Copyright (c) 2021, Semihalf All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** + The entry point for SecureBootDefaultKeys driver. + + @param[in] ImageHandle The image handle of the driver. + @param[in] SystemTable The system table. + + @retval EFI_ALREADY_STARTED The driver already exists in system. + @retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack o= f resources. + @retval EFI_SUCCESS All the related protocols are installed o= n the driver. + @retval Others Fail to get the SecureBootEnable variable. + +**/ +EFI_STATUS +EFIAPI +SecureBootDefaultKeysEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + + Status =3D SecureBootInitPKDefault (); + if (EFI_ERROR (Status)) { + DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __FUNCTIO= N__, Status)); + return Status; + } + + Status =3D SecureBootInitKEKDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __FUNCT= ION__, Status)); + return Status; + } + Status =3D SecureBootInitdbDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __FUNCTI= ON__, Status)); + return Status; + } + + Status =3D SecureBootInitdbtDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__)); + } + + Status =3D SecureBootInitdbxDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__)); + } + + return Status; +} diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Sec= ureBootDefaultKeysDxe.uni b/SecurityPkg/VariableAuthenticated/SecureBootDef= aultKeysDxe/SecureBootDefaultKeysDxe.uni new file mode 100644 index 0000000000..2b6cb7f950 --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot= DefaultKeysDxe.uni @@ -0,0 +1,16 @@ +// /** @file +// Provides the capability to intialize Secure Boot default variables +// +// Module which initializes Secure boot default variables. +// +// Copyright (c) 2021, ARM Ltd. All rights reserved.
+// Copyright (c) 2021, Semihalf All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Module which init= ializes Secure boot default variables" + +#string STR_MODULE_DESCRIPTION #language en-US "This module reads= embedded keys and initializes Secure Boot default variables." --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76459): https://edk2.groups.io/g/devel/message/76459 Mute This Topic: https://groups.io/mt/83526318/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 12:29:25 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+76460+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76460+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1623663841; cv=none; d=zohomail.com; s=zohoarc; b=MI+F2JGRnWekoGXFXh5n+PGZivVlNkv8zZOLcJg2oaXbADX0fSZG+uUD/Qo9J9eHnWmmm5uWJjza5gZmvRp2mWZNhVmMtw31C4pvvXmYCiqUzT3KD7PKiyz/ZWlh4AhWFTu1M5df6MqqDgVTXz0xdSPyxKBYAxQLUBSEjHOtn58= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623663841; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=X1gmbl5AWtC9ApEQGbioDFzSfy+zGceauOCxCOvFQfg=; b=aqqhqXvIi8ZhOGoyeqtu3mabLxdPRq1LHnWCM2v6BZ+QZ1hr+5c7LIVQlEBKkw14WtPoBYgAS70f9yfmmdOrfC+upuQEpxX2Zye8Y+eia2uK1Bf48ASR8fxcRfq/zUHqiUt5Cu+nPErjCQA7IYwshWukOkTrOrbUgy3houKm9dk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76460+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1623663841749369.07459030205837; Mon, 14 Jun 2021 02:44:01 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id iiLGYY1788612xtjWnveZ4QO; Mon, 14 Jun 2021 02:43:57 -0700 X-Received: from mail-lj1-f173.google.com (mail-lj1-f173.google.com [209.85.208.173]) by mx.groups.io with SMTP id smtpd.web09.27761.1623663827382990644 for ; Mon, 14 Jun 2021 02:43:47 -0700 X-Received: by mail-lj1-f173.google.com with SMTP id c11so19308187ljd.6 for ; Mon, 14 Jun 2021 02:43:47 -0700 (PDT) X-Gm-Message-State: yKkfkXgwzjxxeLsmo8PPIW75x1787277AA= X-Google-Smtp-Source: ABdhPJxB9pLP3t3r+LIMBoWkPKeugdyOnBNOvkURzEK7wUgwrklidHrKvsajykPLpUGto9MyTGuWbw== X-Received: by 2002:a2e:9948:: with SMTP id r8mr8607500ljj.421.1623663825413; Mon, 14 Jun 2021 02:43:45 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id c32sm367777lfv.30.2021.06.14.02.43.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Jun 2021 02:43:45 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki Subject: [edk2-devel] [PATCH v3 5/8] SecurityPkg: Add EnrollFromDefaultKeys application. Date: Mon, 14 Jun 2021 11:43:05 +0200 Message-Id: <20210614094308.2314345-8-gjb@semihalf.com> In-Reply-To: <20210614094308.2314345-1-gjb@semihalf.com> References: <20210614094308.2314345-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1623663837; bh=iRTUygFFTZtXVUrcI8BMclBsYLdlKIpo+AEBTBhCDfg=; h=Cc:Date:From:Reply-To:Subject:To; b=pqgKsYqqIJESSjTr0cQj9aNJWHhoIkNHaEt8j3kpBzgoqpS13NFOefDE2wIrwydi+GM FkuW6zVJfr5ewXLvdx1tOL3pXRs2sybjDgPWeruTy4wOZSqdbuA5wcOkvLzYG+pt+HmCu vMvzVa9bmI3i3HANkQFchBWFyySXxcYWGwE= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This application allows user to force key enrollment from Secure Boot default variables. Signed-off-by: Grzegorz Bernacki --- SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 ++= +++++++ SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 109 ++= ++++++++++++++++++ 2 files changed, 156 insertions(+) create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultK= eysApp.inf create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultK= eysApp.c diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.= inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf new file mode 100644 index 0000000000..4d79ca3844 --- /dev/null +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf @@ -0,0 +1,47 @@ +## @file +# Enroll PK, KEK, db, dbx from Default variables +# +# Copyright (c) 2021, ARM Ltd. All rights reserved.
+# Copyright (c) 2021, Semihalf All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +[Defines] + INF_VERSION =3D 1.28 + BASE_NAME =3D EnrollFromDefaultKeysApp + FILE_GUID =3D 6F18CB2F-1293-4BC1-ABB8-35F84C71812E + MODULE_TYPE =3D UEFI_APPLICATION + VERSION_STRING =3D 0.1 + ENTRY_POINT =3D UefiMain + +[Sources] + EnrollFromDefaultKeysApp.c + +[Packages] + MdeModulePkg/MdeModulePkg.dec + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[Guids] + gEfiCertPkcs7Guid + gEfiCertSha256Guid + gEfiCertX509Guid + gEfiCustomModeEnableGuid + gEfiGlobalVariableGuid + gEfiImageSecurityDatabaseGuid + gEfiSecureBootEnableDisableGuid + +[Protocols] + gEfiSmbiosProtocolGuid ## CONSUMES + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + PrintLib + UefiApplicationEntryPoint + UefiBootServicesTableLib + UefiLib + UefiRuntimeServicesTableLib + SecureBootVariableLib diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.= c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c new file mode 100644 index 0000000000..3407c1c4b9 --- /dev/null +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c @@ -0,0 +1,109 @@ +/** @file + Enroll default PK, KEK, db, dbx. + +Copyright (c) 2021, ARM Ltd. All rights reserved.
+Copyright (c) 2021, Semihalf All rights reserved.
+ +SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include // gEfiCustomModeEnableGu= id +#include // EFI_SETUP_MODE_NAME +#include // EFI_IMAGE_SECURITY_DAT= ABASE +#include // GUID_STRING_LENGTH +#include // CopyGuid() +#include // ASSERT() +#include // FreePool() +#include // AsciiSPrint() +#include // gBS +#include // AsciiPrint() +#include // gRT +#include +#include + +/** + Entry point function of this shell application. +**/ +EFI_STATUS +EFIAPI +UefiMain ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + UINT8 SetupMode; + + Status =3D GetSetupMode (&SetupMode); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: = %r\n", Status); + return 1; + } + + if (SetupMode =3D=3D USER_MODE) { + AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n"); + return 1; + } + + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_M= ODE: %r\n", Status); + return 1; + } + + Status =3D EnrollDbFromDefault (); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status= ); + goto error; + } + + Status =3D EnrollDbxFromDefault (); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Statu= s); + } + + Status =3D EnrollDbtFromDefault (); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Statu= s); + } + + Status =3D EnrollKEKFromDefault (); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Statu= s); + goto cleardbs; + } + + Status =3D EnrollPKFromDefault (); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status= ); + goto clearKEK; + } + + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + AsciiPrint ( + "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_= BOOT_MODE\n" + "Please do it manually, otherwise system can be easily compromised\n" + ); + } + return 0; + +clearKEK: + DeleteKEK (); + +cleardbs: + DeleteDbt (); + DeleteDbx (); + DeleteDb (); + +error: + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + AsciiPrint ( + "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_= BOOT_MODE\n" + "Please do it manually, otherwise system can be easily compromised\n" + ); + } + + return 1; +} --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76460): https://edk2.groups.io/g/devel/message/76460 Mute This Topic: https://groups.io/mt/83526319/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 12:29:25 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+76461+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76461+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1623663833; cv=none; d=zohomail.com; s=zohoarc; b=XzahK+Rf993ACbVTvRs6l666ZFi9G/6YSY3TQkPzQmOmhY+Il7f2+BXz3yEqyJzhSJQiCHkyt6pl33Wl9I/qHA9xEMIFQl3bLW6xuvCvfM6CYGqxKkYGcYm5Qtx2Gjdc1x+LrWTa+jLXNLk0NPf5yn0dJ+wBvTMGKPRLHsrhn0A= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623663833; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=ZTR7JFvUSOCWTaOusnoSKHcXHO/Kmt4FguGnQTdfFqw=; b=XVaKy46tzdXBnfslbqpybrRt6F2/feGH0UkgXF0LM3ZvpMH88OW4VSJwkJVas+abD33SCp6S/sj2YjlAGiCfKqdfjU50dQx3RGwQR4oBcRYel6YnOQhyiLjcv8zt4bYnAVfNVs3eJLHqaU+2danJ/nvJtW4cD8LMpocrwR6+ruM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76461+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 162366383315447.06448259109618; Mon, 14 Jun 2021 02:43:53 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id LBiWYY1788612xCGJCBihWCN; Mon, 14 Jun 2021 02:43:52 -0700 X-Received: from mail-lj1-f176.google.com (mail-lj1-f176.google.com [209.85.208.176]) by mx.groups.io with SMTP id smtpd.web12.27789.1623663828868790450 for ; Mon, 14 Jun 2021 02:43:49 -0700 X-Received: by mail-lj1-f176.google.com with SMTP id l4so6766471ljg.0 for ; Mon, 14 Jun 2021 02:43:48 -0700 (PDT) X-Gm-Message-State: FqEWkFW4hqPOlZwqbhRpbCujx1787277AA= X-Google-Smtp-Source: ABdhPJxpBQB7oHVPCO06TPTXiEi46MFfNhNBXwKHAukNHYwoEwdopg9nA8hrFs2E3ySUSCG54wdfGw== X-Received: by 2002:a2e:9207:: with SMTP id k7mr12771659ljg.253.1623663826935; Mon, 14 Jun 2021 02:43:46 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id c32sm367777lfv.30.2021.06.14.02.43.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Jun 2021 02:43:46 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang Subject: [edk2-devel] [PATCH v3 6/8] SecurityPkg: Add new modules to Security package. Date: Mon, 14 Jun 2021 11:43:06 +0200 Message-Id: <20210614094308.2314345-9-gjb@semihalf.com> In-Reply-To: <20210614094308.2314345-1-gjb@semihalf.com> References: <20210614094308.2314345-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1623663832; bh=VXCzd91f2IpwfYsBJylUCWHFunwuAIqMsW4uM8hmVUg=; h=Cc:Date:From:Reply-To:Subject:To; b=BpgOZceRMMticPwEHC7K6yboTQZeD8ORY8nDvhiT63GKHr4Y+iy1By6X0+Zq7wtw0ip WlIYW5oGSuSKWdQzxYMoo2eZsKVIAKNCAcIA6iZyAzBpnx7pSVDpUEUd5bUBdyaYo0ejy RU8Qv+zfW66DVXhiP0RpF+Y0oWej2QJ8YP0= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This commits adds modules related to initialization and usage of default Secure Boot key variables to SecurityPkg. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang Reviewed-by: Pete Batard Tested-by: Pete Batard on Raspberry Pi 4 --- SecurityPkg/SecurityPkg.dec | 14 ++++++++++++++ SecurityPkg/SecurityPkg.dsc | 3 +++ 2 files changed, 17 insertions(+) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 4001650fa2..dad3cae0ba 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -190,6 +190,20 @@ ## GUID used to enforce loading order between Tcg2Acpi and Tcg2Smm gTcg2MmSwSmiRegisteredGuid =3D { 0x9d4548b9, 0xa48d, 0x4db4, { 0= x9a, 0x68, 0x32, 0xc5, 0x13, 0x9e, 0x20, 0x18 } } =20 + ## GUID used to specify section with default PK content + gDefaultPKFileGuid =3D { 0x85254ea7, 0x4759, 0x4fc4, { 0= x82, 0xd4, 0x5e, 0xed, 0x5f, 0xb0, 0xa4, 0xa0 } } + + ## GUID used to specify section with default KEK content + gDefaultKEKFileGuid =3D { 0x6f64916e, 0x9f7a, 0x4c35, { 0= xb9, 0x52, 0xcd, 0x04, 0x1e, 0xfb, 0x05, 0xa3 } } + + ## GUID used to specify section with default db content + gDefaultdbFileGuid =3D { 0xc491d352, 0x7623, 0x4843, { 0= xac, 0xcc, 0x27, 0x91, 0xa7, 0x57, 0x44, 0x21 } } + + ## GUID used to specify section with default dbt content + gDefaultdbxFileGuid =3D { 0x5740766a, 0x718e, 0x4dc0, { 0= x99, 0x35, 0xc3, 0x6f, 0x7d, 0x3f, 0x88, 0x4f } } + + ## GUID used to specify section with default dbx content + gDefaultdbtFileGuid =3D { 0x36c513ee, 0xa338, 0x4976, { 0= xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } } =20 [Ppis] ## The PPI GUID for that TPM physical presence should be locked. diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 854f250625..f2f90f49de 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -259,6 +259,9 @@ =20 [Components.IA32, Components.X64, Components.ARM, Components.AARCH64] SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + SecurityPkg/EnrollFromDefaultKeys/EnrollFromDefaultKeys.inf + SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys/SecureBootDefaul= tKeys.inf =20 [Components.IA32, Components.X64, Components.AARCH64] # --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76461): https://edk2.groups.io/g/devel/message/76461 Mute This Topic: https://groups.io/mt/83526321/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 12:29:25 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+76462+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76462+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1623663834; cv=none; d=zohomail.com; s=zohoarc; b=dTbEqyYuURVuqMbQvBB576qkGWR83n8UIjM5cKUgWUP3Db900r3SCMtkYv63mPYoTISAcVyz/EVPZx3V7BldigsXVzYLlqgyZIOG/73lGuQa+01p0QVxpEHW8ovWSFwYQhbx6lMRXxvQ2KwITQWUQ/MLXTV1QoDmPTYQtO5N9NU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623663834; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=8uBJTIl9lsMqr66VXfdeKrtbiELSMbqUpKlhGfJxDxc=; b=BnTuSfYk0s8n+xsj35SdBJxpg1lQsJS9lXBZKmsfCVJD6Ka9p57s6G3glrhsWVBCDYv5Aa5bo5Eh83MmDIPBi3uQYf8pT19OiwinhvHuA9D2/gR9ByPE7ZfsrgMBJLjXQKk9JIYHTl7BEJL1zA+6Vp5x9JKs1T6q3S/hNtQotO8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76462+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1623663834089849.7833328165192; Mon, 14 Jun 2021 02:43:54 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 41AVYY1788612xSY3ZzmWdSA; Mon, 14 Jun 2021 02:43:53 -0700 X-Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52]) by mx.groups.io with SMTP id smtpd.web11.27822.1623663830476468894 for ; Mon, 14 Jun 2021 02:43:50 -0700 X-Received: by mail-lf1-f52.google.com with SMTP id a1so20033549lfr.12 for ; Mon, 14 Jun 2021 02:43:50 -0700 (PDT) X-Gm-Message-State: Z301wSXkW1ZKQVUBV3REGBPLx1787277AA= X-Google-Smtp-Source: ABdhPJwWHnbNBlEaMCySEP/PQFZMZsHqMd+X2+o+zhTccSR9xlrQ1EqBip7wKZGreLJsBMetC15MOg== X-Received: by 2002:a05:6512:323a:: with SMTP id f26mr7946643lfe.620.1623663828303; Mon, 14 Jun 2021 02:43:48 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id c32sm367777lfv.30.2021.06.14.02.43.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Jun 2021 02:43:47 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang Subject: [edk2-devel] [PATCH v3 7/8] SecurityPkg: Add option to reset secure boot keys. Date: Mon, 14 Jun 2021 11:43:07 +0200 Message-Id: <20210614094308.2314345-10-gjb@semihalf.com> In-Reply-To: <20210614094308.2314345-1-gjb@semihalf.com> References: <20210614094308.2314345-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1623663833; bh=JZFB7Tbfs0E68ZWoiu1UhQbN4BeecHRDOk+xQRsJdcM=; h=Cc:Date:From:Reply-To:Subject:To; b=DmcZoC8dOi/1T90Y7OHy8eqgfJivx1TDQiL8P1Fx29hmwow+I+kbQCRFSz7KO/UliR5 sl9lUCdYyvcxlhdorLTniAg+vyWOwY2W82VAySj3ezS2o0cUZFQRbpMPbGUofaF2K5CCC ld/S7i5wHfidOYzhM2A9nnCgRLzaZ2Gxwr4= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This commit add option which allows reset content of Secure Boot keys and databases to default variables. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang Reviewed-by: Pete Batard Tested-by: Pete Batard on Raspberry Pi 4 --- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.= inf | 1 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvDa= ta.h | 2 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr= | 6 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl= .c | 154 ++++++++++++++++++++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStri= ngs.uni | 4 + 5 files changed, 167 insertions(+) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 30d9cd8025..bd8d256dde 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf @@ -109,6 +109,7 @@ [Protocols] gEfiHiiConfigAccessProtocolGuid ## PRODUCES gEfiDevicePathProtocolGuid ## PRODUCES + gEfiHiiPopupProtocolGuid =20 [Depex] gEfiHiiConfigRoutingProtocolGuid AND diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Se= cureBootConfigNvData.h index 6e54a4b0f2..4ecc25efc3 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h @@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 #define KEY_VALUE_FROM_DBX_TO_LIST_FORM 0x100f =20 +#define KEY_SECURE_BOOT_RESET_TO_DEFAULT 0x1010 + #define KEY_SECURE_BOOT_OPTION 0x1100 #define KEY_SECURE_BOOT_PK_OPTION 0x1101 #define KEY_SECURE_BOOT_KEK_OPTION 0x1102 diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secure= BootConfig.vfr index fa7e11848c..e4560c592c 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr @@ -69,6 +69,12 @@ formset endif; endif; =20 + text + help =3D STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP), + text =3D STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS), + flags =3D INTERACTIVE, + key =3D KEY_SECURE_BOOT_RESET_TO_DEFAULT; + endform; =20 // diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index 67e5e594ed..47f281873b 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ =20 #include "SecureBootConfigImpl.h" +#include #include #include =20 @@ -4154,6 +4155,132 @@ ON_EXIT: return Status; } =20 +/** + This function reinitializes Secure Boot variables with default values. + + @retval EFI_SUCCESS Success to update the signature list page + @retval others Fail to delete or enroll signature data. +**/ + +STATIC EFI_STATUS +EFIAPI +KeyEnrollReset ( + VOID + ) +{ + EFI_STATUS Status; + UINT8 SetupMode; + + Status =3D EFI_SUCCESS; + + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR(Status)) { + return Status; + } + + // Clear all the keys and databases + Status =3D DeleteDb (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status)); + return Status; + } + + Status =3D DeleteDbx (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status)); + return Status; + } + + Status =3D DeleteDbt (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status)); + return Status; + } + + Status =3D DeleteKEK (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status)); + return Status; + } + + Status =3D DeletePlatformKey (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status)); + return Status; + } + + // After PK clear, Setup Mode shall be enabled + Status =3D GetSetupMode (&SetupMode); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n", + Status)); + return Status; + } + + if (SetupMode =3D=3D USER_MODE) { + DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n")); + return EFI_SUCCESS; + } + + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", + Status)); + return EFI_SUCCESS; + } + + // Enroll all the keys from default variables + Status =3D EnrollDbFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status)); + goto error; + } + + Status =3D EnrollDbxFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status)); + } + + Status =3D EnrollDbtFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status)); + } + + Status =3D EnrollKEKFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status)); + goto cleardbs; + } + + Status =3D EnrollPKFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status)); + goto clearKEK; + } + + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MO= DE\n" + "Please do it manually, otherwise system can be easily compromised\n= ")); + } + + return Status; + +clearKEK: + DeleteKEK (); + +cleardbs: + DeleteDbt (); + DeleteDbx (); + DeleteDb (); + +error: + if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) !=3D EFI_SUCCESS) { + DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status)); + } + return Status; +} + /** This function is called to provide results data to the driver. =20 @@ -4205,6 +4332,8 @@ SecureBootCallback ( SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; BOOLEAN GetBrowserDataResult; ENROLL_KEY_ERROR EnrollKeyErrorCode; + EFI_HII_POPUP_PROTOCOL *HiiPopup; + EFI_HII_POPUP_SELECTION UserSelection; =20 Status =3D EFI_SUCCESS; SecureBootEnable =3D NULL; @@ -4755,6 +4884,31 @@ SecureBootCallback ( FreePool (SetupMode); } break; + case KEY_SECURE_BOOT_RESET_TO_DEFAULT: + { + Status =3D gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VO= ID **) &HiiPopup); + if (EFI_ERROR (Status)) { + return Status; + } + Status =3D HiiPopup->CreatePopup ( + HiiPopup, + EfiHiiPopupStyleInfo, + EfiHiiPopupTypeYesNo, + Private->HiiHandle, + STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP), + &UserSelection + ); + if (UserSelection =3D=3D EfiHiiPopupSelectionYes) { + Status =3D KeyEnrollReset (); + } + // + // Update secure boot strings after key reset + // + if (Status =3D=3D EFI_SUCCESS) { + Status =3D UpdateSecureBootString (Private); + SecureBootExtractConfigFromVariable (Private, IfrNvData); + } + } default: break; } diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe= /SecureBootConfigStrings.uni index ac783453cc..0d01701de7 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni @@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure= Boot" #string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable= the Secure Boot feature after platform reset" =20 +#string STR_SECURE_RESET_TO_DEFAULTS_HELP #language en-US "Enroll keys wi= th data from default variables" +#string STR_SECURE_RESET_TO_DEFAULTS #language en-US "Reset Secure B= oot Keys" +#string STR_RESET_TO_DEFAULTS_POPUP #language en-US "Secure Boot Ke= ys & databases will be initialized from defaults.\n Are you sure?" + #string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signatu= re" #string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signatu= re" #string STR_SECURE_BOOT_DELETE_LIST_FORM #language en-US "Delete Signatu= re List Form" --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76462): https://edk2.groups.io/g/devel/message/76462 Mute This Topic: https://groups.io/mt/83526323/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri May 3 12:29:25 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+76463+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76463+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1623663836; cv=none; d=zohomail.com; s=zohoarc; b=gfi5wN2AvAWyMeyOqip+lHQPa+FsAPUQBzJDcl3PfDXC+02AghbMIESOOa0gvqiZfk1UE30vKgZTIl0I0d/XP60y3ef52Ur7duVqkL810jv6UNwvEpIzR1NYQGAaj146PVmnrJ5loOOW6p7MFZPs/9h8ZE6td88OHpK/PDUcBqw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1623663836; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=yYtPNEHpY03HUQyWrQtq1NdPXMQw5wCslocq50vqVEs=; b=KS/yqTwDzvLqKmRRa5BajXLcfri9DrldzGw/XakrBXhbzgvGaJWggFkTQIQwTsR29+AW9dZSzZ/dcOLQ4aaYJNR/vPd9La0E1R0c9QSNbDV0eZVeVzK2k1jIrMA6+1zFWOOKR2UGllR1lN6LdRUcxy0V+Nyhe5xzRDUaCZl/7MM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+76463+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1623663836008637.657265728425; Mon, 14 Jun 2021 02:43:56 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id UBUbYY1788612xLtsLnPVQyE; Mon, 14 Jun 2021 02:43:54 -0700 X-Received: from mail-lj1-f170.google.com (mail-lj1-f170.google.com [209.85.208.170]) by mx.groups.io with SMTP id smtpd.web08.27554.1623663831594854818 for ; Mon, 14 Jun 2021 02:43:52 -0700 X-Received: by mail-lj1-f170.google.com with SMTP id x14so19275210ljp.7 for ; Mon, 14 Jun 2021 02:43:51 -0700 (PDT) X-Gm-Message-State: k3EZB2mNN9VGvpCrsRDeqzbbx1787277AA= X-Google-Smtp-Source: ABdhPJzhnABvBlugGKKFmFIpQj89aeEVJc8mSCCSWWOJLsZRDOgjr+6kHAK4XdJmjmNaRf2t26cFdg== X-Received: by 2002:a2e:9788:: with SMTP id y8mr12220162lji.100.1623663829640; Mon, 14 Jun 2021 02:43:49 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id c32sm367777lfv.30.2021.06.14.02.43.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 14 Jun 2021 02:43:49 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki Subject: [edk2-devel] [PATCH v3 8/8] MdeModulePkg: Use SecureBootVariableLib in PlatformVarCleanupLib. Date: Mon, 14 Jun 2021 11:43:08 +0200 Message-Id: <20210614094308.2314345-11-gjb@semihalf.com> In-Reply-To: <20210614094308.2314345-1-gjb@semihalf.com> References: <20210614094308.2314345-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1623663834; bh=q64xhfjENX11ZzKgaiBR57foTvQ96LdAm4Hm1hQ4c44=; h=Cc:Date:From:Reply-To:Subject:To; b=mhP6Wz/cq2yVJPEiSUfUp4HCEehCYk3jfAxT4qAzcYEUw5Fyvxcyxej2vj+v+ljCXHP EKZpyD0uVGHqPfWIQ18lsNUxgEHW2hMmzpY6MnZo8WVCi6k0Lcd7AnWjFleVyCrWUjZOT iykqPv1kECSprCKHB42DAyAPafOBOcU7KZc= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This commits removes CreateTimeBasedPayload() function from PlatformVarCleanupLib and uses exactly the same function from SecureBootVariableLib. Signed-off-by: Grzegorz Bernacki --- MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf | 2 + MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h | 1 + MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c | 84 = -------------------- 3 files changed, 3 insertions(+), 84 deletions(-) diff --git a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupL= ib.inf b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.i= nf index 8d5db826a0..493d03e1d8 100644 --- a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf +++ b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf @@ -34,6 +34,7 @@ [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec =20 [LibraryClasses] UefiBootServicesTableLib @@ -44,6 +45,7 @@ PrintLib MemoryAllocationLib HiiLib + SecureBootVariableLib =20 [Guids] gEfiIfrTianoGuid ## SOMETIMES_PRODUCES ## GUID diff --git a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h b/= MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h index c809a7086b..94fbc7d2a4 100644 --- a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h +++ b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h @@ -18,6 +18,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include =20 #include #include diff --git a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c= b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c index 3875d614bb..204f1e00ad 100644 --- a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c +++ b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c @@ -319,90 +319,6 @@ DestroyUserVariableNode ( } } =20 -/** - Create a time based data payload by concatenating the EFI_VARIABLE_AUTHE= NTICATION_2 - descriptor with the input data. NO authentication is required in this fu= nction. - - @param[in, out] DataSize On input, the size of Data buffer in b= ytes. - On output, the size of data returned i= n Data - buffer in bytes. - @param[in, out] Data On input, Pointer to data buffer to be= wrapped or - pointer to NULL to wrap an empty paylo= ad. - On output, Pointer to the new payload = date buffer allocated from pool, - it's caller's responsibility to free t= he memory after using it. - - @retval EFI_SUCCESS Create time based payload successfully. - @retval EFI_OUT_OF_RESOURCES There are not enough memory resourses = to create time based payload. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval Others Unexpected error happens. - -**/ -EFI_STATUS -CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data - ) -{ - EFI_STATUS Status; - UINT8 *NewData; - UINT8 *Payload; - UINTN PayloadSize; - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; - UINTN DescriptorSize; - EFI_TIME Time; - - if (Data =3D=3D NULL || DataSize =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - // - // At user physical presence, the variable does not need to be signed bu= t the - // parameters to the SetVariable() call still need to be prepared as aut= henticated - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor withou= t certificate - // data in it. - // - Payload =3D *Data; - PayloadSize =3D *DataSize; - - DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) += OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - NewData =3D (UINT8 *) AllocateZeroPool (DescriptorSize + PayloadSize); - if (NewData =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { - CopyMem (NewData + DescriptorSize, Payload, PayloadSize); - } - - DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); - - ZeroMem (&Time, sizeof (EFI_TIME)); - Status =3D gRT->GetTime (&Time, NULL); - if (EFI_ERROR (Status)) { - FreePool (NewData); - return Status; - } - Time.Pad1 =3D 0; - Time.Nanosecond =3D 0; - Time.TimeZone =3D 0; - Time.Daylight =3D 0; - Time.Pad2 =3D 0; - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); - - DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERTIFI= CATE_UEFI_GUID, CertData); - DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; - DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT_TYPE_EFI_GUID; - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); - - if (Payload !=3D NULL) { - FreePool (Payload); - } - - *DataSize =3D DescriptorSize + PayloadSize; - *Data =3D NewData; - return EFI_SUCCESS; -} - /** Create a counter based data payload by concatenating the EFI_VARIABLE_AU= THENTICATION descriptor with the input data. NO authentication is required in this fu= nction. --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76463): https://edk2.groups.io/g/devel/message/76463 Mute This Topic: https://groups.io/mt/83526324/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-