From nobody Mon Feb 9 20:13:09 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77330+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77330+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1625056488; cv=none; d=zohomail.com; s=zohoarc; b=d8BHqAEGQgQtiBmjnmCwlec5IvxQQ1/H3dQZ3Yo2F7WuzgDqfndEmB49YHIlrvmFVuxbKfVC9pt17r72lVif3zahMz+mCmFVSHHgNwEOp1QQJ4YlQNWiadJeG8H6p0SkqwOu2C6Hs746/kYUdo2CPK28fk/CSvfo7Czw4p8vdQo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1625056488; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=t/X44a89uDmYuBRyw/RdoqXg9wfzdgf/cQUM4YZnJcg=; b=iNHR7VshPRsi1ddy9a3zNCzypQou8o0hU1gBpp70kI4+see6ntkyaY5I6GSJmHUsAvRgyipir+PhzZA/8ratn3SAt4pL/TcA7XYg7f/LWVpnpzZQjyseXMmKV0zyiknZ1UyKZe7Dxclbe+SsMGwpt5AR6Se9NEMM6dPZxqa1JoE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77330+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1625056488635531.8201220811213; Wed, 30 Jun 2021 05:34:48 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id ioNXYY1788612x6kGIt693s9; Wed, 30 Jun 2021 05:34:48 -0700 X-Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com [209.85.167.48]) by mx.groups.io with SMTP id smtpd.web11.5298.1625056482351601495 for ; Wed, 30 Jun 2021 05:34:42 -0700 X-Received: by mail-lf1-f48.google.com with SMTP id n14so4774821lfu.8 for ; Wed, 30 Jun 2021 05:34:42 -0700 (PDT) X-Gm-Message-State: olqaI8L6uQstxVwnlxdzvLzMx1787277AA= X-Google-Smtp-Source: ABdhPJzmRpDb7QD0aKJNzVT4OL5gwaOPr+hrXR3YnUzvvsfNja51YEE3ka4rMCk1lHAs5qGE239huA== X-Received: by 2002:a19:ca0e:: with SMTP id a14mr3443066lfg.384.1625056480427; Wed, 30 Jun 2021 05:34:40 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id d29sm1285624lfv.20.2021.06.30.05.34.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 30 Jun 2021 05:34:40 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang Subject: [edk2-devel] [PATCH v4 8/8] SecurityPkg: Add option to reset secure boot keys. Date: Wed, 30 Jun 2021 14:34:08 +0200 Message-Id: <20210630123412.996158-9-gjb@semihalf.com> In-Reply-To: <20210630123412.996158-1-gjb@semihalf.com> References: <20210630123412.996158-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1625056488; bh=rVQJc480Lto8xnWw3iB3wIW8lYJbtZ9u7iaAAx8x9Ew=; h=Cc:Date:From:Reply-To:Subject:To; b=spnRfTEFfAHUOWB4TJzXGb/mE9IGI/Di3bKfevQxMd/t/nFGHp3FnefG3nlwaWtDGUh PV0sgn4heFCSP3hOZvTAA8Hrx1zmfigYMw8MhBguTlwu7T2rNgupaCBQ57IrXtHavVHaE N36MsHRHJyybtD33L3pEMzp3d1J7+ZEqlyc= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" This commit add option which allows reset content of Secure Boot keys and databases to default variables. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang Reviewed-by: Pete Batard Tested-by: Pete Batard on Raspberry Pi 4 --- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.= inf | 1 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvDa= ta.h | 2 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr= | 6 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl= .c | 154 ++++++++++++++++++++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStri= ngs.uni | 4 + 5 files changed, 167 insertions(+) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 30d9cd8025..bd8d256dde 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf @@ -109,6 +109,7 @@ [Protocols] gEfiHiiConfigAccessProtocolGuid ## PRODUCES gEfiDevicePathProtocolGuid ## PRODUCES + gEfiHiiPopupProtocolGuid =20 [Depex] gEfiHiiConfigRoutingProtocolGuid AND diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Se= cureBootConfigNvData.h index 6e54a4b0f2..4ecc25efc3 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h @@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 #define KEY_VALUE_FROM_DBX_TO_LIST_FORM 0x100f =20 +#define KEY_SECURE_BOOT_RESET_TO_DEFAULT 0x1010 + #define KEY_SECURE_BOOT_OPTION 0x1100 #define KEY_SECURE_BOOT_PK_OPTION 0x1101 #define KEY_SECURE_BOOT_KEK_OPTION 0x1102 diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secure= BootConfig.vfr index fa7e11848c..e4560c592c 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr @@ -69,6 +69,12 @@ formset endif; endif; =20 + text + help =3D STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP), + text =3D STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS), + flags =3D INTERACTIVE, + key =3D KEY_SECURE_BOOT_RESET_TO_DEFAULT; + endform; =20 // diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index 67e5e594ed..47f281873b 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ =20 #include "SecureBootConfigImpl.h" +#include #include #include =20 @@ -4154,6 +4155,132 @@ ON_EXIT: return Status; } =20 +/** + This function reinitializes Secure Boot variables with default values. + + @retval EFI_SUCCESS Success to update the signature list page + @retval others Fail to delete or enroll signature data. +**/ + +STATIC EFI_STATUS +EFIAPI +KeyEnrollReset ( + VOID + ) +{ + EFI_STATUS Status; + UINT8 SetupMode; + + Status =3D EFI_SUCCESS; + + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR(Status)) { + return Status; + } + + // Clear all the keys and databases + Status =3D DeleteDb (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status)); + return Status; + } + + Status =3D DeleteDbx (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status)); + return Status; + } + + Status =3D DeleteDbt (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status)); + return Status; + } + + Status =3D DeleteKEK (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status)); + return Status; + } + + Status =3D DeletePlatformKey (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status)); + return Status; + } + + // After PK clear, Setup Mode shall be enabled + Status =3D GetSetupMode (&SetupMode); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n", + Status)); + return Status; + } + + if (SetupMode =3D=3D USER_MODE) { + DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n")); + return EFI_SUCCESS; + } + + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", + Status)); + return EFI_SUCCESS; + } + + // Enroll all the keys from default variables + Status =3D EnrollDbFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status)); + goto error; + } + + Status =3D EnrollDbxFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status)); + } + + Status =3D EnrollDbtFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status)); + } + + Status =3D EnrollKEKFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status)); + goto cleardbs; + } + + Status =3D EnrollPKFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status)); + goto clearKEK; + } + + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MO= DE\n" + "Please do it manually, otherwise system can be easily compromised\n= ")); + } + + return Status; + +clearKEK: + DeleteKEK (); + +cleardbs: + DeleteDbt (); + DeleteDbx (); + DeleteDb (); + +error: + if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) !=3D EFI_SUCCESS) { + DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status)); + } + return Status; +} + /** This function is called to provide results data to the driver. =20 @@ -4205,6 +4332,8 @@ SecureBootCallback ( SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; BOOLEAN GetBrowserDataResult; ENROLL_KEY_ERROR EnrollKeyErrorCode; + EFI_HII_POPUP_PROTOCOL *HiiPopup; + EFI_HII_POPUP_SELECTION UserSelection; =20 Status =3D EFI_SUCCESS; SecureBootEnable =3D NULL; @@ -4755,6 +4884,31 @@ SecureBootCallback ( FreePool (SetupMode); } break; + case KEY_SECURE_BOOT_RESET_TO_DEFAULT: + { + Status =3D gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VO= ID **) &HiiPopup); + if (EFI_ERROR (Status)) { + return Status; + } + Status =3D HiiPopup->CreatePopup ( + HiiPopup, + EfiHiiPopupStyleInfo, + EfiHiiPopupTypeYesNo, + Private->HiiHandle, + STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP), + &UserSelection + ); + if (UserSelection =3D=3D EfiHiiPopupSelectionYes) { + Status =3D KeyEnrollReset (); + } + // + // Update secure boot strings after key reset + // + if (Status =3D=3D EFI_SUCCESS) { + Status =3D UpdateSecureBootString (Private); + SecureBootExtractConfigFromVariable (Private, IfrNvData); + } + } default: break; } diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe= /SecureBootConfigStrings.uni index ac783453cc..0d01701de7 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni @@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure= Boot" #string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable= the Secure Boot feature after platform reset" =20 +#string STR_SECURE_RESET_TO_DEFAULTS_HELP #language en-US "Enroll keys wi= th data from default variables" +#string STR_SECURE_RESET_TO_DEFAULTS #language en-US "Reset Secure B= oot Keys" +#string STR_RESET_TO_DEFAULTS_POPUP #language en-US "Secure Boot Ke= ys & databases will be initialized from defaults.\n Are you sure?" + #string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signatu= re" #string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signatu= re" #string STR_SECURE_BOOT_DELETE_LIST_FORM #language en-US "Delete Signatu= re List Form" --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77330): https://edk2.groups.io/g/devel/message/77330 Mute This Topic: https://groups.io/mt/83891038/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-