From nobody Tue Apr 30 15:09:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+78501+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78501+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1627901224; cv=none; d=zohomail.com; s=zohoarc; b=TgWt7/9rZF2jf1cFSSyfgQlUAQYByXfTJ8t8UT1ue89AqEvppK318kfP0pc5Sqph80WJkXatF3asmBTpO50ieWPiShMT8B/wdEKaCJYA8rTE44TxF0tfO0TGxQF3GpeuFTmtTqpRCpULsr2aWn7eGIeuMRfhN1iEUK7UlcgGjmE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627901224; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=oP+a7UcRoFC9Puozwk8rXx2KMnwPCHzQJtJiCq3Mjz0=; b=DJCe/aYCZxFwa43W+9joLuwJTqOZjWXtBRTajpag4a5K9b6NYVHxeqTxU2sZNaREiHbEiJwS6lXUcfSdK0/bLbbREGq0Hx0wLtmrccujd1i4g2r7EYGaro9UvB+88HXhHs2OmI8+FkZXwthX3OC14yamGHTAqmgIPxVSQ4X56ME= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78501+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1627901224565239.42348549776773; Mon, 2 Aug 2021 03:47:04 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id n8WSYY1788612xxggPvykQhG; Mon, 02 Aug 2021 03:47:04 -0700 X-Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) by mx.groups.io with SMTP id smtpd.web09.18180.1627901223257013563 for ; Mon, 02 Aug 2021 03:47:03 -0700 X-Received: by mail-lf1-f42.google.com with SMTP id t9so19925999lfc.6 for ; Mon, 02 Aug 2021 03:47:03 -0700 (PDT) X-Gm-Message-State: jZ4HyGpxu4VACIVQ8iFEfxlrx1787277AA= X-Google-Smtp-Source: ABdhPJz5jKfQGa9KwGtJ0FpBAVay1DNpPc/b0SEHExOsyAqiCwyzwj2uXeiuBJHb11hsOjM3NxZNHg== X-Received: by 2002:a05:6512:ea9:: with SMTP id bi41mr10826354lfb.103.1627901221273; Mon, 02 Aug 2021 03:47:01 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.46.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:00 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang , Jiewen Yao Subject: [edk2-devel] [PATCH v8 01/11] SecurityPkg: Create SecureBootVariableLib. Date: Mon, 2 Aug 2021 12:46:23 +0200 Message-Id: <20210802104633.2833333-2-gjb@semihalf.com> In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1627901224; bh=GEQvz65vNjnlSuRZlv3k3gOLHqgvdp5S2mHXv+2HFcQ=; h=Cc:Date:From:Reply-To:Subject:To; b=ZKqStMHfekqmvkqcwONqwqvYUo8Y7Jqk/p1ic/pZoMvgfQfrt73fQtZQaJV/ZbndDG0 jaI6IR1lHh+moggVzGHRj9dp/jz9/FtcJGmIPVbBUKuDfjSvhZokFxXVZwBdiuKK9+CvV qaEfCFx3XBOxfrrFQQwiiesvMeCTHWDleAc= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1627901226218100001 Content-Type: text/plain; charset="utf-8" This commits add library, which consist helper functions related to creation/removal Secure Boot variables. Some of the functions was moved from SecureBootConfigImpl.c file. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang Reviewed-by: Jiewen Yao --- SecurityPkg/SecurityPkg.dec | 4 + SecurityPkg/SecurityPkg.dsc | 1 + SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 80 = +++ SecurityPkg/Include/Library/SecureBootVariableLib.h | 153 = ++++++ SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 510 = ++++++++++++++++++++ SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 17 + 6 files changed, 765 insertions(+) create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVar= iableLib.inf create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVar= iableLib.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVar= iableLib.uni diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 4001650fa2..8f3710e59f 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -87,6 +87,10 @@ ## @libraryclass Provides interfaces about firmware TPM measurement. # TcgEventLogRecordLib|Include/Library/TcgEventLogRecordLib.h + + ## @libraryclass Provides helper functions related to creation/removal = Secure Boot variables. + # + SecureBootVariableLib|Include/Library/SecureBootVariableLib.h [Guids] ## Security package token space guid. # Include/Guid/SecurityPkgTokenSpace.h diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index bd4b810bce..854f250625 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -70,6 +70,7 @@ RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLo= gRecordLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf =20 [LibraryClasses.ARM] # diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf new file mode 100644 index 0000000000..b32814736d --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf @@ -0,0 +1,80 @@ +## @file +# Provides helper function for initialization of Secure Boot +# keys and databases. +# +# Copyright (c) 2021, ARM Ltd. All rights reserved.
+# Copyright (c) 2021, Semihalf All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SecureBootVariableLib + MODULE_UNI_FILE =3D SecureBootVariableLib.uni + FILE_GUID =3D D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D SecureBootVariableLib|DXE_DRIVER DXE_= RUNTIME_DRIVER UEFI_APPLICATION + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 +# + +[Sources] + SecureBootVariableLib.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib + DxeServicesLib + +[Guids] + ## CONSUMES ## Variable:L"SetupMode" + ## PRODUCES ## Variable:L"SetupMode" + ## CONSUMES ## Variable:L"SecureBoot" + ## PRODUCES ## Variable:L"SecureBoot" + ## PRODUCES ## Variable:L"PK" + ## PRODUCES ## Variable:L"KEK" + ## CONSUMES ## Variable:L"PKDefault" + ## CONSUMES ## Variable:L"KEKDefault" + ## CONSUMES ## Variable:L"dbDefault" + ## CONSUMES ## Variable:L"dbxDefault" + ## CONSUMES ## Variable:L"dbtDefault" + gEfiGlobalVariableGuid + + ## SOMETIMES_CONSUMES ## Variable:L"DB" + ## SOMETIMES_CONSUMES ## Variable:L"DBX" + ## SOMETIMES_CONSUMES ## Variable:L"DBT" + gEfiImageSecurityDatabaseGuid + + ## CONSUMES ## Variable:L"SecureBootEnable" + ## PRODUCES ## Variable:L"SecureBootEnable" + gEfiSecureBootEnableDisableGuid + + ## CONSUMES ## Variable:L"CustomMode" + ## PRODUCES ## Variable:L"CustomMode" + gEfiCustomModeEnableGuid + + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES + gEfiCertX509Guid ## CONSUMES + gEfiCertPkcs7Guid ## CONSUMES + + gDefaultPKFileGuid + gDefaultKEKFileGuid + gDefaultdbFileGuid + gDefaultdbxFileGuid + gDefaultdbtFileGuid + diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/Security= Pkg/Include/Library/SecureBootVariableLib.h new file mode 100644 index 0000000000..6e6d624071 --- /dev/null +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h @@ -0,0 +1,153 @@ +/** @file + Provides a helper functions for creating variable authenticated + payloads, signature lists related to secure boot keys. + +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP
+Copyright (c) 2021, ARM Ltd. All rights reserved.
+Copyright (c) 2021, Semihalf All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef SECURE_BOOT_VARIABLE_LIB_H_ +#define SECURE_BOOT_VARIABLE_LIB_H_ + +/** + Set the platform secure boot mode into "Custom" or "Standard" mode. + + @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE= _BOOT_MODE or + CUSTOM_SECURE_BOOT_MODE. + + @return EFI_SUCCESS The platform has switched to the spec= ial mode successfully. + @return other Fail to operate the secure boot mode. + +--*/ +EFI_STATUS +SetSecureBootMode ( + IN UINT8 SecureBootMode +); + +/** + Fetches the value of SetupMode variable. + + @param[out] SetupMode Pointer to UINT8 for SetupMode output + + @retval other Error codes from GetVariable. +--*/ +EFI_STATUS +EFIAPI +GetSetupMode ( + OUT UINT8 *SetupMode +); + +/** + Create a EFI Signature List with data fetched from section specified as = a argument. + Found keys are verified using RsaGetPublicKeyFromX509(). + + @param[in] KeyFileGuid A pointer to to the FFS filename GUID + @param[out] SigListsSize A pointer to size of signature list + @param[out] SigListsOut a pointer to a callee-allocated buffer = with signature lists + + @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_NOT_FOUND Section with key has not been found. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval Others Unexpected error happens. + +--*/ +EFI_STATUS +SecureBootFetchData ( + IN EFI_GUID *KeyFileGuid, + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut +); + +/** + Create a time based data payload by concatenating the EFI_VARIABLE_AUTHE= NTICATION_2 + descriptor with the input data. NO authentication is required in this fu= nction. + + @param[in, out] DataSize On input, the size of Data buffer in by= tes. + On output, the size of data returned in= Data + buffer in bytes. + @param[in, out] Data On input, Pointer to data buffer to be = wrapped or + pointer to NULL to wrap an empty payloa= d. + On output, Pointer to the new payload d= ate buffer allocated from pool, + it's caller's responsibility to free th= e memory when finish using it. + + @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval Others Unexpected error happens. + +--*/ +EFI_STATUS +CreateTimeBasedPayload ( + IN OUT UINTN *DataSize, + IN OUT UINT8 **Data +); + +/** + Clears the content of the 'db' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeleteDb ( + VOID +); + +/** + Clears the content of the 'dbx' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeleteDbx ( + VOID +); + +/** + Clears the content of the 'dbt' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeleteDbt ( + VOID +); + +/** + Clears the content of the 'KEK' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeleteKEK ( + VOID +); + +/** + Clears the content of the 'PK' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeletePlatformKey ( + VOID +); +#endif diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c new file mode 100644 index 0000000000..ff65184713 --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -0,0 +1,510 @@ +/** @file + This library provides helper functions to set/clear Secure Boot + keys and databases. + + Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
+ (C) Copyright 2018 Hewlett Packard Enterprise Development LP
+ Copyright (c) 2021, ARM Ltd. All rights reserved.
+ Copyright (c) 2021, Semihalf All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent +**/ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "Library/DxeServicesLib.h" + +/** Creates EFI Signature List structure. + + @param[in] Data A pointer to signature data. + @param[in] Size Size of signature data. + @param[out] SigList Created Signature List. + + @retval EFI_SUCCESS Signature List was created successfully. + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. +**/ +STATIC +EFI_STATUS +CreateSigList ( + IN VOID *Data, + IN UINTN Size, + OUT EFI_SIGNATURE_LIST **SigList + ) +{ + UINTN SigListSize; + EFI_SIGNATURE_LIST *TmpSigList; + EFI_SIGNATURE_DATA *SigData; + + // + // Allocate data for Signature Database + // + SigListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA= ) - 1 + Size; + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize); + if (TmpSigList =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Only gEfiCertX509Guid type is supported + // + TmpSigList->SignatureListSize =3D (UINT32)SigListSize; + TmpSigList->SignatureSize =3D (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 = + Size); + TmpSigList->SignatureHeaderSize =3D 0; + CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid); + + // + // Copy key data + // + SigData =3D (EFI_SIGNATURE_DATA *) (TmpSigList + 1); + CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid); + CopyMem (&SigData->SignatureData[0], Data, Size); + + *SigList =3D TmpSigList; + + return EFI_SUCCESS; +} + +/** Adds new signature list to signature database. + + @param[in] SigLists A pointer to signature database. + @param[in] SigListAppend A signature list to be added. + @param[out] *SigListOut Created signature database. + @param[in, out] SigListsSize A size of created signature database. + + @retval EFI_SUCCESS Signature List was added successfully. + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. +**/ +STATIC +EFI_STATUS +ConcatenateSigList ( + IN EFI_SIGNATURE_LIST *SigLists, + IN EFI_SIGNATURE_LIST *SigListAppend, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN OUT UINTN *SigListsSize +) +{ + EFI_SIGNATURE_LIST *TmpSigList; + UINT8 *Offset; + UINTN NewSigListsSize; + + NewSigListsSize =3D *SigListsSize + SigListAppend->SignatureListSize; + + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize); + if (TmpSigList =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + CopyMem (TmpSigList, SigLists, *SigListsSize); + + Offset =3D (UINT8 *)TmpSigList; + Offset +=3D *SigListsSize; + CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize= ); + + *SigListsSize =3D NewSigListsSize; + *SigListOut =3D TmpSigList; + return EFI_SUCCESS; +} + +/** + Create a EFI Signature List with data fetched from section specified as = a argument. + Found keys are verified using RsaGetPublicKeyFromX509(). + + @param[in] KeyFileGuid A pointer to to the FFS filename GUID + @param[out] SigListsSize A pointer to size of signature list + @param[out] SigListOut a pointer to a callee-allocated buffer w= ith signature lists + + @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_NOT_FOUND Section with key has not been found. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval Others Unexpected error happens. + +**/ +EFI_STATUS +SecureBootFetchData ( + IN EFI_GUID *KeyFileGuid, + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut +) +{ + EFI_SIGNATURE_LIST *EfiSig; + EFI_SIGNATURE_LIST *TmpEfiSig; + EFI_SIGNATURE_LIST *TmpEfiSig2; + EFI_STATUS Status; + VOID *Buffer; + VOID *RsaPubKey; + UINTN Size; + UINTN KeyIndex; + + + KeyIndex =3D 0; + EfiSig =3D NULL; + *SigListsSize =3D 0; + while (1) { + Status =3D GetSectionFromAnyFv ( + KeyFileGuid, + EFI_SECTION_RAW, + KeyIndex, + &Buffer, + &Size + ); + + if (Status =3D=3D EFI_SUCCESS) { + RsaPubKey =3D NULL; + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FALSE)= { + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__,= KeyIndex)); + if (EfiSig !=3D NULL) { + FreePool(EfiSig); + } + FreePool(Buffer); + return EFI_INVALID_PARAMETER; + } + + Status =3D CreateSigList (Buffer, Size, &TmpEfiSig); + + // + // Concatenate lists if more than one section found + // + if (KeyIndex =3D=3D 0) { + EfiSig =3D TmpEfiSig; + *SigListsSize =3D TmpEfiSig->SignatureListSize; + } else { + ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize); + FreePool (EfiSig); + FreePool (TmpEfiSig); + EfiSig =3D TmpEfiSig2; + } + + KeyIndex++; + FreePool (Buffer); + } if (Status =3D=3D EFI_NOT_FOUND) { + break; + } + }; + + if (KeyIndex =3D=3D 0) { + return EFI_NOT_FOUND; + } + + *SigListOut =3D EfiSig; + + return EFI_SUCCESS; +} + +/** + Create a time based data payload by concatenating the EFI_VARIABLE_AUTHE= NTICATION_2 + descriptor with the input data. NO authentication is required in this fu= nction. + + @param[in, out] DataSize On input, the size of Data buffer in by= tes. + On output, the size of data returned in= Data + buffer in bytes. + @param[in, out] Data On input, Pointer to data buffer to be = wrapped or + pointer to NULL to wrap an empty payloa= d. + On output, Pointer to the new payload d= ate buffer allocated from pool, + it's caller's responsibility to free th= e memory when finish using it. + + @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval Others Unexpected error happens. + +**/ +EFI_STATUS +CreateTimeBasedPayload ( + IN OUT UINTN *DataSize, + IN OUT UINT8 **Data + ) +{ + EFI_STATUS Status; + UINT8 *NewData; + UINT8 *Payload; + UINTN PayloadSize; + EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; + UINTN DescriptorSize; + EFI_TIME Time; + + if (Data =3D=3D NULL || DataSize =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + // + // In Setup mode or Custom mode, the variable does not need to be signed= but the + // parameters to the SetVariable() call still need to be prepared as aut= henticated + // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor withou= t certificate + // data in it. + // + Payload =3D *Data; + PayloadSize =3D *DataSize; + + DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo= ) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); + NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); + if (NewData =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { + CopyMem (NewData + DescriptorSize, Payload, PayloadSize); + } + + DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); + + ZeroMem (&Time, sizeof (EFI_TIME)); + Status =3D gRT->GetTime (&Time, NULL); + if (EFI_ERROR (Status)) { + FreePool(NewData); + return Status; + } + Time.Pad1 =3D 0; + Time.Nanosecond =3D 0; + Time.TimeZone =3D 0; + Time.Daylight =3D 0; + Time.Pad2 =3D 0; + CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); + + DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERTIFI= CATE_UEFI_GUID, CertData); + DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; + DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT_TYPE_EFI_GUID; + CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); + + if (Payload !=3D NULL) { + FreePool(Payload); + } + + *DataSize =3D DescriptorSize + PayloadSize; + *Data =3D NewData; + return EFI_SUCCESS; +} + +/** + Internal helper function to delete a Variable given its name and GUID, N= O authentication + required. + + @param[in] VariableName Name of the Variable. + @param[in] VendorGuid GUID of the Variable. + + @retval EFI_SUCCESS Variable deleted successfully. + @retval Others The driver failed to start the device. + +**/ +EFI_STATUS +DeleteVariable ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid + ) +{ + EFI_STATUS Status; + VOID* Variable; + UINT8 *Data; + UINTN DataSize; + UINT32 Attr; + + GetVariable2 (VariableName, VendorGuid, &Variable, NULL); + if (Variable =3D=3D NULL) { + return EFI_SUCCESS; + } + FreePool (Variable); + + Data =3D NULL; + DataSize =3D 0; + Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | E= FI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; + + Status =3D CreateTimeBasedPayload (&DataSize, &Data); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); + return Status; + } + + Status =3D gRT->SetVariable ( + VariableName, + VendorGuid, + Attr, + DataSize, + Data + ); + if (Data !=3D NULL) { + FreePool (Data); + } + return Status; +} + +/** + + Set the platform secure boot mode into "Custom" or "Standard" mode. + + @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE= _BOOT_MODE or + CUSTOM_SECURE_BOOT_MODE. + + @return EFI_SUCCESS The platform has switched to the spec= ial mode successfully. + @return other Fail to operate the secure boot mode. + +**/ +EFI_STATUS +SetSecureBootMode ( + IN UINT8 SecureBootMode + ) +{ + return gRT->SetVariable ( + EFI_CUSTOM_MODE_NAME, + &gEfiCustomModeEnableGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCES= S, + sizeof (UINT8), + &SecureBootMode + ); +} + +/** + Fetches the value of SetupMode variable. + + @param[out] SetupMode Pointer to UINT8 for SetupMode output + + @retval other Retval from GetVariable. +**/ +EFI_STATUS +EFIAPI +GetSetupMode ( + OUT UINT8 *SetupMode +) +{ + UINTN Size; + EFI_STATUS Status; + + Size =3D sizeof (*SetupMode); + Status =3D gRT->GetVariable ( + EFI_SETUP_MODE_NAME, + &gEfiGlobalVariableGuid, + NULL, + &Size, + SetupMode + ); + if (EFI_ERROR (Status)) { + return Status; + } + + return EFI_SUCCESS; +} + +/** + Clears the content of the 'db' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +**/ +EFI_STATUS +EFIAPI +DeleteDb ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D DeleteVariable ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Clears the content of the 'dbx' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +**/ +EFI_STATUS +EFIAPI +DeleteDbx ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D DeleteVariable ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Clears the content of the 'dbt' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +**/ +EFI_STATUS +EFIAPI +DeleteDbt ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D DeleteVariable ( + EFI_IMAGE_SECURITY_DATABASE2, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Clears the content of the 'KEK' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +**/ +EFI_STATUS +EFIAPI +DeleteKEK ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D DeleteVariable ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid + ); + + return Status; +} + +/** + Remove the PK variable. + + @retval EFI_SUCCESS Delete PK successfully. + @retval Others Could not allow to delete PK. + +**/ +EFI_STATUS +EFIAPI +DeletePlatformKey ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D DeleteVariable ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid + ); + return Status; +} diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.uni b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni new file mode 100644 index 0000000000..2d5fb7cbb8 --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni @@ -0,0 +1,17 @@ +// /** @file +// +// Provides helper function for initialization of Secure Boot +// keys and databases. +// +// Copyright (c) 2021, ARM Ltd. All rights reserved.
+// Copyright (c) 2021, Semihalf All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides helper f= unctions to initialize PK, KEK and databases based on default variables." + +#string STR_MODULE_DESCRIPTION #language en-US "Provides helper f= unctions to initialize PK, KEK and databases based on default variables." + --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78501): https://edk2.groups.io/g/devel/message/78501 Mute This Topic: https://groups.io/mt/84608355/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Tue Apr 30 15:09:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+78502+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78502+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1627901226; cv=none; d=zohomail.com; s=zohoarc; b=PxLRs6DuManiAq6jrQgtzv/gLJfT2GQiNDGvcVr8BqgoS46r2acMzl0/9tuci26/4PBgLSJRqMwBrL6cCOzmON+xciZsX88Ogdelo/yG+tuSTIIAcbyaoHFbp4iX9tDzhoBkxVMG3IMfz1kDgmbiZvjlqi7C26djcOAirnwTSMo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627901226; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=kQl5gOe0l5HMr5h/QA/WthK65kZy1tYV3V8THo3r2CM=; b=P6UJmZVyXcFbyUEtw4OSq1l3jt1wWBbxRBn0DXX2AdlHQewcTwnbbrBzYyfu389GYkr7aOytg7fQcBzmEvZVtwOEJFhJlPn4xSwf5jrpr6aN2F1tW1aio2QbXtobXU6786bY9yj39FBIOJQz0wdcMzfzsMShTahic61aqidTxrk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78502+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1627901226173286.2096281729215; Mon, 2 Aug 2021 03:47:06 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 4943YY1788612xhSNsOkUAdN; Mon, 02 Aug 2021 03:47:05 -0700 X-Received: from mail-lf1-f41.google.com (mail-lf1-f41.google.com [209.85.167.41]) by mx.groups.io with SMTP id smtpd.web08.18281.1627901224913239875 for ; Mon, 02 Aug 2021 03:47:05 -0700 X-Received: by mail-lf1-f41.google.com with SMTP id t9so19926084lfc.6 for ; Mon, 02 Aug 2021 03:47:04 -0700 (PDT) X-Gm-Message-State: 8EGNtN04Ic1cgrPVaOc4BSYlx1787277AA= X-Google-Smtp-Source: ABdhPJxSAVo82//Ec7AuX0j+mibLoLDT6m3hf23DH0BSBkdgMCN152o/qBn2H5c/n1zF36XDhZ8X4w== X-Received: by 2002:a19:c192:: with SMTP id r140mr11434823lff.109.1627901222709; Mon, 02 Aug 2021 03:47:02 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.47.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:02 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang , Jiewen Yao Subject: [edk2-devel] [PATCH v8 02/11] SecurityPkg: Create library for enrolling Secure Boot variables. Date: Mon, 2 Aug 2021 12:46:24 +0200 Message-Id: <20210802104633.2833333-3-gjb@semihalf.com> In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1627901225; bh=pPW6i7izAcj3WbmYrb9NLgEcZI/1M7wrW8Fe6F+kA5A=; h=Cc:Date:From:Reply-To:Subject:To; b=feLBdlNumpN18EMmyD2Br2+U1Tq3A5r5DdDVw+cmlzrQ7RMBDftTQx4bsrwOdzXs9JZ ReFl4GBO+GmjUVInefOCO8lsMuaNpBESj+w414WYfNNElpZtUyfThtOgXSuxHPJ9C2CJ+ kJtP5m4myYZHDcNQcuL/pficEgrXLu2o2tw= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1627901228252100006 Content-Type: text/plain; charset="utf-8" This commits add library, which consist functions to enrolll Secure Boot keys and initialize Secure Boot default variables. Some of the functions was moved from SecureBootConfigImpl.c file. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang Reviewed-by: Jiewen Yao --- SecurityPkg/SecurityPkg.dec = | 4 + SecurityPkg/SecurityPkg.dsc = | 1 + SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvi= sionLib.inf | 80 ++++ SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h = | 134 ++++++ SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvi= sionLib.c | 482 ++++++++++++++++++++ SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvi= sionLib.uni | 16 + 6 files changed, 717 insertions(+) create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/Secu= reBootVariableProvisionLib.inf create mode 100644 SecurityPkg/Include/Library/SecureBootVariableProvision= Lib.h create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/Secu= reBootVariableProvisionLib.c create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/Secu= reBootVariableProvisionLib.uni diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 8f3710e59f..e30c39f321 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -91,6 +91,10 @@ ## @libraryclass Provides helper functions related to creation/removal = Secure Boot variables. # SecureBootVariableLib|Include/Library/SecureBootVariableLib.h + + ## @libraryclass Provides support to enroll Secure Boot keys. + # + SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisi= onLib.h [Guids] ## Security package token space guid. # Include/Guid/SecurityPkgTokenSpace.h diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 854f250625..99c227dad2 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -71,6 +71,7 @@ TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLo= gRecordLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf =20 [LibraryClasses.ARM] # diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootV= ariableProvisionLib.inf b/SecurityPkg/Library/SecureBootVariableProvisionLi= b/SecureBootVariableProvisionLib.inf new file mode 100644 index 0000000000..a09abd29ce --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariable= ProvisionLib.inf @@ -0,0 +1,80 @@ +## @file +# Provides initialization of Secure Boot keys and databases. +# +# Copyright (c) 2021, ARM Ltd. All rights reserved.
+# Copyright (c) 2021, Semihalf All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SecureBootVariableLib + MODULE_UNI_FILE =3D SecureBootVariableLib.uni + FILE_GUID =3D 18192DD0-9430-45F1-80C7-5C52061CD183 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D SecureBootVariableProvisionLib|DXE_DR= IVER DXE_RUNTIME_DRIVER UEFI_APPLICATION + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 +# + +[Sources] + SecureBootVariableProvisionLib.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib + DxeServicesLib + SecureBootVariableLib + +[Guids] + ## CONSUMES ## Variable:L"SetupMode" + ## PRODUCES ## Variable:L"SetupMode" + ## CONSUMES ## Variable:L"SecureBoot" + ## PRODUCES ## Variable:L"SecureBoot" + ## PRODUCES ## Variable:L"PK" + ## PRODUCES ## Variable:L"KEK" + ## CONSUMES ## Variable:L"PKDefault" + ## CONSUMES ## Variable:L"KEKDefault" + ## CONSUMES ## Variable:L"dbDefault" + ## CONSUMES ## Variable:L"dbxDefault" + ## CONSUMES ## Variable:L"dbtDefault" + gEfiGlobalVariableGuid + + ## SOMETIMES_CONSUMES ## Variable:L"DB" + ## SOMETIMES_CONSUMES ## Variable:L"DBX" + ## SOMETIMES_CONSUMES ## Variable:L"DBT" + gEfiImageSecurityDatabaseGuid + + ## CONSUMES ## Variable:L"SecureBootEnable" + ## PRODUCES ## Variable:L"SecureBootEnable" + gEfiSecureBootEnableDisableGuid + + ## CONSUMES ## Variable:L"CustomMode" + ## PRODUCES ## Variable:L"CustomMode" + gEfiCustomModeEnableGuid + + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES + gEfiCertX509Guid ## CONSUMES + gEfiCertPkcs7Guid ## CONSUMES + + gDefaultPKFileGuid + gDefaultKEKFileGuid + gDefaultdbFileGuid + gDefaultdbxFileGuid + gDefaultdbtFileGuid + diff --git a/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h b= /SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h new file mode 100644 index 0000000000..ba8009b5cd --- /dev/null +++ b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h @@ -0,0 +1,134 @@ +/** @file + Provides a functions to enroll keys based on default values. + +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP
+Copyright (c) 2021, ARM Ltd. All rights reserved.
+Copyright (c) 2021, Semihalf All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef SECURE_BOOT_VARIABLE_PROVISION_LIB_H_ +#define SECURE_BOOT_VARIABLE_PROVISION_LIB_H_ + +/** + Sets the content of the 'db' variable based on 'dbDefault' variable cont= ent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollDbFromDefault ( + VOID +); + +/** + Sets the content of the 'dbx' variable based on 'dbxDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollDbxFromDefault ( + VOID +); + +/** + Sets the content of the 'dbt' variable based on 'dbtDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollDbtFromDefault ( + VOID +); + +/** + Sets the content of the 'KEK' variable based on 'KEKDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollKEKFromDefault ( + VOID +); + +/** + Sets the content of the 'PK' variable based on 'PKDefault' variable cont= ent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime() = and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollPKFromDefault ( + VOID +); + +/** + Initializes PKDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitPKDefault ( + IN VOID + ); + +/** + Initializes KEKDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitKEKDefault ( + IN VOID + ); + +/** + Initializes dbDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitDbDefault ( + IN VOID + ); + +/** + Initializes dbtDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitDbtDefault ( + IN VOID + ); + +/** + Initializes dbxDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecureBootInitDbxDefault ( + IN VOID + ); +#endif diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootV= ariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisionLib/= SecureBootVariableProvisionLib.c new file mode 100644 index 0000000000..848f7ce929 --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariable= ProvisionLib.c @@ -0,0 +1,482 @@ +/** @file + This library provides functions to set/clear Secure Boot + keys and databases. + + Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
+ (C) Copyright 2018 Hewlett Packard Enterprise Development LP
+ Copyright (c) 2021, ARM Ltd. All rights reserved.
+ Copyright (c) 2021, Semihalf All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent +**/ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** + Enroll a key/certificate based on a default variable. + + @param[in] VariableName The name of the key/database. + @param[in] DefaultName The name of the default variable. + @param[in] VendorGuid The namespace (ie. vendor GUID) of the va= riable + + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHeader. + @retval EFI_SUCCESS Successful enrollment. + @return Error codes from GetTime () and SetVariab= le (). +**/ +STATIC +EFI_STATUS +EnrollFromDefault ( + IN CHAR16 *VariableName, + IN CHAR16 *DefaultName, + IN EFI_GUID *VendorGuid + ) +{ + VOID *Data; + UINTN DataSize; + EFI_STATUS Status; + + Status =3D EFI_SUCCESS; + + DataSize =3D 0; + Status =3D GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &D= ataSize); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName,= Status)); + return Status; + } + + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); + return Status; + } + + // + // Allocate memory for auth variable + // + Status =3D gRT->SetVariable ( + VariableName, + VendorGuid, + (EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), + DataSize, + Data + ); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, Var= iableName, + VendorGuid, Status)); + } + + if (Data !=3D NULL) { + FreePool (Data); + } + + return Status; +} + +/** Initializes PKDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +**/ +EFI_STATUS +SecureBootInitPKDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariab= leGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_PK_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARI= ABLE_NAME)); + + Status =3D SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &Efi= Sig); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIA= BLE_NAME)); + return Status; + } + + Status =3D gRT->SetVariable ( + EFI_PK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_A= CCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME= )); + } + + FreePool (EfiSig); + + return Status; +} + +/** Initializes KEKDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +**/ +EFI_STATUS +SecureBootInitKEKDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVaria= bleGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_KEK_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VAR= IABLE_NAME)); + + Status =3D SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &Ef= iSig); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARI= ABLE_NAME)); + return Status; + } + + + Status =3D gRT->SetVariable ( + EFI_KEK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_A= CCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAM= E)); + } + + FreePool (EfiSig); + + return Status; +} + +/** Initializes dbDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +**/ +EFI_STATUS +SecureBootInitDbDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariab= leGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_DB_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARI= ABLE_NAME)); + + Status =3D SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &Efi= Sig); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D gRT->SetVariable ( + EFI_DB_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_A= CCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NA= ME)); + } + + FreePool (EfiSig); + + return Status; +} + +/** Initializes dbxDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +**/ +EFI_STATUS +SecureBootInitDbxDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVaria= bleGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_DBX_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VAR= IABLE_NAME)); + + Status =3D SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &Ef= iSig); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARI= ABLE_NAME)); + return Status; + } + + Status =3D gRT->SetVariable ( + EFI_DBX_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_A= CCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAM= E)); + } + + FreePool (EfiSig); + + return Status; +} + +/** Initializes dbtDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +**/ +EFI_STATUS +SecureBootInitDbtDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVaria= bleGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_DBT_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VAR= IABLE_NAME)); + + Status =3D SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &Ef= iSig); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D gRT->SetVariable ( + EFI_DBT_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_A= CCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAM= E)); + } + + FreePool (EfiSig); + + return EFI_SUCCESS; +} + +/** + Sets the content of the 'db' variable based on 'dbDefault' variable cont= ent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +**/ +EFI_STATUS +EFIAPI +EnrollDbFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_IMAGE_SECURITY_DATABASE, + EFI_DB_DEFAULT_VARIABLE_NAME, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Sets the content of the 'dbx' variable based on 'dbxDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +**/ +EFI_STATUS +EFIAPI +EnrollDbxFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_IMAGE_SECURITY_DATABASE1, + EFI_DBX_DEFAULT_VARIABLE_NAME, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Sets the content of the 'dbt' variable based on 'dbtDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +**/ +EFI_STATUS +EFIAPI +EnrollDbtFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_IMAGE_SECURITY_DATABASE2, + EFI_DBT_DEFAULT_VARIABLE_NAME, + &gEfiImageSecurityDatabaseGuid); + + return Status; +} + +/** + Sets the content of the 'KEK' variable based on 'KEKDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +**/ +EFI_STATUS +EFIAPI +EnrollKEKFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_KEY_EXCHANGE_KEY_NAME, + EFI_KEK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid + ); + + return Status; +} + +/** + Sets the content of the 'KEK' variable based on 'KEKDefault' variable co= ntent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_= AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime (= ) and SetVariable () +**/ +EFI_STATUS +EFIAPI +EnrollPKFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_PLATFORM_KEY_NAME, + EFI_PK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid + ); + + return Status; +} diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootV= ariableProvisionLib.uni b/SecurityPkg/Library/SecureBootVariableProvisionLi= b/SecureBootVariableProvisionLib.uni new file mode 100644 index 0000000000..68d928ef30 --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariable= ProvisionLib.uni @@ -0,0 +1,16 @@ +// /** @file +// +// Provides initialization of Secure Boot keys and databases. +// +// Copyright (c) 2021, ARM Ltd. All rights reserved.
+// Copyright (c) 2021, Semihalf All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides function= s to initialize PK, KEK and databases based on default variables." + +#string STR_MODULE_DESCRIPTION #language en-US "Provides function= s to initialize PK, KEK and databases based on default variables." + --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78502): https://edk2.groups.io/g/devel/message/78502 Mute This Topic: https://groups.io/mt/84608356/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Tue Apr 30 15:09:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+78503+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78503+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1627901227; cv=none; d=zohomail.com; s=zohoarc; b=P8ubRLf0EbHrNrvQpg+ydhWfv8blckKQCtedBdpwA4yI/paB7AzrMJWV2PKYo7Z1+3CMSk/J4zcY1QVO7xD/09H8Xth2UNmN+KMf89q9wYVYvGmAiGN6WEvPa7SftTOW3c11l5fGlBn0+x/z6avKKeRdfXHtlao8369YzMnW7rM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627901227; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=9IOILftwS30Wm6SRB91SHbeb4FFJXSrlsenfCBROnqU=; b=MAeomule+iyXG575fFkVZ9szdoYvkrlPN2O4GFcZKfcVTuTv9Qi4CK5tOBzLwehuXiY5xuODoqPHMJaSrEU3VR7jzb6KMtHgcPJLPoGfS6z0oJsk78RqrDwbPFUf2p7cF2CabwFSccZ9A7VDyfqSOTszSt6YDMbBStXMfnBlpI0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78503+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1627901227388975.0636815136; Mon, 2 Aug 2021 03:47:07 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id i5VsYY1788612xFXHUyupWZs; Mon, 02 Aug 2021 03:47:07 -0700 X-Received: from mail-lf1-f53.google.com (mail-lf1-f53.google.com [209.85.167.53]) by mx.groups.io with SMTP id smtpd.web09.18181.1627901226176724451 for ; Mon, 02 Aug 2021 03:47:06 -0700 X-Received: by mail-lf1-f53.google.com with SMTP id b6so10104076lff.10 for ; Mon, 02 Aug 2021 03:47:05 -0700 (PDT) X-Gm-Message-State: FTlxIi7TXPzQ7O8dF9vaQafRx1787277AA= X-Google-Smtp-Source: ABdhPJzffw42Y9xjIu7EAxMYQKvA9DfoLkBM6E9HCRWXwBD5yrjnzzx1G+MFZmpBi6xwn7Nq54b3Jw== X-Received: by 2002:a05:6512:401b:: with SMTP id br27mr12502681lfb.220.1627901224199; Mon, 02 Aug 2021 03:47:04 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.47.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:03 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang Subject: [edk2-devel] [PATCH v8 03/11] ArmVirtPkg: add SecureBootVariableLib class resolution Date: Mon, 2 Aug 2021 12:46:25 +0200 Message-Id: <20210802104633.2833333-4-gjb@semihalf.com> In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1627901227; bh=Q12EzS1azkzmi9Z5MdrIDbGmxQe362ojeS6ur9susb0=; h=Cc:Date:From:Reply-To:Subject:To; b=IEAswYv8ZTu/5RQFuBuH+s2InVQSJbQkweTY19o2l26F4m0eZFiZ1ZsjDBMwOw7Wavf YRcoA86w2Olej3bPD55fIj8ih5rLTHoNeJQ5P32hneJbgdiNC6UqV9asdjZsKBmSQPE7A n5pzfr+RQ3WWmFW9pq5/g/c7UPdhrymVO2w= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1627901228261100007 Content-Type: text/plain; charset="utf-8" The edk2 patch SecurityPkg: Create library for setting Secure Boot variables. moves generic functions from SecureBootConfigDxe and places them into SecureBootVariableLib. This patch adds SecureBootVariableLib mapping for ArmVirtPkg platform. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang Reviewed-by: Liming Gao --- ArmVirtPkg/ArmVirt.dsc.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc index 619b5f0b44..5a1598d90c 100644 --- a/ArmVirtPkg/ArmVirt.dsc.inc +++ b/ArmVirtPkg/ArmVirt.dsc.inc @@ -168,6 +168,8 @@ # !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf =20 # re-use the UserPhysicalPresent() dummy implementation from the ovmf tr= ee PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78503): https://edk2.groups.io/g/devel/message/78503 Mute This Topic: https://groups.io/mt/84608357/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Tue Apr 30 15:09:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+78504+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78504+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1627901228; cv=none; d=zohomail.com; s=zohoarc; b=afflzPJtscsfO9iFtysUC8YZ/+ePJfiHCqRd/Kb4+wO42V9BWXU0ZGAYnWyyn15CKlMgZ886Pcq772TA3IEYX+zlA59G3ECN4YHHJsgLI0aXW8RBitaGL9lGtiyvtqQGH9H8IYGlFCtN7M2KbHEU2slP//TaeQyJj46vfF8N5pE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627901228; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=ycANXHL2UfVOEgl+qcla+9V4harzHq+THnPlCFpK8+M=; b=JF7X5Sc9fZ8PYJJZ7G+qtpwD6fxgV7cjQRBpVWSOy9yT0uCsuMHG2h65l50cPZ4cRRys7EEXZWGwvrI7TAS8ZCCsKUPsgs3ZphEAtbCymjoEZlFETzwvTSwVBqft3DDKi6MJj3lKH/1OoGVgo3qNgdbkQ/S6C2x8aurnP2EADUM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78504+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1627901228819428.1005927581281; Mon, 2 Aug 2021 03:47:08 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id tDj2YY1788612xIHmTB7mpkA; Mon, 02 Aug 2021 03:47:08 -0700 X-Received: from mail-lj1-f174.google.com (mail-lj1-f174.google.com [209.85.208.174]) by mx.groups.io with SMTP id smtpd.web12.18222.1627901227706634083 for ; Mon, 02 Aug 2021 03:47:08 -0700 X-Received: by mail-lj1-f174.google.com with SMTP id b21so23286140ljo.13 for ; Mon, 02 Aug 2021 03:47:07 -0700 (PDT) X-Gm-Message-State: kAaa5o1VBLqSf2ACmYEWKZZdx1787277AA= X-Google-Smtp-Source: ABdhPJxGnhkbBCRec4MTdj2/9tmi4SMftTrPmN5MgqVXqMLzLSNetHPUhzdJcWFCClFxAxeKJoGacQ== X-Received: by 2002:a2e:911a:: with SMTP id m26mr11021262ljg.109.1627901225535; Mon, 02 Aug 2021 03:47:05 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.47.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:05 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang Subject: [edk2-devel] [PATCH v8 04/11] OvmfPkg: add SecureBootVariableLib class resolution Date: Mon, 2 Aug 2021 12:46:26 +0200 Message-Id: <20210802104633.2833333-5-gjb@semihalf.com> In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1627901228; bh=bhyDV+e/kjwsnLgHE2l64blWpWt7fmGW9XhHsvDHV5o=; h=Cc:Date:From:Reply-To:Subject:To; b=NzfWvcEvrw85doisvFygZJqCxFbUcEIjanZfr5Tqy+f5+BZRpDA1VpBvqFnd6bhN8fR MX9XGvRz22vqpld6FBtDjX2WFPEMPGqWjwskpGeyatLozB6ra6gb8BFXveDWh8jdHV5xj FExJ2jsqcoc8MRIGQVJawCBLbcyQ9BKd3HM= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1627901230424100002 Content-Type: text/plain; charset="utf-8" The edk2 patch SecurityPkg: Create library for setting Secure Boot variables. moves generic functions from SecureBootConfigDxe and places them into SecureBootVariableLib. This patch adds SecureBootVariableLib mapping for OvmfPkg. Signed-off-by: Grzegorz Bernacki Reviewed-by: Laszlo Ersek Reviewed-by: Sunny Wang --- OvmfPkg/Bhyve/BhyveX64.dsc | 2 ++ OvmfPkg/OvmfPkgIa32.dsc | 2 ++ OvmfPkg/OvmfPkgIa32X64.dsc | 2 ++ OvmfPkg/OvmfPkgX64.dsc | 2 ++ 4 files changed, 8 insertions(+) diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index 0068314495..d8fe607d1c 100644 --- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -197,6 +197,8 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecure= Lib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 799a974cf2..d1d92c97ba 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -204,6 +204,8 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 66ad5dc70c..a467ab7090 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -208,6 +208,8 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 180565a100..e56b83d95e 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -208,6 +208,8 @@ !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78504): https://edk2.groups.io/g/devel/message/78504 Mute This Topic: https://groups.io/mt/84608358/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Tue Apr 30 15:09:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+78505+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78505+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1627901229; cv=none; d=zohomail.com; s=zohoarc; b=EOT4mDKM7M/eMXLb1TSnrPP90HL+lmy9kQgeYe2FakWjDy7tzel0Tw5eUU0Clj5Z0Z38I/2MJ3JhhMUsAr5BMNZxFW3ySUFs2yzXA27jRUscsK6CwnYonuLud+0doJQt1zzpvIFzfj/OA7fO1ksWOUVe6MLVK4M0Ef0M+/o2GcY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627901229; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=lI/PCA79Fh18gH5L+CsrWhHvVUMHkNE+MrT68oH0dOc=; b=nDVLzRpUi8mxw4x+GbFcoWIwzaMfppjlgVLykEpDV+pOZctjsmRK9Zc1/Z2zazgtL8mqZMY0r0MsgTiEpe1idXs42J5QQv6o7v5BVt8AlRlNvZPLwda5rWNIQzu4P38JAsL6HhEHNwD30O2oag2WMAZ4onTrMhuLNrpLmfceQVM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78505+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1627901229815344.5751510833927; Mon, 2 Aug 2021 03:47:09 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 11tyYY1788612x532kcb55Nd; Mon, 02 Aug 2021 03:47:09 -0700 X-Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52]) by mx.groups.io with SMTP id smtpd.web11.18099.1627901228761316943 for ; Mon, 02 Aug 2021 03:47:09 -0700 X-Received: by mail-lf1-f52.google.com with SMTP id x8so19562852lfe.3 for ; Mon, 02 Aug 2021 03:47:08 -0700 (PDT) X-Gm-Message-State: okkenP1VspgBQwtl16Xj4veUx1787277AA= X-Google-Smtp-Source: ABdhPJxgqMFfAxzHPHrSn2pJHBfj10TAShqbJzaEZXW9djlkvkrHwEWJ7ETteZP/r/R/cPvcpTyvyA== X-Received: by 2002:ac2:5089:: with SMTP id f9mr912147lfm.647.1627901226989; Mon, 02 Aug 2021 03:47:06 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.47.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:06 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang Subject: [edk2-devel] [PATCH v8 05/11] EmulatorPkg: add SecureBootVariableLib class resolution Date: Mon, 2 Aug 2021 12:46:27 +0200 Message-Id: <20210802104633.2833333-6-gjb@semihalf.com> In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1627901229; bh=7uSl9pfLt4prBvnKIXgNoZsREyutlWZSXtriXM7sOXE=; h=Cc:Date:From:Reply-To:Subject:To; b=jGC7U1L7wWbqLeMWj2ZlmLwDQwpVwMuiaoFxaa7q7UQSOPN+ogxRArSNvAMzR6bly+f bwxrk8FoUsIf7Qf0YDECVA+giRXWvjnvmu9ecyTswUGVyUb71Fb0JTXiioWRAW6KXsTnE czbtlK9Ga8n0DZyR8n+R9bzF2p+OprOqxDY= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1627901230615100003 Content-Type: text/plain; charset="utf-8" The edk2 patch SecurityPkg: Create library for setting Secure Boot variables. moves generic functions from SecureBootConfigDxe and places them into SecureBootVariableLib. This patch adds SecureBootVariableLib mapping for EmulatorPkg. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang --- EmulatorPkg/EmulatorPkg.dsc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 20e5468398..554c13ddb5 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc @@ -132,6 +132,8 @@ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78505): https://edk2.groups.io/g/devel/message/78505 Mute This Topic: https://groups.io/mt/84608359/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Tue Apr 30 15:09:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+78506+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78506+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1627901231; cv=none; d=zohomail.com; s=zohoarc; b=CjboKHhCSfikA4jCrb/d19mN1ny9gPYnKVwQ/vJLIj9sun+QOORpYNm5LKG9fBGZ4wRl70c3Hdc8j5CuRoqM3Ujg4EJ56GE14czgmyp0/HlSt7NTjxihcoJV2pmO+bYmWwc69KiQg3Q1B4X4sfxs0QJWVB2YcaO5+pYmyMrIxJk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627901231; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=ro4DuBuwJ0JmRg1gkE/e7XtLSfJCD4tFVkKLf7GO3l4=; b=ikN1c6TEQfJx0ZfcSxTsj7x0pLgN3NZgWnvxPA8b7vb5JIJ3405RiLE2Zw9bfW9phKPSHRPOVhhiv3LdtmO6gdYYYdoQ/ibJFLZexazGFfsZ6TAIKvuiMyFsYbO7AyazXFbPb6dhHKPIAjsshYIivRz8VQw+80Fnqr1y9m6ScDc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78506+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1627901231909665.2553587875872; Mon, 2 Aug 2021 03:47:11 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 4KtRYY1788612x6hpYWhrn2A; Mon, 02 Aug 2021 03:47:11 -0700 X-Received: from mail-lf1-f46.google.com (mail-lf1-f46.google.com [209.85.167.46]) by mx.groups.io with SMTP id smtpd.web10.18275.1627901230255932210 for ; Mon, 02 Aug 2021 03:47:10 -0700 X-Received: by mail-lf1-f46.google.com with SMTP id m13so32862904lfg.13 for ; Mon, 02 Aug 2021 03:47:10 -0700 (PDT) X-Gm-Message-State: 0WBIx0V7SO1CTa4maZ220NfGx1787277AA= X-Google-Smtp-Source: ABdhPJxTP/SwZiqDCqBd4XFF6qrwS4kG9cnIFbzlyXVAdQAfPFwwZXI/gNIH3HML4tdsmq2CwoTI6w== X-Received: by 2002:a19:5e4c:: with SMTP id z12mr12383247lfi.275.1627901228361; Mon, 02 Aug 2021 03:47:08 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.47.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:08 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Jiewen Yao , Sunny Wang Subject: [edk2-devel] [PATCH v8 06/11] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe. Date: Mon, 2 Aug 2021 12:46:28 +0200 Message-Id: <20210802104633.2833333-7-gjb@semihalf.com> In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1627901231; bh=HCaMuCN4OgHAj1jjjvXVpaac4heYB+SZbdPCeaLzvrQ=; h=Cc:Date:From:Reply-To:Subject:To; b=ijsBY7yENDkoyMoa/GAx82AQkCPRDoCKs7UXkYlE7JZXWaq/n9MZAoMOBL7zV5v+vE9 8rY/35vIeUbE2IzuIiAPAeuvMeOdBs1iF9vV9VJeFeEpgta5ud7oq4ml4CNqc1mH7onU4 4+rNG9USaxUoKX6hwbABKzXTcvctrguTKus= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1627901232965100003 Content-Type: text/plain; charset="utf-8" This commit removes functions which were added to SecureBootVariableLib. It also adds dependecy on that library. Signed-off-by: Grzegorz Bernacki Reviewed-by: Jiewen Yao eviewed-by: Sunny Wang --- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.= inf | 2 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl= .c | 190 +------------------- 2 files changed, 4 insertions(+), 188 deletions(-) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 573efa6379..14c7311b08 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf @@ -54,6 +54,8 @@ DevicePathLib FileExplorerLib PeCoffLib + SecureBootVariableLib + SecureBootVariableProvisionLib =20 [Guids] ## SOMETIMES_CONSUMES ## Variable:L"CustomMode" diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index e82bfe7757..f527aa32e6 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -9,6 +9,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 #include "SecureBootConfigImpl.h" #include +#include +#include =20 CHAR16 mSecureBootStorageName[] =3D L"SECUREBOOT_CONFIGURATIO= N"; =20 @@ -237,168 +239,6 @@ SaveSecureBootVariable ( return Status; } =20 -/** - Create a time based data payload by concatenating the EFI_VARIABLE_AUTHE= NTICATION_2 - descriptor with the input data. NO authentication is required in this fu= nction. - - @param[in, out] DataSize On input, the size of Data buffer in by= tes. - On output, the size of data returned in= Data - buffer in bytes. - @param[in, out] Data On input, Pointer to data buffer to be = wrapped or - pointer to NULL to wrap an empty payloa= d. - On output, Pointer to the new payload d= ate buffer allocated from pool, - it's caller's responsibility to free th= e memory when finish using it. - - @retval EFI_SUCCESS Create time based payload successfully. - @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval Others Unexpected error happens. - -**/ -EFI_STATUS -CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data - ) -{ - EFI_STATUS Status; - UINT8 *NewData; - UINT8 *Payload; - UINTN PayloadSize; - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; - UINTN DescriptorSize; - EFI_TIME Time; - - if (Data =3D=3D NULL || DataSize =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - // - // In Setup mode or Custom mode, the variable does not need to be signed= but the - // parameters to the SetVariable() call still need to be prepared as aut= henticated - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor withou= t certificate - // data in it. - // - Payload =3D *Data; - PayloadSize =3D *DataSize; - - DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo= ) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); - if (NewData =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { - CopyMem (NewData + DescriptorSize, Payload, PayloadSize); - } - - DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); - - ZeroMem (&Time, sizeof (EFI_TIME)); - Status =3D gRT->GetTime (&Time, NULL); - if (EFI_ERROR (Status)) { - FreePool(NewData); - return Status; - } - Time.Pad1 =3D 0; - Time.Nanosecond =3D 0; - Time.TimeZone =3D 0; - Time.Daylight =3D 0; - Time.Pad2 =3D 0; - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); - - DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERTIFI= CATE_UEFI_GUID, CertData); - DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; - DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT_TYPE_EFI_GUID; - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); - - if (Payload !=3D NULL) { - FreePool(Payload); - } - - *DataSize =3D DescriptorSize + PayloadSize; - *Data =3D NewData; - return EFI_SUCCESS; -} - -/** - Internal helper function to delete a Variable given its name and GUID, N= O authentication - required. - - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Variable deleted successfully. - @retval Others The driver failed to start the device. - -**/ -EFI_STATUS -DeleteVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - VOID* Variable; - UINT8 *Data; - UINTN DataSize; - UINT32 Attr; - - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); - if (Variable =3D=3D NULL) { - return EFI_SUCCESS; - } - FreePool (Variable); - - Data =3D NULL; - DataSize =3D 0; - Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | E= FI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - - Status =3D CreateTimeBasedPayload (&DataSize, &Data); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); - return Status; - } - - Status =3D gRT->SetVariable ( - VariableName, - VendorGuid, - Attr, - DataSize, - Data - ); - if (Data !=3D NULL) { - FreePool (Data); - } - return Status; -} - -/** - - Set the platform secure boot mode into "Custom" or "Standard" mode. - - @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE= _BOOT_MODE or - CUSTOM_SECURE_BOOT_MODE. - - @return EFI_SUCCESS The platform has switched to the spec= ial mode successfully. - @return other Fail to operate the secure boot mode. - -**/ -EFI_STATUS -SetSecureBootMode ( - IN UINT8 SecureBootMode - ) -{ - return gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCES= S, - sizeof (UINT8), - &SecureBootMode - ); -} - /** This code checks if the encode type and key strength of X.509 certificate is qualified. @@ -646,32 +486,6 @@ ON_EXIT: return Status; } =20 -/** - Remove the PK variable. - - @retval EFI_SUCCESS Delete PK successfully. - @retval Others Could not allow to delete PK. - -**/ -EFI_STATUS -DeletePlatformKey ( - VOID -) -{ - EFI_STATUS Status; - - Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); - if (EFI_ERROR (Status)) { - return Status; - } - - Status =3D DeleteVariable ( - EFI_PLATFORM_KEY_NAME, - &gEfiGlobalVariableGuid - ); - return Status; -} - /** Enroll a new KEK item from public key storing file (*.pbk). =20 --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78506): https://edk2.groups.io/g/devel/message/78506 Mute This Topic: https://groups.io/mt/84608360/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Tue Apr 30 15:09:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+78507+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78507+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1627901232; cv=none; d=zohomail.com; s=zohoarc; b=Cej1Qf2yhMB0piM7QISP7MUyEvAfHPFPdyCATDICut21OHZy1SD1Ar5V+g27u9IQAubXcNRSI6Y8bbp0GWK+FAZSlToGjiIEikwix2IwXRrLXxyCPMFdrhrjsjQgrUyosxiH4rfxhOfh5eSz1keihTV8VVs2wCXEg0yIcbBsnk4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627901232; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=uItniSzrxIwHYQQKePF+PxU5EXuagUhk8I4CayjmMJA=; b=n2MyhYlHaFwh2aqUbJVKSlAub0eoD5ALxMYmpb+Xi701NYfxIka4uxkW/DV6tx30fDUZwS3dzOhlXv7qRQjtItpKTCef5Y02GjMWEKiOvAiEs1Htc6xIivsSwDkAhdGD3t7rjUdfAMHQRO6eOmpQx24x6Rv++6+HK1gduMr3vU4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78507+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1627901232636717.3149358125048; Mon, 2 Aug 2021 03:47:12 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 6eVqYY1788612x3ZqVo8jkXA; Mon, 02 Aug 2021 03:47:12 -0700 X-Received: from mail-lf1-f53.google.com (mail-lf1-f53.google.com [209.85.167.53]) by mx.groups.io with SMTP id smtpd.web10.18276.1627901231509880635 for ; Mon, 02 Aug 2021 03:47:11 -0700 X-Received: by mail-lf1-f53.google.com with SMTP id t9so19926499lfc.6 for ; Mon, 02 Aug 2021 03:47:11 -0700 (PDT) X-Gm-Message-State: ekUQ6nYqP7ZxFhmpCKsQ5IFSx1787277AA= X-Google-Smtp-Source: ABdhPJyZLpW7cui39N9hC9MWapNGQYjwCXzTcRp/20sm/3ITc9JJ56Db318Jnb1XuWJlPGF8Y+kFbg== X-Received: by 2002:a19:6407:: with SMTP id y7mr12734650lfb.594.1627901229721; Mon, 02 Aug 2021 03:47:09 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.47.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:09 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang Subject: [edk2-devel] [PATCH v8 07/11] ArmPlatformPkg: Create include file for default key content. Date: Mon, 2 Aug 2021 12:46:29 +0200 Message-Id: <20210802104633.2833333-8-gjb@semihalf.com> In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1627901232; bh=nG4rr/Fh89nUhSpLWmQUHRtlIDIBf+fIOo09CMWjJUM=; h=Cc:Date:From:Reply-To:Subject:To; b=TmhkDYeAaQD5tV31g4YZopOYjl5tegUIvBRcEvnKu8MHU6FHfRNXquak/zO2/iSgcIi N2miNJMmJpnwtjJz9y5BtT0Y/cSluTiorMDbMfv0k2w+p2tOGxXKnvQ6sR6LqesGgIZsq /TO9ex21E50GUrv6pnOM+BdC5ab1Vr78cok= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1627901232941100001 Content-Type: text/plain; charset="utf-8" This commits add file which can be included by platform Flash Description File. It allows to specify certificate files, which will be embedded into binary file. The content of these files can be used to initialize Secure Boot default keys and databases. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang --- ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc | 70 ++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc diff --git a/ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc b/ArmPlatformPkg/= SecureBootDefaultKeys.fdf.inc new file mode 100644 index 0000000000..bf4f2d42de --- /dev/null +++ b/ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc @@ -0,0 +1,70 @@ +## @file +# FDF include file which allows to embed Secure Boot keys +# +# Copyright (c) 2021, ARM Limited. All rights reserved. +# Copyright (c) 2021, Semihalf. All rights reserved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# + +!if $(DEFAULT_KEYS) =3D=3D TRUE + FILE FREEFORM =3D 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 { + !ifdef $(PK_DEFAULT_FILE) + SECTION RAW =3D $(PK_DEFAULT_FILE) + !endif + SECTION UI =3D "PK Default" + } + + FILE FREEFORM =3D 6f64916e-9f7a-4c35-b952-cd041efb05a3 { + !ifdef $(KEK_DEFAULT_FILE1) + SECTION RAW =3D $(KEK_DEFAULT_FILE1) + !endif + !ifdef $(KEK_DEFAULT_FILE2) + SECTION RAW =3D $(KEK_DEFAULT_FILE2) + !endif + !ifdef $(KEK_DEFAULT_FILE3) + SECTION RAW =3D $(KEK_DEFAULT_FILE3) + !endif + SECTION UI =3D "KEK Default" + } + + FILE FREEFORM =3D c491d352-7623-4843-accc-2791a7574421 { + !ifdef $(DB_DEFAULT_FILE1) + SECTION RAW =3D $(DB_DEFAULT_FILE1) + !endif + !ifdef $(DB_DEFAULT_FILE2) + SECTION RAW =3D $(DB_DEFAULT_FILE2) + !endif + !ifdef $(DB_DEFAULT_FILE3) + SECTION RAW =3D $(DB_DEFAULT_FILE3) + !endif + SECTION UI =3D "DB Default" + } + + FILE FREEFORM =3D 36c513ee-a338-4976-a0fb-6ddba3dafe87 { + !ifdef $(DBT_DEFAULT_FILE1) + SECTION RAW =3D $(DBT_DEFAULT_FILE1) + !endif + !ifdef $(DBT_DEFAULT_FILE2) + SECTION RAW =3D $(DBT_DEFAULT_FILE2) + !endif + !ifdef $(DBT_DEFAULT_FILE3) + SECTION RAW =3D $(DBT_DEFAULT_FILE3) + !endif + SECTION UI =3D "DBT Default" + } + + FILE FREEFORM =3D 5740766a-718e-4dc0-9935-c36f7d3f884f { + !ifdef $(DBX_DEFAULT_FILE1) + SECTION RAW =3D $(DBX_DEFAULT_FILE1) + !endif + !ifdef $(DBX_DEFAULT_FILE2) + SECTION RAW =3D $(DBX_DEFAULT_FILE2) + !endif + !ifdef $(DBX_DEFAULT_FILE3) + SECTION RAW =3D $(DBX_DEFAULT_FILE3) + !endif + SECTION UI =3D "DBX Default" + } + +!endif --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78507): https://edk2.groups.io/g/devel/message/78507 Mute This Topic: https://groups.io/mt/84608361/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Tue Apr 30 15:09:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+78508+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78508+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1627901234; cv=none; d=zohomail.com; s=zohoarc; b=BigXpVBpaV8N0SwqzEIu5QyfdC1Kd9qMra0111g03Ae4hjUeDXkCoF/nIqIzVkgt6VjP3lEUjpc/jKTb42IEUlNi1yf6OhEYQBbgj3OfrC6V10HaM0WPKF2HHuhclBU3sgaUFK5x7VhKMuUC/VNXzNDCciHVD2YrLdD8sbqA9ow= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627901234; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=4fgN6JVSykj2YF3URA8Ysys0d04wKVSfpgKdgjkruGU=; b=ZOQbWZ1G3Ik0X+4LxI3vGd1X6+GF9o5slAR61RGOt3Q82aJlAh1G4umh23FAX4AD4aPuH42KfiSjM02svQPaswuW8opB6hTZexbfZZByv2q/4mBOeoXwQMsNwPJve8Sm5QToKsGXb4YBUVxSK4W7/0hToE0JgzFC+vvU1NmSbuk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78508+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1627901234042453.10156601318283; Mon, 2 Aug 2021 03:47:14 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 6SkVYY1788612xJ2z22IKLTV; Mon, 02 Aug 2021 03:47:13 -0700 X-Received: from mail-lf1-f50.google.com (mail-lf1-f50.google.com [209.85.167.50]) by mx.groups.io with SMTP id smtpd.web12.18223.1627901232893249959 for ; Mon, 02 Aug 2021 03:47:13 -0700 X-Received: by mail-lf1-f50.google.com with SMTP id b6so10104572lff.10 for ; Mon, 02 Aug 2021 03:47:12 -0700 (PDT) X-Gm-Message-State: 1wP3ovDYb1fGNZM45j1xsr1Hx1787277AA= X-Google-Smtp-Source: ABdhPJwGf1aN7i00PyGsYjzNZEqGsljbhWuoIGG0IWPdki39olhL/qbfZLkEpnQt0BI0H5K2M9O+gQ== X-Received: by 2002:a05:6512:3ca5:: with SMTP id h37mr12406497lfv.46.1627901231086; Mon, 02 Aug 2021 03:47:11 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.47.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:10 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang , Jiewen Yao Subject: [edk2-devel] [PATCH v8 08/11] SecurityPkg: Add SecureBootDefaultKeysDxe driver Date: Mon, 2 Aug 2021 12:46:30 +0200 Message-Id: <20210802104633.2833333-9-gjb@semihalf.com> In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1627901233; bh=H7r82d9KdvsDvmhynul8TYvxtsR4cAGKoNKgQF3Q+RI=; h=Cc:Date:From:Reply-To:Subject:To; b=sXxLNmoR5Zihqo7/WvkVbvSvoqTZ4mPPWTv/p3rDskFrz0cR7DuGrgaOa1/fQzre/v3 6dFC1F4xBDwTqXHlsdQaLHsgxpYVylsDmJGAwoIW3nCR+iLoCr3TUXYs4kt/FRu2LpRlD gudBrdggYnlQxTAfvhjAEt3UrO0d+M9gWzE= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1627901235168100002 Content-Type: text/plain; charset="utf-8" This driver initializes default Secure Boot keys and databases based on keys embedded in flash. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang Reviewed-by: Pete Batard Tested-by: Pete Batard on Raspberry Pi Reviewed-by: Jiewen Yao --- SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefau= ltKeysDxe.inf | 46 +++++++++++++ SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefau= ltKeysDxe.c | 69 ++++++++++++++++++++ SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefau= ltKeysDxe.uni | 16 +++++ 3 files changed, 131 insertions(+) create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys= Dxe/SecureBootDefaultKeysDxe.inf create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys= Dxe/SecureBootDefaultKeysDxe.c create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys= Dxe/SecureBootDefaultKeysDxe.uni diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Sec= ureBootDefaultKeysDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootDef= aultKeysDxe/SecureBootDefaultKeysDxe.inf new file mode 100644 index 0000000000..3ed45fa497 --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot= DefaultKeysDxe.inf @@ -0,0 +1,46 @@ +## @file +# Initializes Secure Boot default keys +# +# Copyright (c) 2021, ARM Ltd. All rights reserved.
+# Copyright (c) 2021, Semihalf All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SecureBootDefaultKeysDxe + FILE_GUID =3D C937FCB7-25AC-4376-89A2-4EA8B317DE83 + MODULE_TYPE =3D DXE_DRIVER + ENTRY_POINT =3D SecureBootDefaultKeysEntryPoint + +# +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 +# +[Sources] + SecureBootDefaultKeysDxe.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + MemoryAllocationLib + UefiDriverEntryPoint + DebugLib + SecureBootVariableLib + SecureBootVariableProvisionLib + +[Guids] + ## SOMETIMES_PRODUCES ## Variable:L"PKDefault" + ## SOMETIMES_PRODUCES ## Variable:L"KEKDefault" + ## SOMETIMES_PRODUCES ## Variable:L"dbDefault" + ## SOMETIMES_PRODUCES ## Variable:L"dbtDefault" + ## SOMETIMES_PRODUCES ## Variable:L"dbxDefault" + gEfiGlobalVariableGuid + +[Depex] + gEfiVariableArchProtocolGuid AND + gEfiVariableWriteArchProtocolGuid diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Sec= ureBootDefaultKeysDxe.c b/SecurityPkg/VariableAuthenticated/SecureBootDefau= ltKeysDxe/SecureBootDefaultKeysDxe.c new file mode 100644 index 0000000000..f51d5243b7 --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot= DefaultKeysDxe.c @@ -0,0 +1,69 @@ +/** @file + This driver init default Secure Boot variables + +Copyright (c) 2021, ARM Ltd. All rights reserved.
+Copyright (c) 2021, Semihalf All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** + The entry point for SecureBootDefaultKeys driver. + + @param[in] ImageHandle The image handle of the driver. + @param[in] SystemTable The system table. + + @retval EFI_ALREADY_STARTED The driver already exists in system. + @retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack o= f resources. + @retval EFI_SUCCESS All the related protocols are installed o= n the driver. + @retval Others Fail to get the SecureBootEnable variable. + +**/ +EFI_STATUS +EFIAPI +SecureBootDefaultKeysEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + + Status =3D SecureBootInitPKDefault (); + if (EFI_ERROR (Status)) { + DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __FUNCTIO= N__, Status)); + return Status; + } + + Status =3D SecureBootInitKEKDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __FUNCT= ION__, Status)); + return Status; + } + Status =3D SecureBootInitDbDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __FUNCTI= ON__, Status)); + return Status; + } + + Status =3D SecureBootInitDbtDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__)); + } + + Status =3D SecureBootInitDbxDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__)); + } + + return Status; +} diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Sec= ureBootDefaultKeysDxe.uni b/SecurityPkg/VariableAuthenticated/SecureBootDef= aultKeysDxe/SecureBootDefaultKeysDxe.uni new file mode 100644 index 0000000000..2b6cb7f950 --- /dev/null +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot= DefaultKeysDxe.uni @@ -0,0 +1,16 @@ +// /** @file +// Provides the capability to intialize Secure Boot default variables +// +// Module which initializes Secure boot default variables. +// +// Copyright (c) 2021, ARM Ltd. All rights reserved.
+// Copyright (c) 2021, Semihalf All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Module which init= ializes Secure boot default variables" + +#string STR_MODULE_DESCRIPTION #language en-US "This module reads= embedded keys and initializes Secure Boot default variables." --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78508): https://edk2.groups.io/g/devel/message/78508 Mute This Topic: https://groups.io/mt/84608362/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Tue Apr 30 15:09:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+78509+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78509+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1627901235; cv=none; d=zohomail.com; s=zohoarc; b=SuFgAMT45ofRhRVDRQryFxkzmcpE7RsEWSn0RACe/wGji0ChHVSubpJzW/PqQxVQPE/1IM+Y1tN0buoCePTT2dk9+3o9mHmSLd45vE2nFfzq3iInBMHBw1ZAPeL6nSJRV32GjkOubxnWZcdAst+HSUWfocqE/R/TgYBcsiGo5+o= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627901235; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=AvIad++7n0jjlJrVQ6dHpfEmqbwo1DEHL5ypE892sqs=; b=npDuhK7+zYt772vRdDfGnbNsHfZDdhHBje5otvI4jOZpdZ0Tezi6TMnhfw6ZWMxmT7AfJhrDvuJIVrH8uSxO+fjewmd0F6mJ3YpD1ZC81AzAjSWoFymv7nLTY3EKfjPtr4SZmY3/ms6a3eQAAcC4xvFI8pvTZFF98AP7PB+Jzss= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78509+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1627901235545675.6512844843165; Mon, 2 Aug 2021 03:47:15 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id cirsYY1788612xY4VE4RLBHl; Mon, 02 Aug 2021 03:47:15 -0700 X-Received: from mail-lj1-f171.google.com (mail-lj1-f171.google.com [209.85.208.171]) by mx.groups.io with SMTP id smtpd.web12.18224.1627901234474839534 for ; Mon, 02 Aug 2021 03:47:14 -0700 X-Received: by mail-lj1-f171.google.com with SMTP id h9so23331209ljq.8 for ; Mon, 02 Aug 2021 03:47:14 -0700 (PDT) X-Gm-Message-State: mgkDvy6zHf2PphbTZxN0i5btx1787277AA= X-Google-Smtp-Source: ABdhPJxWZ6LjaVm9uuZ6oP1tSVQsc/CkzEAoXb1GuPKxL6OFjH6NTFDGwQD/uVHgCiNZgtKRpNDsSw== X-Received: by 2002:a2e:320b:: with SMTP id y11mr10774188ljy.374.1627901232458; Mon, 02 Aug 2021 03:47:12 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.47.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:12 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Jiewen Yao , Sunny Wang Subject: [edk2-devel] [PATCH v8 09/11] SecurityPkg: Add EnrollFromDefaultKeys application. Date: Mon, 2 Aug 2021 12:46:31 +0200 Message-Id: <20210802104633.2833333-10-gjb@semihalf.com> In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1627901235; bh=C2BAc39HBsty2HAEGeRP7SekGf4FwLyboi3hp7KoS64=; h=Cc:Date:From:Reply-To:Subject:To; b=WA6hf8Ogq1u24vgQfxbF09HQzCftO3GV1KDaG/HTSWUWlaTMxlqgr1EeOnbvaLzKwGD ewVExDpplPHTQHmD4YMuhItpdcnyCaNuSv2pG5FQKNwxTEcqX30DTKJcp2eDRUw+P27zB TN4ZV+VBycZNcVa8nFmF1tU6nZFxbixEwFs= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1627901237162100008 Content-Type: text/plain; charset="utf-8" This application allows user to force key enrollment from Secure Boot default variables. Signed-off-by: Grzegorz Bernacki Reviewed-by: Jiewen Yao Reviewed-by: Sunny Wang --- SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 48 ++= ++++++ SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 115 ++= ++++++++++++++++++ 2 files changed, 163 insertions(+) create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultK= eysApp.inf create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultK= eysApp.c diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.= inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf new file mode 100644 index 0000000000..8675b30291 --- /dev/null +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf @@ -0,0 +1,48 @@ +## @file +# Enroll PK, KEK, db, dbx from Default variables +# +# Copyright (c) 2021, ARM Ltd. All rights reserved.
+# Copyright (c) 2021, Semihalf All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +[Defines] + INF_VERSION =3D 1.28 + BASE_NAME =3D EnrollFromDefaultKeysApp + FILE_GUID =3D 6F18CB2F-1293-4BC1-ABB8-35F84C71812E + MODULE_TYPE =3D UEFI_APPLICATION + VERSION_STRING =3D 0.1 + ENTRY_POINT =3D UefiMain + +[Sources] + EnrollFromDefaultKeysApp.c + +[Packages] + MdeModulePkg/MdeModulePkg.dec + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[Guids] + gEfiCertPkcs7Guid + gEfiCertSha256Guid + gEfiCertX509Guid + gEfiCustomModeEnableGuid + gEfiGlobalVariableGuid + gEfiImageSecurityDatabaseGuid + gEfiSecureBootEnableDisableGuid + +[Protocols] + gEfiSmbiosProtocolGuid ## CONSUMES + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + PrintLib + UefiApplicationEntryPoint + UefiBootServicesTableLib + UefiLib + UefiRuntimeServicesTableLib + SecureBootVariableLib + SecureBootVariableProvisionLib diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.= c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c new file mode 100644 index 0000000000..0e4b06551a --- /dev/null +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c @@ -0,0 +1,115 @@ +/** @file + Enroll default PK, KEK, db, dbx. + +Copyright (c) 2021, ARM Ltd. All rights reserved.
+Copyright (c) 2021, Semihalf All rights reserved.
+ +SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#include // gEfiCustomModeEnableGu= id +#include // EFI_SETUP_MODE_NAME +#include // EFI_IMAGE_SECURITY_DAT= ABASE +#include // GUID_STRING_LENGTH +#include // CopyGuid() +#include // ASSERT() +#include // FreePool() +#include // AsciiSPrint() +#include // gBS +#include // AsciiPrint() +#include // gRT +#include +#include +#include + +/** + Entry point function of this shell application. + @param[in] ImageHandle The firmware allocated handle for the EFI imag= e. + @param[in] SystemTable A pointer to the EFI System Table. + + @retval 0 The entry point is executed successfully. + @retval other Some error occurs when executing this entry point. +**/ +EFI_STATUS +EFIAPI +UefiMain ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + UINT8 SetupMode; + + Status =3D GetSetupMode (&SetupMode); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: = %r\n", Status); + return 1; + } + + if (SetupMode =3D=3D USER_MODE) { + AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n"); + return 1; + } + + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_M= ODE: %r\n", Status); + return 1; + } + + Status =3D EnrollDbFromDefault (); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status= ); + goto error; + } + + Status =3D EnrollDbxFromDefault (); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Statu= s); + } + + Status =3D EnrollDbtFromDefault (); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Statu= s); + } + + Status =3D EnrollKEKFromDefault (); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Statu= s); + goto cleardbs; + } + + Status =3D EnrollPKFromDefault (); + if (EFI_ERROR (Status)) { + AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status= ); + goto clearKEK; + } + + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + AsciiPrint ( + "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_= BOOT_MODE\n" + "Please do it manually, otherwise system can be easily compromised\n" + ); + } + return 0; + +clearKEK: + DeleteKEK (); + +cleardbs: + DeleteDbt (); + DeleteDbx (); + DeleteDb (); + +error: + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + AsciiPrint ( + "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_= BOOT_MODE\n" + "Please do it manually, otherwise system can be easily compromised\n" + ); + } + + return 1; +} --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78509): https://edk2.groups.io/g/devel/message/78509 Mute This Topic: https://groups.io/mt/84608363/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Tue Apr 30 15:09:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+78510+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78510+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1627901236; cv=none; d=zohomail.com; s=zohoarc; b=neERpm6Gg7z6HiJNiWrYszezRF7jtT5NO59t6N8SMp8wwNzJAcWDlO3i/FATplyzrsILpuBpvQgWyII5jZTJ5q9qBdOsEJRkIhLcDoYHCgtv8AzuuThzlnVirlQrE3GYEJ5PKzQExEzgLg4hChpzu6a+wAmBqMXJr+YlMBqlRHU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627901236; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=vVXjDI16dLTxhvlNsZZWDmCIGRpCwyxH66fzjjBxt8I=; b=TSn6zYahGefDMvEtVk4Rlqh6GOPQx4HpWkl8opVnn87b/tgNIa/X5/Bwj4hMDZnNY2D/NIuyDVrbVznbvuxSp5vRoHEz9liU6CvbsjkpXdz+HwbgCPQuZDNWWyV93cOyqqnlEFTjmIgIGs2QaLvTseCdx8g/4LjqGwHlRE1U8Eg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78510+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1627901236863953.2356363865285; Mon, 2 Aug 2021 03:47:16 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id Y2VZYY1788612xq3Pz2Tthlx; Mon, 02 Aug 2021 03:47:16 -0700 X-Received: from mail-lj1-f181.google.com (mail-lj1-f181.google.com [209.85.208.181]) by mx.groups.io with SMTP id smtpd.web08.18284.1627901235681289792 for ; Mon, 02 Aug 2021 03:47:16 -0700 X-Received: by mail-lj1-f181.google.com with SMTP id u20so23383496ljo.0 for ; Mon, 02 Aug 2021 03:47:15 -0700 (PDT) X-Gm-Message-State: S7cXXokeEAPEox2fCr1nlTcOx1787277AA= X-Google-Smtp-Source: ABdhPJzWWv00S/EP2IDeOh0+D1mDQ40WzH/FuhuJGAgLyegxTYTZ3/YOilMQ00uTPUxh0gT1mFFUsg== X-Received: by 2002:a2e:a4aa:: with SMTP id g10mr10513552ljm.348.1627901233878; Mon, 02 Aug 2021 03:47:13 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.47.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:13 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang , Jiewen Yao Subject: [edk2-devel] [PATCH v8 10/11] SecurityPkg: Add new modules to Security package. Date: Mon, 2 Aug 2021 12:46:32 +0200 Message-Id: <20210802104633.2833333-11-gjb@semihalf.com> In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1627901236; bh=ARKd+1ytM1sYIxsomeFi7LQtowsS988EoQia3++7re8=; h=Cc:Date:From:Reply-To:Subject:To; b=Hxs+tUcOErSh1re3Vcp11YpkQFzK9PMia/fzU2XCnEj5/CAY4PiM0xw65J4QAYEOuw4 BE9kNvzIgWBh1CFVM8pLRrxmV+DFbk2pAkXZJY/AIALn/duzLmL08G5v328jjd7MpteWF RVRuENz7QzWkVW0wP6IHe5ABJ+gi4EA6S3w= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1627901237266100012 Content-Type: text/plain; charset="utf-8" This commits adds modules and dependencies related to initialization and usage of default Secure Boot key variables to SecurityPkg. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang Reviewed-by: Jiewen Yao Reviewed-by: Pete Batard Tested-by: Pete Batard on Raspberry Pi 4 --- SecurityPkg/SecurityPkg.dec | 14 ++++++++++++++ SecurityPkg/SecurityPkg.dsc | 7 ++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index e30c39f321..d5ace6f654 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -198,6 +198,20 @@ ## GUID used to enforce loading order between Tcg2Acpi and Tcg2Smm gTcg2MmSwSmiRegisteredGuid =3D { 0x9d4548b9, 0xa48d, 0x4db4, { 0= x9a, 0x68, 0x32, 0xc5, 0x13, 0x9e, 0x20, 0x18 } } =20 + ## GUID used to specify section with default PK content + gDefaultPKFileGuid =3D { 0x85254ea7, 0x4759, 0x4fc4, { 0= x82, 0xd4, 0x5e, 0xed, 0x5f, 0xb0, 0xa4, 0xa0 } } + + ## GUID used to specify section with default KEK content + gDefaultKEKFileGuid =3D { 0x6f64916e, 0x9f7a, 0x4c35, { 0= xb9, 0x52, 0xcd, 0x04, 0x1e, 0xfb, 0x05, 0xa3 } } + + ## GUID used to specify section with default db content + gDefaultdbFileGuid =3D { 0xc491d352, 0x7623, 0x4843, { 0= xac, 0xcc, 0x27, 0x91, 0xa7, 0x57, 0x44, 0x21 } } + + ## GUID used to specify section with default dbx content + gDefaultdbxFileGuid =3D { 0x5740766a, 0x718e, 0x4dc0, { 0= x99, 0x35, 0xc3, 0x6f, 0x7d, 0x3f, 0x88, 0x4f } } + + ## GUID used to specify section with default dbt content + gDefaultdbtFileGuid =3D { 0x36c513ee, 0xa338, 0x4976, { 0= xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } } =20 [Ppis] ## The PPI GUID for that TPM physical presence should be locked. diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 99c227dad2..64157e20f9 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -73,7 +73,7 @@ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf =20 -[LibraryClasses.ARM] +[LibraryClasses.ARM, LibraryClasses.AARCH64] # # It is not possible to prevent the ARM compiler for generic intrinsic f= unctions. # This library provides the intrinsic functions generate by a given comp= iler. @@ -149,6 +149,7 @@ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf !endif HashLib|SecurityPkg/Library/HashLibBaseCryptoRouter/HashLibBaseCryptoRou= terDxe.inf + HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.i= nf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf =20 @@ -260,6 +261,10 @@ =20 [Components.IA32, Components.X64, Components.ARM, Components.AARCH64] SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf + SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariablePro= visionLib.inf + SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf + SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDef= aultKeysDxe.inf =20 [Components.IA32, Components.X64, Components.AARCH64] # --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78510): https://edk2.groups.io/g/devel/message/78510 Mute This Topic: https://groups.io/mt/84608364/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Tue Apr 30 15:09:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+78511+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78511+1787277+3901457@groups.io ARC-Seal: i=1; a=rsa-sha256; t=1627901238; cv=none; d=zohomail.com; s=zohoarc; b=nyDJl1CQOcGnblECV+7/t1EhCprkkbDT9O2jbqN8oPSMCBmgtccgeYYZJuDk0fTnZFBSguMq9DumxZZJNB5njhi1GukHex3vqINJ5q7QWqCPq6NcCMSmbAY2THKfqBH8Dq5Hpsqy37+4UNTIr1N650vjzqrZMvaVAT9/5Erj09k= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1627901238; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=2+aryHyvByHuN6FEb/WvN+qucjIVV3Cm7D9iu+JiZyE=; b=gIE3oIm3FRCVZprhzqG3ZMP03U42oh4RjrJpuQnWMrxFZqfIeGuXy+lSoaQsOGvBr5nA5peFhZJfoZAqA8fQG18jKgbJx8xAfI9kMQRVm4yISQzovGZ3JHVWrhND+lMV6SMeCjjz7ubnDTFd7I0lGFlXw2vDFM4cVtvVO7p2jjg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+78511+1787277+3901457@groups.io Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1627901238552902.9989065754095; Mon, 2 Aug 2021 03:47:18 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id Tds0YY1788612xt8SW0A0dbx; Mon, 02 Aug 2021 03:47:17 -0700 X-Received: from mail-lf1-f50.google.com (mail-lf1-f50.google.com [209.85.167.50]) by mx.groups.io with SMTP id smtpd.web09.18182.1627901237077358014 for ; Mon, 02 Aug 2021 03:47:17 -0700 X-Received: by mail-lf1-f50.google.com with SMTP id t9so19926828lfc.6 for ; Mon, 02 Aug 2021 03:47:16 -0700 (PDT) X-Gm-Message-State: oWOECNBxfURzdarPnItQa1IAx1787277AA= X-Google-Smtp-Source: ABdhPJyylDiIRJExewbKuD6XZG6ilxHkwPbXKaVwlqZ9+K8Y3PDiFHMl/g6NnrUB4wdKCzV4QJo5MQ== X-Received: by 2002:ac2:4c29:: with SMTP id u9mr2078274lfq.410.1627901235264; Mon, 02 Aug 2021 03:47:15 -0700 (PDT) X-Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.47.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:14 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Sunny Wang , Jiewen Yao Subject: [edk2-devel] [PATCH v8 11/11] SecurityPkg: Add option to reset secure boot keys. Date: Mon, 2 Aug 2021 12:46:33 +0200 Message-Id: <20210802104633.2833333-12-gjb@semihalf.com> In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,gjb@semihalf.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1627901237; bh=Sr7kj5KYqK7eFmQdsqDzPQfTKts/XHmbnP4no+NVHuw=; h=Cc:Date:From:Reply-To:Subject:To; b=jMzuLKDMR7rd1U4MW0L+UQ72M5J0qPcUiEmYMxhNQxwRHd6x4W8B1j9r/K5y4WCvFJa +r5meboq/pfn2pZNtLCC2V8IMjeVPzo+e7HLss4/OfoVuWAi89kwdfUFhwz3MyjScluSe xXI0Mx1JGe5OyLijQFASzzoIb9/Ee85KnSA= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1627901239616100002 Content-Type: text/plain; charset="utf-8" This commit add option which allows reset content of Secure Boot keys and databases to default variables. Signed-off-by: Grzegorz Bernacki Reviewed-by: Sunny Wang Reviewed-by: Jiewen Yao Reviewed-by: Pete Batard Tested-by: Pete Batard on Raspberry Pi 4 --- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.= inf | 1 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvDa= ta.h | 2 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr= | 6 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl= .c | 153 ++++++++++++++++++++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStri= ngs.uni | 4 + 5 files changed, 166 insertions(+) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 14c7311b08..420687a211 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf @@ -110,6 +110,7 @@ [Protocols] gEfiHiiConfigAccessProtocolGuid ## PRODUCES gEfiDevicePathProtocolGuid ## PRODUCES + gEfiHiiPopupProtocolGuid =20 [Depex] gEfiHiiConfigRoutingProtocolGuid AND diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Se= cureBootConfigNvData.h index 6e54a4b0f2..4ecc25efc3 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h @@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 #define KEY_VALUE_FROM_DBX_TO_LIST_FORM 0x100f =20 +#define KEY_SECURE_BOOT_RESET_TO_DEFAULT 0x1010 + #define KEY_SECURE_BOOT_OPTION 0x1100 #define KEY_SECURE_BOOT_PK_OPTION 0x1101 #define KEY_SECURE_BOOT_KEK_OPTION 0x1102 diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secure= BootConfig.vfr index fa7e11848c..e4560c592c 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr @@ -69,6 +69,12 @@ formset endif; endif; =20 + text + help =3D STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP), + text =3D STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS), + flags =3D INTERACTIVE, + key =3D KEY_SECURE_BOOT_RESET_TO_DEFAULT; + endform; =20 // diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index f527aa32e6..65a8188d6d 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ =20 #include "SecureBootConfigImpl.h" +#include #include #include #include @@ -4155,6 +4156,131 @@ ON_EXIT: return Status; } =20 +/** + This function reinitializes Secure Boot variables with default values. + + @retval EFI_SUCCESS Success to update the signature list page + @retval others Fail to delete or enroll signature data. +**/ +STATIC EFI_STATUS +EFIAPI +KeyEnrollReset ( + VOID + ) +{ + EFI_STATUS Status; + UINT8 SetupMode; + + Status =3D EFI_SUCCESS; + + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR(Status)) { + return Status; + } + + // Clear all the keys and databases + Status =3D DeleteDb (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status)); + return Status; + } + + Status =3D DeleteDbx (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status)); + return Status; + } + + Status =3D DeleteDbt (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status)); + return Status; + } + + Status =3D DeleteKEK (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status)); + return Status; + } + + Status =3D DeletePlatformKey (); + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status)); + return Status; + } + + // After PK clear, Setup Mode shall be enabled + Status =3D GetSetupMode (&SetupMode); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n", + Status)); + return Status; + } + + if (SetupMode =3D=3D USER_MODE) { + DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n")); + return EFI_SUCCESS; + } + + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", + Status)); + return EFI_SUCCESS; + } + + // Enroll all the keys from default variables + Status =3D EnrollDbFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status)); + goto error; + } + + Status =3D EnrollDbxFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status)); + } + + Status =3D EnrollDbtFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status)); + } + + Status =3D EnrollKEKFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status)); + goto cleardbs; + } + + Status =3D EnrollPKFromDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status)); + goto clearKEK; + } + + Status =3D SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MO= DE\n" + "Please do it manually, otherwise system can be easily compromised\n= ")); + } + + return Status; + +clearKEK: + DeleteKEK (); + +cleardbs: + DeleteDbt (); + DeleteDbx (); + DeleteDb (); + +error: + if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) !=3D EFI_SUCCESS) { + DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status)); + } + return Status; +} + /** This function is called to provide results data to the driver. =20 @@ -4206,6 +4332,8 @@ SecureBootCallback ( SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; BOOLEAN GetBrowserDataResult; ENROLL_KEY_ERROR EnrollKeyErrorCode; + EFI_HII_POPUP_PROTOCOL *HiiPopup; + EFI_HII_POPUP_SELECTION UserSelection; =20 Status =3D EFI_SUCCESS; SecureBootEnable =3D NULL; @@ -4756,6 +4884,31 @@ SecureBootCallback ( FreePool (SetupMode); } break; + case KEY_SECURE_BOOT_RESET_TO_DEFAULT: + { + Status =3D gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VO= ID **) &HiiPopup); + if (EFI_ERROR (Status)) { + return Status; + } + Status =3D HiiPopup->CreatePopup ( + HiiPopup, + EfiHiiPopupStyleInfo, + EfiHiiPopupTypeYesNo, + Private->HiiHandle, + STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP), + &UserSelection + ); + if (UserSelection =3D=3D EfiHiiPopupSelectionYes) { + Status =3D KeyEnrollReset (); + } + // + // Update secure boot strings after key reset + // + if (Status =3D=3D EFI_SUCCESS) { + Status =3D UpdateSecureBootString (Private); + SecureBootExtractConfigFromVariable (Private, IfrNvData); + } + } default: break; } diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe= /SecureBootConfigStrings.uni index ac783453cc..0d01701de7 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni @@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure= Boot" #string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable= the Secure Boot feature after platform reset" =20 +#string STR_SECURE_RESET_TO_DEFAULTS_HELP #language en-US "Enroll keys wi= th data from default variables" +#string STR_SECURE_RESET_TO_DEFAULTS #language en-US "Reset Secure B= oot Keys" +#string STR_RESET_TO_DEFAULTS_POPUP #language en-US "Secure Boot Ke= ys & databases will be initialized from defaults.\n Are you sure?" + #string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signatu= re" #string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signatu= re" #string STR_SECURE_BOOT_DELETE_LIST_FORM #language en-US "Delete Signatu= re List Form" --=20 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#78511): https://edk2.groups.io/g/devel/message/78511 Mute This Topic: https://groups.io/mt/84608366/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-