From nobody Mon Feb 9 14:33:21 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+98948+1787277+3901457@groups.io; arc=fail (BodyHash is different from the expected one) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1674255552105948.2438610623415; Fri, 20 Jan 2023 14:59:12 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id 9McQYY1788612xAWiKNqE4ca; Fri, 20 Jan 2023 14:59:11 -0800 X-Received: from NAM12-DM6-obe.outbound.protection.outlook.com (NAM12-DM6-obe.outbound.protection.outlook.com [40.107.243.41]) by mx.groups.io with SMTP id smtpd.web10.89952.1674255550826156466 for ; Fri, 20 Jan 2023 14:59:10 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dGObxrjo0omTeZ5VX1Xr7qt+zLe5dPqFs7mcEQL36KTCsefgjU/hgFq5dutYw910HaVPHLco9yjSc3AQ9PYf7Hdvv2s8xgD8Ge+qIjoynllUhCyAyQ/vmGJzOveaMMF4u2LudZhj7SIrxiVQ2ZVzP8lhZZKQrbkhb5XLQkMJRK38JT8CgUUTczSjn94cpjKzKB+xRE3SkaUOAi32q5HNneboHho8PFIaG3H6H2E7OIaIICS7Vk0qTxdDXtqOCi4Anj7nAyr3msP7yd3k9ks+WCb6pf3qHJXXa6jG/dBw8Y2FFshGQTulRE12ixW55zyj7O/fuGfkYubfz4PPj4N4Ew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0LcYhle67it80FQRtXzBebqxOa0c8G4kQb9RtYgn59Y=; b=ZkBToCwYIXjswI63axRbUZKYNqoq1DLNIOBm7aT72jihzoQ8h8AABALUMszcLQmlahRLZv2wPTRmLNsKoXNwVxT4qre6diARx2n2W79CjjgTFtCgON6Tym30/rcVusEAyDbsCqcRMFDtPQ19LguQl1hC65DX8HZmBYsq0MbnKTVIGBYvF70i4L4rnq2Y/fFEMkp0QGyR/1a+MM13f6jfUU2vd7uAs6ZUKeNSHFlooqz8SCVHLx5sTE5rTindbITKelIbk+Hq2gq7CqRG7YOMbrpH8Rmk8b6355sHdI9833bBgV2wUAaq28o/FZwH0q2P5cNOglu+6BFWhmNkex3ccw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 216.228.117.160) smtp.rcpttodomain=edk2.groups.io smtp.mailfrom=nvidia.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nvidia.com; dkim=none (message not signed); arc=none X-Received: from DS7PR05CA0020.namprd05.prod.outlook.com (2603:10b6:5:3b9::25) by PH7PR12MB5926.namprd12.prod.outlook.com (2603:10b6:510:1d9::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.27; Fri, 20 Jan 2023 22:59:08 +0000 X-Received: from DS1PEPF0000E638.namprd02.prod.outlook.com (2603:10b6:5:3b9:cafe::cf) by DS7PR05CA0020.outlook.office365.com (2603:10b6:5:3b9::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6043.7 via Frontend Transport; Fri, 20 Jan 2023 22:59:08 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 216.228.117.160) smtp.mailfrom=nvidia.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nvidia.com; Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+98948+1787277+3901457@groups.io; helo=mail02.groups.io; Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.117.160 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.117.160; helo=mail.nvidia.com; pr=C X-Received: from mail.nvidia.com (216.228.117.160) by DS1PEPF0000E638.mail.protection.outlook.com (10.167.17.70) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6002.11 via Frontend Transport; Fri, 20 Jan 2023 22:59:08 +0000 X-Received: from rnnvmail201.nvidia.com (10.129.68.8) by mail.nvidia.com (10.129.200.66) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Fri, 20 Jan 2023 14:58:56 -0800 X-Received: from jbobek-titan.nvidia.com (10.126.231.37) by rnnvmail201.nvidia.com (10.129.68.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Fri, 20 Jan 2023 14:58:55 -0800 From: "Jan Bobek via groups.io" To: CC: Jan Bobek , Laszlo Ersek , "Jiewen Yao" , Ard Biesheuvel , Jordan Justen , Gerd Hoffmann , Rebecca Cran , Peter Grehan , Sebastien Boeuf Subject: [edk2-devel] [PATCH v1 2/4] OvmfPkg: require self-signed PK when secure boot is enabled Date: Fri, 20 Jan 2023 15:58:33 -0700 Message-ID: <20230120225835.42733-3-jbobek@nvidia.com> In-Reply-To: <20230120225835.42733-1-jbobek@nvidia.com> References: <20230120225835.42733-1-jbobek@nvidia.com> MIME-Version: 1.0 X-Originating-IP: [10.126.231.37] X-ClientProxiedBy: rnnvmail201.nvidia.com (10.129.68.8) To rnnvmail201.nvidia.com (10.129.68.8) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DS1PEPF0000E638:EE_|PH7PR12MB5926:EE_ X-MS-Office365-Filtering-Correlation-Id: 5f494484-7fdd-46bd-0f8b-08dafb39efd4 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam-Message-Info: bVty3xKMBs7emBTFoW5j00mL+qq+P6B49b+lDF2/uxHPUb3fHncmtLveuaXnJzXzVAYkN40EU8QJiXEf2Kt7a7H0WYIFlYc95xu8A6G+B8j4Oud6xI1xgLbwW3JDbVPe5C56Sd/OPETpjPisZBapOa0eZYUJCYGDwOddDiHSuMwL6XRoIt2JVCKdalof6sjD7OUtWfiZxvYGQqQ9E11Q8i96UKg2EdBQtSXqW7GoO8I4wV9cmjkIrnsDLZiFOEecld/7ByE3WTAZKunNE4BZ7ZdHhxFL6Akh/Z1lr7K8TFw5dFuJEK0vjMxF/wYCaQTycLQdstP7Bvu8ZbxKNQvvum7si7OBQPthQNPT9fzvtnEhFSllBqyIQtwWWiDSCVKJ2ftggDh2hBIGRbB3ifCsGLe3mRGzoCD8ENelbsPjGoKYDsjcNvexn4YByiC4de3X8/Fj2kQJ1NokB+U7mASA0Es2CpnAGyDGg/ARGcukHsuyLJ5CyapVWT2iFYOi3xbWlVnemwWau8bnYULuatF9k1NGb3u4bev2tCQm0BRUi1A7UQTuY9ys5Pf8RodTpR+DFsEucZB2ozafv6WHCifIql8H36ylBcDwd0tLi0xqeZ842Ia9qdgYVpVjPem1lXLIajFOkkFRxm8LDJhS9e9zyrgikaBrzX46GSYE3c+vwdS9fP6hjFqrU8xxSgA7EZZkXsADNwj/swtY4+1fsibJRKVWcdvl3Qcm9N6Sve8NrTQN09OsUdx/IO5l3wWZtelNLqJQXCC8vHrKDBMQjkWgJVXnoC8AAp04RYwbxn4EksY= X-OriginatorOrg: Nvidia.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Jan 2023 22:59:08.0300 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 5f494484-7fdd-46bd-0f8b-08dafb39efd4 X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;Ip=[216.228.117.160];Helo=[mail.nvidia.com] X-MS-Exchange-CrossTenant-AuthSource: DS1PEPF0000E638.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR12MB5926 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jbobek@nvidia.com X-Gm-Message-State: LOhw8Eaj8ecGqEpP2vpu3XwCx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1674255551; bh=CTM5S1kQp9VQE70f/yPEg6vLYwk0H0LqpOuOsy5qVBw=; h=CC:Content-Type:Date:From:Reply-To:Subject:To; b=AFj0kWB9My1V/eiFviPJC/QE4pSRwLX+gRwkXrZ+eRUJ/qLCx6c365Br1hk5CTKtzbf m86e/M+MXfZFuQVroM8Gg3Fzr7PwP2oIH6s/d71Wc+leU8A/MT2QgCILYW6gxNtBd1kHD fsQKRvf6U8GADV63Z0iPhzyBy6o/l6QQcRE= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1674255552607100011 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2506 In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring self-signed PK when SECURE_BOOT_ENABLE is TRUE. Cc: Ard Biesheuvel Cc: Jiewen Yao Cc: Jordan Justen Cc: Gerd Hoffmann Cc: Rebecca Cran Cc: Peter Grehan Cc: Sebastien Boeuf Signed-off-by: Jan Bobek --- OvmfPkg/Bhyve/BhyveX64.dsc | 3 +++ OvmfPkg/CloudHv/CloudHvX64.dsc | 3 +++ OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 +++ OvmfPkg/Microvm/MicrovmX64.dsc | 3 +++ OvmfPkg/OvmfPkgIa32.dsc | 3 +++ OvmfPkg/OvmfPkgIa32X64.dsc | 3 +++ OvmfPkg/OvmfPkgX64.dsc | 3 +++ 7 files changed, 21 insertions(+) diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index befec670d4f3..66a2ae8868e5 100644 --- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -422,6 +422,9 @@ [PcdsFeatureFlag] gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdInstallAcpiSdtProtocol|TRUE +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration|TRUE diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc index 7326417eab62..9cb267f98942 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc @@ -480,6 +480,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX6= 4.dsc index 0f1e970fbbb3..93918b55b1a5 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -390,6 +390,9 @@ [PcdsFeatureFlag] !ifdef $(CSM_ENABLE) gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable|TRUE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc index 2d53b5c2950d..3c988f3e65e0 100644 --- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc @@ -476,6 +476,9 @@ [PcdsFeatureFlag] gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport|FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdInstallAcpiSdtProtocol|TRUE +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index f232de13a7b6..22dc29330d2d 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -488,6 +488,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index a9d422bd9169..6b539814bdb0 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -493,6 +493,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 3f970a79a08a..f6b8b342c4ed 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -513,6 +513,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache|FALSE !endif +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE +!endif =20 [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1 --=20 2.30.2 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#98948): https://edk2.groups.io/g/devel/message/98948 Mute This Topic: https://groups.io/mt/96412385/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-