
[PATCH v2 1/4] StandaloneMmPkg: Core: Spelling error in comment

Kun Qin
 

From: Sean Brogan <sean.brogan@microsoft.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3445

This change fixed a misspelling that was not caught by spell check.

Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Supreeth Venkatesh <supreeth.venkatesh@arm.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>

Signed-off-by: Sean Brogan <sean.brogan@microsoft.com>
Signed-off-by: Kun Qin <kuqin12@gmail.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
---

Notes:
v2:
- Added signed-off-by from Kun [Ard]
- Added reviewed-by tag [Ard]

StandaloneMmPkg/Core/Dispatcher.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/StandaloneMmPkg/Core/Dispatcher.c b/StandaloneMmPkg/Core/Dispatcher.c
index dbd5332fa9d3..7e4bf5e94025 100644
--- a/StandaloneMmPkg/Core/Dispatcher.c
+++ b/StandaloneMmPkg/Core/Dispatcher.c
@@ -4,7 +4,7 @@
Step #1 - When a FV protocol is added to the system every driver in the FV
is added to the mDiscoveredList. The Before, and After Depex are
pre-processed as drivers are added to the mDiscoveredList. If an Apriori
- file exists in the FV those drivers are addeded to the
+ file exists in the FV those drivers are added to the
mScheduledQueue. The mFwVolList is used to make sure a
FV is only processed once.

--
2.31.1.windows.1


[PATCH v2 0/4] Update Node to 14.x to resolve cspell failure

Kun Qin
 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3445

This patch series is a follow up of previous submission:
https://edk2.groups.io/g/devel/message/76419

v2 patches mainly focus on feedback for reviewed commits in v1 patches,
including:
a. Adding "Reviewed-by" tags for applicable patches;
b. Adding "Signed-off-by" tags for myself for all patches;

Patch v2 branch: https://github.com/kuqin12/edk2/tree/node_14_v2

Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Supreeth Venkatesh <supreeth.venkatesh@arm.com>

Kun Qin (1):
Azurepipeline: SpellCheck: Enforce Node dependency to use version 14.x

Sean Brogan (3):
StandaloneMmPkg: Core: Spelling error in comment
ArmPlatformPkg: SpellCheck: Switch spellcheck CI to AuditOnly
ArmPkg: SpellCheck: Update valid acronyms in ExtendedWords

StandaloneMmPkg/Core/Dispatcher.c | 2 +-
.azurepipelines/templates/spell-check-prereq-steps.yml | 2 +-
ArmPkg/ArmPkg.ci.yaml | 19 +++++++++++++++++++
ArmPlatformPkg/ArmPlatformPkg.ci.yaml | 2 +-
4 files changed, 22 insertions(+), 3 deletions(-)

--
2.31.1.windows.1


[PATCH 4/4] OvmfPkg/Bhyve: use static PCI32Base address

Corvin Köhne
 

It's necessary to allocate a Graphics Stolen Memory area to enable
GPU-Passthrough for integrated Intel GPUs. Therefore, use a new
memory layout with a static Pci32Base address.

Old layout:
[... , lowmemlimit] RAM
[lowmemlimit, 0xE000 0000] PCI Space
New layout:
[... , lowmemlimit] RAM
[lowmemlimit, gsmbase ] Memory hole (may be absent)
[gsmbase , 0xC000 0000] GSM (may be absent)
[0xC000 0000, 0xE000 0000] PCI Space

Signed-off-by: Corvin Köhne <c.koehne@beckhoff.com>
---
OvmfPkg/Bhyve/BhyveX64.dsc | 4 ++--
OvmfPkg/Bhyve/PlatformPei/Platform.c | 4 +++-
2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index c35bf18449..e5d1dbccff 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -537,8 +537,8 @@
gUefiOvmfPkgTokenSpaceGuid.PcdOvmfHostBridgePciDevId|0
gUefiOvmfPkgTokenSpaceGuid.PcdPciIoBase|0x0
gUefiOvmfPkgTokenSpaceGuid.PcdPciIoSize|0x0
- gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio32Base|0x0
- gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio32Size|0x0
+ gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio32Base|0xC0000000
+ gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio32Size|0x20000000
gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio64Base|0x0
gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio64Size|0x800000000
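Review bot: the two new literals encode the layout given in the commit message, but nothing in the file says so; a comment above `gUefiOvmfPkgTokenSpaceGuid.PcdPciMmio32Base|0xC0000000` recording that the 32-bit MMIO window is [0xC0000000, 0xE0000000) and why it is fixed (GSM must sit below it) would keep the DSC self-explanatory. Worth stating in the message as well: with a non-zero base here, the `TopOfLowRam` fallback in PlatformPei is never taken on bhyve, so overlap between low RAM and this window is no longer clamped by firmware and depends entirely on the guest memory size the host configures.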

diff --git a/OvmfPkg/Bhyve/PlatformPei/Platform.c b/OvmfPkg/Bhyve/PlatformPei/Platform.c
index 3a414ffcb7..f38e74ccfc 100644
--- a/OvmfPkg/Bhyve/PlatformPei/Platform.c
+++ b/OvmfPkg/Bhyve/PlatformPei/Platform.c
@@ -191,7 +191,9 @@ MemMapInitialization (
ASSERT (PciExBarBase <= MAX_UINT32 - SIZE_256MB);
PciBase = (UINT32)(PciExBarBase + SIZE_256MB);
} else {
- PciBase = (TopOfLowRam < BASE_2GB) ? BASE_2GB : TopOfLowRam;
+ PciBase = PcdGet64(PcdPciMmio32Base);
+ if (PciBase == 0)
+ PciBase = (TopOfLowRam < BASE_2GB) ? BASE_2GB : TopOfLowRam;
}

//
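Review bot: `PciBase = PcdGet64(PcdPciMmio32Base);` assigns a UINT64 to the UINT32 `PciBase` with neither a cast nor a range check, unlike the `(UINT32)(PciExBarBase + SIZE_256MB)` branch directly above, so a PCD value at or above 4 GiB would be silently truncated; keep the existing pattern of an `ASSERT` against `MAX_UINT32` followed by an explicit cast. When the PCD is non-zero the old `TopOfLowRam` clamp is skipped entirely, so a guest configured with more low RAM than the static base ends up with its MMIO aperture overlapping RAM; an `ASSERT (TopOfLowRam <= PciBase)`, or falling back to the old computation in that case, closes that hole. Style: the `if (PciBase == 0)` body needs braces per the edk2 coding standard, and the call should be written `PcdGet64 (PcdPciMmio32Base)` with the space before the parenthesis.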
--
2.11.0

Beckhoff Automation GmbH & Co. KG | Managing Director: Dipl. Phys. Hans Beckhoff
Registered office: Verl, Germany | Register court: Guetersloh HRA 7075


[PATCH 3/4] OvmfPkg/Bhyve: add USB support

Corvin Köhne
 

A USB driver is required to use a keyboard or mouse while installing
an OS or while in a bootloader menu like grub when using GPU + USB
Passthrough.

Signed-off-by: Corvin Köhne <c.koehne@beckhoff.com>
---
OvmfPkg/Bhyve/BhyveX64.dsc | 11 +++++++++++
OvmfPkg/Bhyve/BhyveX64.fdf | 10 ++++++++++
2 files changed, 21 insertions(+)

diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index 951282c7d0..c35bf18449 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -163,6 +163,7 @@
FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
UefiCpuLib|UefiCpuPkg/Library/BaseUefiCpuLib/BaseUefiCpuLib.inf
SecurityManagementLib|MdeModulePkg/Library/DxeSecurityManagementLib/DxeSecurityManagementLib.inf
+ UefiUsbLib|MdePkg/Library/UefiUsbLib/UefiUsbLib.inf
SerializeVariablesLib|OvmfPkg/Library/SerializeVariablesLib/SerializeVariablesLib.inf
QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgLibNull.inf
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/BaseQemuFwCfgS3LibNull.inf
@@ -777,6 +778,16 @@
!endif
OvmfPkg/VirtioNetDxe/VirtioNet.inf

+ #
+ # Usb Support
+ #
+ MdeModulePkg/Bus/Pci/UhciDxe/UhciDxe.inf
+ MdeModulePkg/Bus/Pci/EhciDxe/EhciDxe.inf
+ MdeModulePkg/Bus/Pci/XhciDxe/XhciDxe.inf
+ MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBusDxe.inf
+ MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+ MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
!ifdef $(CSM_ENABLE)
IntelFrameworkModulePkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf {
<LibraryClasses>
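Review bot: the commit message promises keyboard or mouse input, but the list adds `MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf` without `MdeModulePkg/Bus/Usb/UsbMouseDxe/UsbMouseDxe.inf`, so a USB mouse still will not work in grub or an installer; either add it here and in the fdf, or drop "mouse" from the message. `UsbMassStorageDxe.inf` also goes beyond the stated purpose: it makes any passed-through USB storage readable and bootable from firmware, which is a change in boot policy that deserves its own sentence rather than being folded under "Usb Support".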
diff --git a/OvmfPkg/Bhyve/BhyveX64.fdf b/OvmfPkg/Bhyve/BhyveX64.fdf
index 3eff36dac1..f081b82137 100644
--- a/OvmfPkg/Bhyve/BhyveX64.fdf
+++ b/OvmfPkg/Bhyve/BhyveX64.fdf
@@ -291,6 +291,16 @@ INF MdeModulePkg/Logo/LogoDxe.inf
!include NetworkPkg/Network.fdf.inc
INF OvmfPkg/VirtioNetDxe/VirtioNet.inf

+#
+# Usb Support
+#
+INF MdeModulePkg/Bus/Pci/UhciDxe/UhciDxe.inf
+INF MdeModulePkg/Bus/Pci/EhciDxe/EhciDxe.inf
+INF MdeModulePkg/Bus/Pci/XhciDxe/XhciDxe.inf
+INF MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBusDxe.inf
+INF MdeModulePkg/Bus/Usb/UsbKbDxe/UsbKbDxe.inf
+INF MdeModulePkg/Bus/Usb/UsbMassStorageDxe/UsbMassStorageDxe.inf
+
!ifdef $(CSM_ENABLE)
INF IntelFrameworkModulePkg/Csm/BiosThunk/VideoDxe/VideoDxe.inf
!endif
--
2.11.0



[PATCH 2/4] Revert "OvmfPkg/Bhyve: consume PciHostBridgeLibScan"

Corvin Köhne
 

This reverts commit c2f24ba3218ae91a8d5a1a31c31dad3417850d0c.

Revert this commit to enable bus enumeration properly.

Signed-off-by: Corvin Köhne <c.koehne@beckhoff.com>
---
OvmfPkg/Bhyve/BhyveX64.dsc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index ef331d556e..951282c7d0 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -666,7 +666,7 @@
OvmfPkg/PciHotPlugInitDxe/PciHotPlugInit.inf
MdeModulePkg/Bus/Pci/PciHostBridgeDxe/PciHostBridgeDxe.inf {
<LibraryClasses>
- PciHostBridgeLib|OvmfPkg/Library/PciHostBridgeLibScan/PciHostBridgeLibScan.inf
+ PciHostBridgeLib|OvmfPkg/Library/PciHostBridgeLib/PciHostBridgeLib.inf
PciHostBridgeUtilityLib|OvmfPkg/Library/PciHostBridgeUtilityLib/PciHostBridgeUtilityLib.inf
NULL|OvmfPkg/Library/PlatformHasIoMmuLib/PlatformHasIoMmuLib.inf
}
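Review bot: the message says the revert is needed "to enable bus enumeration properly" but not why `PciHostBridgeLibScan` misbehaves once `PcdPciDisableBusEnumeration` is FALSE; a sentence on which assumption of the Scan variant no longer holds belongs in the commit message. Ordering also matters for bisecting: patch 1/4 already flips enumeration on while this library is still selected, so the tree at 1/4 is in exactly the broken intermediate state this revert fixes; consider squashing 1/4 and 2/4, or putting the revert first.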
--
2.11.0



[PATCH 1/4] OvmfPkg/Bhyve: enable bus enumeration

Corvin Köhne
 

Necessary for GPU Passthrough of dedicated AMD GPUs. For Linux
guests, AMD GPUs require that their PCI ROM is processed by UEFI.
Enable bus enumeration to process the PCI ROM of all devices.

Signed-off-by: Corvin Köhne <c.koehne@beckhoff.com>
---
OvmfPkg/Bhyve/BhyveX64.dsc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc
index d8792812ab..ef331d556e 100644
--- a/OvmfPkg/Bhyve/BhyveX64.dsc
+++ b/OvmfPkg/Bhyve/BhyveX64.dsc
@@ -431,7 +431,7 @@
gEfiMdeModulePkgTokenSpaceGuid.PcdInstallAcpiSdtProtocol|TRUE

[PcdsFixedAtBuild]
- gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration|TRUE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration|FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeUseSerial|FALSE
gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeUseMemory|TRUE
gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize|1
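Review bot: flipping `PcdPciDisableBusEnumeration` to FALSE means the firmware will now dispatch option ROMs from every PCI device, including the passed-through GPU the message is written for; since executing third-party ROM code is the part of this change with security consequences, the commit message should say which image verification policy applies to those ROMs in this DSC (in edk2 that is `gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy` together with the platform's Secure Boot configuration) rather than only that ROMs get "processed".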
--
2.11.0



[PATCH 0/4] Prepare bhyve's OVMF for GPU-Passthrough

Corvin Köhne
 

Hi,

GPU-Passthrough for bhyve requires a few patches to work properly.
These patches will allow GPU-Passthrough for bhyve.
It will work for dedicated AMD GPUs and integrated Intel GPUs.


Best Regards,
Corvin



Corvin Köhne (4):
OvmfPkg/Bhyve: enable bus enumeration
Revert "OvmfPkg/Bhyve: consume PciHostBridgeLibScan"
OvmfPkg/Bhyve: add USB support
OvmfPkg/Bhyve: use static PCI32Base address

OvmfPkg/Bhyve/BhyveX64.dsc | 19 +++++++++++++++----
OvmfPkg/Bhyve/BhyveX64.fdf | 10 ++++++++++
OvmfPkg/Bhyve/PlatformPei/Platform.c | 4 +++-
3 files changed, 28 insertions(+), 5 deletions(-)

--
2.11.0



Re: [PATCH] MdePkg/Include: Smbios Specification 3.4.0 changes

Thotala, Gopi
 

Attached V2 patch after typo correction.

Thanks

Gopi

From: Rebecca Cran <rebecca@...>
Sent: Sunday, June 13, 2021 9:34 AM
To: devel@edk2.groups.io; Thotala, Gopi <gopi.thotala@...>
Subject: Re: [edk2-devel] [PATCH] MdePkg/Include: Smbios Specification 3.4.0 changes

There’s a typo of ‘persistent’ in:

// Optane DC Presistent Memory in SMBIOS spec 3.4.0

Rebecca Cran

On Jun 2, 2021, at 10:46 AM, Thotala, Gopi <gopi.thotala@...> wrote:

Initial patch submitted for review.

<MdePkg-Include-Smbios-Specification-3.4.0-changes.patch>


[PATCH v1 0/1] CryptoPkg: Update Salt length requirement for RSA-PSS scheme.

Agrawal, Sachin
 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3455

This patch enforces salt length to be equal to digest length for RSA PSS encoding scheme.

https://github.com/sagraw2/edk2/tree/pss_salt_len

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>

Sachin Agrawal (1):
CryptoPkg: BaseCryptLib: Update Salt length requirement for RSA-PSS
scheme.

CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c | 4 ++--
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c | 2 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c | 4 ++--
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSignNull.c | 2 +-
CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssNull.c | 2 +-
CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssSignNull.c | 2 +-
CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 10 +++++++++-
CryptoPkg/Include/Library/BaseCryptLib.h | 4 ++--
CryptoPkg/Private/Protocol/Crypto.h | 4 ++--
9 files changed, 21 insertions(+), 13 deletions(-)

--
2.14.3.windows.1


[PATCH v1 1/1] CryptoPkg: BaseCryptLib: Update Salt length requirement for RSA-PSS scheme.

Agrawal, Sachin
 

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3455

Enforce salt length to be equal to digest length for RSA-PSS
encoding scheme.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>

Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
---
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c | 4 ++--
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c | 2 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c | 4 ++--
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSignNull.c | 2 +-
CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssNull.c | 2 +-
CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssSignNull.c | 2 +-
CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 10 +++++++++-
CryptoPkg/Include/Library/BaseCryptLib.h | 4 ++--
CryptoPkg/Private/Protocol/Crypto.h | 4 ++--
9 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c
index 0b2960f06c4c..37075ea65a0d 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c
@@ -50,7 +50,7 @@ GetEvpMD (
Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017.
Implementation determines salt length automatically from the signature encoding.
Mask generation function is the same as the message digest algorithm.
- Salt length should atleast be equal to digest length.
+ Salt length should be equal to digest length.

@param[in] RsaContext Pointer to RSA context for signature verification.
@param[in] Message Pointer to octet message to be verified.
@@ -97,7 +97,7 @@ RsaPssVerify (
if (Signature == NULL || SigSize == 0 || SigSize > INT_MAX) {
return FALSE;
}
- if (SaltLen < DigestLen) {
+ if (SaltLen != DigestLen) {
return FALSE;
}

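Review bot: `if (SaltLen != DigestLen)` only gates the caller-supplied parameter, while the doc comment in the previous hunk still says the implementation "determines salt length automatically from the signature encoding"; if the verify path below still hands an automatic salt length to the library, a signature encoded with a zero-length or maximum-length salt will continue to verify and the new equality test is policy in name only. Make sure the fixed `SaltLen` is what reaches the PSS padding check, and reword that comment. Also note in the commit message that RFC 8017 permits any salt length up to emLen - hLen - 2, so signatures from producers that used the maximum permitted salt will now be rejected; that is a deliberate compatibility break and should be stated as one.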
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c
index 69c6889fbc4b..cc325c92911c 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c
@@ -15,7 +15,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017.
Implementation determines salt length automatically from the signature encoding.
Mask generation function is the same as the message digest algorithm.
- Salt length should atleast be equal to digest length.
+ Salt length should be equal to digest length.

@param[in] RsaContext Pointer to RSA context for signature verification.
@param[in] Message Pointer to octet message to be verified.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c
index ece765f9ae0a..06187ff4baa7 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSign.c
@@ -59,7 +59,7 @@ GetEvpMD (
If Message is NULL, then return FALSE.
If MsgSize is zero or > INT_MAX, then return FALSE.
If DigestLen is NOT 32, 48 or 64, return FALSE.
- If SaltLen is < DigestLen, then return FALSE.
+ If SaltLen is not equal to DigestLen, then return FALSE.
If SigSize is large enough but Signature is NULL, then return FALSE.
If this interface is not supported, then return FALSE.

@@ -120,7 +120,7 @@ RsaPssSign (
return FALSE;
}

- if (SaltLen < DigestLen) {
+ if (SaltLen != DigestLen) {
return FALSE;
}

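Review bot: with `SaltLen != DigestLen` rejected here, `SaltLen` is fully determined by `DigestLen`, so the parameter is now redundant and every existing caller that passed a larger value starts failing at run time rather than at build time; either audit callers and say so in the commit message, or document that `SaltLen` is kept only for interface stability and must equal `DigestLen`.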
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSignNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSignNull.c
index 4ed2dfce992a..911b97252182 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSignNull.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssSignNull.c
@@ -24,7 +24,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
If Message is NULL, then return FALSE.
If MsgSize is zero or > INT_MAX, then return FALSE.
If DigestLen is NOT 32, 48 or 64, return FALSE.
- If SaltLen is < DigestLen, then return FALSE.
+ If SaltLen is not equal to DigestLen, then return FALSE.
If SigSize is large enough but Signature is NULL, then return FALSE.
If this interface is not supported, then return FALSE.

diff --git a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssNull.c b/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssNull.c
index 69c6889fbc4b..cc325c92911c 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssNull.c
+++ b/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssNull.c
@@ -15,7 +15,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017.
Implementation determines salt length automatically from the signature encoding.
Mask generation function is the same as the message digest algorithm.
- Salt length should atleast be equal to digest length.
+ Salt length should be equal to digest length.

@param[in] RsaContext Pointer to RSA context for signature verification.
@param[in] Message Pointer to octet message to be verified.
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssSignNull.c b/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssSignNull.c
index 4ed2dfce992a..911b97252182 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssSignNull.c
+++ b/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptRsaPssSignNull.c
@@ -24,7 +24,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
If Message is NULL, then return FALSE.
If MsgSize is zero or > INT_MAX, then return FALSE.
If DigestLen is NOT 32, 48 or 64, return FALSE.
- If SaltLen is < DigestLen, then return FALSE.
+ If SaltLen is not equal to DigestLen, then return FALSE.
If SigSize is large enough but Signature is NULL, then return FALSE.
If this interface is not supported, then return FALSE.

diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index af99ed7f5b42..fcb59137805b 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1556,7 +1556,7 @@ RsaPkcs1Verify (
Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017.
Implementation determines salt length automatically from the signature encoding.
Mask generation function is the same as the message digest algorithm.
- Salt length should atleast be equal to digest length.
+ Salt length should be equal to digest length.

@param[in] RsaContext Pointer to RSA context for signature verification.
@param[in] Message Pointer to octet message to be verified.
@@ -1592,6 +1592,14 @@ RsaPssVerify (
If the Signature buffer is too small to hold the contents of signature, FALSE
is returned and SigSize is set to the required buffer size to obtain the signature.

+ If RsaContext is NULL, then return FALSE.
+ If Message is NULL, then return FALSE.
+ If MsgSize is zero or > INT_MAX, then return FALSE.
+ If DigestLen is NOT 32, 48 or 64, return FALSE.
+ If SaltLen is not equal to DigestLen, then return FALSE.
+ If SigSize is large enough but Signature is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
@param[in] RsaContext Pointer to RSA context for signature generation.
@param[in] Message Pointer to octet message to be signed.
@param[in] MsgSize Size of the message in bytes.
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 8c7d5922ef96..630ccb5e7500 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1376,7 +1376,7 @@ RsaPkcs1Verify (
If Message is NULL, then return FALSE.
If MsgSize is zero or > INT_MAX, then return FALSE.
If DigestLen is NOT 32, 48 or 64, return FALSE.
- If SaltLen is < DigestLen, then return FALSE.
+ If SaltLen is not equal to DigestLen, then return FALSE.
If SigSize is large enough but Signature is NULL, then return FALSE.
If this interface is not supported, then return FALSE.

@@ -1411,7 +1411,7 @@ RsaPssSign (
Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017.
Implementation determines salt length automatically from the signature encoding.
Mask generation function is the same as the message digest algorithm.
- Salt length should atleast be equal to digest length.
+ Salt length should be equal to digest length.

@param[in] RsaContext Pointer to RSA context for signature verification.
@param[in] Message Pointer to octet message to be verified.
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index e304302c9445..498f8e387dba 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -3421,7 +3421,7 @@ EFI_STATUS
If Message is NULL, then return FALSE.
If MsgSize is zero or > INT_MAX, then return FALSE.
If DigestLen is NOT 32, 48 or 64, return FALSE.
- If SaltLen is < DigestLen, then return FALSE.
+ If SaltLen is not equal to DigestLen, then return FALSE.
If SigSize is large enough but Signature is NULL, then return FALSE.
If this interface is not supported, then return FALSE.

@@ -3456,7 +3456,7 @@ BOOLEAN
Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017.
Implementation determines salt length automatically from the signature encoding.
Mask generation function is the same as the message digest algorithm.
- Salt length should atleast be equal to digest length.
+ Salt length should be equal to digest length.

@param[in] RsaContext Pointer to RSA context for signature verification.
@param[in] Message Pointer to octet message to be verified.
--
2.14.3.windows.1
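The salt-length rule this series enforces, as an added example that is not edk2 code: a pure-Python EMSA-PSS encode/verify (RFC 8017 section 9.1, SHA-256 for both digest and MGF1) whose verifier can either recover the salt length from the encoding, as the original doc comment describes, or require it to equal the digest length, as the patch now does. It models only the encoding layer (the RSA operation is omitted) and assumes a 2048-bit modulus; the message and salts are constructed sample values.

```python
"""EMSA-PSS encode/verify (RFC 8017, section 9.1) with a salt-length policy.

Added example, not edk2 code. Shows why a verifier that recovers the salt
length "automatically from the signature encoding" accepts encodings that
the SaltLen == DigestLen rule is meant to reject. Only the encoding layer is
modelled; the RSA operation around it is omitted. Sample values are constructed.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32: DigestLen for SHA-256
EM_BITS = 2047              # assumed 2048-bit modulus: emBits = modBits - 1


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 built on the same hash as the message digest (as the patch's comment says)."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def emsa_pss_encode(message: bytes, salt: bytes, em_bits: int = EM_BITS) -> bytes:
    """EMSA-PSS-ENCODE: produce EM = maskedDB || H || 0xbc for the given salt."""
    em_len = (em_bits + 7) // 8
    s_len = len(salt)
    if em_len < H_LEN + s_len + 2:
        raise ValueError("encoding error: salt too long for this modulus")
    m_hash = HASH(message).digest()
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - s_len - H_LEN - 2) + b"\x01" + salt   # PS || 0x01 || salt
    db_mask = mgf1(h, em_len - H_LEN - 1)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused leading bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, required_salt_len=None,
                    em_bits: int = EM_BITS):
    """EMSA-PSS-VERIFY. Returns the recovered salt length, or None on failure.

    required_salt_len=None is the 'auto' behaviour: whatever salt length the
    encoding carries is accepted. An integer enforces that exact length; passing
    H_LEN is the SaltLen == DigestLen policy the patch adopts.
    """
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em[-1] != 0xBC or em_len < H_LEN + 2:
        return None
    masked_db = em[: em_len - H_LEN - 1]
    h = em[em_len - H_LEN - 1 : -1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:
        return None                       # leading bits must be zero
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, len(masked_db))))
    db[0] &= top_mask
    sep = db.find(b"\x01")                # PS must be all zero up to the 0x01 separator
    if sep < 0 or any(db[:sep]):
        return None
    salt = bytes(db[sep + 1:])
    # The policy check: this is where the patch's `SaltLen != DigestLen` gate
    # has to bite. With required_salt_len=None a short or long salt passes.
    if required_salt_len is not None and len(salt) != required_salt_len:
        return None
    h_prime = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    if not hmac.compare_digest(h, h_prime):
        return None
    return len(salt)


def demo() -> dict:
    """Compare the 'auto' verifier with the strict SaltLen == DigestLen verifier."""
    msg = b"constructed sample message"
    em_len = (EM_BITS + 7) // 8
    em_digest_salt = emsa_pss_encode(msg, os.urandom(H_LEN))            # sLen = hLen
    em_zero_salt = emsa_pss_encode(msg, b"")                            # sLen = 0
    em_max_salt = emsa_pss_encode(msg, os.urandom(em_len - H_LEN - 2))  # maximum sLen
    return {
        "auto_accepts_digest_salt": emsa_pss_verify(msg, em_digest_salt) == H_LEN,
        "auto_accepts_zero_salt": emsa_pss_verify(msg, em_zero_salt) == 0,
        "auto_accepts_max_salt": emsa_pss_verify(msg, em_max_salt) == em_len - H_LEN - 2,
        "strict_accepts_digest_salt": emsa_pss_verify(msg, em_digest_salt, H_LEN) == H_LEN,
        "strict_rejects_zero_salt": emsa_pss_verify(msg, em_zero_salt, H_LEN) is None,
        "strict_rejects_max_salt": emsa_pss_verify(msg, em_max_salt, H_LEN) is None,
        "wrong_message_rejected": emsa_pss_verify(b"other", em_digest_salt, H_LEN) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point to take away is that the strict policy is only as good as the salt length actually handed to the padding check: an "auto" verifier accepts all three encodings, while the fixed-length verifier accepts only the one whose salt equals the digest length.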


Re: [PATCH 1/1] ArmPkg: Move cache defs used in Universal/Smbios into ArmLib.h

Ard Biesheuvel
 

On Fri, 11 Jun 2021 at 00:44, Rebecca Cran <rebecca@nuviainc.com> wrote:

On 6/10/21 9:04 AM, Ard Biesheuvel wrote:
On Tue, 8 Jun 2021 at 15:54, Rebecca Cran <rebecca@nuviainc.com> wrote:
Many of the cache definitions in ArmLibPrivate.h are being used outside
of ArmLib, in Universal/Smbios. Move them into ArmLib.h to make them
public, and remove the include of ArmLibPrivate.h from files in
Universal/Smbios.

Signed-off-by: Rebecca Cran <rebecca@nuviainc.com>
Hi Rebecca,

If these definitions describe anything more than the software
interface exposed by the library, they really belong under
IndustryStandard/ not Library.

It looks like I'd need to create a new file under
ArmPkg/Include/IndustryStandard since the existing files don't look
appropriate. I was wondering if a filename like ArmCache.h would be good?
Fine with me.


Re: [edk2-platforms][PATCH v2 5/5] Platform/Sgi: Cleanup build options for StandaloneMM context

Thomas Abraham
 

On 6/11/21 4:04 PM, Pranav Madhu via groups.io wrote:
From: Omkar Anand Kulkarni <omkar.kulkarni@arm.com>

The Arm reference design platforms support only AArch64 mode for
StandaloneMM execution context. So cleanup the existing build options
specified for StandaloneMM.

Signed-off-by: Omkar Anand Kulkarni <omkar.kulkarni@arm.com>
Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
---
Platform/ARM/SgiPkg/SgiPlatformMm.dsc.inc | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

Reviewed-by: Thomas Abraham <thomas.abraham@arm.com>

[...]


Re: [edk2-platforms][PATCH v2 4/5] Platform/Sgi: update _OSC control method to control LPI and CPPC

Thomas Abraham
 

On 6/11/21 4:04 PM, Pranav Madhu via groups.io wrote:
Define and use the global macro LPI_EN and CPPC_EN to enable low power
idle and CPPC support for reference design platforms. Update platform
wide _OSC control method to enable/disable low power idle and CPPC
support based on pcd PcdOscLpiEnable and PcdOscCppcEnable. The pcds
are controlled by the global macros LPI_EN and CPPC_EN.

Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
---
Platform/ARM/SgiPkg/SgiPlatform.dec | 4 ++++
Platform/ARM/SgiPkg/SgiPlatform.dsc.inc | 14 ++++++++++++++
Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeAcpiTables.inf | 1 +
Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2AcpiTables.inf | 1 +
Platform/ARM/SgiPkg/AcpiTables/RdN2AcpiTables.inf | 2 ++
Platform/ARM/SgiPkg/AcpiTables/RdN2Cfg1AcpiTables.inf | 2 ++
Platform/ARM/SgiPkg/AcpiTables/RdV1AcpiTables.inf | 2 ++
Platform/ARM/SgiPkg/AcpiTables/RdV1McAcpiTables.inf | 2 ++
Platform/ARM/SgiPkg/AcpiTables/Sgi575AcpiTables.inf | 1 +
Platform/ARM/SgiPkg/Include/SgiAcpiHeader.h | 2 ++
Platform/ARM/SgiPkg/AcpiTables/RdN1Edge/Dsdt.asl | 8 ++++++++
Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2/Dsdt.asl | 8 ++++++++
Platform/ARM/SgiPkg/AcpiTables/RdN2/Dsdt.asl | 15 +++++++++++++++
Platform/ARM/SgiPkg/AcpiTables/RdN2Cfg1/Dsdt.asl | 15 +++++++++++++++
Platform/ARM/SgiPkg/AcpiTables/RdV1/Dsdt.asl | 15 +++++++++++++++
Platform/ARM/SgiPkg/AcpiTables/RdV1Mc/Dsdt.asl | 15 +++++++++++++++
Platform/ARM/SgiPkg/AcpiTables/Sgi575/Dsdt.asl | 8 ++++++++
17 files changed, 115 insertions(+)

Reviewed-by: Thomas Abraham <thomas.abraham@arm.com>

[...]


Re: [edk2-platforms][PATCH v2 2/5] Platform/Sgi: Add GED support

Thomas Abraham
 

On 6/11/21 4:04 PM, Pranav Madhu via groups.io wrote:
Add ACPI Generic Event Device (GED) support for Arm's reference design
platforms. The SP804 dual-timer interrupt is used as the event source
for GED.

Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
---
Platform/ARM/SgiPkg/SgiPlatform.dec | 5 ++
Platform/ARM/SgiPkg/SgiMemoryMap.dsc.inc | 5 ++
Platform/ARM/SgiPkg/SgiMemoryMap2.dsc.inc | 5 ++
Platform/ARM/SgiPkg/AcpiTables/RdE1EdgeAcpiTables.inf | 3 ++
Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeAcpiTables.inf | 3 ++
Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2AcpiTables.inf | 3 ++
Platform/ARM/SgiPkg/AcpiTables/RdN2AcpiTables.inf | 3 ++
Platform/ARM/SgiPkg/AcpiTables/RdN2Cfg1AcpiTables.inf | 3 ++
Platform/ARM/SgiPkg/AcpiTables/RdV1AcpiTables.inf | 3 ++
Platform/ARM/SgiPkg/AcpiTables/RdV1McAcpiTables.inf | 3 ++
Platform/ARM/SgiPkg/AcpiTables/Sgi575AcpiTables.inf | 3 ++
Platform/ARM/SgiPkg/AcpiTables/SsdtEvents.asl | 49 ++++++++++++++++++++
12 files changed, 88 insertions(+)
Reviewed-by: Thomas Abraham <thomas.abraham@arm.com>

[...]


Re: [edk2-platforms][PATCH v2 1/5] Platform/Sgi: Enable PrimeCell GPIO

Thomas Abraham
 

On 6/11/21 4:04 PM, Pranav Madhu via groups.io wrote:
The HW-Reduced ACPI model has specific requirements for GPIO
controllers. Arm's reference design platforms have PrimeCell GPIO
(PL061) integrated in the RoS subsystem to provide GPIO support. Add
GPIO device entry and also add GPIO signalled ACPI event template for
reference.

Signed-off-by: Pranav Madhu <pranav.madhu@arm.com>
---
Platform/ARM/SgiPkg/SgiPlatform.dec | 5 ++
Platform/ARM/SgiPkg/SgiMemoryMap.dsc.inc | 5 ++
Platform/ARM/SgiPkg/SgiMemoryMap2.dsc.inc | 5 ++
Platform/ARM/SgiPkg/AcpiTables/RdE1EdgeAcpiTables.inf | 4 ++
Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeAcpiTables.inf | 4 ++
Platform/ARM/SgiPkg/AcpiTables/RdN1EdgeX2AcpiTables.inf | 4 ++
Platform/ARM/SgiPkg/AcpiTables/RdN2AcpiTables.inf | 4 ++
Platform/ARM/SgiPkg/AcpiTables/RdN2Cfg1AcpiTables.inf | 4 ++
Platform/ARM/SgiPkg/AcpiTables/RdV1AcpiTables.inf | 4 ++
Platform/ARM/SgiPkg/AcpiTables/RdV1McAcpiTables.inf | 4 ++
Platform/ARM/SgiPkg/AcpiTables/Sgi575AcpiTables.inf | 5 ++
Platform/ARM/SgiPkg/AcpiTables/SsdtEvents.asl | 67 ++++++++++++++++++++
12 files changed, 115 insertions(+)
Reviewed-by: Thomas Abraham <thomas.abraham@arm.com>

[...]


Re: [edk2-test][PATCH v2 1/1] uefi-sct/SctPkg: Not create event with TPL_HIGH_LEVEL

Sunny Wang
 

Thanks for the review, Samer.
Moreover, I just built it and tested it on my ARM system, and confirmed the issue got fixed by this patch.

Without this fix, the result would be 18 tests, and 4 Errors.
CreateEvent_Func: [FAILED]
Passes........... 14
Warnings......... 0
Errors........... 4

Without this fix, the result would be 13 tests, and 0 Errors.
CreateEvent_Func: [PASSED]
Passes........... 13
Warnings......... 0
Errors........... 0

Best Regards,
Sunny Wang

-----Original Message-----
From: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
Sent: Monday, June 14, 2021 8:36 AM
To: Heinrich Schuchardt <xypron.glpk@gmx.de>; Sunny Wang <Sunny.Wang@arm.com>; devel@edk2.groups.io
Cc: G Edhaya Chandran <Edhaya.Chandran@arm.com>; Barton Gao <gaojie@byosoft.com.cn>; Michael D Kinney <michael.d.kinney@intel.com>; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>
Subject: RE: [edk2-test][PATCH v2 1/1] uefi-sct/SctPkg: Not create event with TPL_HIGH_LEVEL

Reviewed-By: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>

-----Original Message-----
From: Heinrich Schuchardt <xypron.glpk@gmx.de>
Sent: Friday, June 11, 2021 5:15 AM
To: Sunny Wang <Sunny.Wang@arm.com>; devel@edk2.groups.io
Cc: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; G Edhaya
Chandran <Edhaya.Chandran@arm.com>; Barton Gao
<gaojie@byosoft.com.cn>; Michael D Kinney <michael.d.kinney@intel.com>
Subject: Re: [edk2-test][PATCH v2 1/1] uefi-sct/SctPkg: Not create event
with TPL_HIGH_LEVEL

On 11.06.21 10:35, Sunny Wang wrote:
The commits a9d1fb58 and ae7e5477b555 caused SCT BS.CreateEvent
failures.

Section 7.1 of the UEFI Spec states that TPL_HIGH_LEVEL is designed for
exclusive use by the firmware. The creation of events by UEFI
applications, UEFI drivers, and UEFI OS Loaders should not use this TPL
level.

Therefore, revert TPL_HIGH_LEVEL change in commits a9d1fb58 and
ae7e5477b555 to not create event with TPL_HIGH_LEVEL to be compliant
with UEFI Spec and fix the failures.

For more information, https://edk2.groups.io/g/devel/message/76338

Cc: Samer El-Haj-Mahmoud <samer.el-haj-mahmoud@arm.com>
Cc: G Edhaya Chandran <edhaya.chandran@arm.com>
Cc: Barton Gao <gaojie@byosoft.com.cn>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Signed-off-by: Sunny Wang <sunny.wang@arm.com>
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

---
.../EventTimerTaskPriorityServicesBBTestCreateEvent.c | 5 +----
.../EventTimerTaskPriorityServicesBBTestCreateEventEx.c | 4 +---
2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/uefi-
sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/
BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEvent.c b/uefi-
sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/
BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEvent.c
index a7e7366e..d5c033f7 100644
--- a/uefi-
sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/
BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEvent.c
+++ b/uefi-
sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/
BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEvent.c
@@ -2,6 +2,7 @@

Copyright 2006 - 2012 Unified EFI, Inc.<BR>
Copyright (c) 2010 - 2012, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2021, ARM Limited. All rights reserved.

This program and the accompanying materials
are licensed and made available under the terms and conditions of the
BSD License
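Review bot: the added line `+ Copyright (c) 2021, ARM Limited. All rights reserved.` lacks the `<BR>` suffix that the two copyright lines above it carry, so the rendered header will run the lines together; append `<BR>` here and in the matching hunk of EventTimerTaskPriorityServicesBBTestCreateEventEx.c.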
@@ -190,7 +191,6 @@ BBTestCreateEvent_Conf_Sub1 (
EFI_TPL NotifyTpls[] = {
TPL_CALLBACK,
TPL_NOTIFY,
- TPL_HIGH_LEVEL,
0
};
EFI_TEST_ASSERTION AssertionType;
@@ -342,7 +342,6 @@ BBTestCreateEvent_Conf_Sub3 (
EFI_TPL NotifyTpls[] = {
TPL_CALLBACK,
TPL_NOTIFY,
- TPL_HIGH_LEVEL,
0
};
EFI_TEST_ASSERTION AssertionType;
@@ -407,7 +406,6 @@ BBTestCreateEvent_Conf_Sub4 (
EFI_TPL NotifyTpls[] = {
TPL_CALLBACK,
TPL_NOTIFY,
- TPL_HIGH_LEVEL,
0
};
EFI_TEST_ASSERTION AssertionType;
@@ -482,7 +480,6 @@ BBTestCreateEvent_Func_Sub1 (
EFI_TPL NotifyTpls[] = {
TPL_CALLBACK,
TPL_NOTIFY,
- TPL_HIGH_LEVEL,
0
};
EFI_TEST_ASSERTION AssertionType;
diff --git a/uefi-
sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/
BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEventEx.c b/uefi-
sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/
BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEventEx.c
index eb458de5..03b7ae6e 100644
--- a/uefi-
sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/
BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEventEx.c
+++ b/uefi-
sct/SctPkg/TestCase/UEFI/EFI/BootServices/EventTimerTaskPriorityServices/
BlackBoxTest/EventTimerTaskPriorityServicesBBTestCreateEventEx.c
@@ -2,6 +2,7 @@

Copyright 2006 - 2016 Unified EFI, Inc.<BR>
Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2021, ARM Limited. All rights reserved.

This program and the accompanying materials
are licensed and made available under the terms and conditions of the
BSD License
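Review bot: As in the CreateEvent test, the new `Copyright (c) 2021, ARM Limited. All rights reserved.` line lacks the `<BR>` suffix used by the two lines above it; add it for consistency.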
@@ -228,7 +229,6 @@ BBTestCreateEventEx_Conf_Sub1 (
EFI_TPL NotifyTpls[] = {
TPL_CALLBACK,
TPL_NOTIFY,
- TPL_HIGH_LEVEL,
0
};
EFI_GUID *EventGroups[] = {
@@ -318,7 +318,6 @@ BBTestCreateEventEx_Conf_Sub2 (
EFI_TPL NotifyTpls[] = {
TPL_CALLBACK,
TPL_NOTIFY,
- TPL_HIGH_LEVEL,
0
};
EFI_GUID *EventGroups[] = {
@@ -413,7 +412,6 @@ BBTestCreateEventEx_Conf_Sub3 (
EFI_TPL NotifyTpls[] = {
TPL_CALLBACK,
TPL_NOTIFY,
- TPL_HIGH_LEVEL,
0
};
EFI_GUID *EventGroups[] = {



Re: [PATCH v2 0/6] Secure Boot default keys

Grzegorz Bernacki
 

Hi Min M,

Please find log from tests of OvmfX64 built with VS2019 at:
https://drive.google.com/file/d/18w7s6GxIz3aeId22xABMib7I3JX7G9X1/view?usp=sharing

thanks,
greg

pon., 7 cze 2021 o 09:29 Grzegorz Bernacki <gjb@semihalf.com> napisał(a):


Hi Min M,

I tested it with Ovmf. I will try other compiler and provide you logs soon.

thanks,
greg

pt., 4 cze 2021 o 10:17 Xu, Min M <min.m.xu@intel.com> napisał(a):

Grzegorz
Have you built this feature with different tool chains, such as VS2017/VS2019/GCC5? And test it in IA32/X64/AARCH64?
Would you post your test result in the mail?
Thanks much!

-----Original Message-----
From: Grzegorz Bernacki <gjb@semihalf.com>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj-
Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com;
upstream@semihalf.com; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
<jian.j.wang@intel.com>; Xu, Min M <min.m.xu@intel.com>;
lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com>
Subject: [PATCH v2 0/6] Secure Boot default keys

This patchset adds support for initialization of default Secure Boot variables
based on key content embedded in the flash binary. This feature is active only if
Secure Boot is enabled and DEFAULT_KEY is defined. The patchset also includes
an application to enroll keys from the default variables and a Secure Boot menu
change to allow the user to reset key content to default values.
Discussion on design can be found at:
https://edk2.groups.io/g/rfc/topic/82139806#600

I also added patch for RPi4 which enables this feature for that platform.

Changes since v1:
- change names:
SecBootVariableLib => SecureBootVariableLib
SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
- change name of function CheckSetupMode to GetSetupMode
- remove ShellPkg dependency from EnrollFromDefaultKeysApp
- rebase to master

Grzegorz Bernacki (6):
[edk2]
SecurityPkg: Create library for setting Secure Boot variables.
SecurityPkg: Create include file for default key content.
SecurityPkg: Add SecureBootDefaultKeysDxe driver
SecurityPkg: Add EnrollFromDefaultKeys application.
SecurityPkg: Add new modules to Security package.
SecurityPkg: Add option to reset secure boot keys.
[edk2-platform]
Platform/RaspberryPi: Enable default Secure Boot variables initialization

SecurityPkg/SecurityPkg.dec | 14 +
SecurityPkg/SecurityPkg.dsc | 5 +
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 +
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 79 ++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 +
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 46 +
SecurityPkg/Include/Library/SecureBootVariableLib.h | 252 +++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 107 +++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 979 ++++++++++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 343 ++++---
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 69 ++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 16 +
SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 ++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 17 +
17 files changed, 1862 insertions(+), 188 deletions(-)
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni

--
2.25.1


[PATCH v3 8/8] MdeModulePkg: Use SecureBootVariableLib in PlatformVarCleanupLib.

Grzegorz Bernacki
 

This commit removes the CreateTimeBasedPayload() function from
PlatformVarCleanupLib and uses exactly the same function from
SecureBootVariableLib.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf | 2 +
MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h | 1 +
MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c | 84 --------------------
3 files changed, 3 insertions(+), 84 deletions(-)

diff --git a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf
index 8d5db826a0..493d03e1d8 100644
--- a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf
+++ b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatformVarCleanupLib.inf
@@ -34,6 +34,7 @@
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec

[LibraryClasses]
UefiBootServicesTableLib
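Review bot: Adding `SecurityPkg/SecurityPkg.dec` to the `[Packages]` of an MdeModulePkg library inverts the usual package layering (SecurityPkg builds on top of MdeModulePkg, not the reverse), so every platform that links PlatformVarCleanupLib must now have SecurityPkg in its workspace and must resolve the SecureBootVariableLib library class in its DSC. Either call that out in the commit message and the package maintainers' review, or move the shared CreateTimeBasedPayload() into a package that both MdeModulePkg and SecurityPkg can depend on.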
@@ -44,6 +45,7 @@
PrintLib
MemoryAllocationLib
HiiLib
+ SecureBootVariableLib

[Guids]
gEfiIfrTianoGuid ## SOMETIMES_PRODUCES ## GUID
diff --git a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
index c809a7086b..94fbc7d2a4 100644
--- a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
+++ b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanup.h
@@ -18,6 +18,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/MemoryAllocationLib.h>
#include <Library/HiiLib.h>
#include <Library/PlatformVarCleanupLib.h>
+#include <Library/SecureBootVariableLib.h>

#include <Protocol/Variable.h>
#include <Protocol/VarCheck.h>
diff --git a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
index 3875d614bb..204f1e00ad 100644
--- a/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
+++ b/MdeModulePkg/Library/PlatformVarCleanupLib/PlatVarCleanupLib.c
@@ -319,90 +319,6 @@ DestroyUserVariableNode (
}
}

-/**
- Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
- descriptor with the input data. NO authentication is required in this function.
-
- @param[in, out] DataSize On input, the size of Data buffer in bytes.
- On output, the size of data returned in Data
- buffer in bytes.
- @param[in, out] Data On input, Pointer to data buffer to be wrapped or
- pointer to NULL to wrap an empty payload.
- On output, Pointer to the new payload date buffer allocated from pool,
- it's caller's responsibility to free the memory after using it.
-
- @retval EFI_SUCCESS Create time based payload successfully.
- @retval EFI_OUT_OF_RESOURCES There are not enough memory resourses to create time based payload.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval Others Unexpected error happens.
-
-**/
-EFI_STATUS
-CreateTimeBasedPayload (
- IN OUT UINTN *DataSize,
- IN OUT UINT8 **Data
- )
-{
- EFI_STATUS Status;
- UINT8 *NewData;
- UINT8 *Payload;
- UINTN PayloadSize;
- EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
- UINTN DescriptorSize;
- EFI_TIME Time;
-
- if (Data == NULL || DataSize == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // At user physical presence, the variable does not need to be signed but the
- // parameters to the SetVariable() call still need to be prepared as authenticated
- // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
- // data in it.
- //
- Payload = *Data;
- PayloadSize = *DataSize;
-
- DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- NewData = (UINT8 *) AllocateZeroPool (DescriptorSize + PayloadSize);
- if (NewData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- if ((Payload != NULL) && (PayloadSize != 0)) {
- CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
- }
-
- DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
-
- ZeroMem (&Time, sizeof (EFI_TIME));
- Status = gRT->GetTime (&Time, NULL);
- if (EFI_ERROR (Status)) {
- FreePool (NewData);
- return Status;
- }
- Time.Pad1 = 0;
- Time.Nanosecond = 0;
- Time.TimeZone = 0;
- Time.Daylight = 0;
- Time.Pad2 = 0;
- CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
-
- DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
- DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
- CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
-
- if (Payload != NULL) {
- FreePool (Payload);
- }
-
- *DataSize = DescriptorSize + PayloadSize;
- *Data = NewData;
- return EFI_SUCCESS;
-}
-
/**
Create a counter based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION
descriptor with the input data. NO authentication is required in this function.
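Review bot: Since the commit message says the SecureBootVariableLib version is "exactly the same function", the callers left in this file keep relying on the contract documented in the removed comment: the incoming `*Data` is freed and replaced by a pool allocation the caller must free, and the timestamp fields `Pad1`, `Nanosecond`, `TimeZone`, `Daylight` and `Pad2` are zeroed as the EFI_VARIABLE_AUTHENTICATION_2 format requires. Worth stating that in the commit message, and worth confirming the library header's prototype matches `IN OUT UINTN *DataSize, IN OUT UINT8 **Data`, since a mismatch would only surface at compile time on platforms that build this library.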
--
2.25.1


[PATCH v3 7/8] SecurityPkg: Add option to reset secure boot keys.

Grzegorz Bernacki
 

This commit adds an option which allows resetting the content of Secure Boot
keys and databases to the default variables.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
---
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 154 ++++++++++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
5 files changed, 167 insertions(+)

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
index 30d9cd8025..bd8d256dde 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
@@ -109,6 +109,7 @@
[Protocols]
gEfiHiiConfigAccessProtocolGuid ## PRODUCES
gEfiDevicePathProtocolGuid ## PRODUCES
+ gEfiHiiPopupProtocolGuid

[Depex]
gEfiHiiConfigRoutingProtocolGuid AND
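Review bot: `gEfiHiiPopupProtocolGuid` is added to `[Protocols]` without the usage annotation the neighbouring entries carry (`## PRODUCES`); add `## CONSUMES` so the inf stays self-documenting. Leaving `[Depex]` unchanged is fine only because the callback checks the result of LocateProtocol() before using the popup protocol, which the SecureBootConfigImpl.c change in this series does.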
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
index 6e54a4b0f2..4ecc25efc3 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
@@ -54,6 +54,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent

#define KEY_VALUE_FROM_DBX_TO_LIST_FORM 0x100f

+#define KEY_SECURE_BOOT_RESET_TO_DEFAULT 0x1010
+
#define KEY_SECURE_BOOT_OPTION 0x1100
#define KEY_SECURE_BOOT_PK_OPTION 0x1101
#define KEY_SECURE_BOOT_KEK_OPTION 0x1102
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index fa7e11848c..e4560c592c 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -69,6 +69,12 @@ formset
endif;
endif;

+ text
+ help = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP),
+ text = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS),
+ flags = INTERACTIVE,
+ key = KEY_SECURE_BOOT_RESET_TO_DEFAULT;
+
endform;

//
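Review bot: The new `text` item sits after the closing `endif;` pairs, so the "Reset Secure Boot Keys" entry is offered unconditionally, including on platforms that ship no default key sections; consider a `suppressif` tied to the same condition as the surrounding items, or make sure the reset path reports a clear error when the default variables are absent rather than leaving the key databases deleted.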
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
index 67e5e594ed..47f281873b 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
**/

#include "SecureBootConfigImpl.h"
+#include <Protocol/HiiPopup.h>
#include <Library/BaseCryptLib.h>
#include <Library/SecureBootVariableLib.h>

@@ -4154,6 +4155,132 @@ ON_EXIT:
return Status;
}

+/**
+ This function reinitializes Secure Boot variables with default values.
+
+ @retval EFI_SUCCESS Success to update the signature list page
+ @retval others Fail to delete or enroll signature data.
+**/
+
+STATIC EFI_STATUS
+EFIAPI
+KeyEnrollReset (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ UINT8 SetupMode;
+
+ Status = EFI_SUCCESS;
+
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR(Status)) {
+ return Status;
+ }
+
+ // Clear all the keys and databases
+ Status = DeleteDb ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear DB: %r\n", Status));
+ return Status;
+ }
+
+ Status = DeleteDbx ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear DBX: %r\n", Status));
+ return Status;
+ }
+
+ Status = DeleteDbt ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear DBT: %r\n", Status));
+ return Status;
+ }
+
+ Status = DeleteKEK ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear KEK: %r\n", Status));
+ return Status;
+ }
+
+ Status = DeletePlatformKey ();
+ if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
+ DEBUG ((DEBUG_ERROR, "Fail to clear PK: %r\n", Status));
+ return Status;
+ }
+
+ // After PK clear, Setup Mode shall be enabled
+ Status = GetSetupMode (&SetupMode);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot get SetupMode variable: %r\n",
+ Status));
+ return Status;
+ }
+
+ if (SetupMode == USER_MODE) {
+ DEBUG((DEBUG_INFO, "Skipped - USER_MODE\n"));
+ return EFI_SUCCESS;
+ }
+
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n",
+ Status));
+ return EFI_SUCCESS;
+ }
+
+ // Enroll all the keys from default variables
+ Status = EnrollDbFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status));
+ goto error;
+ }
+
+ Status = EnrollDbxFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status));
+ }
+
+ Status = EnrollDbtFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status));
+ }
+
+ Status = EnrollKEKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status));
+ goto cleardbs;
+ }
+
+ Status = EnrollPKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status));
+ goto clearKEK;
+ }
+
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n"));
+ }
+
+ return Status;
+
+clearKEK:
+ DeleteKEK ();
+
+cleardbs:
+ DeleteDbt ();
+ DeleteDbx ();
+ DeleteDb ();
+
+error:
+ if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) != EFI_SUCCESS) {
+ DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status));
+ }
+ return Status;
+}
+
/**
This function is called to provide results data to the driver.

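Review bot: Two error paths in KeyEnrollReset() report success when they should not: when the second `SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE)` fails the function returns EFI_SUCCESS instead of Status, and the `SetupMode == USER_MODE` branch returns EFI_SUCCESS after db, dbx, dbt, KEK and PK have already been deleted, so the caller goes on to refresh the strings as if the reset completed. Both should return an error. Also, the first `SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE)` call near the top makes the second one redundant, the `Status = EFI_SUCCESS;` assignment is immediately overwritten, the `error:` label prints the stale enroll `Status` in `Cannot set mode to Secure: %r` instead of the SetSecureBootMode() result, and the `@retval EFI_SUCCESS Success to update the signature list page` text was copied from another function and should describe this one.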
@@ -4205,6 +4332,8 @@ SecureBootCallback (
SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
BOOLEAN GetBrowserDataResult;
ENROLL_KEY_ERROR EnrollKeyErrorCode;
+ EFI_HII_POPUP_PROTOCOL *HiiPopup;
+ EFI_HII_POPUP_SELECTION UserSelection;

Status = EFI_SUCCESS;
SecureBootEnable = NULL;
@@ -4755,6 +4884,31 @@ SecureBootCallback (
FreePool (SetupMode);
}
break;
+ case KEY_SECURE_BOOT_RESET_TO_DEFAULT:
+ {
+ Status = gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VOID **) &HiiPopup);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ Status = HiiPopup->CreatePopup (
+ HiiPopup,
+ EfiHiiPopupStyleInfo,
+ EfiHiiPopupTypeYesNo,
+ Private->HiiHandle,
+ STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP),
+ &UserSelection
+ );
+ if (UserSelection == EfiHiiPopupSelectionYes) {
+ Status = KeyEnrollReset ();
+ }
+ //
+ // Update secure boot strings after key reset
+ //
+ if (Status == EFI_SUCCESS) {
+ Status = UpdateSecureBootString (Private);
+ SecureBootExtractConfigFromVariable (Private, IfrNvData);
+ }
+ }
default:
break;
}
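Review bot: The `case KEY_SECURE_BOOT_RESET_TO_DEFAULT:` block has no `break;` before `default:`, and `UserSelection` is read without checking the Status returned by `HiiPopup->CreatePopup()`, so a failed popup leaves it uninitialized when it is compared to `EfiHiiPopupSelectionYes`. Add `if (EFI_ERROR (Status)) { break; }` after the CreatePopup call and a `break;` at the end of the block. The early `return Status` when the popup protocol cannot be located also bypasses the rest of SecureBootCallback(); breaking out with the error instead would keep this case on the same exit path as the others.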
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
index ac783453cc..0d01701de7 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
@@ -21,6 +21,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure Boot"
#string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable the Secure Boot feature after platform reset"

+#string STR_SECURE_RESET_TO_DEFAULTS_HELP #language en-US "Enroll keys with data from default variables"
+#string STR_SECURE_RESET_TO_DEFAULTS #language en-US "Reset Secure Boot Keys"
+#string STR_RESET_TO_DEFAULTS_POPUP #language en-US "Secure Boot Keys & databases will be initialized from defaults.\n Are you sure?"
+
#string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signature"
#string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signature"
#string STR_SECURE_BOOT_DELETE_LIST_FORM #language en-US "Delete Signature List Form"
--
2.25.1


[PATCH v3 6/8] SecurityPkg: Add new modules to Security package.

Grzegorz Bernacki
 

This commit adds modules related to the initialization and
usage of default Secure Boot key variables to SecurityPkg.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4
---
SecurityPkg/SecurityPkg.dec | 14 ++++++++++++++
SecurityPkg/SecurityPkg.dsc | 3 +++
2 files changed, 17 insertions(+)

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 4001650fa2..dad3cae0ba 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -190,6 +190,20 @@
## GUID used to enforce loading order between Tcg2Acpi and Tcg2Smm
gTcg2MmSwSmiRegisteredGuid = { 0x9d4548b9, 0xa48d, 0x4db4, { 0x9a, 0x68, 0x32, 0xc5, 0x13, 0x9e, 0x20, 0x18 } }

+ ## GUID used to specify section with default PK content
+ gDefaultPKFileGuid = { 0x85254ea7, 0x4759, 0x4fc4, { 0x82, 0xd4, 0x5e, 0xed, 0x5f, 0xb0, 0xa4, 0xa0 } }
+
+ ## GUID used to specify section with default KEK content
+ gDefaultKEKFileGuid = { 0x6f64916e, 0x9f7a, 0x4c35, { 0xb9, 0x52, 0xcd, 0x04, 0x1e, 0xfb, 0x05, 0xa3 } }
+
+ ## GUID used to specify section with default db content
+ gDefaultdbFileGuid = { 0xc491d352, 0x7623, 0x4843, { 0xac, 0xcc, 0x27, 0x91, 0xa7, 0x57, 0x44, 0x21 } }
+
+ ## GUID used to specify section with default dbt content
+ gDefaultdbxFileGuid = { 0x5740766a, 0x718e, 0x4dc0, { 0x99, 0x35, 0xc3, 0x6f, 0x7d, 0x3f, 0x88, 0x4f } }
+
+ ## GUID used to specify section with default dbx content
+ gDefaultdbtFileGuid = { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } }

[Ppis]
## The PPI GUID for that TPM physical presence should be locked.
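Review bot: The descriptive comments on `gDefaultdbxFileGuid` and `gDefaultdbtFileGuid` are swapped: the dbx GUID is annotated "default dbt content" and the dbt GUID "default dbx content". Swap the two comment lines so each GUID is documented with the section it actually names.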
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 854f250625..f2f90f49de 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -259,6 +259,9 @@

[Components.IA32, Components.X64, Components.ARM, Components.AARCH64]
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+ SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ SecurityPkg/EnrollFromDefaultKeys/EnrollFromDefaultKeys.inf
+ SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys/SecureBootDefaultKeys.inf

[Components.IA32, Components.X64, Components.AARCH64]
#
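Review bot: The two new component paths, `SecurityPkg/EnrollFromDefaultKeys/EnrollFromDefaultKeys.inf` and `SecurityPkg/VariableAuthenticated/SecureBootDefaultKeys/SecureBootDefaultKeys.inf`, do not match the module names used elsewhere in this series (the v2 cover letter lists `SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf` and `SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf`); confirm they match the directories actually added by the earlier patches, otherwise the package DSC build will fail to find them.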
--
2.25.1
