devel@edk2.groups.io

Home Messages Hashtags Subgroups Calendar

Expanded

Between

and

Re: [PATCH v2 2/2] ArmVirtPkg/ArmVirtQemu: Avoid early ID map on ThunderX Marc Zyngier <maz@...> #98962 On Thu, 19 Jan 2023 11:11:34 +0000, Ard Biesheuvel <ardb@...> wrote: (cc Marc) Context: - on my TX2 (with the S1PTW r/o memslot fix applied), the new version of ArmVirtQemu that uses an initial ID map in emulated NOR flash works fine. - in Oliver's case (which is a slightly different flavor of TX2), it crashes extremely early, presumably at the point where this ID map is activated. Oliver seems to have a vintage ThunderX (aka the worst arm64 implementation in history!), so it is indeed a very different beat from TX2. Without the kernel patch[1], I can trigger the issue pretty reliably, specially in the absence of THP. It all depends on the layout of the EDK2 object and the order in which pages get mapped. The first course of action would be to make sure that the patch is applied to the host kernel. If this still fails to boot, I'm happy to help investigating it. M. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch?id=406504c7b0405d74d74c15a667cd4c4620c3e7a9 -- Without deviation from the norm, progress is not possible.
More
Re: [PATCH V2] MdeModulePkg/Decompress: Add missing source file to Brotli library Timothy Lin #98961 This patch tried to fix following build failure when linking the Brotli decompress lib. Steps to replicate the issue: 1 - Attach a NULL lib to DxeIpl.inf in any project's .DSC, say OvmfPkgX64.dsc MdeModulePkg/Core/DxeIplPeim/DxeIpl.inf { <LibraryClasses> NULL\|MdeModulePkg/Library/BrotliCustomDecompressLib/BrotliCustomDecompressLib.inf } 2 - Follow the EDKII'2 package build steps to build that project. Build.py would compliain with following errors. ... /home/edk2/edk2-stable202211/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c:879: undefined reference to `_kBrotliPrefixCodeRanges' /usr/bin/ld: /home/edk2/edk2-stable202211/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c:1193: undefined reference to `_kBrotliContextLookupTable' /usr/bin/ld: /tmp/ccKzzHN0.ltrans0.ltrans.o: in function `DecodeCommandBlockSwitch': ... /usr/bin/ld: /tmp/ccKzzHN0.ltrans0.ltrans.o: in function `BrotliUefiDecompress': /home/edk2/edk2-stable202211/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c:898: undefined reference to `_kBrotliPrefixCodeRanges' /usr/bin/ld: /home/edk2/edk2-stable202211/MdeModulePkg/Library/BrotliCustomDecompressLib/brotli/c/dec/decode.c:1193: undefined reference to `_kBrotliContextLookupTable' -- Timothy
More All Messages By This Member
Re: [PATCH v1 1/1] .devcontainer/devcontainer.json: Add devcontainer file Ard Biesheuvel #98960 On Mon, 23 Jan 2023 at 10:23, Oliver Steffen <osteffen@...> wrote: Quoting Rebecca Cran (2023-01-20 22:22:55) Related to this, I've been wondering if we might want to commit a .vscode directory with project configuration file(s)? As long as project settings for other IDEs (should there be a reasonable user base) would be accepted in the future, why not? Also perhaps a .editorconfig file? I like the idea, because it is understood by many IDEs and text editors. Yes, please, this would be very useful.
More All Messages By This Member
Re: [PATCH v1 1/1] .devcontainer/devcontainer.json: Add devcontainer file Oliver Steffen #98959 Quoting Rebecca Cran (2023-01-20 22:22:55) Related to this, I've been wondering if we might want to commit a .vscode directory with project configuration file(s)? As long as project settings for other IDEs (should there be a reasonable user base) would be accepted in the future, why not? Also perhaps a .editorconfig file? I like the idea, because it is understood by many IDEs and text editors. -- Rebecca Cran On 1/20/23 13:51, Michael Kubacki wrote: From: Michael Kubacki [1]<michael.kubacki@...> Tianocore maintains container images in the tianocore/containers repo and stores container images within the GitHub container registry. [2]https://github.com/tianocore/containers This change adds a devcontainer.json file to the edk2 repo. This file's metadata and settings to configurate a development container for a given well-defined tool and runtime stack. More information about the devcontainer.json file is available here: [3]https://containers.dev/implementors/json_reference/ This file is recognized by popular tools such as GitHub Codespaces and VS Code. In VS Code in particular, it makes it much easier for a user to be aware a dev container exists (via UI notifications) and to load the container. A minimal number of VS Code extensions are specified that are useful for edk2 development or to assist in complying with CI checks in place in edk2. Cc: Andrew Fish [4]<afish@...> Cc: Chris Fernald [5]<chris.fernald@...> Cc: Leif Lindholm [6]<quic_llindhol@...> Cc: Michael D Kinney [7]<michael.d.kinney@...> Cc: Oliver Steffen [8]<osteffen@...> Signed-off-by: Michael Kubacki [9]<michael.kubacki@...> --- .devcontainer/devcontainer.json \| 16 ++++++++++++++++ Maintainers.txt \| 5 +++++ 2 files changed, 21 insertions(+) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 000000000000..592bb8cf6626 --- /dev/null +++ b/.devcontainer/devcontainer.json @@ -0,0 +1,16 @@ +{ + "image": "ghcr.io/tianocore/containers/fedora-35-dev:latest", + "postCreateCommand": "git config --global --add safe.directory * && pip install --upgrade -r pip-requirements.txt", + "customizations": { + "vscode": { + "extensions": [ + "DavidAnson.vscode-markdownlint", + "ms-azuretools.vscode-docker", + "ms-vscode-remote.remote-containers", + "ms-vscode.cpptools", + "walonli.edk2-vscode", + "zachflower.uncrustify" + ] + } + } +} diff --git a/Maintainers.txt b/Maintainers.txt index 68f603b48398..4aa7973d5156 100644 --- a/Maintainers.txt +++ b/Maintainers.txt @@ -117,6 +117,11 @@ M: Michael Kubacki [10]<mikuback@...> [makubacki] R: Michael D Kinney [11]<michael.d.kinney@...> [mdkinney] R: Liming Gao [12]<gaoliming@...> [lgao4] +.devcontainer/ +F: .devcontainer/ +M: Michael Kubacki [13]<mikuback@...> [makubacki] +R: Chris Fernald [14]<chris.fernald@...> [cfernald] + .github/ F: .github/ M: Sean Brogan [15]<sean.brogan@...> [spbrogan] -Oliver
More All Messages By This Member
Re: [PATCH edk2-platforms v1 1/1] Platform/Hisilicon: Fix missing dependency on VariableFlashInfoLib PierreGondois #98958 Hi Sami, I think other platforms have the same library missing: - Platform/Hisilicon/D03/D03.dsc - Platform/Hisilicon/D06/D06.dsc - Platform/Hisilicon/HiKey960/HiKey960.dsc - Platform/Hisilicon/HiKey/HiKey.dsc If the library definition is done in Silicon/Hisilicon/Hisilicon.dsc.inc, I think it solves all the definitions at once, Regards, Pierre toggle quoted message Show quoted text On 1/19/23 17:14, Sami Mujawar wrote: From: Guillaume Gardet <Guillaume.Gardet@...> The Hisilicon/HiKey and Hisilicon/HiKey960 platform firmware builds break due to a missing dependency on VariableFlashInfoLib. Therefore, include VariableFlashInfoLib in the [LibraryClasses.common] section to satisfy the dependency. Cc: Leif Lindholm <quic_llindhol@...> Cc: Ard Biesheuvel <ardb+tianocore@...> Cc: Wenyi Xie <xiewenyi2@...> Cc: Guillaume Gardet <Guillaume.Gardet@...> Cc: Pierre Gondois <pierre.gondois@...> Signed-off-by: Sami Mujawar <sami.mujawar@...> --- Platform/Hisilicon/HiKey/HiKey.dsc \| 1 + Platform/Hisilicon/HiKey960/HiKey960.dsc \| 1 + 2 files changed, 2 insertions(+) diff --git a/Platform/Hisilicon/HiKey/HiKey.dsc b/Platform/Hisilicon/HiKey/HiKey.dsc index 375b29375d75cec37eb7410a8ea4396b6cdf89a4..c0de67fce8fe3a76cb6eca7f54814d676939f3e9 100644 --- a/Platform/Hisilicon/HiKey/HiKey.dsc +++ b/Platform/Hisilicon/HiKey/HiKey.dsc @@ -62,6 +62,7 @@ [LibraryClasses.common] AuthVariableLib\|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf TpmMeasurementLib\|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf VarCheckLib\|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf + VariableFlashInfoLib\|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf [LibraryClasses.common.SEC] PrePiLib\|EmbeddedPkg/Library/PrePiLib/PrePiLib.inf diff --git a/Platform/Hisilicon/HiKey960/HiKey960.dsc b/Platform/Hisilicon/HiKey960/HiKey960.dsc index 1d09e3f5da74824af3b988a55c646c1b127a3a93..b821f0be60e31507bee8d4358e15fc5eedaf133e 100644 --- a/Platform/Hisilicon/HiKey960/HiKey960.dsc +++ b/Platform/Hisilicon/HiKey960/HiKey960.dsc @@ -63,6 +63,7 @@ [LibraryClasses.common] AuthVariableLib\|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf TpmMeasurementLib\|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf VarCheckLib\|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf + VariableFlashInfoLib\|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf [LibraryClasses.common.SEC] PrePiLib\|EmbeddedPkg/Library/PrePiLib/PrePiLib.inf
More All Messages By This Member
Re: [PATCH v1 0/4] Don't require self-signed PK in setup mode Yao, Jiewen #98957 Hi Sean I would like to hear your feedback, since it is a little different from the original MSFT patch. Would you please take a look? Thank you Yao, Jiewen toggle quoted message Show quoted text -----Original Message----- From: Jan Bobek <jbobek@...> Sent: Saturday, January 21, 2023 6:59 AM To: devel@edk2.groups.io Cc: Jan Bobek <jbobek@...>; Laszlo Ersek <lersek@...>; Yao, Jiewen <jiewen.yao@...> Subject: [PATCH v1 0/4] Don't require self-signed PK in setup mode Hi all, I'm sending out v1 of my patch series that addresses a UEFI spec non-compliance when enrolling PK in setup mode. Additional info can be found in bugzilla [1]; the changes are split into 4 patches as suggested by Laszlo Ersek in comment #4. I've based my work on the patch by Matthew Carlson; I've credited him with co-authorship of the first patch even though in the end I decided to do the implementation a bit differently. Comments & reviews welcome! Cheers, -Jan References: 1. https://bugzilla.tianocore.org/show_bug.cgi?id=2506 Jan Bobek (4): SecurityPkg: limit verification of enrolled PK in setup mode OvmfPkg: require self-signed PK when secure boot is enabled ArmVirtPkg: require self-signed PK when secure boot is enabled SecurityPkg: don't require PK to be self-signed by default SecurityPkg/SecurityPkg.dec \| 7 +++++++ ArmVirtPkg/ArmVirtCloudHv.dsc \| 4 ++++ ArmVirtPkg/ArmVirtQemu.dsc \| 4 ++++ ArmVirtPkg/ArmVirtQemuKernel.dsc \| 4 ++++ OvmfPkg/Bhyve/BhyveX64.dsc \| 3 +++ OvmfPkg/CloudHv/CloudHvX64.dsc \| 3 +++ OvmfPkg/IntelTdx/IntelTdxX64.dsc \| 3 +++ OvmfPkg/Microvm/MicrovmX64.dsc \| 3 +++ OvmfPkg/OvmfPkgIa32.dsc \| 3 +++ OvmfPkg/OvmfPkgIa32X64.dsc \| 3 +++ OvmfPkg/OvmfPkgX64.dsc \| 3 +++ SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf \| 3 +++ SecurityPkg/Library/AuthVariableLib/AuthService.c \| 9 +++++++-- 13 files changed, 50 insertions(+), 2 deletions(-) -- 2.30.2
More All Messages By This Member
Re: [PATCH v2 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present Yao, Jiewen #98956 Merged https://github.com/tianocore/edk2/pull/3940 toggle quoted message Show quoted text From: Yao, Jiewen <jiewen.yao@...> Sent: Monday, January 23, 2023 10:38 AM To: Jan Bobek <jbobek@...>; devel@edk2.groups.io Cc: Jan Bobek <jbobek@...>; Wang, Jian J <jian.j.wang@...>; Xu, Min M <min.m.xu@...> Subject: Re: [PATCH v2 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present reviewed-by: Jiewen Yao <Jiewen.yao@...> 发件人: Jan Bobek <jbobek@...> 发送时间: Monday, January 23, 2023 5:53:48 AM 收件人: devel@edk2.groups.io <devel@edk2.groups.io> 抄送: Jan Bobek <jbobek@...>; Yao, Jiewen <jiewen.yao@...>; Wang, Jian J <jian.j.wang@...>; Xu, Min M <min.m.xu@...> 主题: [PATCH v2 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4305 Based on whether the DER-encoded ContentInfo structure is present in authenticated SetVariable payload or not, the SHA-256 OID can be located at different places. UEFI specification explicitly states the driver shall support both cases, but the old code assumed ContentInfo was not present and incorrectly rejected authenticated variable updates when it were present. Cc: Jiewen Yao <jiewen.yao@...> Cc: Jian J Wang <jian.j.wang@...> Cc: Min Xu <min.m.xu@...> Signed-off-by: Jan Bobek <jbobek@...> --- .../Library/AuthVariableLib/AuthService.c \| 50 ++++++++++++++++--- 1 file changed, 42 insertions(+), 8 deletions(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 054ee4d1d988..9beeca09aeba 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -1925,7 +1925,7 @@ VerifyTimeBasedPayload ( // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the // signature. Only a digest algorithm of SHA-256 is accepted. // - // According to PKCS#7 Definition: + // According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc2315): // SignedData ::= SEQUENCE { // version Version, // digestAlgorithms DigestAlgorithmIdentifiers, @@ -1933,15 +1933,49 @@ VerifyTimeBasedPayload ( // .... } // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm // in VARIABLE_AUTHENTICATION_2 descriptor. - // This field has the fixed offset (+13) and be calculated based on two bytes of length encoding. + // This field has the fixed offset (+13) or (+32) based on whether the DER-encoded + // ContentInfo structure is present or not, and can be calculated based on two + // bytes of length encoding. + // + // Both condition can be handled in WrapPkcs7Data() in CryptPkcs7VerifyCommon.c. + // + // See below examples: + // + // 1. Without ContentInfo + // 30 82 0c da // SEQUENCE (5 element) (3294 BYTES) -- SignedData + // 02 01 01 // INTEGER 1 -- Version + // 31 0f // SET (1 element) (15 BYTES) -- DigestAlgorithmIdentifiers + // 30 0d // SEQUENCE (2 element) (13 BYTES) -- AlgorithmIdentifier + // 06 09 // OBJECT-IDENTIFIER (9 BYTES) -- algorithm + // 60 86 48 01 65 03 04 02 01 // sha256 [2.16.840.1.101.3.4.2.1] + // 05 00 // NULL (0 BYTES) -- parameters + // + // Example from: https://uefi.org/revocationlistfile + // + // 2. With ContentInfo + // 30 82 05 90 // SEQUENCE (1424 BYTES) -- ContentInfo + // 06 09 // OBJECT-IDENTIFIER (9 BYTES) -- ContentType + // 2a 86 48 86 f7 0d 01 07 02 // signedData [1.2.840.113549.1.7.2] + // a0 82 05 81 // CONTEXT-SPECIFIC CONSTRUCTED TAG 0 (1409 BYTES) -- content + // 30 82 05 7d // SEQUENCE (1405 BYTES) -- SignedData + // 02 01 01 // INTEGER 1 -- Version + // 31 0f // SET (1 element) (15 BYTES) -- DigestAlgorithmIdentifiers + // 30 0d // SEQUENCE (13 BYTES) -- AlgorithmIdentifier + // 06 09 // OBJECT-IDENTIFIER (9 BYTES) -- algorithm + // 60 86 48 01 65 03 04 02 01 // sha256 [2.16.840.1.101.3.4.2.1] + // 05 00 // NULL (0 BYTES) -- parameters + // + // Example generated with: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Manual_process // if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { - if (SigDataSize >= (13 + sizeof (mSha256OidValue))) { - if ((((SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) \|\| - (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) - { - return EFI_SECURITY_VIOLATION; - } + if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue))) + && ( (((SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) + \|\| (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))) + && ( (SigDataSize >= (32 + sizeof (mSha256OidValue))) + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) + \|\| (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)))) + { + return EFI_SECURITY_VIOLATION; } } -- 2.30.2
More All Messages By This Member
Re: [PATCH 1/1] MdeModulePkg: Fix typo of "event" in a comment in Core/Dxe/Event/Event.c Michael D Kinney #98955 Reviewed-by: Michael D Kinney <michael.d.kinney@...> toggle quoted message Show quoted text -----Original Message----- From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Rebecca Cran Sent: Sunday, January 22, 2023 7:25 PM To: devel@edk2.groups.io; Wang, Jian J <jian.j.wang@...>; Gao, Liming <gaoliming@...> Cc: Rebecca Cran <rebecca@...> Subject: [edk2-devel] [PATCH 1/1] MdeModulePkg: Fix typo of "event" in a comment in Core/Dxe/Event/Event.c Signed-off-by: Rebecca Cran <rebecca@...> --- MdeModulePkg/Core/Dxe/Event/Event.c \| 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MdeModulePkg/Core/Dxe/Event/Event.c b/MdeModulePkg/Core/Dxe/Event/Event.c index dc82abb02130..7506803b0b38 100644 --- a/MdeModulePkg/Core/Dxe/Event/Event.c +++ b/MdeModulePkg/Core/Dxe/Event/Event.c @@ -606,7 +606,7 @@ CoreCheckEvent ( } // - // If the even looks signalled, get the lock and clear it + // If the event looks signalled, get the lock and clear it // if (Event->SignalCount != 0) { -- 2.34.1
More All Messages By This Member
[PATCH 1/1] MdeModulePkg: Fix typo of "event" in a comment in Core/Dxe/Event/Event.c Rebecca Cran #98954 Signed-off-by: Rebecca Cran <rebecca@...> --- MdeModulePkg/Core/Dxe/Event/Event.c \| 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MdeModulePkg/Core/Dxe/Event/Event.c b/MdeModulePkg/Core/Dxe/Event/Event.c index dc82abb02130..7506803b0b38 100644 --- a/MdeModulePkg/Core/Dxe/Event/Event.c +++ b/MdeModulePkg/Core/Dxe/Event/Event.c @@ -606,7 +606,7 @@ CoreCheckEvent ( } // - // If the even looks signalled, get the lock and clear it + // If the event looks signalled, get the lock and clear it // if (Event->SignalCount != 0) { -- 2.34.1
More All Messages By This Member
Re: [PATCH v2 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present Yao, Jiewen #98953 reviewed-by: Jiewen Yao <Jiewen.yao@...> 发件人: Jan Bobek <jbobek@...> 发送时间: Monday, January 23, 2023 5:53:48 AM 收件人: devel@edk2.groups.io <devel@edk2.groups.io> 抄送: Jan Bobek <jbobek@...>; Yao, Jiewen <jiewen.yao@...>; Wang, Jian J <jian.j.wang@...>; Xu, Min M <min.m.xu@...> 主题: [PATCH v2 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4305 Based on whether the DER-encoded ContentInfo structure is present in authenticated SetVariable payload or not, the SHA-256 OID can be located at different places. UEFI specification explicitly states the driver shall support both cases, but the old code assumed ContentInfo was not present and incorrectly rejected authenticated variable updates when it were present. Cc: Jiewen Yao <jiewen.yao@...> Cc: Jian J Wang <jian.j.wang@...> Cc: Min Xu <min.m.xu@...> Signed-off-by: Jan Bobek <jbobek@...> --- .../Library/AuthVariableLib/AuthService.c \| 50 ++++++++++++++++--- 1 file changed, 42 insertions(+), 8 deletions(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 054ee4d1d988..9beeca09aeba 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -1925,7 +1925,7 @@ VerifyTimeBasedPayload ( // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the // signature. Only a digest algorithm of SHA-256 is accepted. // - // According to PKCS#7 Definition: + // According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc2315): // SignedData ::= SEQUENCE { // version Version, // digestAlgorithms DigestAlgorithmIdentifiers, @@ -1933,15 +1933,49 @@ VerifyTimeBasedPayload ( // .... } // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm // in VARIABLE_AUTHENTICATION_2 descriptor. - // This field has the fixed offset (+13) and be calculated based on two bytes of length encoding. + // This field has the fixed offset (+13) or (+32) based on whether the DER-encoded + // ContentInfo structure is present or not, and can be calculated based on two + // bytes of length encoding. + // + // Both condition can be handled in WrapPkcs7Data() in CryptPkcs7VerifyCommon.c. + // + // See below examples: + // + // 1. Without ContentInfo + // 30 82 0c da // SEQUENCE (5 element) (3294 BYTES) -- SignedData + // 02 01 01 // INTEGER 1 -- Version + // 31 0f // SET (1 element) (15 BYTES) -- DigestAlgorithmIdentifiers + // 30 0d // SEQUENCE (2 element) (13 BYTES) -- AlgorithmIdentifier + // 06 09 // OBJECT-IDENTIFIER (9 BYTES) -- algorithm + // 60 86 48 01 65 03 04 02 01 // sha256 [2.16.840.1.101.3.4.2.1] + // 05 00 // NULL (0 BYTES) -- parameters + // + // Example from: https://uefi.org/revocationlistfile + // + // 2. With ContentInfo + // 30 82 05 90 // SEQUENCE (1424 BYTES) -- ContentInfo + // 06 09 // OBJECT-IDENTIFIER (9 BYTES) -- ContentType + // 2a 86 48 86 f7 0d 01 07 02 // signedData [1.2.840.113549.1.7.2] + // a0 82 05 81 // CONTEXT-SPECIFIC CONSTRUCTED TAG 0 (1409 BYTES) -- content + // 30 82 05 7d // SEQUENCE (1405 BYTES) -- SignedData + // 02 01 01 // INTEGER 1 -- Version + // 31 0f // SET (1 element) (15 BYTES) -- DigestAlgorithmIdentifiers + // 30 0d // SEQUENCE (13 BYTES) -- AlgorithmIdentifier + // 06 09 // OBJECT-IDENTIFIER (9 BYTES) -- algorithm + // 60 86 48 01 65 03 04 02 01 // sha256 [2.16.840.1.101.3.4.2.1] + // 05 00 // NULL (0 BYTES) -- parameters + // + // Example generated with: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Manual_process // if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { - if (SigDataSize >= (13 + sizeof (mSha256OidValue))) { - if ((((SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) \|\| - (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) - { - return EFI_SECURITY_VIOLATION; - } + if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue))) + && ( (((SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) + \|\| (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))) + && ( (SigDataSize >= (32 + sizeof (mSha256OidValue))) + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) + \|\| (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)))) + { + return EFI_SECURITY_VIOLATION; } } -- 2.30.2
More All Messages By This Member
Event: Tools, CI, Code base construction meeting series - Monday, January 23, 2023 #cal-reminder Group Notification <noreply@...> #98952 Reminder: Tools, CI, Code base construction meeting series When: Monday, January 23, 2023 4:30pm to 5:30pm (UTC-08:00) America/Los Angeles Where: https://github.com/tianocore/edk2/discussions/2614 View Event Description: TianoCore community, Microsoft and Intel will be hosting a series of open meetings to discuss build, CI, tools, and other related topics. If you are interested, have ideas/opinions please join us. These meetings will be Monday 4:30pm Pacific Time on Microsoft Teams. MS Teams Link in following discussion: * https://github.com/tianocore/edk2/discussions/2614 Anyone is welcome to join. tianocore/edk2: EDK II (github.com) tianocore/edk2-basetools: EDK II BaseTools Python tools as a PIP module (github.com) https://github.com/tianocore/edk2-basetools tianocore/edk2-pytool-extensions: Extensions to the edk2 build system allowing for a more robust and plugin based build system and tool execution environment (github.com) https://github.com/tianocore/edk2-pytool-extensions tianocore/edk2-pytool-library: Python library package that supports UEFI development (github.com) https://github.com/tianocore/edk2-pytool-library MS Teams Browser Clients * https://docs.microsoft.com/en-us/microsoftteams/get-clients?tabs=Windows#browser-client
More
[PATCH v2 1/1] SecurityPkg/AuthVariableLib: Check SHA-256 OID with ContentInfo present Jan Bobek #98951 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4305 Based on whether the DER-encoded ContentInfo structure is present in authenticated SetVariable payload or not, the SHA-256 OID can be located at different places. UEFI specification explicitly states the driver shall support both cases, but the old code assumed ContentInfo was not present and incorrectly rejected authenticated variable updates when it were present. Cc: Jiewen Yao <jiewen.yao@...> Cc: Jian J Wang <jian.j.wang@...> Cc: Min Xu <min.m.xu@...> Signed-off-by: Jan Bobek <jbobek@...> --- .../Library/AuthVariableLib/AuthService.c \| 50 ++++++++++++++++--- 1 file changed, 42 insertions(+), 8 deletions(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 054ee4d1d988..9beeca09aeba 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -1925,7 +1925,7 @@ VerifyTimeBasedPayload ( // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the // signature. Only a digest algorithm of SHA-256 is accepted. // - // According to PKCS#7 Definition: + // According to PKCS#7 Definition (https://www.rfc-editor.org/rfc/rfc2315): // SignedData ::= SEQUENCE { // version Version, // digestAlgorithms DigestAlgorithmIdentifiers, @@ -1933,15 +1933,49 @@ VerifyTimeBasedPayload ( // .... } // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm // in VARIABLE_AUTHENTICATION_2 descriptor. - // This field has the fixed offset (+13) and be calculated based on two bytes of length encoding. + // This field has the fixed offset (+13) or (+32) based on whether the DER-encoded + // ContentInfo structure is present or not, and can be calculated based on two + // bytes of length encoding. + // + // Both condition can be handled in WrapPkcs7Data() in CryptPkcs7VerifyCommon.c. + // + // See below examples: + // + // 1. Without ContentInfo + // 30 82 0c da // SEQUENCE (5 element) (3294 BYTES) -- SignedData + // 02 01 01 // INTEGER 1 -- Version + // 31 0f // SET (1 element) (15 BYTES) -- DigestAlgorithmIdentifiers + // 30 0d // SEQUENCE (2 element) (13 BYTES) -- AlgorithmIdentifier + // 06 09 // OBJECT-IDENTIFIER (9 BYTES) -- algorithm + // 60 86 48 01 65 03 04 02 01 // sha256 [2.16.840.1.101.3.4.2.1] + // 05 00 // NULL (0 BYTES) -- parameters + // + // Example from: https://uefi.org/revocationlistfile + // + // 2. With ContentInfo + // 30 82 05 90 // SEQUENCE (1424 BYTES) -- ContentInfo + // 06 09 // OBJECT-IDENTIFIER (9 BYTES) -- ContentType + // 2a 86 48 86 f7 0d 01 07 02 // signedData [1.2.840.113549.1.7.2] + // a0 82 05 81 // CONTEXT-SPECIFIC CONSTRUCTED TAG 0 (1409 BYTES) -- content + // 30 82 05 7d // SEQUENCE (1405 BYTES) -- SignedData + // 02 01 01 // INTEGER 1 -- Version + // 31 0f // SET (1 element) (15 BYTES) -- DigestAlgorithmIdentifiers + // 30 0d // SEQUENCE (13 BYTES) -- AlgorithmIdentifier + // 06 09 // OBJECT-IDENTIFIER (9 BYTES) -- algorithm + // 60 86 48 01 65 03 04 02 01 // sha256 [2.16.840.1.101.3.4.2.1] + // 05 00 // NULL (0 BYTES) -- parameters + // + // Example generated with: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Manual_process // if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { - if (SigDataSize >= (13 + sizeof (mSha256OidValue))) { - if ((((SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) \|\| - (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) - { - return EFI_SECURITY_VIOLATION; - } + if ( ( (SigDataSize >= (13 + sizeof (mSha256OidValue))) + && ( (((SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) + \|\| (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0))) + && ( (SigDataSize >= (32 + sizeof (mSha256OidValue))) + && ( ((*(SigData + 20) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) + \|\| (CompareMem (SigData + 32, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)))) + { + return EFI_SECURITY_VIOLATION; } } -- 2.30.2
More All Messages By This Member
Re: [PATCH V2 04/10] OvmfPkg/IntelTdx: Implement other helper functions in SecTdxHelperLib Min Xu #98950 On January 20, 2023 9:51 PM, Gerd Hoffmann wrote: [Jiewen] No. We cannot move to MdePkg. TCG defines the field to be variable length. Something like below: typedef struct { UINT8 TableDescriptionSize; UINT8 TableDescription[TableDescriptionSize]; UINT64 NumberOfTables; EFI_CONFIGURATION_TABLE TableEntry[NumberOfTables]; } HANDOFF_TABLE_POINTERS2; typedef struct { UINT8 BlobDescriptionSize; UINT8 BlobDescription[BlobDescriptionSize]; EFI_PHYSICAL_ADDRESS BlobBase; UINT64 BlobLength; } HANDOFF_TABLE_POINTERS2; The implementation can choose its own length as they wish. Why doesn't follow TDX standard TCG practices here? As Jiewen mentioned TCG defines the field to be variable length. The implementation can choose its own length. Below are some examples. Tcg2Pei defines its FV_HANDOFF_TABLE_POINTERS2. (https://github.com/tianocore/edk2/blob/master/SecurityPkg/Tcg/Tcg2Pei /Tcg2Pei.c#L126-L136) SmbiosMeasurementDxe defines its SMBIOS_HANDOFF_TABLE_POINTERS2 (https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Universal/ SmbiosMeasurementDxe/SmbiosMeasurementDxe.c#L113-L123) TcgEventLogRecordLib defines the PLATFORM_FIRMWARE_BLOB2_STRUCT and HANDOFF_TABLE_POINTERS2_STRUCT. https://github.com/tianocore/edk2/blob/master/SecurityPkg/Include/Libr ary/TcgEventLogRecordLib.h#L14-L32 I think TDX follow the same practice above to define its own TDX_HANDOFF_TABLE_POINTERS2 and FV_HANDOFF_TABLE_POINTERS2. (FV_HANDOFF_TABLE_POINTERS2 happens to be same as the one in Tcg2Pei.) Ok, that makes sense. The TdHob is tdx-specific, measuring a firmware volume is not. I'm still wondering why the structs for standard events (like the firmware volume) are not in some shared header file ... Hi, Gerd Actually I tried to find some common header file to define the events (the firmware volume). But it seems there is no such header file. Let me check the code again and see if there is such header file. Thanks Min
More All Messages By This Member
[PATCH v1 4/4] SecurityPkg: don't require PK to be self-signed by default Jan Bobek #98949 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506 Change the default value of PcdRequireSelfSignedPk to FALSE in accordance with UEFI spec, which states that PK need not be self-signed when enrolling in setup mode. Note that this relaxes the legacy behavior, which required the PK to be self-signed in this case. Cc: Jiewen Yao <jiewen.yao@...> Cc: Jian J Wang <jian.j.wang@...> Signed-off-by: Jan Bobek <jbobek@...> --- SecurityPkg/SecurityPkg.dec \| 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index d3b7ad7ff6fb..0382090f4e75 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -585,7 +585,7 @@ [PcdsFeatureFlag] # TRUE - Require PK to be self-signed. # FALSE - Do not require PK to be self-signed. # @Prompt Require PK to be self-signed - gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|TRUE\|BOOLEAN\|0x00010027 + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|FALSE\|BOOLEAN\|0x00010027 [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni -- 2.30.2
More All Messages By This Member
[PATCH v1 2/4] OvmfPkg: require self-signed PK when secure boot is enabled Jan Bobek #98948 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506 In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring self-signed PK when SECURE_BOOT_ENABLE is TRUE. Cc: Ard Biesheuvel <ardb+tianocore@...> Cc: Jiewen Yao <jiewen.yao@...> Cc: Jordan Justen <jordan.l.justen@...> Cc: Gerd Hoffmann <kraxel@...> Cc: Rebecca Cran <rebecca@...> Cc: Peter Grehan <grehan@...> Cc: Sebastien Boeuf <sebastien.boeuf@...> Signed-off-by: Jan Bobek <jbobek@...> --- OvmfPkg/Bhyve/BhyveX64.dsc \| 3 +++ OvmfPkg/CloudHv/CloudHvX64.dsc \| 3 +++ OvmfPkg/IntelTdx/IntelTdxX64.dsc \| 3 +++ OvmfPkg/Microvm/MicrovmX64.dsc \| 3 +++ OvmfPkg/OvmfPkgIa32.dsc \| 3 +++ OvmfPkg/OvmfPkgIa32X64.dsc \| 3 +++ OvmfPkg/OvmfPkgX64.dsc \| 3 +++ 7 files changed, 21 insertions(+) diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index befec670d4f3..66a2ae8868e5 100644 --- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -422,6 +422,9 @@ [PcdsFeatureFlag] gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport\|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport\|FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdInstallAcpiSdtProtocol\|TRUE +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|TRUE +!endif [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdPciDisableBusEnumeration\|TRUE diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc index 7326417eab62..9cb267f98942 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc @@ -480,6 +480,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport\|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache\|FALSE !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|TRUE +!endif [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize\|1 diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX64.dsc index 0f1e970fbbb3..93918b55b1a5 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc @@ -390,6 +390,9 @@ [PcdsFeatureFlag] !ifdef $(CSM_ENABLE) gUefiOvmfPkgTokenSpaceGuid.PcdCsmEnable\|TRUE !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|TRUE +!endif [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize\|1 diff --git a/OvmfPkg/Microvm/MicrovmX64.dsc b/OvmfPkg/Microvm/MicrovmX64.dsc index 2d53b5c2950d..3c988f3e65e0 100644 --- a/OvmfPkg/Microvm/MicrovmX64.dsc +++ b/OvmfPkg/Microvm/MicrovmX64.dsc @@ -476,6 +476,9 @@ [PcdsFeatureFlag] gEfiMdeModulePkgTokenSpaceGuid.PcdConOutGopSupport\|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdConOutUgaSupport\|FALSE gEfiMdeModulePkgTokenSpaceGuid.PcdInstallAcpiSdtProtocol\|TRUE +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|TRUE +!endif [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize\|1 diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index f232de13a7b6..22dc29330d2d 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -488,6 +488,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport\|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache\|FALSE !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|TRUE +!endif [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize\|1 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index a9d422bd9169..6b539814bdb0 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -493,6 +493,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport\|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache\|FALSE !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|TRUE +!endif [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize\|1 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 3f970a79a08a..f6b8b342c4ed 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -513,6 +513,9 @@ [PcdsFeatureFlag] gUefiCpuPkgTokenSpaceGuid.PcdCpuHotPlugSupport\|TRUE gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache\|FALSE !endif +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|TRUE +!endif [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdStatusCodeMemorySize\|1 -- 2.30.2
More All Messages By This Member
[PATCH v1 3/4] ArmVirtPkg: require self-signed PK when secure boot is enabled Jan Bobek #98947 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506 In all DSC files that define SECURE_BOOT_ENABLE, opt-in into requiring self-signed PK when SECURE_BOOT_ENABLE is TRUE. Cc: Ard Biesheuvel <ardb+tianocore@...> Cc: Leif Lindholm <quic_llindhol@...> Cc: Sami Mujawar <sami.mujawar@...> Cc: Gerd Hoffmann <kraxel@...> Signed-off-by: Jan Bobek <jbobek@...> --- ArmVirtPkg/ArmVirtCloudHv.dsc \| 4 ++++ ArmVirtPkg/ArmVirtQemu.dsc \| 4 ++++ ArmVirtPkg/ArmVirtQemuKernel.dsc \| 4 ++++ 3 files changed, 12 insertions(+) diff --git a/ArmVirtPkg/ArmVirtCloudHv.dsc b/ArmVirtPkg/ArmVirtCloudHv.dsc index 7ca7a391d9cf..dc33936d6f03 100644 --- a/ArmVirtPkg/ArmVirtCloudHv.dsc +++ b/ArmVirtPkg/ArmVirtCloudHv.dsc @@ -85,6 +85,10 @@ [PcdsFeatureFlag.common] gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport\|TRUE +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|TRUE +!endif + [PcdsFixedAtBuild.common] !if $(ARCH) == AARCH64 gArmTokenSpaceGuid.PcdVFPEnabled\|1 diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc index 0f1c6395488a..31fd0e5279ab 100644 --- a/ArmVirtPkg/ArmVirtQemu.dsc +++ b/ArmVirtPkg/ArmVirtQemu.dsc @@ -145,6 +145,10 @@ [PcdsFeatureFlag.common] gArmVirtTokenSpaceGuid.PcdTpm2SupportEnabled\|$(TPM2_ENABLE) +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|TRUE +!endif + [PcdsFixedAtBuild.common] !if $(ARCH) == AARCH64 gArmTokenSpaceGuid.PcdVFPEnabled\|1 diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc index 807c85d48285..1e0f06c91137 100644 --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc @@ -114,6 +114,10 @@ [PcdsFeatureFlag.common] gEfiMdeModulePkgTokenSpaceGuid.PcdTurnOffUsbLegacySupport\|TRUE +!if $(SECURE_BOOT_ENABLE) == TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|TRUE +!endif + [PcdsFixedAtBuild.common] !if $(ARCH) == AARCH64 gArmTokenSpaceGuid.PcdVFPEnabled\|1 -- 2.30.2
More All Messages By This Member
[PATCH v1 1/4] SecurityPkg: limit verification of enrolled PK in setup mode Jan Bobek #98946 REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506 Per UEFI spec, enrolling a new PK in setup mode should not require a self-signature. Introduce a feature PCD called PcdRequireSelfSignedPk to control this requirement. Default to TRUE in order to preserve the legacy behavior. Cc: Jiewen Yao <jiewen.yao@...> Cc: Jian J Wang <jian.j.wang@...> Cc: Min Xu <min.m.xu@...> Co-authored-by: Matthew Carlson <macarl@...> Signed-off-by: Jan Bobek <jbobek@...> --- SecurityPkg/SecurityPkg.dec \| 7 +++++++ SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf \| 3 +++ SecurityPkg/Library/AuthVariableLib/AuthService.c \| 9 +++++++-- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 8257f11d17c7..d3b7ad7ff6fb 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -580,5 +580,12 @@ [PcdsDynamic, PcdsDynamicEx] ## This PCD records LASA field in CC EVENTLOG ACPI table. gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa\|0\|UINT64\|0x00010026 +[PcdsFeatureFlag] + ## Indicates if the platform requires PK to be self-signed when setting the PK in setup mode. + # TRUE - Require PK to be self-signed. + # FALSE - Do not require PK to be self-signed. + # @Prompt Require PK to be self-signed + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\|TRUE\|BOOLEAN\|0x00010027 + [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf index 8eadeebcebd7..e5985c5f8b60 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf @@ -86,3 +86,6 @@ [Guids] gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate. gEfiCertPkcs7Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate. gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature. + +[FeaturePcd] + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 054ee4d1d988..e9989695626e 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -603,7 +603,10 @@ ProcessVarWithPk ( // Init state of Del. State may change due to secure check // Del = FALSE; - if ((InCustomMode () && UserPhysicalPresent ()) \|\| ((mPlatformMode == SETUP_MODE) && !IsPk)) { + if ( (InCustomMode () && UserPhysicalPresent ()) + \|\| ( (mPlatformMode == SETUP_MODE) + && !(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk))) + { Payload = (UINT8 *)Data + AUTHINFO2_SIZE (Data); PayloadSize = DataSize - AUTHINFO2_SIZE (Data); if (PayloadSize == 0) { @@ -627,7 +630,9 @@ ProcessVarWithPk ( return Status; } - if ((mPlatformMode != SETUP_MODE) \|\| IsPk) { + if ( (mPlatformMode != SETUP_MODE) + \|\| (FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk)) + { Status = VendorKeyIsModified (); } } else if (mPlatformMode == USER_MODE) { -- 2.30.2
More All Messages By This Member
[PATCH v1 0/4] Don't require self-signed PK in setup mode Jan Bobek #98945 Hi all, I'm sending out v1 of my patch series that addresses a UEFI spec non-compliance when enrolling PK in setup mode. Additional info can be found in bugzilla [1]; the changes are split into 4 patches as suggested by Laszlo Ersek in comment #4. I've based my work on the patch by Matthew Carlson; I've credited him with co-authorship of the first patch even though in the end I decided to do the implementation a bit differently. Comments & reviews welcome! Cheers, -Jan References: 1. https://bugzilla.tianocore.org/show_bug.cgi?id=2506 Jan Bobek (4): SecurityPkg: limit verification of enrolled PK in setup mode OvmfPkg: require self-signed PK when secure boot is enabled ArmVirtPkg: require self-signed PK when secure boot is enabled SecurityPkg: don't require PK to be self-signed by default SecurityPkg/SecurityPkg.dec \| 7 +++++++ ArmVirtPkg/ArmVirtCloudHv.dsc \| 4 ++++ ArmVirtPkg/ArmVirtQemu.dsc \| 4 ++++ ArmVirtPkg/ArmVirtQemuKernel.dsc \| 4 ++++ OvmfPkg/Bhyve/BhyveX64.dsc \| 3 +++ OvmfPkg/CloudHv/CloudHvX64.dsc \| 3 +++ OvmfPkg/IntelTdx/IntelTdxX64.dsc \| 3 +++ OvmfPkg/Microvm/MicrovmX64.dsc \| 3 +++ OvmfPkg/OvmfPkgIa32.dsc \| 3 +++ OvmfPkg/OvmfPkgIa32X64.dsc \| 3 +++ OvmfPkg/OvmfPkgX64.dsc \| 3 +++ SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf \| 3 +++ SecurityPkg/Library/AuthVariableLib/AuthService.c \| 9 +++++++-- 13 files changed, 50 insertions(+), 2 deletions(-) -- 2.30.2
More All Messages By This Member
Re: [PATCH v1 1/1] .devcontainer/devcontainer.json: Add devcontainer file Michael Kubacki #98944 I think that's a good idea. edk2-pytool-extensions has a .vscode/settings.json file that has been useful for local python linting and testing that helps catch issues before CI. For example: https://github.com/tianocore/edk2-pytool-extensions/blob/master/.vscode/settings.json toggle quoted message Show quoted text On 1/20/2023 4:22 PM, Rebecca Cran wrote: Related to this, I've been wondering if we might want to commit a .vscode directory with project configuration file(s)? Also perhaps a .editorconfig file? -- Rebecca Cran On 1/20/23 13:51, Michael Kubacki wrote: From: Michael Kubacki<michael.kubacki@...> Tianocore maintains container images in the tianocore/containers repo and stores container images within the GitHub container registry. https://github.com/tianocore/containers This change adds a devcontainer.json file to the edk2 repo. This file's metadata and settings to configurate a development container for a given well-defined tool and runtime stack. More information about the devcontainer.json file is available here: https://containers.dev/implementors/json_reference/ This file is recognized by popular tools such as GitHub Codespaces and VS Code. In VS Code in particular, it makes it much easier for a user to be aware a dev container exists (via UI notifications) and to load the container. A minimal number of VS Code extensions are specified that are useful for edk2 development or to assist in complying with CI checks in place in edk2. Cc: Andrew Fish<afish@...> Cc: Chris Fernald<chris.fernald@...> Cc: Leif Lindholm<quic_llindhol@...> Cc: Michael D Kinney<michael.d.kinney@...> Cc: Oliver Steffen<osteffen@...> Signed-off-by: Michael Kubacki<michael.kubacki@...> --- .devcontainer/devcontainer.json \| 16 ++++++++++++++++ Maintainers.txt \| 5 +++++ 2 files changed, 21 insertions(+) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 000000000000..592bb8cf6626 --- /dev/null +++ b/.devcontainer/devcontainer.json @@ -0,0 +1,16 @@ +{ + "image": "ghcr.io/tianocore/containers/fedora-35-dev:latest", + "postCreateCommand": "git config --global --add safe.directory * && pip install --upgrade -r pip-requirements.txt", + "customizations": { + "vscode": { + "extensions": [ + "DavidAnson.vscode-markdownlint", + "ms-azuretools.vscode-docker", + "ms-vscode-remote.remote-containers", + "ms-vscode.cpptools", + "walonli.edk2-vscode", + "zachflower.uncrustify" + ] + } + } +} diff --git a/Maintainers.txt b/Maintainers.txt index 68f603b48398..4aa7973d5156 100644 --- a/Maintainers.txt +++ b/Maintainers.txt @@ -117,6 +117,11 @@ M: Michael Kubacki<mikuback@...> [makubacki] R: Michael D Kinney<michael.d.kinney@...> [mdkinney] R: Liming Gao<gaoliming@...> [lgao4] +.devcontainer/ +F: .devcontainer/ +M: Michael Kubacki<mikuback@...> [makubacki] +R: Chris Fernald<chris.fernald@...> [cfernald] + .github/ F: .github/ M: Sean Brogan<sean.brogan@...> [spbrogan]
More All Messages By This Member
Re: [PATCH 1/3] UsbNetworkPkg/UsbRndis: Add USB RNDIS devices support Rebecca Cran #98943 Hi Richard, I've continued working on my USB EEM support, and just pushed my changes to https://github.com/bcran/edk2/tree/usb-net . I was wondering when you think you might have the next set of patches ready for review? Thanks. Rebecca Cran toggle quoted message Show quoted text On 1/12/23 01:36, RichardHo [何明忠] via groups.io wrote: Hi Michael, We add this patch in my X86 platform and use the NCM device to test IPV4 PXE boot from 1330MB ISO file. No this patch: 35 sec to download 1330M ISO file Add this patch: 181 sec to download 1330M ISO file The patch will increase boot time in my X86 platform. Thanks, Richard -----Original Message----- From: Michael Brown <mcb30@...> Sent: 2023年1月10日 7:50 AM To: devel@edk2.groups.io; tinhnguyen@...; Richard Ho (何明忠) <RichardHo@...> Subject: [EXTERNAL] Re: [edk2-devel] [PATCH 1/3] UsbNetworkPkg/UsbRndis: Add USB RNDIS devices support CAUTION: The e-mail below is from an external source. Please exercise caution before opening attachments, clicking links, or following guidance. On 08/01/2023 10:41, tinhnguyen via groups.io wrote: The root cause is that we spend a long time waiting for USB UsbBulkTransfer to complete, but if there is no data to communicate -> it will always time out. Coincidentally, I have just implemented a fix for this. It works by implementing a simple credit-based rate limiter. Calls to UsbEthReceive() are limited to 10 per second while the receive datapath is idle. No limiting takes place while the receive datapath is active. I have tried to match the existing code style (i.e. zero explanatory comments). Richard Ho: please consider using this rate limiting approach (or something very similar). Patch inline below: diff --git a/UsbNetworkPkg/Include/Protocol/EdkIIUsbEthernetProtocol.h b/UsbNetworkPkg/Include/Protocol/EdkIIUsbEthernetProtocol.h index df6ebc64ef..d0e2048114 100644 --- a/UsbNetworkPkg/Include/Protocol/EdkIIUsbEthernetProtocol.h +++ b/UsbNetworkPkg/Include/Protocol/EdkIIUsbEthernetProtocol.h @@ -160,6 +160,8 @@ typedef struct { UINT8 CurrentNodeAddress[PXE_MAC_LENGTH]; UINT8 BroadcastNodeAddress[PXE_MAC_LENGTH]; EFI_USB_DEVICE_REQUEST Request; + EFI_EVENT RateLimiter; + UINTN RateLimitCredit; } NIC_DATA; #define NIC_DATA_SIGNATURE SIGNATURE_32('n', 'i', 'c', 'd') diff --git a/UsbNetworkPkg/NetworkCommon/DriverBinding.h b/UsbNetworkPkg/NetworkCommon/DriverBinding.h index 946727ffc9..ae1d3c201e 100644 --- a/UsbNetworkPkg/NetworkCommon/DriverBinding.h +++ b/UsbNetworkPkg/NetworkCommon/DriverBinding.h @@ -25,6 +25,8 @@ #define RX_BUFFER_COUNT 32 #define TX_BUFFER_COUNT 32 #define MEMORY_REQUIRE 0 +#define RATE_LIMITER_INTERVAL 1000000 // 10Hz +#define RATE_LIMITER_BURST 10 #define UNDI_DEV_SIGNATURE SIGNATURE_32('u','n','d','i') #define UNDI_DEV_FROM_THIS(a) CR(a, NIC_DEVICE, NiiProtocol, UNDI_DEV_SIGNATURE) diff --git a/UsbNetworkPkg/NetworkCommon/PxeFunction.c b/UsbNetworkPkg/NetworkCommon/PxeFunction.c index fd53a215a4..2a9b4f6111 100644 --- a/UsbNetworkPkg/NetworkCommon/PxeFunction.c +++ b/UsbNetworkPkg/NetworkCommon/PxeFunction.c @@ -29,6 +29,21 @@ API_FUNC gUndiApiTable[] = { UndiReceive }; +STATIC +VOID +EFIAPI +UndiRateLimiterCallback ( + IN EFI_EVENT Event, + IN VOID Context + ) +{ + NIC_DATA Nic = Context; + + if (Nic->RateLimitCredit < RATE_LIMITER_BURST) { + Nic->RateLimitCredit++; + } +} + / This command is used to determine the operational state of the UNDI. @@ -100,9 +115,6 @@ UndiStart ( Cdb->StatFlags = PXE_STATFLAGS_COMMAND_FAILED; Cdb->StatCode = PXE_STATCODE_INVALID_CDB; return; - } else { - Cdb->StatFlags = PXE_STATFLAGS_COMMAND_COMPLETE; - Cdb->StatCode = PXE_STATCODE_SUCCESS; } if (Nic->State != PXE_STATFLAGS_GET_STATE_STOPPED) { @@ -120,14 +132,46 @@ UndiStart ( Nic->PxeStart.UnMap_Mem = 0; Nic->PxeStart.Sync_Mem = Cpb->Sync_Mem; Nic->PxeStart.Unique_ID = Cpb->Unique_ID; - Nic->State = PXE_STATFLAGS_GET_STATE_STARTED; + + Status = gBS->CreateEvent ( + EVT_TIMER \| EVT_NOTIFY_SIGNAL, + TPL_CALLBACK, + UndiRateLimiterCallback, + Nic, + &Nic->RateLimiter + ); + if (EFI_ERROR (Status)) { + goto ErrorCreateEvent; + } + + Status = gBS->SetTimer ( + Nic->RateLimiter, + TimerPeriodic, + RATE_LIMITER_INTERVAL + ); + if (EFI_ERROR (Status)) { + goto ErrorSetTimer; + } if (Nic->UsbEth->UsbEthUndi.UsbEthUndiStart != NULL) { Status = Nic->UsbEth->UsbEthUndi.UsbEthUndiStart (Cdb, Nic); if (EFI_ERROR (Status)) { - Cdb->StatFlags = PXE_STATFLAGS_COMMAND_FAILED; + goto ErrorUndiStart; } } + + Nic->State = PXE_STATFLAGS_GET_STATE_STARTED; + Cdb->StatFlags = PXE_STATFLAGS_COMMAND_COMPLETE; Cdb->StatCode = + PXE_STATCODE_SUCCESS; return; + + ErrorUndiStart: + gBS->SetTimer (&Nic->RateLimiter, TimerCancel, 0); + ErrorSetTimer: + gBS->CloseEvent (&Nic->RateLimiter); + ErrorCreateEvent: + Cdb->StatFlags = PXE_STATFLAGS_COMMAND_FAILED; Cdb->StatCode = + PXE_STATCODE_DEVICE_FAILURE; } / @@ -183,6 +227,10 @@ UndiStop ( Nic->PxeStart.Sync_Mem = 0; Nic->State = PXE_STATFLAGS_GET_STATE_STOPPED; + gBS->SetTimer (&Nic->RateLimiter, TimerCancel, 0); + + gBS->CloseEvent (&Nic->RateLimiter); + if (Nic->UsbEth->UsbEthUndi.UsbEthUndiStop != NULL) { Status = Nic->UsbEth->UsbEthUndi.UsbEthUndiStop (Cdb, Nic); if (EFI_ERROR (Status)) { @@ -1506,8 +1554,13 @@ Receive ( } while (1) { + if (Nic->RateLimitCredit == 0) { + break; + } + Status = Nic->UsbEth->UsbEthReceive (Cdb, Nic->UsbEth, (VOID *)BulkInData, &DataLength); if (EFI_ERROR (Status)) { + Nic->RateLimitCredit--; break; } Thanks, Michael -The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then delete or destroy all copies of the transmission.
More All Messages By This Member

6721 - 6740 of 105588

Home Hashtags Subgroups Calendar About Features Pricing Updates Terms Help Twitter