[PATCH v2 0/6] Secure Boot default keys


Grzegorz Bernacki
 

This patchset adds support for initialization of default
Secure Boot variables based on keys content embedded in
flash binary. This feature is active only if Secure Boot
is enabled and DEFAULT_KEY is defined. The patchset
also contains an application to enroll keys from default
variables and a secure boot menu change to allow the user
to reset key content to default values.
Discussion on design can be found at:
https://edk2.groups.io/g/rfc/topic/82139806#600

I also added a patch for RPi4 which enables this feature for
that platform.

Changes since v1:
- change names:
SecBootVariableLib => SecureBootVariableLib
SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
- change name of function CheckSetupMode to GetSetupMode
- remove ShellPkg dependency from EnrollFromDefaultKeysApp
- rebase to master

Grzegorz Bernacki (6):
[edk2]
SecurityPkg: Create library for setting Secure Boot variables.
SecurityPkg: Create include file for default key content.
SecurityPkg: Add SecureBootDefaultKeysDxe driver
SecurityPkg: Add EnrollFromDefaultKeys application.
SecurityPkg: Add new modules to Security package.
SecurityPkg: Add option to reset secure boot keys.
[edk2-platform]
Platform/RaspberryPi: Enable default Secure Boot variables initialization

SecurityPkg/SecurityPkg.dec | 14 +
SecurityPkg/SecurityPkg.dsc | 5 +
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 +
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 79 ++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 +
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 46 +
SecurityPkg/Include/Library/SecureBootVariableLib.h | 252 +++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 107 +++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 979 ++++++++++++++++++++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 343 ++++---
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 69 ++
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 16 +
SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 ++
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 17 +
17 files changed, 1862 insertions(+), 188 deletions(-)
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc
create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni

--
2.25.1


Min Xu
 

Grzegorz
Have you built this feature with different tool chains, such as VS2017/VS2019/GCC5? And tested it in IA32/X64/AARCH64?
Would you post your test result in the mail?
Thanks much!

-----Original Message-----
From: Grzegorz Bernacki <gjb@...>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: leif@...; ardb+tianocore@...; Samer.El-Haj-
Mahmoud@...; sunny.Wang@...; mw@...;
upstream@...; Yao, Jiewen <jiewen.yao@...>; Wang, Jian J
<jian.j.wang@...>; Xu, Min M <min.m.xu@...>;
lersek@...; Grzegorz Bernacki <gjb@...>
Subject: [PATCH v2 0/6] Secure Boot default keys



Grzegorz Bernacki
 

Hi Min M,

I tested it with Ovmf. I will try other compiler and provide you logs soon.

thanks,
greg

On Fri, 4 Jun 2021 at 10:17, Xu, Min M <min.m.xu@...> wrote:




Grzegorz Bernacki
 

Hi Min M,

Please find log from tests of OvmfX64 built with VS2019 at:
https://drive.google.com/file/d/18w7s6GxIz3aeId22xABMib7I3JX7G9X1/view?usp=sharing

thanks,
greg

On Mon, 7 Jun 2021 at 09:29, Grzegorz Bernacki <gjb@...> wrote:




Min Xu
 

On 06/14/2021 5:48 PM, Grzegorz Bernacki wrote:
> Hi Min M,
>
> Please find log from tests of OvmfX64 built with VS2019 at:
> https://drive.google.com/file/d/18w7s6GxIz3aeId22xABMib7I3JX7G9X1/view?usp=sharing

Usually we summarize the test in a table which is posted in the mail thread, so that
the test result is clear and easy to read. Also in this way the test result can be recorded in
the review thread. I am afraid the test log in the google drive cannot be accessed
one day.

> thanks,
> greg




Grzegorz Bernacki
 

Hi Min M,

Sure, I will send the test result after I make changes for the v4
version. Can you please point me to a few mails with the test result
table so I can copy the format?
thanks,
greg

On Thu, 17 Jun 2021 at 03:30, Xu, Min M <min.m.xu@...> wrote:





Min Xu
 

On 06/17/2021, Grzegorz Bernacki wrote:
> Hi Min M,
>
> Sure, I will send the test result after I make changes for the v4 version. Can
> you please point me to a few mails with the test result table so I can copy the
> format?

Please refer to https://edk2.groups.io/g/devel/message/74239
Just summarize the validation you do.

> thanks,
> greg

Thanks
Min