Date
1 - 7 of 7
[PATCH v2 0/6] Secure Boot default keys
|
Grzegorz Bernacki
This patchset adds support for initialization of default
Secure Boot variables based on keys content embedded in flash binary. This feature is active only if Secure Boot is enabled and DEFAULT_KEY is defined. The patchset consist also application to enroll keys from default variables and secure boot menu change to allow user to reset key content to default values. Discussion on design can be found at: https://edk2.groups.io/g/rfc/topic/82139806#600 I also added patch for RPi4 which enables this feature for that platform. Changes since v1: - change names: SecBootVariableLib => SecureBootVariableLib SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp - change name of function CheckSetupMode to GetSetupMode - remove ShellPkg dependecy from EnrollFromDefaultKeysApp - rebase to master Grzegorz Bernacki (6): [edk2] SecurityPkg: Create library for setting Secure Boot variables. SecurityPkg: Create include file for default key content. SecurityPkg: Add SecureBootDefaultKeysDxe driver SecurityPkg: Add EnrollFromDefaultKeys application. SecurityPkg: Add new modules to Security package. SecurityPkg: Add option to reset secure boot keys. [edk2-platform] Platform/RaspberryPi: Enable default Secure Boot variables initialization SecurityPkg/SecurityPkg.dec | 14 + SecurityPkg/SecurityPkg.dsc | 5 + SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 + SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 79 ++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 + SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 46 + SecurityPkg/Include/Library/SecureBootVariableLib.h | 252 +++++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 + SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 107 +++ SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 979 ++++++++++++++++++++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 343 ++++--- SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 69 ++ SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 16 + SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 ++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 + SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 17 + 17 files changed, 1862 insertions(+), 188 deletions(-) create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni -- 2.25.1
|
|
|
|
Min Xu
Grzegorz
toggle quoted messageShow quoted text
Have you built this feature with different tool chains, such as VS2017/VS2019/GCC5? And test it in IA32/X64/AARCH64? Would you post your test result in the mail? Thanks much!
-----Original Message-----
|
|
|
|
Grzegorz Bernacki
Hi Min M,
toggle quoted messageShow quoted text
I tested it with Ovmf. I will try other compiler and provide you logs soon. thanks, greg pt., 4 cze 2021 o 10:17 Xu, Min M <min.m.xu@...> napisał(a):
|
|
|
|
Grzegorz Bernacki
Hi Min M,
toggle quoted messageShow quoted text
Please find log from tests of OvmfX64 built with VS2019 at: https://drive.google.com/file/d/18w7s6GxIz3aeId22xABMib7I3JX7G9X1/view?usp=sharing thanks, greg pon., 7 cze 2021 o 09:29 Grzegorz Bernacki <gjb@...> napisał(a):
|
|
|
|
Min Xu
On 06/14/2021 5:48 PM, Grzegorz Bernacki Wrote:
Hi Min M,Usually we summarize the test in a table which is posted in the mail thread, so that the test result is clear and easy to read. Also in this way the test result can be recorded in the review thread. I am afraid the test log in the google drive cannot be accessed one day. thanks,
|
|
|
|
Grzegorz Bernacki
Hi Min M,
toggle quoted messageShow quoted text
Sure, I will send the test result after I make changes for the v4 version. Can you please point me to a few mails with the test result table so I can copy the format? thanks, greg czw., 17 cze 2021 o 03:30 Xu, Min M <min.m.xu@...> napisał(a):
|
|
|
|
Min Xu
On 06/17/2021, Grzegorz Bernacki wrote:
Hi Min M,Please refer to https://edk2.groups.io/g/devel/message/74239 Just summarize the validation you do. Thanks Min
|
|
|