Re: [EXTERNAL] [edk2-discuss] Customize Secure Boot Configuration


Bret Barkelew <bret.barkelew@...>

There are a few ways you could accomplish this, but I’m not aware of any “built-in” mechanism.

To get you started, I’d take a look at the implementation of these:
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf

The built-in version refers to database variables, but you could easily write your own that just referred to PCDs for PK and KEK (in the AuthVariableLib) and db, dbx (aka EFI_IMAGE_SECURITY_DATABASE and EFI_IMAGE_SECURITY_DATABASE2 in DxeImageVerificationLib).

- Bret
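Whatever source a custom AuthVariableLib/DxeImageVerificationLib reads PK/KEK/db/dbx from, the payload it holds is a chain of EFI_SIGNATURE_LIST structures. The following is an added example (not code from this thread or from EDK2) that builds one such list around a certificate and parses it back with the size checks a firmware consumer should apply; the owner GUID and certificate bytes are constructed placeholders, not a real DER certificate.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI spec: each entry is one DER-encoded X.509 certificate
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HDR = struct.Struct("<16sIII")
OWNER_SIZE = 16  # EFI_SIGNATURE_DATA starts with the SignatureOwner GUID

# Constructed sample values (assumptions): an arbitrary owner GUID and placeholder
# certificate bytes; a real build would embed the DER file of the signing CA.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"\xaa" * 8  # NOT a valid certificate

def build_x509_siglist(owner, cert_der):
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST, the payload format of PK/KEK/db/dbx."""
    sig_size = OWNER_SIZE + len(cert_der)
    list_size = SIGLIST_HDR.size + sig_size
    return (SIGLIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
            + owner.bytes_le + cert_der)

def parse_siglists(blob):
    """Walk concatenated EFI_SIGNATURE_LISTs, returning (type, owner, data) per entry.
    Every size field is checked against the buffer before it is trusted, which is
    the discipline a firmware-side consumer of these blobs needs as well."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        body, end = off + SIGLIST_HDR.size + hdr_size, off + list_size
        if end > len(blob) or body > end:
            raise ValueError("SignatureListSize/SignatureHeaderSize exceed buffer")
        if sig_size <= OWNER_SIZE or (end - body) % sig_size:
            raise ValueError("SignatureSize does not tile the list body")
        for pos in range(body, end, sig_size):
            entry = blob[pos:pos + sig_size]
            entries.append((uuid.UUID(bytes_le=sig_type),
                            uuid.UUID(bytes_le=entry[:OWNER_SIZE]),
                            entry[OWNER_SIZE:]))
        off = end
    return entries

def is_well_formed(blob):
    """True if the blob parses without any size inconsistency."""
    try:
        parse_siglists(blob)
        return True
    except ValueError:
        return False
```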

From: Vu Dinh via groups.io <vu.dinh@...>
Sent: Tuesday, April 6, 2021 7:58 AM
To: discuss@edk2.groups.io
Subject: [EXTERNAL] [edk2-discuss] Customize Secure Boot Configuration

Dear all,

I'm currently developing a UEFI payload with Secure Boot enabled. I want
to customize the Secure Boot configuration (PK, KEK, DB, DBX) at build time
of Edk2 instead of changing Secure Boot in BIOS Setup.

Please tell me what I should do to customize the Secure Boot configuration.

Thanks,

Vu
