Re: [EXTERNAL] [edk2-discuss] Customize Secure Boot Configuration


Yao, Jiewen


Good point, Bret. I could think of some ways:

1) You can construct a read-only FV for variable storage and provision the PK/KEK/db there. Just use a read-only FVB.

2) You can embed the PK/KEK/db in FFS. Then use a special provisioning driver to create these variables during boot. You just need an emulator variable driver.

You can make the decision based upon your current FVB driver or variable driver.

Thank you!
Yao, Jiewen

On Apr 7, 2021, at 12:07 AM, Bret Barkelew via groups.io <bret.barkelew=microsoft.com@groups.io> wrote:

There are a few ways you could accomplish this, but I’m not aware of any “built-in” mechanism.

To get you started, I’d take a look at the implementation of these:
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf

The built-in version refers to database variables, but you could easily write your own that just referred to PCDs for PK and KEK (in the AuthVariableLib) and db, dbx (aka EFI_IMAGE_SECURITY_DATABASE and EFI_IMAGE_SECURITY_DATABASE2 in DxeImageVerificationLib).

- Bret

From: Vu Dinh via groups.io <vu.dinh=xelex.vn@groups.io>
Sent: Tuesday, April 6, 2021 7:58 AM
To: discuss@edk2.groups.io
Subject: [EXTERNAL] [edk2-discuss] Customize Secure Boot Configuration

Dear all,

I'm currently developing UEFI payload with Secure Boot enabled. I want
to customize Secure Boot configuration (PK, KEK, DB, DBX) at build time
of Edk2 instead of changing Secure Boot in BIOS Setup.

Please tell me what I should do to customize the Secure Boot configuration.

Thanks,

Vu
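A worked example added here, not code from any message in this thread or from the EDK2 tree: the byte layout a build-time provisioning driver (Jiewen's option 2, or Bret's PCD-backed variant) must hand to gRT->SetVariable() when it enrolls "db" while the platform is still in Setup Mode. The structs follow the UEFI specification (EFI_SIGNATURE_LIST, EFI_VARIABLE_AUTHENTICATION_2); the certificate bytes, owner GUID and timestamp are constructed placeholders, not a real X.509 DER blob, and the build/parse functions are mine. It assumes a little-endian host, which matches how EFI_GUID sits in memory on the targets EDK2 builds for. In a real driver the DER bytes would come from the PCD or FFS file the replies mention, and the finished buffer would be written with EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS.

```c
/* Added example (not from the thread): build and sanity-check the
 * EFI_VARIABLE_AUTHENTICATION_2-wrapped payload for one X.509 entry in "db".
 * Layouts are from the UEFI spec; all sample data below is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#pragma pack(1)
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } EFI_GUID;
typedef struct { EFI_GUID SignatureType; uint32_t SignatureListSize;
                 uint32_t SignatureHeaderSize; uint32_t SignatureSize; } EFI_SIGNATURE_LIST; /* 28 bytes */
typedef struct { uint16_t Year; uint8_t Month, Day, Hour, Minute, Second, Pad1;
                 uint32_t Nanosecond; int16_t TimeZone; uint8_t Daylight, Pad2; } EFI_TIME;  /* 16 bytes */
typedef struct { uint32_t dwLength; uint16_t wRevision; uint16_t wCertificateType;
                 EFI_GUID CertType; /* CertData[] follows */ } WIN_CERTIFICATE_UEFI_GUID;   /* 24 bytes */
typedef struct { EFI_TIME TimeStamp; WIN_CERTIFICATE_UEFI_GUID AuthInfo; } EFI_VARIABLE_AUTHENTICATION_2;
#pragma pack()

/* Spec-defined GUIDs (values from the UEFI specification). */
static const EFI_GUID EFI_CERT_X509_GUID       = {0xa5c059a1,0x94e4,0x4aa7,{0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72}};
static const EFI_GUID EFI_CERT_TYPE_PKCS7_GUID = {0x4aafd29d,0x68df,0x49ee,{0x8a,0xa9,0x34,0x7d,0x37,0x56,0x65,0xa7}};
static const EFI_GUID EFI_IMAGE_SECURITY_DATABASE_GUID = /* vendor GUID of db/dbx */
                                                 {0xd719b2cb,0x3d3a,0x4596,{0xa3,0xbc,0xda,0xd0,0x0e,0x67,0x65,0x6f}};
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
#define WIN_CERT_REVISION      0x0200

/* Wraps one DER certificate in an EFI_SIGNATURE_LIST of type X509 and prefixes
 * the time-based auth descriptor with an EMPTY PKCS#7 body (dwLength covers only
 * the WIN_CERTIFICATE_UEFI_GUID header). In Setup Mode the variable driver does
 * not verify a signature for PK/KEK/db/dbx, but the descriptor must still be
 * well-formed, and the spec requires the Pad/Nanosecond/TimeZone/Daylight fields
 * of the timestamp to be zero. Returns bytes written, or 0 if out is too small. */
size_t BuildAuth2DbPayload(const uint8_t *certDer, uint32_t certLen, const EFI_GUID *owner,
                           const EFI_TIME *ts, uint8_t *out, size_t outCap)
{
    uint32_t sigSize  = (uint32_t)sizeof(EFI_GUID) + certLen;            /* owner GUID + DER */
    uint32_t listSize = (uint32_t)sizeof(EFI_SIGNATURE_LIST) + sigSize;  /* one entry, no header */
    size_t   total    = sizeof(EFI_VARIABLE_AUTHENTICATION_2) + listSize;
    if (total > outCap) return 0;

    EFI_VARIABLE_AUTHENTICATION_2 auth;
    memset(&auth, 0, sizeof auth);
    auth.TimeStamp = *ts;
    auth.TimeStamp.Pad1 = 0; auth.TimeStamp.Nanosecond = 0;
    auth.TimeStamp.TimeZone = 0; auth.TimeStamp.Daylight = 0; auth.TimeStamp.Pad2 = 0;
    auth.AuthInfo.dwLength         = (uint32_t)sizeof(WIN_CERTIFICATE_UEFI_GUID);
    auth.AuthInfo.wRevision        = WIN_CERT_REVISION;
    auth.AuthInfo.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
    auth.AuthInfo.CertType         = EFI_CERT_TYPE_PKCS7_GUID;

    EFI_SIGNATURE_LIST list = { EFI_CERT_X509_GUID, listSize, 0, sigSize };

    uint8_t *p = out;
    memcpy(p, &auth, sizeof auth);  p += sizeof auth;
    memcpy(p, &list, sizeof list);  p += sizeof list;
    memcpy(p, owner, sizeof *owner); p += sizeof *owner;
    memcpy(p, certDer, certLen);
    return total;
}

/* Walks the signature-list chain behind the auth descriptor and returns the
 * number of entries, or -1 if any size field is inconsistent with the buffer.
 * This is the same consistency check a variable driver performs before it
 * accepts a db payload, so a provisioning driver can self-check its image. */
int CountAuth2Entries(const uint8_t *payload, size_t len)
{
    EFI_VARIABLE_AUTHENTICATION_2 auth;
    if (len < sizeof auth) return -1;
    memcpy(&auth, payload, sizeof auth);
    if (auth.AuthInfo.wCertificateType != WIN_CERT_TYPE_EFI_GUID) return -1;
    size_t off = sizeof(EFI_TIME) + auth.AuthInfo.dwLength;   /* skip descriptor + PKCS#7 */
    if (off > len) return -1;

    int count = 0;
    while (off < len) {
        EFI_SIGNATURE_LIST list;
        if (len - off < sizeof list) return -1;
        memcpy(&list, payload + off, sizeof list);
        if (list.SignatureListSize < sizeof list + list.SignatureHeaderSize ||
            list.SignatureListSize > len - off) return -1;
        size_t body = list.SignatureListSize - sizeof list - list.SignatureHeaderSize;
        if (list.SignatureSize <= sizeof(EFI_GUID) || body % list.SignatureSize != 0) return -1;
        count += (int)(body / list.SignatureSize);
        off   += list.SignatureListSize;
    }
    return count;
}

/* Constructed demo input: a 4-byte stand-in for a DER certificate, a zero owner
 * GUID and a fixed timestamp. Returns the payload length (88 for this input). */
size_t DemoDbPayload(uint8_t *buf, size_t cap)
{
    static const uint8_t fakeDer[4] = {0x30, 0x82, 0x01, 0x00};   /* constructed, not a real cert */
    EFI_GUID owner = {0};
    EFI_TIME ts = {2021, 4, 6, 7, 58, 0, 0, 0, 0, 0, 0};
    return BuildAuth2DbPayload(fakeDer, sizeof fakeDer, &owner, &ts, buf, cap);
}

int main(void)
{
    uint8_t buf[256];
    size_t n = DemoDbPayload(buf, sizeof buf);
    printf("payload %zu bytes, %d entr(y/ies), db vendor GUID Data1=%08x\n",
           n, CountAuth2Entries(buf, n), EFI_IMAGE_SECURITY_DATABASE_GUID.Data1);
    return 0;
}
```

The two sizes worth remembering from the output are 40 bytes of descriptor (16-byte EFI_TIME plus 24-byte empty WIN_CERTIFICATE_UEFI_GUID) followed by a 28-byte EFI_SIGNATURE_LIST header; everything after that is owner GUID plus DER. Whichever of the two provisioning routes from the replies you take, keep the parse-side check: a SignatureListSize that does not match the buffer is the most common reason an enrolled db silently fails to load.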