[EXTERNAL] [edk2-discuss] Customize Secure Boot Configuration
Yao, Jiewen
We generate the FD image with an empty var storage FV.

Then use a tool to enroll the PK, KEK, DB - https://github.com/tianocore/edk2-staging/blob/TDVF/TdvfPkg/scripts/VarEnroll.py

Thank you
Yao Jiewen
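The payload such an enrollment tool writes into db (and dbx) is a chain of EFI_SIGNATURE_LIST structures, each holding EFI_SIGNATURE_DATA entries (owner GUID plus a certificate or hash). The following is an added example, not part of this thread or of VarEnroll.py: it packs that layout from a constructed placeholder certificate (not a real DER certificate) and two sample hashes, and parses it back while validating the size fields rather than trusting them, which is the check a firmware-side consumer also has to make.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")
GUID_LEN = 16

def build_esl(sig_type, owner, blobs):
    """Pack one EFI_SIGNATURE_LIST; every EFI_SIGNATURE_DATA entry is owner GUID + blob."""
    if not blobs or len({len(b) for b in blobs}) != 1:
        raise ValueError("a signature list needs one or more entries of equal size")
    sig_size = GUID_LEN + len(blobs[0])
    list_size = ESL_HEADER.size + sig_size * len(blobs)
    out = ESL_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    return out + b"".join(owner.bytes_le + b for b in blobs)

def parse_esl(buf):
    """Walk concatenated EFI_SIGNATURE_LISTs (the db/dbx variable layout).
    Size fields come from storage, so every one is bounds-checked before use."""
    entries, off = [], 0
    while off < len(buf):
        if len(buf) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(buf, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(buf):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = list_size - ESL_HEADER.size - hdr_size
        if sig_size <= GUID_LEN or body % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos, end = off + ESL_HEADER.size + hdr_size, off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=buf[pos:pos + GUID_LEN])
            entries.append((sig_type, owner, bytes(buf[pos + GUID_LEN:pos + sig_size])))
            pos += sig_size
        off = end
    return entries

# Constructed sample input (NOT a real certificate): 24 placeholder DER bytes and two hashes.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"\xab" * 20
SAMPLE_HASHES = [bytes(32), bytes([0x42]) * 32]

def sample_db_payload():
    """What a db enrollment tool would write: an X.509 list followed by a SHA-256 list."""
    return (build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT])
            + build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES))
```

With real input, replace SAMPLE_CERT with the DER bytes of the .cer file; for PK and KEK the same structure applies, only the variable written differs.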
Vu Dinh
Hi Yao,

The "read only FV" that you mentioned is generated by a tool? I have the PK, KEK, DB, DBX .cer files and don't know how to merge them into a FV file to include in the FDF file in edk2.

Thank you!
Vu
Yao, Jiewen
Good point Bret. I can think of some ways:

1) You can construct a read-only FV for variable storage and provision the PK, KEK, DB there. Just use a read-only FVB.
2) You can embed PK, KEK, DB in FFS. Then use a special provision driver to create these variables during boot. You just need an emulator variable driver.

You can make a decision based upon the current FVB driver or variable driver.

Thank you!
Yao, Jiewen

On Apr 7, 2021, at 12:07 AM, Bret Barkelew via groups.io <bret.barkelew@...> wrote:
Bret Barkelew <bret.barkelew@...>
There are a few ways you could accomplish this, but I'm not aware of any "built-in" mechanism.

To get you started, I'd take a look at the implementation of these:
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf

The built-in version refers to database variables, but you could easily write your own that just referred to PCDs for PK and KEK (in the AuthVariableLib) and db, dbx (aka EFI_IMAGE_SECURITY_DATABASE and EFI_IMAGE_SECURITY_DATABASE2 in DxeImageVerificationLib).

- Bret

From: Vu Dinh via groups.io <vu.dinh@...>
Sent: Tuesday, April 6, 2021 7:58 AM
To: discuss@edk2.groups.io
Subject: [EXTERNAL] [edk2-discuss] Customize Secure Boot Configuration

Dear all,

I'm currently developing a UEFI payload with Secure Boot enabled. I want to customize the Secure Boot configuration (PK, KEK, DB, DBX) at build time in Edk2 instead of changing Secure Boot in BIOS Setup. Please tell me what I should do to customize the Secure Boot configuration.

Thanks,
Vu