[EXTERNAL] [edk2-discuss] Customize Secure Boot Configuration


Bret Barkelew
 

There are a few ways you could accomplish this, but I’m not aware of any “built-in” mechanism.

To get you started, I’d take a look at the implementation of these:
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf

The built-in version refers to database variables, but you could easily write your own that just referred to PCDs for PK and KEK (in the AuthVariableLib) and db and dbx (aka EFI_IMAGE_SECURITY_DATABASE and EFI_IMAGE_SECURITY_DATABASE2 in DxeImageVerificationLib).

- Bret

From: Vu Dinh via groups.io <vu.dinh=xelex.vn@groups.io>
Sent: Tuesday, April 6, 2021 7:58 AM
To: discuss@edk2.groups.io
Subject: [EXTERNAL] [edk2-discuss] Customize Secure Boot Configuration

Dear all,

I'm currently developing a UEFI payload with Secure Boot enabled. I want to customize the Secure Boot configuration (PK, KEK, DB, DBX) at build time of Edk2 instead of changing Secure Boot in BIOS Setup.

Please tell me what I should do to customize the Secure Boot configuration.

Thanks,

Vu


Yao, Jiewen
 

Good point, Bret. I can think of some ways:

1) You can construct a read-only FV for variable storage and provision the PK, KEK and DB there. Just use a read-only FVB.

2) You can embed the PK, KEK and DB in FFS, then use a special provisioning driver to create these variables during boot. You just need an emulator variable driver.

You can make a decision based upon your current FVB driver or variable driver.

Thank you!
Yao, Jiewen

On April 7, 2021, at 12:07 AM, Bret Barkelew via groups.io <bret.barkelew=microsoft.com@groups.io> wrote:

Vu Dinh
 

Hi Yao,

The "read only FV" that you mentioned is generated by a tool? I had PK, KEK, DB, DBX .cer and don't know how to merge them to a FV file to include it to FDF file in edk2.

Thank you!
Vu


Yao, Jiewen
 

We generate the FD image with an empty var storage FV.

Then use a tool to enroll the PK, KEK and DB: https://github.com/tianocore/edk2-staging/blob/TDVF/TdvfPkg/scripts/VarEnroll.py

Thank you
Yao Jiewen

-----Original Message-----
From: discuss@edk2.groups.io <discuss@edk2.groups.io> On Behalf Of Vu Dinh
Sent: Thursday, April 8, 2021 5:03 PM
To: Yao; Yao, Jiewen <jiewen.yao@intel.com>; discuss@edk2.groups.io
Subject: Re: [edk2-discuss] [EXTERNAL] [edk2-discuss] Customize Secure Boot Configuration

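Whatever tool does the enrollment, the .cer files first have to be packed into the EFI_SIGNATURE_LIST layout that the PK/KEK/db/dbx variables carry. The following is an added Python example of that packing and of a strict parser for the result; it is not VarEnroll.py or any edk2 code, and the certificate bytes and the SignatureOwner GUID are constructed stand-ins, not real values.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI spec): SignatureData is one DER-encoded X.509 certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
_HDR = struct.Struct("<16sIII")

def make_x509_siglist(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST holding a single EFI_SIGNATURE_DATA.
    X.509 entries differ in length, so each certificate normally gets its own list."""
    sig_data = owner.bytes_le + der_cert            # EFI_SIGNATURE_DATA = SignatureOwner + data
    sig_size = len(sig_data)
    list_size = _HDR.size + sig_size                # SignatureHeaderSize is 0 for X509 lists
    return _HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size) + sig_data

def parse_siglists(blob: bytes):
    """Walk a concatenation of EFI_SIGNATURE_LISTs (the db/dbx/KEK payload layout) and return
    [(SignatureType, [(SignatureOwner, SignatureData), ...]), ...].
    Every size field is checked; a malformed list raises instead of being silently truncated."""
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        stype, lsize, hsize, ssize = _HDR.unpack_from(blob, off)
        if lsize < _HDR.size or off + lsize > len(blob):
            raise ValueError("bad SignatureListSize")
        body_off = off + _HDR.size + hsize
        body_len = lsize - _HDR.size - hsize
        if body_len < 0 or ssize < 16 or body_len % ssize != 0:
            raise ValueError("SignatureHeaderSize/SignatureSize inconsistent with list body")
        entries = [(uuid.UUID(bytes_le=blob[e:e + 16]), blob[e + 16:e + ssize])
                   for e in range(body_off, body_off + body_len, ssize)]
        out.append((uuid.UUID(bytes_le=stype), entries))
        off += lsize
    return out

# Constructed sample input: NOT real certificates, just stand-ins for DER blobs of different lengths.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # hypothetical SignatureOwner GUID
FAKE_PK_DER = b"\x30\x82" + b"A" * 40
FAKE_KEK_DER = b"\x30\x82" + b"B" * 64

def build_db_payload(certs=(FAKE_PK_DER, FAKE_KEK_DER), owner=OWNER) -> bytes:
    """One list per certificate, concatenated: the variable data as it is stored in the
    var-store FV (or wrapped in EFI_VARIABLE_AUTHENTICATION_2 for a runtime SetVariable)."""
    return b"".join(make_x509_siglist(c, owner) for c in certs)
```

The GUIDs are serialised with bytes_le because EFI_GUID stores its first three fields little-endian; a parser that checks sizes this way will reject a payload whose SignatureSize does not divide the list body, which is the usual symptom of a hand-built db.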