Re: [edk2-devel] [RFC] Secure boot default key
Hi Min Xu,
Yeah, the standalone tool is good and can bring the benefits you mentioned, but I'm still not clear on the standalone tool. Could you give us more information about the standalone tool? Do you mean to have a standalone tool to directly add/modify default secure boot keys in the pre-built Var Store FD image/FV? If so, we thought about that. However, some platforms like RPi4 don't have the pre-built Var Store FD image/FV and may not want to add this to take additional flash space, so I think we can still go with the current proposal first to cover this case and generally cover all the cases. Then, we can separately work on the standalone tool. What do you guys think?
Moreover, there is another thing I'm confused about. We found https://github.com/jyao1/edk2-staging/blob/TDVF/TdvfPkg/scripts/VarEnroll.py that is in the branch owned by you and Jiewen. Is VarEnroll.py the standalone tool you mentioned?
From: email@example.com <firstname.lastname@example.org> On Behalf Of Min Xu via groups.io
Sent: Monday, April 26, 2021 10:18 AM
To: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Laszlo Ersek <email@example.com>; firstname.lastname@example.org; email@example.com
Cc: Marcin Wojtas <firstname.lastname@example.org>; Sunny Wang <Sunny.Wang@arm.com>; Paul Yang <Paul.Yang@arm.com>; email@example.com; Leif Lindholm <firstname.lastname@example.org>; Wang, Jian J <email@example.com>; Yao, Jiewen <firstname.lastname@example.org>
Subject: Re: [edk2-rfc] [edk2-devel] [RFC] Secure boot default key
Agree that it is a good idea to provide a mechanism to enroll the Secure boot keys.
But why not add a standalone tool in BaseTools? For example, a Python script to enroll the Secure Boot keys. I think there are the following benefits:
- The usage of the tool can be flexible. For example, the developer and validation guys can invoke this tool to enroll keys to do the test. Even the CI can leverage this tool to enroll keys in the post-build phase.
- Secure Boot keys can be easily updated. Furthermore, the tool can do more checking on the keys, such as the cert format, key strength, etc.
- Keep EDK2 focused on the key functions. Some other nice-to-have functions can be implemented by the tools in BaseTools.
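Min Xu's point above about a post-build tool that checks the cert format before enrolling, as an added example that is not code from this thread, from EDK2 BaseTools or from VarEnroll.py: a Python sketch that validates the outer DER structure of a certificate and wraps it into the EFI_SIGNATURE_LIST layout used by the PK, KEK, db and dbx variables. The owner GUID and the sample certificate bytes are constructed placeholders.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification: a signature list of this
# type carries whole DER-encoded X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# SignatureOwner is chosen by whoever enrolls the key; this is a constructed
# placeholder GUID, not a value from the mailing-list thread.
EXAMPLE_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")


def der_format_problem(der: bytes):
    """Minimal format check before anything is written to the variable store:
    a DER certificate is one outer SEQUENCE whose encoded length matches the
    buffer. Returns a description of the problem, or None if it looks sane."""
    if der.startswith(b"-----BEGIN"):
        return "PEM input; convert to DER first"
    if len(der) < 2 or der[0] != 0x30:
        return "not a DER SEQUENCE"
    first = der[1]
    if first < 0x80:                       # short form: length in one byte
        length, hdr = first, 2
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return "bad DER length encoding"
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + length != len(der):
        return f"DER length {hdr + length} != buffer {len(der)}"
    return None


def build_x509_signature_list(der: bytes, owner: uuid.UUID = EXAMPLE_OWNER_GUID) -> bytes:
    """Wrap one DER certificate into an EFI_SIGNATURE_LIST, the payload layout
    used by the PK, KEK, db and dbx variables."""
    problem = der_format_problem(der)
    if problem:
        raise ValueError(problem)
    sig_data = owner.bytes_le + der        # EFI_SIGNATURE_DATA: owner GUID + cert
    sig_header_size = 0                    # no per-list header for X.509 lists
    sig_size = len(sig_data)
    list_size = 16 + 4 + 4 + 4 + sig_header_size + sig_size
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", list_size, sig_header_size, sig_size)
    return header + sig_data


# Constructed stand-in for a certificate: a well-formed outer SEQUENCE around
# arbitrary content. A real tool would read the .der/.cer file here instead.
SAMPLE_DER = b"\x30\x05" + b"\x02\x03\x01\x02\x03"
```

The resulting blob is what a tool would place in the PK/KEK/db default variable (or hand to a key-enrollment interface); a PEM file or a truncated DER is rejected before it reaches the flash image.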