[edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
Wadhawan, Divneil R
divneil.r.wadhawan at intel.com
Fri Sep 18 19:41:11 UTC 2020
Hi Ray,
I saw that a patch merged few hours ago before my patch added RngLib in [LibraryClasses] section of OpensslLib.
This caused the EmulatorPkg Secure boot enable build to fail.
I have generated a PR for fixing it: https://github.com/tianocore/edk2/pull/942
Regards,
Divneil
From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of Wadhawan, Divneil R
Sent: Friday, September 18, 2020 5:28 PM
To: Ni, Ray <ray.ni at intel.com>; devel at edk2.groups.io
Cc: gaoliming <gaoliming at byosoft.com.cn>; 'Andrew Fish' <afish at apple.com>; Justen, Jordan L <jordan.l.justen at intel.com>; Kinney, Michael D <michael.d.kinney at intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan at intel.com>
Subject: Re: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
Hi Ray,
Thanks for your help.
I see the patch is merged now. :)
Regards,
Divneil
From: Ni, Ray <ray.ni at intel.com<mailto:ray.ni at intel.com>>
Sent: Friday, September 18, 2020 5:17 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan at intel.com<mailto:divneil.r.wadhawan at intel.com>>; devel at edk2.groups.io<mailto:devel at edk2.groups.io>
Cc: gaoliming <gaoliming at byosoft.com.cn<mailto:gaoliming at byosoft.com.cn>>; 'Andrew Fish' <afish at apple.com<mailto:afish at apple.com>>; Justen, Jordan L <jordan.l.justen at intel.com<mailto:jordan.l.justen at intel.com>>; Kinney, Michael D <michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
Divneil,
pull request is created: https://github.com/tianocore/edk2/pull/941
If it succeeds, the patch will be merged automatically.
If it fails, please check the specific failure message and provide updated patch.
Thanks,
Ray
From: Ni, Ray
Sent: Thursday, September 17, 2020 4:19 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan at intel.com<mailto:divneil.r.wadhawan at intel.com>>; devel at edk2.groups.io<mailto:devel at edk2.groups.io>
Cc: gaoliming <gaoliming at byosoft.com.cn<mailto:gaoliming at byosoft.com.cn>>; 'Andrew Fish' <afish at apple.com<mailto:afish at apple.com>>; Justen, Jordan L <jordan.l.justen at intel.com<mailto:jordan.l.justen at intel.com>>; Kinney, Michael D <michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
Reviewed-by: Ray Ni <ray.ni at intel.com<mailto:ray.ni at intel.com>>
From: Wadhawan, Divneil R <divneil.r.wadhawan at intel.com<mailto:divneil.r.wadhawan at intel.com>>
Sent: Thursday, September 17, 2020 3:43 PM
To: Ni, Ray <ray.ni at intel.com<mailto:ray.ni at intel.com>>; devel at edk2.groups.io<mailto:devel at edk2.groups.io>
Cc: gaoliming <gaoliming at byosoft.com.cn<mailto:gaoliming at byosoft.com.cn>>; 'Andrew Fish' <afish at apple.com<mailto:afish at apple.com>>; Justen, Jordan L <jordan.l.justen at intel.com<mailto:jordan.l.justen at intel.com>>; Kinney, Michael D <michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan at intel.com<mailto:divneil.r.wadhawan at intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
Hi Ray,
Yes, I have tested the following:
1. SECURE_BOOT_ENABLE=true
* Key Enrollment (PK, KEK, db) via custom mode
* Execution of unit test shell application (signed one works okay, unsigned gives an Access denied)
1. SECURE_BOOT_ENABLE=false (default case)
* Secure Boot Configuration menu is not visible (Same as existing default case)
* Execution of Unit Test Application (Signed/Unsigned both works okay)
I am planning to post the script in BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=2949 in a day or too.
The script generates the full key hierarchy that makes it easy to test this patch.
The patch in BZ requires modifications as per Mike's comment, so, you can skip the patches in BZ for now.
Regards,
Divneil
From: Ni, Ray <ray.ni at intel.com<mailto:ray.ni at intel.com>>
Sent: Thursday, September 17, 2020 12:49 PM
To: Wadhawan, Divneil R <divneil.r.wadhawan at intel.com<mailto:divneil.r.wadhawan at intel.com>>; devel at edk2.groups.io<mailto:devel at edk2.groups.io>
Cc: gaoliming <gaoliming at byosoft.com.cn<mailto:gaoliming at byosoft.com.cn>>; 'Andrew Fish' <afish at apple.com<mailto:afish at apple.com>>; Justen, Jordan L <jordan.l.justen at intel.com<mailto:jordan.l.justen at intel.com>>; Kinney, Michael D <michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>>
Subject: RE: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
Divneil,
Just want to double confirm: did you test the secure boot and non-secure boot?
Thanks,
Ray
From: Wadhawan, Divneil R <divneil.r.wadhawan at intel.com<mailto:divneil.r.wadhawan at intel.com>>
Sent: Wednesday, September 16, 2020 11:53 PM
To: devel at edk2.groups.io<mailto:devel at edk2.groups.io>
Cc: Ni, Ray <ray.ni at intel.com<mailto:ray.ni at intel.com>>; gaoliming <gaoliming at byosoft.com.cn<mailto:gaoliming at byosoft.com.cn>>; 'Andrew Fish' <afish at apple.com<mailto:afish at apple.com>>; Justen, Jordan L <jordan.l.justen at intel.com<mailto:jordan.l.justen at intel.com>>; Kinney, Michael D <michael.d.kinney at intel.com<mailto:michael.d.kinney at intel.com>>; Wadhawan, Divneil R <divneil.r.wadhawan at intel.com<mailto:divneil.r.wadhawan at intel.com>>
Subject: [edk2-devel] [PATCH v2] EmulatorPkg: Enable support for Secure Boot
SECURE_BOOT_ENABLE feature flag is introduced to enable Secure Boot.
The following gets enabled with this patch:
o Secure Boot Menu in "Device Manager" for enrolling keys
o Storage space for Authenticated Variables
o Authenticated execution of 3rd party images
Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan at intel.com<mailto:divneil.r.wadhawan at intel.com>>
---
EmulatorPkg/EmulatorPkg.dsc | 37 +++++++++++++++++++++++++++++++++++--
EmulatorPkg/EmulatorPkg.fdf | 14 ++++++++++++++
2 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 86a6271735..c6e25c745e 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -32,6 +32,7 @@
DEFINE NETWORK_TLS_ENABLE = FALSE
DEFINE NETWORK_HTTP_BOOT_ENABLE = FALSE
DEFINE NETWORK_ISCSI_ENABLE = FALSE
+ DEFINE SECURE_BOOT_ENABLE = FALSE
[SkuIds]
0|DEFAULT
@@ -106,12 +107,20 @@
LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
- AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf
ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+ PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
+ AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+!else
+ AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
+!endif
+
[LibraryClasses.common.SEC]
PeiServicesLib|EmulatorPkg/Library/SecPeiServicesLib/SecPeiServicesLib.inf
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
@@ -162,6 +171,16 @@
TimerLib|EmulatorPkg/Library/DxeCoreTimerLib/DxeCoreTimerLib.inf
EmuThunkLib|EmulatorPkg/Library/DxeEmuLib/DxeEmuLib.inf
+[LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+!endif
+
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+!endif
+
[LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_DRIVER, LibraryClasses.common.UEFI_APPLICATION]
HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@@ -190,6 +209,10 @@
gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareFdSize|0x002a0000
gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareBlockSize|0x10000
gEmulatorPkgTokenSpaceGuid.PcdEmuFirmwareVolume|L"../FV/FV_RECOVERY.fd"
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+ gEfiSecurityPkgTokenSpaceGuid.PcdUserPhysicalPresence|TRUE
+!endif
gEmulatorPkgTokenSpaceGuid.PcdEmuMemorySize|L"64!64"
@@ -306,7 +329,14 @@
EmulatorPkg/ResetRuntimeDxe/Reset.inf
MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
EmulatorPkg/FvbServicesRuntimeDxe/FvbServicesRuntimeDxe.inf
- MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
+
+ MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
+ <LibraryClasses>
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+!endif
+ }
+
MdeModulePkg/Universal/EbcDxe/EbcDxe.inf
MdeModulePkg/Universal/MemoryTest/NullMemoryTestDxe/NullMemoryTestDxe.inf
EmulatorPkg/EmuThunkDxe/EmuThunk.inf
@@ -315,6 +345,9 @@
EmulatorPkg/PlatformSmbiosDxe/PlatformSmbiosDxe.inf
EmulatorPkg/TimerDxe/Timer.inf
+!if $(SECURE_BOOT_ENABLE) == TRUE
+ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
<LibraryClasses>
diff --git a/EmulatorPkg/EmulatorPkg.fdf b/EmulatorPkg/EmulatorPkg.fdf
index 295f6f1db8..b256aa9397 100644
--- a/EmulatorPkg/EmulatorPkg.fdf
+++ b/EmulatorPkg/EmulatorPkg.fdf
@@ -46,10 +46,17 @@ DATA = {
# Blockmap[1]: End
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
## This is the VARIABLE_STORE_HEADER
+!if $(SECURE_BOOT_ENABLE) == FALSE
#Signature: gEfiVariableGuid =
# { 0xddcf3616, 0x3275, 0x4164, { 0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d }}
0x16, 0x36, 0xcf, 0xdd, 0x75, 0x32, 0x64, 0x41,
0x98, 0xb6, 0xfe, 0x85, 0x70, 0x7f, 0xfe, 0x7d,
+!else
+ # Signature: gEfiAuthenticatedVariableGuid =
+ # { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 }}
+ 0x78, 0x2c, 0xf3, 0xaa, 0x7b, 0x94, 0x9a, 0x43,
+ 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92,
+!endif
#Size: 0xc000 (gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize) - 0x48 (size of EFI_FIRMWARE_VOLUME_HEADER) = 0xBFB8
# This can speed up the Variable Dispatch a bit.
0xB8, 0xBF, 0x00, 0x00,
@@ -186,6 +193,13 @@ INF RuleOverride = UI MdeModulePkg/Application/UiApp/UiApp.inf
INF MdeModulePkg/Application/BootManagerMenuApp/BootManagerMenuApp.inf
INF MdeModulePkg/Universal/DriverSampleDxe/DriverSampleDxe.inf
+#
+# Secure Boot Key Enroll
+#
+!if $(SECURE_BOOT_ENABLE) == TRUE
+INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+!endif
+
#
# Network stack drivers
#
--
2.24.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#65405): https://edk2.groups.io/g/devel/message/65405
Mute This Topic: https://groups.io/mt/76890431/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/edk2-devel-archive/attachments/20200918/05df8f6a/attachment.htm>
More information about the edk2-devel-archive
mailing list