[edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable Libraries
Kun Qin
kuqin12 at gmail.com
Mon Jun 13 20:39:31 UTC 2022
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911
This is a revamp of a previously submitted patch series based on top of
master branch: https://edk2.groups.io/g/devel/message/89507. No changes
added.
Current SecureBootVariableLib provide great support for deleting secure
boot related variables, creating time-based payloads.
However, for secure boot enrollment, the SecureBootVariableProvisionLib
interfaces always assume the changes from variable storage, limiting the
usage, requiring existing platforms to change key initialization process
to adapt to the new methods, as well as bringing in extra dependencies
such as FV protocol, time protocols.
This patch series proposes to update the implementation for Secure Boot
Variable libraries and their consumers to better support the related
variables operations.
Patch v2 branch: https://github.com/kuqin12/edk2/tree/secure_boot_enhance_v2
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Jian J Wang <jian.j.wang at intel.com>
Cc: Min Xu <min.m.xu at intel.com>
Cc: Sean Brogan <sean.brogan at microsoft.com>
Cc: Ard Biesheuvel <ardb+tianocore at kernel.org>
Cc: Jordan Justen <jordan.l.justen at intel.com>
Cc: Gerd Hoffmann <kraxel at redhat.com>
Cc: Rebecca Cran <rebecca at bsdio.com>
Cc: Peter Grehan <grehan at freebsd.org>
Cc: Sebastien Boeuf <sebastien.boeuf at intel.com>
Cc: Andrew Fish <afish at apple.com>
Cc: Ray Ni <ray.ni at intel.com>
Kun Qin (8):
SecurityPkg: UefiSecureBoot: Definitions of cert and payload
structures
SecurityPkg: PlatformPKProtectionLib: Added PK protection interface
SecurityPkg: SecureBootVariableLib: Updated time based payload creator
SecurityPkg: SecureBootVariableProvisionLib: Updated implementation
SecurityPkg: Secure Boot Drivers: Added common header files
SecurityPkg: SecureBootConfigDxe: Updated invocation pattern
OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency
EmulatorPkg: Pipeline: Resolve SecureBootVariableLib dependency
kuqin (3):
SecurityPkg: SecureBootVariableLib: Updated signature list creator
SecurityPkg: SecureBootVariableLib: Added newly supported interfaces
SecurityPkg: SecureBootVariableLib: Added unit tests
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 1 +
SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c | 51 +
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 486 ++++-
SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c | 36 +
SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c | 201 ++
SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c | 13 +
SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c | 2037 ++++++++++++++++++++
SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 145 +-
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 128 +-
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 1 +
EmulatorPkg/EmulatorPkg.dsc | 1 +
OvmfPkg/Bhyve/BhyveX64.dsc | 1 +
OvmfPkg/CloudHv/CloudHvX64.dsc | 1 +
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 +
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
SecurityPkg/Include/Library/PlatformPKProtectionLib.h | 31 +
SecurityPkg/Include/Library/SecureBootVariableLib.h | 103 +-
SecurityPkg/Include/UefiSecureBoot.h | 94 +
SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf | 36 +
SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 14 +-
SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf | 33 +
SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf | 45 +
SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf | 25 +
SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf | 36 +
SecurityPkg/SecurityPkg.ci.yaml | 11 +
SecurityPkg/SecurityPkg.dec | 5 +
SecurityPkg/SecurityPkg.dsc | 2 +
SecurityPkg/Test/SecurityPkgHostTest.dsc | 38 +
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 +
31 files changed, 3468 insertions(+), 112 deletions(-)
create mode 100644 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.c
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.c
create mode 100644 SecurityPkg/Include/Library/PlatformPKProtectionLib.h
create mode 100644 SecurityPkg/Include/UefiSecureBoot.h
create mode 100644 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectionLib.inf
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServicesTableLib.inf
create mode 100644 SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUnitTest.inf
create mode 100644 SecurityPkg/Test/SecurityPkgHostTest.dsc
--
2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90491): https://edk2.groups.io/g/devel/message/90491
Mute This Topic: https://groups.io/mt/91735867/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list