<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">> +#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I don’t think this sort of implied concatenation works on all compilers.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">- Bret <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="border:none;padding:0in"><b>From: </b><a href="mailto:pete=akeo.ie@groups.io">Pete Batard via groups.io</a><br>
<b>Sent: </b>Wednesday, June 2, 2021 10:40 AM<br>
<b>To: </b><a href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a>; <a href="mailto:gjb@semihalf.com">
gjb@semihalf.com</a><br>
<b>Cc: </b><a href="mailto:leif@nuviainc.com">Lindholm, Leif</a>; <a href="mailto:ardb+tianocore@kernel.org">
ardb+tianocore@kernel.org</a>; <a href="mailto:Samer.El-Haj-Mahmoud@arm.com">Samer El-Haj-Mahmoud</a>;
<a href="mailto:sunny.Wang@arm.com">sunny.Wang@arm.com</a>; <a href="mailto:mw@semihalf.com">
mw@semihalf.com</a>; <a href="mailto:upstream@semihalf.com">upstream@semihalf.com</a>;
<a href="mailto:jiewen.yao@intel.com">Yao, Jiewen</a>; <a href="mailto:jian.j.wang@intel.com">
jian.j.wang@intel.com</a>; <a href="mailto:min.m.xu@intel.com">min.m.xu@intel.com</a>;
<a href="mailto:lersek@redhat.com">lersek@redhat.com</a><br>
<b>Subject: </b>[EXTERNAL] Re: [edk2-devel] [PATCH v2 4/6] SecurityPkg: Add EnrollFromDefaultKeys application.</p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">On 2021.06.01 14:12, Grzegorz Bernacki wrote:<br>
> This application allows user to force key enrollment from<br>
> Secure Boot default variables.<br>
> <br>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com><br>
> ---<br>
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47 +++++++++<br>
> SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 107 ++++++++++++++++++++<br>
> 2 files changed, 154 insertions(+)<br>
> create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf<br>
> create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c<br>
> <br>
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf<br>
> new file mode 100644<br>
> index 0000000000..4d79ca3844<br>
> --- /dev/null<br>
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf<br>
> @@ -0,0 +1,47 @@<br>
> +## @file<br>
> +# Enroll PK, KEK, db, dbx from Default variables<br>
> +#<br>
> +# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR><br>
> +# Copyright (c) 2021, Semihalf All rights reserved.<BR><br>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent<br>
> +##<br>
> +<br>
> +[Defines]<br>
> + INF_VERSION = 1.28<br>
> + BASE_NAME = EnrollFromDefaultKeysApp<br>
> + FILE_GUID = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E<br>
> + MODULE_TYPE = UEFI_APPLICATION<br>
> + VERSION_STRING = 0.1<br>
> + ENTRY_POINT = UefiMain<br>
> +<br>
> +[Sources]<br>
> + EnrollFromDefaultKeysApp.c<br>
> +<br>
> +[Packages]<br>
> + MdeModulePkg/MdeModulePkg.dec<br>
> + MdePkg/MdePkg.dec<br>
> + SecurityPkg/SecurityPkg.dec<br>
> +<br>
> +[Guids]<br>
> + gEfiCertPkcs7Guid<br>
> + gEfiCertSha256Guid<br>
> + gEfiCertX509Guid<br>
> + gEfiCustomModeEnableGuid<br>
> + gEfiGlobalVariableGuid<br>
> + gEfiImageSecurityDatabaseGuid<br>
> + gEfiSecureBootEnableDisableGuid<br>
> +<br>
> +[Protocols]<br>
> + gEfiSmbiosProtocolGuid ## CONSUMES<br>
> +<br>
> +[LibraryClasses]<br>
> + BaseLib<br>
> + BaseMemoryLib<br>
> + DebugLib<br>
> + MemoryAllocationLib<br>
> + PrintLib<br>
> + UefiApplicationEntryPoint<br>
> + UefiBootServicesTableLib<br>
> + UefiLib<br>
> + UefiRuntimeServicesTableLib<br>
> + SecureBootVariableLib<br>
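Review bot: [Protocols] declares gEfiSmbiosProtocolGuid ## CONSUMES, but EnrollFromDefaultKeysApp.c in the next hunk neither includes Protocol/Smbios.h nor references the SMBIOS protocol, so that entry looks like a leftover; the same goes for gEfiCertPkcs7Guid, gEfiCertSha256Guid, gEfiCertX509Guid and gEfiSecureBootEnableDisableGuid in [Guids], none of which the source uses directly (SecureBootVariableLib's own INF should declare what the library needs). Dropping the unused entries keeps the module's declared dependencies honest and avoids a protocol dependency the application never consumes.<br>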
> diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c<br>
> new file mode 100644<br>
> index 0000000000..1907ce1d4e<br>
> --- /dev/null<br>
> +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c<br>
> @@ -0,0 +1,107 @@<br>
> +/** @file<br>
> + Enroll default PK, KEK, db, dbx.<br>
> +<br>
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR><br>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR><br>
> +<br>
> +SPDX-License-Identifier: BSD-2-Clause-Patent<br>
> +**/<br>
> +<br>
> +#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid<br>
> +#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME<br>
> +#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE<br>
> +#include <Library/BaseLib.h> // GUID_STRING_LENGTH<br>
> +#include <Library/BaseMemoryLib.h> // CopyGuid()<br>
> +#include <Library/DebugLib.h> // ASSERT()<br>
> +#include <Library/MemoryAllocationLib.h> // FreePool()<br>
> +#include <Library/PrintLib.h> // AsciiSPrint()<br>
> +#include <Library/UefiBootServicesTableLib.h> // gBS<br>
> +#include <Library/UefiLib.h> // AsciiPrint()<br>
> +#include <Library/UefiRuntimeServicesTableLib.h> // gRT<br>
> +#include <Uefi/UefiMultiPhase.h><br>
> +#include <Library/SecureBootVariableLib.h><br>
> +<br>
> +#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)<br>
> +<br>
> +/**<br>
> + Entry point function of this shell application.<br>
> +**/<br>
> +EFI_STATUS<br>
> +EFIAPI<br>
> +UefiMain (<br>
> + IN EFI_HANDLE ImageHandle,<br>
> + IN EFI_SYSTEM_TABLE *SystemTable<br>
> + )<br>
> +{<br>
> + EFI_STATUS Status;<br>
> + UINT8 SetupMode;<br>
> +<br>
> + Status = GetSetupMode (&SetupMode);<br>
> + if (EFI_ERROR (Status)) {<br>
> + FAIL ("Cannot get SetupMode variable: %r\n", Status);<br>
> + return 1;<br>
> + }<br>
> +<br>
> + if (SetupMode == USER_MODE) {<br>
> + FAIL ("Skipped - USER_MODE\n");<br>
> + return 1;<br>
> + }<br>
> +<br>
> + Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);<br>
> + if (EFI_ERROR (Status)) {<br>
> + FAIL ("Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);<br>
> + return 1;<br>
> + }<br>
> +<br>
> + Status = EnrollDbFromDefault ();<br>
> + if (EFI_ERROR (Status)) {<br>
> + FAIL ("Cannot enroll db: %r\n", Status);<br>
> + goto error;<br>
> + }<br>
> +<br>
> + Status = EnrollDbxFromDefault ();<br>
> + if (EFI_ERROR (Status)) {<br>
> + FAIL ("Cannot enroll dbt: %r\n", Status);<br>
> + }<br>
> +<br>
> + Status = EnrollDbtFromDefault ();<br>
> + if (EFI_ERROR (Status)) {<br>
> + FAIL ("Cannot enroll dbx: %r\n", Status);<br>
> + }<br>
> +<br>
> + Status = EnrollKEKFromDefault ();<br>
> + if (EFI_ERROR (Status)) {<br>
> + FAIL ("Cannot enroll KEK: %r\n", Status);<br>
> + goto cleardbs;<br>
> + }<br>
> +<br>
> + Status = EnrollPKFromDefault ();<br>
> + if (EFI_ERROR (Status)) {<br>
> + FAIL ("Cannot enroll PK: %r\n", Status);<br>
> + goto clearKEK;<br>
> + }<br>
> +<br>
> + Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);<br>
> + if (EFI_ERROR (Status)) {<br>
> + FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"<br>
> + "Please do it manually, otherwise system can be easily compromised\n");<br>
> + }<br>
> + return 0;<br>
> +<br>
> +clearKEK:<br>
> + DeleteKEK ();<br>
> +<br>
> +cleardbs:<br>
> + DeleteDbt ();<br>
> + DeleteDbx ();<br>
> + DeleteDb ();<br>
> +<br>
> +error:<br>
> + Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);<br>
> + if (EFI_ERROR (Status)) {<br>
> + FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"<br>
> + "Please do it manually, otherwise system can be easily compromised\n");<br>
> + }<br>
> +<br>
> + return 1;<br>
> +}<br>
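Review bot: the failure messages for EnrollDbxFromDefault and EnrollDbtFromDefault are swapped: the dbx failure prints "Cannot enroll dbt" and the dbt failure prints "Cannot enroll dbx". More importantly, a dbx or dbt failure only prints and then carries on to enroll KEK and PK, so the system can leave SetupMode with a PK installed but no revocation list, which silently weakens the resulting Secure Boot configuration; either unwind like the db failure does (`goto cleardbs`) or say in the message that enrollment continued without dbx/dbt. UefiMain returns EFI_STATUS yet uses `return 1` and `return 0`; 1 is not an EFI error code (EFI_ERROR (1) is false), so a caller sees a success-looking status on failure; return EFI_SUCCESS and a real error such as EFI_ABORTED or the failing Status instead. The `FAIL(fmt...)` named variadic macro is a GNU extension, as Bret notes; `#define FAIL(...) AsciiPrint("EnrollFromDefaultKeysApp: " __VA_ARGS__)` is the portable C99 form. Finally, the return values of DeleteKEK, DeleteDbt, DeleteDbx and DeleteDb on the unwind paths are discarded, so a partial rollback is never reported.<br>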
> <br>
<br>
Reviewed-by: Pete Batard <pete@akeo.ie><br>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>