[edk2-devel] [PATCH 1/1] OvmfPkg/EnrollDefaultKeys: import the non-default key into db
Laszlo Ersek
lersek at redhat.com
Thu May 16 13:47:57 UTC 2019
On 05/16/19 05:08, Gary Lin wrote:
> For QA test and development, we may need to test Secure Boot with a
> devel key instead of UEFI CA.
>
> This commit adds an argument, "--no-default", to EnrollDefaultKeys.efi.
> With the argument, the key from SMBIOS Type 11 will also be enrolled
> into db. Besides, the keys in AuthData.c, i.e. Microsoft KEK CA,
> Microsoft PCA, and Microsoft UEFI CA will be excluded, so the developer
> can easily create a varstore template for a specific key.
>
> Cc: Laszlo Ersek <lersek at redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel at linaro.org>
> Cc: Jordan Justen <jordan.l.justen at intel.com>
> Signed-off-by: Gary Lin <glin at suse.com>
> ---
> OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 53 ++++++++++++++-----
> 1 file changed, 39 insertions(+), 14 deletions(-)
>
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index 75f2749dc84a..f45cb799f726 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -538,6 +538,13 @@ ShellAppMain (
> SETTINGS Settings;
> UINT8 *PkKek1;
> UINTN SizeOfPkKek1;
> + BOOLEAN NoDefault;
> +
> + if (Argc == 2 && StrCmp (Argv[1], L"--no-default") == 0) {
> + NoDefault = TRUE;
> + } else {
> + NoDefault = FALSE;
> + }
>
> //
> // Prepare for failure.
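Review bot: the option check at `if (Argc == 2 && StrCmp (Argv[1], L"--no-default") == 0)` silently falls back to enrolling the Microsoft default certificates on any other command line, so a misspelled option (or an extra argument) produces a varstore with keys the operator did not ask for, and nothing tells them so. Consider failing with a usage message and a non-zero return whenever `Argc > 1` and `Argv[1]` is not exactly `--no-default`, and mention the new option in the application's usage text so the behaviour is discoverable.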
> @@ -594,13 +601,22 @@ ShellAppMain (
> //
> // Enroll db.
> //
> - Status = EnrollListOfCerts (
> - EFI_IMAGE_SECURITY_DATABASE,
> - &gEfiImageSecurityDatabaseGuid,
> - &gEfiCertX509Guid,
> - mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGuid,
> - mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,
> - NULL);
> + if (NoDefault) {
> + Status = EnrollListOfCerts (
> + EFI_IMAGE_SECURITY_DATABASE,
> + &gEfiImageSecurityDatabaseGuid,
> + &gEfiCertX509Guid,
> + PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid,
> + NULL);
> + } else {
> + Status = EnrollListOfCerts (
> + EFI_IMAGE_SECURITY_DATABASE,
> + &gEfiImageSecurityDatabaseGuid,
> + &gEfiCertX509Guid,
> + mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGuid,
> + mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,
> + NULL);
> + }
> if (EFI_ERROR (Status)) {
> goto FreePkKek1;
> }
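Review bot: the `// Enroll db.` comment no longer describes what follows, since with `NoDefault` the only db entry becomes the SMBIOS Type 11 certificate (`PkKek1` under `gEfiCallerIdGuid`) in place of `mMicrosoftPca` and `mMicrosoftUefiCa`; a one-line comment above `if (NoDefault) {` stating that the developer certificate replaces the Microsoft db entries in this mode would save the next reader from diffing the two calls. The two `EnrollListOfCerts` invocations also repeat the first three arguments verbatim and differ only in the certificate list, which is easy to let drift apart in later edits; if the function cannot take an optional list, at least keep the shared prefix visually aligned as it is here.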
> @@ -621,13 +637,22 @@ ShellAppMain (
> //
> // Enroll KEK.
> //
> - Status = EnrollListOfCerts (
> - EFI_KEY_EXCHANGE_KEY_NAME,
> - &gEfiGlobalVariableGuid,
> - &gEfiCertX509Guid,
> - PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid,
> - mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
> - NULL);
> + if (NoDefault) {
> + Status = EnrollListOfCerts (
> + EFI_KEY_EXCHANGE_KEY_NAME,
> + &gEfiGlobalVariableGuid,
> + &gEfiCertX509Guid,
> + PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid,
> + NULL);
> + } else {
> + Status = EnrollListOfCerts (
> + EFI_KEY_EXCHANGE_KEY_NAME,
> + &gEfiGlobalVariableGuid,
> + &gEfiCertX509Guid,
> + PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid,
> + mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
> + NULL);
> + }
> if (EFI_ERROR (Status)) {
> goto FreePkKek1;
> }
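Review bot: the KEK branches differ only by the trailing `mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,` entry, and together with the db hunk above the `--no-default` result is a varstore whose PK, KEK and db all contain exactly one certificate, the SMBIOS Type 11 one, owned by `gEfiCallerIdGuid`. That is the intended developer-key configuration, but it also means no binary signed only by the Microsoft UEFI CA or Microsoft PCA will pass verification in a guest booted from such a template; it would be worth stating that consequence in the code comment (or in the usage text) so the template is not mistaken for a general-purpose Secure Boot varstore with one extra key added.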
>
Reviewed-by: Laszlo Ersek <lersek at redhat.com>
Pushed as commit 89d7c543cf71.
Thanks,
Laszlo
View/Reply Online (#40793): https://edk2.groups.io/g/devel/message/40793