[edk2-devel] [PATCH v6 00/11] Secure Boot default keys

Ard Biesheuvel ardb at kernel.org
Wed Jul 28 11:07:28 UTC 2021


On Wed, 28 Jul 2021 at 12:39, Ard Biesheuvel <ardb at kernel.org> wrote:
>
> On Wed, 28 Jul 2021 at 09:44, gaoliming <gaoliming at byosoft.com.cn> wrote:
> >
> > Sunny:
> >   Yes. This patch set is ready to be merged.
> >
> > Samer:
> >   Would you help merge this patch set?
> >
>
> I can pick it up if you could please create the release notes entry? Thanks.
>

Submitted here:

https://github.com/tianocore/edk2/pull/1839

and failed with some errors. Could someone please diagnose/fix and submit a v7?


> > Thanks
> > Liming
> > > -----Original Message-----
> > > From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of Sunny Wang
> > > Sent: 21 July 2021 11:41
> > > To: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud at arm.com>;
> > > devel at edk2.groups.io; gjb at semihalf.com; Ard Biesheuvel
> > > <ardb+tianocore at kernel.org>; gaoliming at byosoft.com.cn; ray.ni at intel.com
> > > Cc: leif at nuviainc.com; mw at semihalf.com; upstream at semihalf.com;
> > > jiewen.yao at intel.com; jian.j.wang at intel.com; min.m.xu at intel.com;
> > > lersek at redhat.com; Sami Mujawar <Sami.Mujawar at arm.com>;
> > > afish at apple.com; jordan.l.justen at intel.com; rebecca at bsdio.com;
> > > grehan at freebsd.org; Thomas Abraham <thomas.abraham at arm.com>;
> > > chasel.chiu at intel.com; nathaniel.l.desimone at intel.com;
> > > eric.dong at intel.com; michael.d.kinney at intel.com; zailiang.sun at intel.com;
> > > yi.qian at intel.com; graeme at nuviainc.com; rad at semihalf.com; pete at akeo.ie;
> > > Sunny Wang <Sunny.Wang at arm.com>
> > > Subject: Re: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
> > >
> > > Ard, Liming, Ray, thanks for your review of the ArmVirtPkg, ArmPlatformPkg and
> > > EmulatorPkg patches.
> > >
> > > As for the patch for Intel Platforms below, it is in another series for
> > > edk2-platforms.
> > >      - [edk2-platforms PATCH v6 1/4] Intel Platforms: add
> > > SecureBootVariableLib class resolution
> > > https://edk2.groups.io/g/devel/message/77781
> > >
> > > Therefore, I think this series has already got all the necessary Reviewed-By and
> > > Acked-By for all parts and is ready to be pushed now.
> > >
> > > Best Regards,
> > > Sunny Wang
> > >
> > > -----Original Message-----
> > > From: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud at arm.com>
> > > Sent: Friday, July 16, 2021 8:00 PM
> > > To: devel at edk2.groups.io; gjb at semihalf.com
> > > Cc: leif at nuviainc.com; ardb+tianocore at kernel.org; Sunny Wang
> > > <Sunny.Wang at arm.com>; mw at semihalf.com; upstream at semihalf.com;
> > > jiewen.yao at intel.com; jian.j.wang at intel.com; min.m.xu at intel.com;
> > > lersek at redhat.com; Sami Mujawar <Sami.Mujawar at arm.com>;
> > > afish at apple.com; ray.ni at intel.com; jordan.l.justen at intel.com;
> > > rebecca at bsdio.com; grehan at freebsd.org; Thomas Abraham
> > > <thomas.abraham at arm.com>; chasel.chiu at intel.com;
> > > nathaniel.l.desimone at intel.com; gaoliming at byosoft.com.cn;
> > > eric.dong at intel.com; michael.d.kinney at intel.com; zailiang.sun at intel.com;
> > > yi.qian at intel.com; graeme at nuviainc.com; rad at semihalf.com; pete at akeo.ie;
> > > Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud at arm.com>
> > > Subject: RE: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
> > >
> > > The v6 of this series seems to have all the necessary Reviewed-By (and some
> > > Tested-By) of all parts, except the following platform specific parts. Could we
> > > get help from maintainers to review these please?
> > >
> > > Much appreciated!
> > >
> > > - ArmVirtPkg : https://edk2.groups.io/g/devel/message/77772
> > > - ArmPlatformPkg: https://edk2.groups.io/g/devel/message/77775
> > > - EmulatorPkg: https://edk2.groups.io/g/devel/message/77773
> > > - Intel Platforms (Platform/Intel/QuarkPlatformPkg,
> > > Platform/Intel/MinPlatformPkg, Platform/Intel/Vlv2TbltDevicePkg):
> > > https://edk2.groups.io/g/devel/message/77781
> > >
> > > Thanks,
> > > --Samer
> > >
> > >
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of
> > > > Grzegorz Bernacki via groups.io
> > > > Sent: Wednesday, July 14, 2021 8:30 AM
> > > > To: devel at edk2.groups.io
> > > > Cc: leif at nuviainc.com; ardb+tianocore at kernel.org; Samer El-Haj-Mahmoud
> > > > <Samer.El-Haj-Mahmoud at arm.com>; Sunny Wang
> > > > <Sunny.Wang at arm.com>; mw at semihalf.com; upstream at semihalf.com;
> > > > jiewen.yao at intel.com; jian.j.wang at intel.com; min.m.xu at intel.com;
> > > > lersek at redhat.com; Sami Mujawar <Sami.Mujawar at arm.com>;
> > > > afish at apple.com; ray.ni at intel.com; jordan.l.justen at intel.com;
> > > > rebecca at bsdio.com; grehan at freebsd.org; Thomas Abraham
> > > > <thomas.abraham at arm.com>; chasel.chiu at intel.com;
> > > > nathaniel.l.desimone at intel.com; gaoliming at byosoft.com.cn;
> > > > eric.dong at intel.com; michael.d.kinney at intel.com; zailiang.sun at intel.com;
> > > > yi.qian at intel.com; graeme at nuviainc.com; rad at semihalf.com;
> > > > pete at akeo.ie; Grzegorz Bernacki <gjb at semihalf.com>
> > > > Subject: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
> > > >
> > > > This patchset adds support for initialization of default
> > > > Secure Boot variables based on key content embedded in the
> > > > flash binary. This feature is active only if Secure Boot
> > > > is enabled and DEFAULT_KEY is defined. The patchset also
> > > > contains an application to enroll keys from the default
> > > > variables and a Secure Boot menu change that allows the user
> > > > to reset key content to the default values.
> > > > Discussion on design can be found at:
> > > > https://edk2.groups.io/g/rfc/topic/82139806#600
> > > >
> > > > Built with:
> > > > GCC
> > > > - RISC-V (U500, U540) [requires fixes in dsc to build]
> > > > - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
> > > >   EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> > > > - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
> > > >
> > > > RISC-V, Quark, Vlv2TbltDevicePkg and Bhyve require additional fixes to be
> > > > built; these will be posted on the edk2 mailing list later.
> > > >
> > > > VS2019
> > > > - Intel (OvmfPkgX64)
> > > >
> > > > Test with:
> > > > GCC5/RPi4
> > > > VS2019/OvmfX64 (requires changes to enable feature)
> > > >
> > > > Tests:
> > > > 1. Try to enroll key in incorrect format.
> > > > 2. Enroll with only PKDefault keys specified.
> > > > 3. Enroll with all keys specified.
> > > > 4. Enroll when keys are enrolled.
> > > > 5. Reset keys values.
> > > > 6. Running signed & unsigned app after enrollment.
> > > >
> > > > Changes since v1:
> > > > - change names:
> > > >   SecBootVariableLib => SecureBootVariableLib
> > > >   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
> > > >   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> > > > - change name of function CheckSetupMode to GetSetupMode
> > > > - remove ShellPkg dependency from EnrollFromDefaultKeysApp
> > > > - rebase to master
> > > >
> > > > Changes since v2:
> > > > - fix coding style for functions headers in SecureBootVariableLib.h
> > > > - add header to SecureBootDefaultKeys.fdf.inc
> > > > - remove empty line spaces in SecureBootDefaultKeysDxe files
> > > > - revert FAIL macro in EnrollFromDefaultKeysApp
> > > > - remove functions duplicates and  add SecureBootVariableLib
> > > >   to platforms which used it
> > > >
> > > > Changes since v3:
> > > > - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> > > > - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> > > > - fix typo in guid description
> > > >
> > > > Changes since v4:
> > > > - reorder patches to make it bisectable
> > > > - split commits related to more than one platform
> > > > - move edk2-platform commits to separate patchset
> > > >
> > > > Changes since v5:
> > > > - split SecureBootVariableLib into SecureBootVariableLib and
> > > >   SecureBootVariableProvisionLib
> > > >
> > > > Grzegorz Bernacki (11):
> > > >   SecurityPkg: Create SecureBootVariableLib.
> > > >   SecurityPkg: Create library for enrolling Secure Boot variables.
> > > >   ArmVirtPkg: add SecureBootVariableLib class resolution
> > > >   OvmfPkg: add SecureBootVariableLib class resolution
> > > >   EmulatorPkg: add SecureBootVariableLib class resolution
> > > >   SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
> > > >   ArmPlatformPkg: Create include file for default key content.
> > > >   SecurityPkg: Add SecureBootDefaultKeysDxe driver
> > > >   SecurityPkg: Add EnrollFromDefaultKeys application.
> > > >   SecurityPkg: Add new modules to Security package.
> > > >   SecurityPkg: Add option to reset secure boot keys.
> > > >
> > > >  SecurityPkg/SecurityPkg.dec                                                           |  14 +
> > > >  ArmVirtPkg/ArmVirt.dsc.inc                                                            |   2 +
> > > >  EmulatorPkg/EmulatorPkg.dsc                                                           |   2 +
> > > >  OvmfPkg/Bhyve/BhyveX64.dsc                                                            |   2 +
> > > >  OvmfPkg/OvmfPkgIa32.dsc                                                               |   2 +
> > > >  OvmfPkg/OvmfPkgIa32X64.dsc                                                            |   2 +
> > > >  OvmfPkg/OvmfPkgX64.dsc                                                                |   2 +
> > > >  SecurityPkg/SecurityPkg.dsc                                                           |   5 +
> > > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                     |  48 ++
> > > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                   |  80 +++
> > > >  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf |  80 +++
> > > >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf         |   3 +
> > > >  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf |  46 ++
> > > >  SecurityPkg/Include/Library/SecureBootVariableLib.h                                   | 153 ++++++
> > > >  SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h                          | 134 +++++
> > > >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h        |   2 +
> > > >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr            |   6 +
> > > >  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                       | 110 +++++
> > > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                     | 511 ++++++++++++++++++++
> > > >  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c   | 491 +++++++++++++++++++
> > > >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c          | 344 ++++++-------
> > > >  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c |  69 +++
> > > >  ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc                                          |  70 +++
> > > >  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                   |  17 +
> > > >  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni |  16 +
> > > >  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni     |   4 +
> > > >  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni |  16 +
> > > >  27 files changed, 2043 insertions(+), 188 deletions(-)
> > > >  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
> > > >  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
> > > >  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
> > > >  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
> > > >  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
> > > >  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
> > > >  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
> > > >  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
> > > >  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
> > > >  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
> > > >  create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
> > > >  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
> > > >  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
> > > >  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
> > > >
> > > > --
> > > > 2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#78281): https://edk2.groups.io/g/devel/message/78281
Mute This Topic: https://groups.io/mt/84502244/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
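The cover letter above says the series initializes PKDefault/KEKDefault/dbDefault/dbxDefault from content embedded in the flash image and lists "try to enroll key in incorrect format" as its first test. Those variables carry chains of EFI_SIGNATURE_LIST structures (UEFI spec layout: a SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize, then SignatureHeaderSize bytes of header and a whole number of EFI_SIGNATURE_DATA entries, each an owner GUID followed by the certificate or hash), and a sane enroll-from-defaults step must reject anything that does not tile correctly before copying it into PK/KEK/db/dbx. The validator below is an added example written for this page, not code from the patch set or from edk2: the function names, the return codes and the sample buffer are this example's own, and the sample is constructed with placeholder bytes rather than a real certificate or digest. What it does show is the set of size checks that make a signature list safe to walk, plus the SHA256-specific check that each entry is exactly owner GUID + 32-byte digest.

```c
/*
 * Added example, not code from the edk2 patch set: a validator for the
 * EFI_SIGNATURE_LIST chains that PKDefault/KEKDefault/dbDefault/dbxDefault
 * carry (UEFI spec layout), i.e. the check an enroll-from-defaults step must
 * pass before copying the content into PK/KEK/db/dbx. Function names and the
 * sample buffer are this example's own; the sample is constructed, not a real key.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIGLIST_HDR_SIZE 28u   /* SignatureType GUID + SignatureListSize + SignatureHeaderSize + SignatureSize */
#define GUID_SIZE        16u   /* each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID */

/* EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID in their in-memory byte order */
static const uint8_t CERT_SHA256_GUID[GUID_SIZE] =
  {0x26,0x16,0xc4,0xc1,0x4c,0x50,0x92,0x40,0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28};
static const uint8_t CERT_X509_GUID[GUID_SIZE] =
  {0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72};

static uint32_t rd32(const uint8_t *p) {
  return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
  p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

typedef struct { int lists, signatures, sha256_entries, x509_entries; } siglist_summary;

/* Walk a buffer holding zero or more back-to-back EFI_SIGNATURE_LISTs.
 * Returns 0 when every list is well formed, else a negative code for the first
 * defect: -1 truncated header, -2 SignatureListSize outside the buffer,
 * -3 SignatureHeaderSize larger than the list, -4 SignatureSize that does not
 * tile the list body (or leaves no room for the owner GUID), -5 SHA256 list
 * whose entries are not owner GUID + 32-byte digest. */
int validate_siglist_chain(const uint8_t *buf, size_t len, siglist_summary *out) {
  size_t off = 0;
  memset(out, 0, sizeof *out);
  while (off < len) {
    if (len - off < SIGLIST_HDR_SIZE) return -1;
    const uint8_t *hdr = buf + off;
    uint32_t list_size = rd32(hdr + 16), hdr_size = rd32(hdr + 20), sig_size = rd32(hdr + 24);
    if (list_size < SIGLIST_HDR_SIZE || list_size > len - off) return -2;
    if (hdr_size > list_size - SIGLIST_HDR_SIZE) return -3;
    uint32_t body = list_size - SIGLIST_HDR_SIZE - hdr_size;
    if (sig_size <= GUID_SIZE || body == 0 || body % sig_size != 0) return -4;
    uint32_t n = body / sig_size;
    if (memcmp(hdr, CERT_SHA256_GUID, GUID_SIZE) == 0) {
      if (sig_size != GUID_SIZE + 32) return -5;
      out->sha256_entries += n;
    } else if (memcmp(hdr, CERT_X509_GUID, GUID_SIZE) == 0) {
      out->x509_entries += n;      /* X509 entries are variable-size, so no fixed-size check */
    }
    out->lists++;
    out->signatures += n;
    off += list_size;
  }
  return 0;
}

/* --- constructed sample: one X509 list (1 placeholder cert), one SHA256 list (2 hashes) --- */
static uint8_t g_sample[256];
#define X509_LIST_SIZE (SIGLIST_HDR_SIZE + (GUID_SIZE + 40) * 1)   /* 84 bytes */

static size_t put_list(uint8_t *dst, const uint8_t type[GUID_SIZE], uint32_t sig_size, uint32_t count, uint8_t fill) {
  uint32_t list_size = SIGLIST_HDR_SIZE + sig_size * count;
  memcpy(dst, type, GUID_SIZE);
  wr32(dst + 16, list_size); wr32(dst + 20, 0); wr32(dst + 24, sig_size);
  for (uint32_t i = 0; i < count; i++) {
    uint8_t *sig = dst + SIGLIST_HDR_SIZE + i * sig_size;
    memset(sig, 0, GUID_SIZE);                               /* SignatureOwner: zero GUID (placeholder) */
    memset(sig + GUID_SIZE, fill + i, sig_size - GUID_SIZE); /* placeholder cert/hash bytes */
  }
  return list_size;
}

size_t build_sample(void) {
  size_t n = put_list(g_sample, CERT_X509_GUID, GUID_SIZE + 40, 1, 0x30);
  n += put_list(g_sample + n, CERT_SHA256_GUID, GUID_SIZE + 32, 2, 0xA0);
  return n;   /* 84 + 124 = 208 bytes */
}

int demo_sample_status(void)     { siglist_summary s; return validate_siglist_chain(g_sample, build_sample(), &s); }
int demo_sample_signatures(void) { siglist_summary s; validate_siglist_chain(g_sample, build_sample(), &s); return s.signatures; }
int demo_sample_sha256(void)     { siglist_summary s; validate_siglist_chain(g_sample, build_sample(), &s); return s.sha256_entries; }
/* a buffer cut one byte short: the second list's SignatureListSize now overruns */
int demo_truncated_status(void)  { siglist_summary s; size_t n = build_sample(); return validate_siglist_chain(g_sample, n - 1, &s); }
/* a SHA256 list whose SignatureSize (32) still tiles the body but cannot hold owner GUID + digest */
int demo_bad_hash_size_status(void) {
  siglist_summary s; size_t n = build_sample();
  wr32(g_sample + X509_LIST_SIZE + 24, 32);
  return validate_siglist_chain(g_sample, n, &s);
}

int main(void) {
  printf("sample: status %d, %d signatures (%d sha256)\n",
         demo_sample_status(), demo_sample_signatures(), demo_sample_sha256());
  printf("truncated: %d, bad hash size: %d\n", demo_truncated_status(), demo_bad_hash_size_status());
  return 0;
}
```

The checks are ordered so that every later read is already bounded: the header is only read after the remaining length covers it, the list body is only sized after SignatureListSize is known to fit the buffer, and the entry count is only derived after the body is known to be a multiple of SignatureSize. A format check of this kind is necessary but not sufficient for a safe enrollment: after it passes, the content still has to be written to PK/KEK/db/dbx through a time-based authenticated SetVariable, which this example deliberately leaves out.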