[edk2-devel] [PATCH v4 0/12] Secure Boot default keys

Grzegorz Bernacki gjb at semihalf.com
Wed Jun 30 12:59:31 UTC 2021


Hi,

Please ignore this patchset, I was trying to create one patchset with
patches from edk2 and edk2-platforms, but it didn't work too well.
Please let me send a new version of the patches tomorrow.

thanks,
greg

Wed, 30 Jun 2021 at 14:34 Grzegorz Bernacki via groups.io
<gjb=semihalf.com at groups.io> wrote:
>
>
> This patchset adds support for initialization of default
> Secure Boot variables based on key content embedded in the
> flash binary. This feature is active only if Secure Boot
> is enabled and DEFAULT_KEY is defined. The patchset also
> contains an application to enroll keys from the default
> variables and a Secure Boot menu change to allow the user
> to reset key content to default values.
> Discussion on design can be found at:
> https://edk2.groups.io/g/rfc/topic/82139806#600
>
> I also added a patch for RPi4 which enables this feature for
> that platform.
>
> Built with:
> GCC
> - RISC-V (U500, U540) [requires fixes in dsc to build]
> - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
>   EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
>
> RISC-V, Quark, Vlv2TbltDevicePkg and Bhyve require additional fixes to be built;
> these will be posted on the edk2 mailing list later.
>
> VS2019
> - Intel (OvmfPkgX64)
>
> Tested with:
> GCC5/RPi4
> VS2019/OvmfX64 (requires changes to enable feature)
>
> Tests:
> 1. Try to enroll key in incorrect format.
> 2. Enroll with only PKDefault keys specified.
> 3. Enroll with all keys specified.
> 4. Enroll when keys are enrolled.
> 5. Reset key values.
> 6. Running signed & unsigned app after enrollment.
>
> Changes since v1:
> - change names:
>   SecBootVariableLib => SecureBootVariableLib
>   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
>   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> - change name of function CheckSetupMode to GetSetupMode
> - remove ShellPkg dependency from EnrollFromDefaultKeysApp
> - rebase to master
>
> Changes since v2:
> - fix coding style for function headers in SecureBootVariableLib.h
> - add header to SecureBootDefaultKeys.fdf.inc
> - remove empty line spaces in SecureBootDefaultKeysDxe files
> - revert FAIL macro in EnrollFromDefaultKeysApp
> - remove duplicate functions and add SecureBootVariableLib
>   to platforms which used it
>
> Changes since v3:
> - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> - fix typo in GUID description
>
> Grzegorz Bernacki (12):
> [edk2]
>   SecurityPkg: Create library for setting Secure Boot variables.
>   ArmVirtPkg: add SecureBootVariableLib class resolution
>   Intel Platforms: add SecureBootVariableLib class resolution
>   ArmPlatformPkg: Create include file for default key content.
>   SecurityPkg: Add SecureBootDefaultKeysDxe driver
>   SecurityPkg: Add EnrollFromDefaultKeys application.
>   SecurityPkg: Add new modules to Security package.
>   SecurityPkg: Add option to reset secure boot keys.
> [edk2-platform]
>   Intel Platforms: add SecureBootVariableLib class resolution
>   ARM Silicon and Platforms: add SecureBootVariableLib class resolution
>   RISC-V Platforms: add SecureBootVariableLib class resolution
>   Platform/RaspberryPi: Enable default Secure Boot variables
>     initialization
>
>  SecurityPkg/SecurityPkg.dec                                                             |  14 +
>  ArmVirtPkg/ArmVirt.dsc.inc                                                              |   1 +
>  EmulatorPkg/EmulatorPkg.dsc                                                             |   1 +
>  OvmfPkg/Bhyve/BhyveX64.dsc                                                              |   1 +
>  OvmfPkg/OvmfPkgIa32.dsc                                                                 |   1 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                                                              |   1 +
>  OvmfPkg/OvmfPkgX64.dsc                                                                  |   1 +
>  SecurityPkg/SecurityPkg.dsc                                                             |   4 +
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf                       |  47 +
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                     |  79 ++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf           |   2 +
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf |  45 +
>  SecurityPkg/Include/Library/SecureBootVariableLib.h                                     | 251 +++++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h          |   2 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr              |   6 +
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c                         | 109 +++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                       | 980 ++++++++++++++++++++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c            | 343 ++++---
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c   |  68 ++
>  ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc                                            |  70 ++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                     |  16 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni       |   4 +
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni |  16 +
>  Platform/ARM/VExpressPkg/ArmVExpress.dsc.inc                         | 1 +
>  Platform/Intel/MinPlatformPkg/Include/Dsc/CoreCommonLib.dsc          | 1 +
>  Platform/Intel/QuarkPlatformPkg/Quark.dsc                            | 1 +
>  Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgIA32.dsc                 | 1 +
>  Platform/Intel/Vlv2TbltDevicePkg/PlatformPkgX64.dsc                  | 3 ++-
>  Platform/Qemu/SbsaQemu/SbsaQemu.dsc                                  | 1 +
>  Platform/RaspberryPi/RPi3/RPi3.dsc                                   | 1 +
>  Platform/RaspberryPi/RPi4/RPi4.dsc                                   | 4 ++++
>  Platform/SiFive/U5SeriesPkg/FreedomU500VC707Board/U500.dsc           | 1 +
>  Platform/SiFive/U5SeriesPkg/FreedomU540HiFiveUnleashedBoard/U540.dsc | 1 +
>  Platform/Socionext/DeveloperBox/DeveloperBox.dsc                     | 4 ++++
>  Platform/RaspberryPi/RPi4/RPi4.fdf
>  35 files changed, 1894 insertions(+), 189 deletions(-)
>  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
>  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
>  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
>  create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
>
> --
> 2.25.1
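As an added illustration of what test 1 above ("Try to enroll key in incorrect format") has to catch, here is a structural check for the kind of blob a PKDefault/KEKDefault/dbDefault variable carries. This is example code written for this page, not code from the patchset or from edk2: it relies only on the EFI_SIGNATURE_LIST layout defined in the UEFI specification, and the sample blob, its placeholder "certificate" bytes and the helper names are constructed for the example. Every size field is bounds-checked against the enclosing buffer before it is trusted, which is the property an enrollment path needs before it hands key content to the variable services.

```c
/*
 * Added example, not code from the edk2 patchset: structural validation of
 * an EFI_SIGNATURE_LIST blob (UEFI spec layout):
 *   EFI_GUID SignatureType; UINT32 SignatureListSize;
 *   UINT32 SignatureHeaderSize; UINT32 SignatureSize;
 *   UINT8 SignatureHeader[SignatureHeaderSize];
 *   EFI_SIGNATURE_DATA Signatures[]; each SignatureSize bytes, beginning
 *   with a 16-byte SignatureOwner GUID followed by the certificate bytes.
 * Plain libc so it runs off-target; fixed-width ints stand in for edk2 types.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIGLIST_HDR_SIZE   28u  /* 16-byte GUID + three UINT32 fields */
#define SIGDATA_OWNER_SIZE 16u  /* SignatureOwner GUID before the data  */

/* EFI_CERT_X509_GUID {a5c059a1-94e4-4aa7-87b5-ab155c2bf072}, on-disk byte
 * order: Data1..Data3 little-endian, Data4 as written. */
static const uint8_t EFI_CERT_X509_GUID[16] = {
    0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
    0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk every EFI_SIGNATURE_LIST in buf[0..len). Returns the total number of
 * signature entries, or -1 if the blob is malformed. Only X.509 lists are
 * accepted, which is what PK/KEK default content holds. */
int validate_signature_lists(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int entries = 0;

    while (off < len) {
        if (len - off < SIGLIST_HDR_SIZE)
            return -1;                          /* truncated list header */
        const uint8_t *hdr = buf + off;
        uint32_t list_size = rd32(hdr + 16);
        uint32_t hdr_size  = rd32(hdr + 20);
        uint32_t sig_size  = rd32(hdr + 24);

        if (memcmp(hdr, EFI_CERT_X509_GUID, 16) != 0)
            return -1;                          /* unsupported SignatureType */
        if (list_size < SIGLIST_HDR_SIZE || list_size > len - off)
            return -1;                          /* list does not fit the buffer */
        if (hdr_size != 0)
            return -1;                          /* X.509 lists carry no header */
        if (sig_size <= SIGDATA_OWNER_SIZE)
            return -1;                          /* no room for certificate bytes */

        uint32_t body = list_size - SIGLIST_HDR_SIZE;
        if (body == 0 || body % sig_size != 0)
            return -1;                          /* entries must tile the body exactly */

        entries += (int)(body / sig_size);
        off += list_size;
    }
    return entries;
}

/* Constructed sample: one list with one fake 4-byte "certificate"
 * (placeholder bytes, not real DER). Returns bytes written (48). */
size_t build_sample_list(uint8_t *out, size_t cap)
{
    static const uint8_t cert[4] = { 0xde, 0xad, 0xbe, 0xef };  /* placeholder */
    uint32_t sig_size  = SIGDATA_OWNER_SIZE + (uint32_t)sizeof cert;   /* 20 */
    uint32_t list_size = SIGLIST_HDR_SIZE + sig_size;                  /* 48 */

    if (cap < list_size)
        return 0;
    memcpy(out, EFI_CERT_X509_GUID, 16);
    wr32(out + 16, list_size);
    wr32(out + 20, 0);
    wr32(out + 24, sig_size);
    memset(out + SIGLIST_HDR_SIZE, 0, SIGDATA_OWNER_SIZE);   /* zero SignatureOwner */
    memcpy(out + SIGLIST_HDR_SIZE + SIGDATA_OWNER_SIZE, cert, sizeof cert);
    return list_size;
}

/* Probe the validator: mode 0 = well-formed sample, 1 = last byte cut off,
 * 2 = SignatureListSize claims far more than is present. */
int probe_sample(int mode)
{
    uint8_t blob[64];
    size_t n = build_sample_list(blob, sizeof blob);
    if (mode == 1) n -= 1;
    if (mode == 2) wr32(blob + 16, 0x7fffffffu);
    return validate_signature_lists(blob, n);
}

int main(void)
{
    printf("well-formed: %d entries\n", probe_sample(0));   /* 1 */
    printf("truncated:   %d\n", probe_sample(1));           /* -1 */
    printf("oversized:   %d\n", probe_sample(2));           /* -1 */
    return 0;
}
```

The two malformed probes are the cases an enrollment app must refuse before it calls SetVariable: a blob cut short during flashing, and a size field that points past the end of the image. Accepting either would let the variable services copy bytes that were never part of the embedded key content.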


View/Reply Online (#77364): https://edk2.groups.io/g/devel/message/77364





