This patchset adds support for initialization of default Secure Boot variables based on keys content embedded in flash binary. This feature is active only if Secure Boot is enabled and DEFAULT_KEY is defined. The patchset consist also application to enroll keys from default variables and secure boot menu change to allow user to reset key content to default values. Discussion on design can be found at: https://edk2.groups.io/g/rfc/topic/82139806#600
I also added patch for RPi4 which enables this feature for that platform. Grzegorz Bernacki (6): [edk2] SecurityPkg: Create library for setting Secure Boot variables. SecurityPkg: Create include file for default key content. SecurityPkg: Add SecBootDefaultKeysDxe driver SecurityPkg: Add SecEnrollDefaultKeys application. SecurityPkg: Add new modules to Security package. SecurityPkg: Add option to reset secure boot keys. [edk2-platforms] Platform/RaspberryPi: Enable default Secure Boot variables initialization SecurityPkg/SecurityPkg.dec | 14 + SecurityPkg/SecurityPkg.dsc | 5 + SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf | 79 ++ SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf | 48 + SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf | 46 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 + SecurityPkg/Include/Library/SecBootVariableLib.h | 252 +++++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 + SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c | 979 ++++++++++++++++++++ SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c | 108 +++ SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c | 69 ++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 343 ++++--- SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni | 16 + SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 ++ SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni | 17 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 + 17 files changed, 1864 insertions(+), 188 deletions(-) create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf create mode 100644 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.inf create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.inf create mode 100644 SecurityPkg/Include/Library/SecBootVariableLib.h create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c create mode 100644 SecurityPkg/SecEnrollDefaultKeysApp/SecEnrollDefaultKeysApp.c create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.c create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc create mode 100644 SecurityPkg/VariableAuthenticated/SecBootDefaultKeysDxe/SecBootDefaultKeysDxe.uni -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#75649): https://edk2.groups.io/g/devel/message/75649 Mute This Topic: https://groups.io/mt/83098443/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
