On 2021.06.01 14:12, Grzegorz Bernacki wrote:
This application allows the user to force key enrollment from the
Secure Boot default variables.
Signed-off-by: Grzegorz Bernacki <g...@semihalf.com>
---
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 47
+++++++++
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 107
++++++++++++++++++++
2 files changed, 154 insertions(+)
create mode 100644
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
create mode 100644
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
new file mode 100644
index 0000000000..4d79ca3844
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
@@ -0,0 +1,47 @@
+## @file
+# Enroll PK, KEK, db, dbx from Default variables
+#
+# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+# Copyright (c) 2021, Semihalf All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION = 1.28
+ BASE_NAME = EnrollFromDefaultKeysApp
+ FILE_GUID = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
+ MODULE_TYPE = UEFI_APPLICATION
+ VERSION_STRING = 0.1
+ ENTRY_POINT = UefiMain
+
+[Sources]
+ EnrollFromDefaultKeysApp.c
+
+[Packages]
+ MdeModulePkg/MdeModulePkg.dec
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[Guids]
+ gEfiCertPkcs7Guid
+ gEfiCertSha256Guid
+ gEfiCertX509Guid
+ gEfiCustomModeEnableGuid
+ gEfiGlobalVariableGuid
+ gEfiImageSecurityDatabaseGuid
+ gEfiSecureBootEnableDisableGuid
+
+[Protocols]
+ gEfiSmbiosProtocolGuid ## CONSUMES
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ MemoryAllocationLib
+ PrintLib
+ UefiApplicationEntryPoint
+ UefiBootServicesTableLib
+ UefiLib
+ UefiRuntimeServicesTableLib
+ SecureBootVariableLib
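Review bot: `[Protocols]` lists `gEfiSmbiosProtocolGuid ## CONSUMES`, but the EnrollFromDefaultKeysApp.c added in this same patch never touches the SMBIOS protocol, and the three certificate GUIDs (`gEfiCertPkcs7Guid`, `gEfiCertSha256Guid`, `gEfiCertX509Guid`) are likewise unreferenced by that source. Unused INF dependencies pull unneeded modules into the link and make the application's real requirements harder to audit, so the `[Protocols]` section and the unused GUIDs should be dropped unless a later revision of the .c needs them. Minor style point: `SecureBootVariableLib` is appended after `UefiRuntimeServicesTableLib`, breaking the otherwise alphabetical order of `[LibraryClasses]`.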
diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
new file mode 100644
index 0000000000..1907ce1d4e
--- /dev/null
+++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
@@ -0,0 +1,107 @@
+/** @file
+ Enroll default PK, KEK, db, dbx.
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
+#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
+#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
+#include <Library/BaseLib.h> // GUID_STRING_LENGTH
+#include <Library/BaseMemoryLib.h> // CopyGuid()
+#include <Library/DebugLib.h> // ASSERT()
+#include <Library/MemoryAllocationLib.h> // FreePool()
+#include <Library/PrintLib.h> // AsciiSPrint()
+#include <Library/UefiBootServicesTableLib.h> // gBS
+#include <Library/UefiLib.h> // AsciiPrint()
+#include <Library/UefiRuntimeServicesTableLib.h> // gRT
+#include <Uefi/UefiMultiPhase.h>
+#include <Library/SecureBootVariableLib.h>
+
+#define FAIL(fmt...) AsciiPrint("EnrollFromDefaultKeysApp: " fmt)
+
+/**
+ Entry point function of this shell application.
+**/
+EFI_STATUS
+EFIAPI
+UefiMain (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+ UINT8 SetupMode;
+
+ Status = GetSetupMode (&SetupMode);
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot get SetupMode variable: %r\n", Status);
+ return 1;
+ }
+
+ if (SetupMode == USER_MODE) {
+ FAIL ("Skipped - USER_MODE\n");
+ return 1;
+ }
+
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
+ return 1;
+ }
+
+ Status = EnrollDbFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll db: %r\n", Status);
+ goto error;
+ }
+
+ Status = EnrollDbxFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll dbt: %r\n", Status);
+ }
+
+ Status = EnrollDbtFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll dbx: %r\n", Status);
+ }
+
+ Status = EnrollKEKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll KEK: %r\n", Status);
+ goto cleardbs;
+ }
+
+ Status = EnrollPKFromDefault ();
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot enroll PK: %r\n", Status);
+ goto clearKEK;
+ }
+
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n");
+ }
+ return 0;
+
+clearKEK:
+ DeleteKEK ();
+
+cleardbs:
+ DeleteDbt ();
+ DeleteDbx ();
+ DeleteDb ();
+
+error:
+ Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+ if (EFI_ERROR (Status)) {
+ FAIL ("Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+ "Please do it manually, otherwise system can be easily compromised\n");
+ }
+
+ return 1;
+}
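Review bot: The failure messages for dbx and dbt are swapped: the `EnrollDbxFromDefault ()` branch prints `Cannot enroll dbt` and the `EnrollDbtFromDefault ()` branch prints `Cannot enroll dbx`; they should read `FAIL ("Cannot enroll dbx: %r\n", Status);` and `FAIL ("Cannot enroll dbt: %r\n", Status);` respectively. Those two failures are also the only ones that neither abort nor roll back, which looks deliberate (dbx/dbt are optional) but deserves a one-line comment such as `// dbx/dbt are optional; a missing default is not fatal` so the asymmetry is not mistaken for a missing goto. The function is declared `EFI_STATUS` yet returns the literal `1`, which is not an EFI error code (`EFI_ERROR` is false for it); returning `Status` or `EFI_ABORTED` on the failure paths would let a caller or shell script detect the failure. The success path likewise returns `0` even when the final `SetSecureBootMode (STANDARD_SECURE_BOOT_MODE)` fails and the platform is left in custom mode, so propagating that error would make the state the message warns about visible to the caller. Several of the includes (BaseMemoryLib, MemoryAllocationLib, PrintLib, UefiBootServicesTableLib, UefiRuntimeServicesTableLib) are not used by this file and their trailing `// CopyGuid()`-style comments no longer describe anything the code calls.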
Reviewed-by: Pete Batard <p...@akeo.ie>
Tested-by: Pete Batard <p...@akeo.ie> on Raspberry Pi 4