Re: [edk2-devel] [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver

Fri, 04 Jun 2021 01:15:51 -0700 

Internally reviewed this patch before sending the edk2 mailing list and It 
looks good to me. Please also address Pete's good catches/comments.
Reviewed-by: Sunny Wang <sunny.w...@arm.com>

-----Original Message-----
From: Grzegorz Bernacki <g...@semihalf.com>
Sent: Tuesday, June 1, 2021 9:12 PM
To: devel@edk2.groups.io
Cc: l...@nuviainc.com; ardb+tianoc...@kernel.org; Samer El-Haj-Mahmoud 
<samer.el-haj-mahm...@arm.com>; Sunny Wang <sunny.w...@arm.com>; 
m...@semihalf.com; upstr...@semihalf.com; jiewen....@intel.com; 
jian.j.w...@intel.com; min.m...@intel.com; ler...@redhat.com; Grzegorz Bernacki 
<g...@semihalf.com>
Subject: [PATCH v2 3/6] SecurityPkg: Add SecureBootDefaultKeysDxe driver

This driver initializes default Secure Boot keys and databases
based on keys embedded in flash.

Signed-off-by: Grzegorz Bernacki <g...@semihalf.com>
---
 
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 | 46 +++++++++++++
 
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
   | 69 ++++++++++++++++++++
 
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
 | 17 +++++
 3 files changed, 132 insertions(+)
 create mode 100644 
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 create mode 100644 
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
 create mode 100644 
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni

diff --git 
a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
 
b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
new file mode 100644
index 0000000000..27345eab2e
--- /dev/null
+++ 
b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
@@ -0,0 +1,46 @@
+## @file
+#  Initializes Secure Boot default keys
+#
+#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+#  Copyright (c) 2021, Semihalf All rights reserved.<BR>
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+[Defines]
+  INF_VERSION = 0x00010005
+  BASE_NAME   = SecureBootDefaultKeysDxe
+  FILE_GUID   = C937FCB7-25AC-4376-89A2-4EA8B317DE83
+  MODULE_TYPE = DXE_DRIVER
+  ENTRY_POINT = SecureBootDefaultKeysEntryPoint
+
+#
+#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
+#
+[Sources]
+  SecureBootDefaultKeysDxe.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+  BaseLib
+  BaseMemoryLib
+  MemoryAllocationLib
+  UefiDriverEntryPoint
+  DebugLib
+  SecureBootVariableLib
+
+[Guids]
+  ## SOMETIMES_PRODUCES      ## Variable:L"PKDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"KEKDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"dbDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"dbtDefault"
+  ## SOMETIMES_PRODUCES      ## Variable:L"dbxDefault"
+  gEfiGlobalVariableGuid
+
+[Depex]
+  gEfiVariableArchProtocolGuid      AND
+  gEfiVariableWriteArchProtocolGuid
+
diff --git 
a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
 
b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
new file mode 100644
index 0000000000..0928489e15
--- /dev/null
+++ 
b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
@@ -0,0 +1,69 @@
+/** @file
+  This driver init default Secure Boot variables
+
+Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+Copyright (c) 2021, Semihalf All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/SecureBootVariableLib.h>
+
+/**
+  The entry point for SecureBootDefaultKeys driver.
+
+  @param[in]  ImageHandle        The image handle of the driver.
+  @param[in]  SystemTable        The system table.
+
+  @retval EFI_ALREADY_STARTED    The driver already exists in system.
+  @retval EFI_OUT_OF_RESOURCES   Fail to execute entry point due to lack of 
resources.
+  @retval EFI_SUCCESS            All the related protocols are installed on 
the driver.
+  @retval Others                 Fail to get the SecureBootEnable variable.
+
+**/
+EFI_STATUS
+EFIAPI
+SecureBootDefaultKeysEntryPoint (
+  IN EFI_HANDLE          ImageHandle,
+  IN EFI_SYSTEM_TABLE    *SystemTable
+  )
+{
+  EFI_STATUS  Status;
+
+  Status = SecureBootInitPKDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __FUNCTION__, 
Status));
+    return Status;
+  }
+
+  Status = SecureBootInitKEKDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", 
__FUNCTION__, Status));
+    return Status;
+  }
+  Status = SecureBootInitdbDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", 
__FUNCTION__, Status));
+    return Status;
+  }
+
+  Status = SecureBootInitdbtDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "%a: dbtDefault not initialized\n", __FUNCTION__));
+  }
+
+  Status = SecureBootInitdbxDefault ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_INFO, "%a: dbxDefault not initialized\n", __FUNCTION__));
+  }
+
+  return Status;
+}
+
diff --git 
a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
 
b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
new file mode 100644
index 0000000000..30f03aee5d
--- /dev/null
+++ 
b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
@@ -0,0 +1,17 @@
+// /** @file
+// Provides the capability to intialize Secure Boot default variables
+//
+// Module which initializes Secure boot default variables.
+//
+// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
+// Copyright (c) 2021, Semihalf All rights reserved.<BR>
+//
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT             #language en-US "Module which 
initializes Secure boot default variables"
+
+#string STR_MODULE_DESCRIPTION          #language en-US "This module reads 
embedded keys and initializes Secure Boot default variables."
+
--
2.25.1

IMPORTANT NOTICE: The contents of this email and any attachments are 
confidential and may also be privileged. If you are not the intended recipient, 
please notify the sender immediately and do not disclose the contents to any 
other person, use it for any purpose, or store or copy the information in any 
medium. Thank you.


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#76047): https://edk2.groups.io/g/devel/message/76047
Mute This Topic: https://groups.io/mt/83232299/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to