Thank you very much Grzegorz.

SecurityPkg: Reviewed-by: Jiewen Yao <jiewen....@intel.com>

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Grzegorz Bernacki
> Sent: Wednesday, July 14, 2021 8:30 PM
> To: devel@edk2.groups.io
> Cc: l...@nuviainc.com; ardb+tianoc...@kernel.org;
>     Samer.El-Haj-mahm...@arm.com; sunny.w...@arm.com; m...@semihalf.com;
>     upstr...@semihalf.com; Yao, Jiewen <jiewen....@intel.com>;
>     Wang, Jian J <jian.j.w...@intel.com>; Xu, Min M <min.m...@intel.com>;
>     ler...@redhat.com; sami.muja...@arm.com; af...@apple.com;
>     Ni, Ray <ray...@intel.com>; Justen, Jordan L <jordan.l.jus...@intel.com>;
>     rebe...@bsdio.com; gre...@freebsd.org; thomas.abra...@arm.com;
>     Chiu, Chasel <chasel.c...@intel.com>;
>     Desimone, Nathaniel L <nathaniel.l.desim...@intel.com>;
>     gaolim...@byosoft.com.cn; Dong, Eric <eric.d...@intel.com>;
>     Kinney, Michael D <michael.d.kin...@intel.com>;
>     Sun, Zailiang <zailiang....@intel.com>; Qian, Yi <yi.q...@intel.com>;
>     gra...@nuviainc.com; r...@semihalf.com; p...@akeo.ie;
>     Grzegorz Bernacki <g...@semihalf.com>
> Subject: [edk2-devel] [PATCH v6 00/11] Secure Boot default keys
>
> This patchset adds support for initialization of default
> Secure Boot variables based on keys content embedded in
> flash binary. This feature is active only if Secure Boot
> is enabled and DEFAULT_KEY is defined. The patchset
> also consists of an application to enroll keys from default
> variables and a secure boot menu change to allow the user
> to reset key content to default values.
>
> Discussion on design can be found at:
> https://edk2.groups.io/g/rfc/topic/82139806#600
>
> Built with:
> GCC
> - RISC-V (U500, U540) [requires fixes in dsc to build]
> - Intel (Vlv2TbltDevicePkg (X64/IA32), Quark, MinPlatformPkg,
>   EmulatorPkg (X64), Bhyve, OvmfPkg (X64/IA32))
> - ARM (Sgi75,SbsaQemu,DeveloperBox, RPi3/RPi4)
>
> RISC-V, Quark, Vlv2TbltDevicePkg, Bhyve require additional fixes to be built;
> these will be posted on the edk2 mailing list later
>
> VS2019
> - Intel (OvmfPkgX64)
>
> Test with:
> GCC5/RPi4
> VS2019/OvmfX64 (requires changes to enable feature)
>
> Tests:
> 1. Try to enroll key in incorrect format.
> 2. Enroll with only PKDefault keys specified.
> 3. Enroll with all keys specified.
> 4. Enroll when keys are enrolled.
> 5. Reset keys values.
> 6. Running signed & unsigned app after enrollment.
>
> Changes since v1:
> - change names:
>   SecBootVariableLib => SecureBootVariableLib
>   SecBootDefaultKeysDxe => SecureBootDefaultKeysDxe
>   SecEnrollDefaultKeysApp => EnrollFromDefaultKeysApp
> - change name of function CheckSetupMode to GetSetupMode
> - remove ShellPkg dependency from EnrollFromDefaultKeysApp
> - rebase to master
>
> Changes since v2:
> - fix coding style for functions headers in SecureBootVariableLib.h
> - add header to SecureBootDefaultKeys.fdf.inc
> - remove empty line spaces in SecureBootDefaultKeysDxe files
> - revert FAIL macro in EnrollFromDefaultKeysApp
> - remove functions duplicates and add SecureBootVariableLib
>   to platforms which used it
>
> Changes since v3:
> - move SecureBootDefaultKeys.fdf.inc to ArmPlatformPkg
> - leave duplicate of CreateTimeBasedPayload in PlatformVarCleanupLib
> - fix typo in guid description
>
> Changes since v4:
> - reorder patches to make it bisectable
> - split commits related to more than one platform
> - move edk2-platform commits to separate patchset
>
> Changes since v5:
> - split SecureBootVariableLib into SecureBootVariableLib and
>   SecureBootVariableProvisionLib
>
> Grzegorz Bernacki (11):
>   SecurityPkg: Create SecureBootVariableLib.
>   SecurityPkg: Create library for enrolling Secure Boot variables.
>   ArmVirtPkg: add SecureBootVariableLib class resolution
>   OvmfPkg: add SecureBootVariableLib class resolution
>   EmulatorPkg: add SecureBootVariableLib class resolution
>   SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
>   ArmPlatformPkg: Create include file for default key content.
>   SecurityPkg: Add SecureBootDefaultKeysDxe driver
>   SecurityPkg: Add EnrollFromDefaultKeys application.
>   SecurityPkg: Add new modules to Security package.
>   SecurityPkg: Add option to reset secure boot keys.
>
>  SecurityPkg/SecurityPkg.dec | 14 +
>  ArmVirtPkg/ArmVirt.dsc.inc | 2 +
>  EmulatorPkg/EmulatorPkg.dsc | 2 +
>  OvmfPkg/Bhyve/BhyveX64.dsc | 2 +
>  OvmfPkg/OvmfPkgIa32.dsc | 2 +
>  OvmfPkg/OvmfPkgIa32X64.dsc | 2 +
>  OvmfPkg/OvmfPkgX64.dsc | 2 +
>  SecurityPkg/SecurityPkg.dsc | 5 +
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf | 48 ++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 80 +++
>  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf | 80 +++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 3 +
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | 46 ++
>  SecurityPkg/Include/Library/SecureBootVariableLib.h | 153 ++++++
>  SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h | 134 +++++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h | 2 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr | 6 +
>  SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c | 110 +++++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 511 ++++++++++++++++++++
>  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 491 +++++++++++++++++++
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 344 ++++++-------
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c | 69 +++
>  ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc | 70 +++
>  SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 17 +
>  SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni | 16 +
>  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni | 4 +
>  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni | 16 +
>  27 files changed, 2043 insertions(+), 188 deletions(-)
>  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
>  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
>  create mode 100644 SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
>  create mode 100644 SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
>  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.c
>  create mode 100644 ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc
>  create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
>  create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
>  create mode 100644 SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.uni
>
> --
> 2.25.1