This allows Secure Boot to be initialized with the default factory keys embedded in the firmware flash image.
For example, to incorporate PK, KEK, and DB default keys, specify the corresponding key files in the Jade.dsc as follows: DEFINE DEFAULT_KEYS = TRUE DEFINE PK_DEFAULT_FILE = path/to/PK.crt DEFINE KEK_DEFAULT_FILE1 = path/to/KEK.crt DEFINE DB_DEFAULT_FILE1 = path/to/DB1.crt DEFINE DB_DEFAULT_FILE2 = path/to/DB2.crt Signed-off-by: Nhi Pham <n...@os.amperecomputing.com> --- Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc | 2 ++ Platform/Ampere/JadePkg/Jade.fdf | 2 ++ 2 files changed, 4 insertions(+) diff --git a/Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc b/Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc index 23579497661d..93b4d1d99dcd 100644 --- a/Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc +++ b/Silicon/Ampere/AmpereAltraPkg/AmpereAltraPkg.dsc.inc @@ -590,6 +590,8 @@ [Components.common] !if $(SECURE_BOOT_ENABLE) == TRUE SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf + SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf + SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf !endif MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf diff --git a/Platform/Ampere/JadePkg/Jade.fdf b/Platform/Ampere/JadePkg/Jade.fdf index 7795f0e11115..1e2df5ba6142 100644 --- a/Platform/Ampere/JadePkg/Jade.fdf +++ b/Platform/Ampere/JadePkg/Jade.fdf 
@@ -219,7 +219,9 @@ [FV.FvMain] INF MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf !if $(SECURE_BOOT_ENABLE) == TRUE +!include ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf !endif INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf -- 2.25.1
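Review bot: In the Jade.fdf hunk the added `!include ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc` and `SecureBootDefaultKeysDxe.inf` lines are gated on `SECURE_BOOT_ENABLE` alone, while the description says the key files are only supplied when `DEFAULT_KEYS` and the `*_DEFAULT_FILE` macros are defined, and nothing visible in the patch gives `DEFAULT_KEYS` a default value. A build with Secure Boot enabled and no key macros would then appear to ship the driver with no key blobs behind it, so I would either nest the two added lines under `!if $(DEFAULT_KEYS) == TRUE` or add a comment such as `# Key blobs are embedded only when DEFAULT_KEYS == TRUE; see PK_DEFAULT_FILE, KEK_DEFAULT_FILE1, DB_DEFAULT_FILE1`. The AmpereAltraPkg.dsc.inc hunk has the same gating, and it builds `EnrollFromDefaultKeysApp.inf` without this hunk placing it in FvMain, so the description should state how enrollment from the embedded defaults is expected to be triggered. Because these certificates become the platform's factory trust anchors, it is also worth saying whether leaving a default dbx out of the PK/KEK/DB example is intentional. The `[FV.FvMain]` section itself extends beyond the hunk.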