UefiPayloadPkg: Add Secure Boot support

Cc: Guo Dong <guo.dong@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Maurice Ma <maurice.ma@intel.com>
Cc: Benjamin You <benjamin.you@intel.com>
Signed-off-by: Sean Rhodes <sean@starlabs.systems>
Change-Id: I4f44e29bc967b7d2208193e21aeeef8b96afcc69
This commit is contained in:
Sean Rhodes
2022-01-03 15:56:05 +00:00
committed by Tim Crawford
parent 35dde2452d
commit 2dc1e51593
14 changed files with 674 additions and 12 deletions


@ -19,6 +19,7 @@
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/SecureBootVariableLib.h>
#include <Library/SecureBootVariableProvisionLib.h>
#include <Library/DxeServicesLib.h>
/**
Enroll a key/certificate based on a default variable.
@ -117,6 +118,7 @@ SecureBootInitPKDefault (
}
if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
DEBUG ((DEBUG_INFO, "Variable %s read error.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
return Status;
}
@ -264,10 +266,10 @@ SecureBootInitDbxDefault (
IN VOID
)
{
EFI_SIGNATURE_LIST *EfiSig;
UINTN SigListsSize;
UINTN Size;
EFI_STATUS Status;
UINT8 *Data;
UINT8 *Data;
VOID *Buffer;
UINTN DataSize;
//
@ -289,7 +291,13 @@ SecureBootInitDbxDefault (
//
DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);
Status = GetSectionFromAnyFv (
&gDefaultdbxFileGuid,
EFI_SECTION_RAW,
0,
&Buffer,
&Size
);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
return Status;
@ -299,15 +307,13 @@ SecureBootInitDbxDefault (
EFI_DBX_DEFAULT_VARIABLE_NAME,
&gEfiGlobalVariableGuid,
EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
SigListsSize,
(VOID *)EfiSig
Size,
(VOID *)Buffer
);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
}
FreePool (EfiSig);
return Status;
}
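Review bot: `Buffer` returned by `GetSectionFromAnyFv` at lines 49-55 is never released: the old `FreePool (EfiSig)` is gone and no `FreePool (Buffer)` takes its place, so each call of `SecureBootInitDbxDefault` leaks the section copy (DxeServicesLib allocates that output buffer with AllocatePool and leaves freeing to the caller). Add `FreePool (Buffer);` after the SetVariable error check, before `return Status;`. Separately, `SecureBootFetchData` wrapped the fetched content into an EFI_SIGNATURE_LIST, whereas the raw section is now written to `dbxDefault` verbatim with no structural check; if the DBX file in the key volume is not already a bare signature list, later enrollment will propagate malformed data, so either validate the buffer here or state in a comment that the raw section must be a pre-built EFI_SIGNATURE_LIST. The start of `SecureBootInitDbxDefault` lies outside the hunk.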


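--- /dev/null
+++ b/UefiPayloadPkg/SecureBootEnrollDefaultKeys/SecureBootSetup.c
@@ -0,0 +1,410 @@
+/** @file
+Enroll default PK, KEK, DB and DBX
+Copyright (C) 2014, Red Hat, Inc.
+This program and the accompanying materials are licensed and made available
+under the terms and conditions of the BSD License which accompanies this
+distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
+WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+**/
+#include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/GlobalVariable.h>
+#include <Guid/ImageAuthentication.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/DxeServicesLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiLib.h>
+#include <Library/SecureBootVariableProvisionLib.h>
+#include <Library/SecureBootVariableLib.h>
+STATIC
+EFI_STATUS
+EFIAPI
+GetExact (
+IN CHAR16 *VariableName,
+IN EFI_GUID *VendorGuid,
+OUT VOID *Data,
+IN UINTN DataSize,
+IN BOOLEAN AllowMissing
+)
+{
+UINTN Size;
+EFI_STATUS Status;
+Size = DataSize;
+Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);
+if (EFI_ERROR (Status)) {
+if ((Status == EFI_NOT_FOUND) && AllowMissing) {
+ZeroMem (Data, DataSize);
+return EFI_SUCCESS;
+}
+DEBUG ((
+EFI_D_ERROR,
+"SecureBootSetup: GetVariable(\"%s\", %g): %r\n",
+VariableName,
+VendorGuid,
+Status
+));
+return Status;
+}
+if (Size != DataSize) {
+DEBUG ((
+EFI_D_INFO,
+"SecureBootSetup: GetVariable(\"%s\", %g): expected size 0x%Lx, "
+"got 0x%Lx\n",
+VariableName,
+VendorGuid,
+(UINT64)DataSize,
+(UINT64)Size
+));
+return EFI_PROTOCOL_ERROR;
+}
+return EFI_SUCCESS;
+}
+typedef struct {
+UINT8 SetupMode;
+UINT8 SecureBoot;
+UINT8 SecureBootEnable;
+UINT8 CustomMode;
+UINT8 VendorKeys;
+} SETTINGS;
+STATIC
+EFI_STATUS
+EFIAPI
+GetSettings (
+OUT SETTINGS *Settings,
+BOOLEAN AllowMissing
+)
+{
+EFI_STATUS Status;
+ZeroMem (Settings, sizeof (SETTINGS));
+Status = GetExact (
+EFI_SETUP_MODE_NAME,
+&gEfiGlobalVariableGuid,
+&Settings->SetupMode,
+sizeof Settings->SetupMode,
+AllowMissing
+);
+if (EFI_ERROR (Status)) {
+return Status;
+}
+Status = GetExact (
+EFI_SECURE_BOOT_MODE_NAME,
+&gEfiGlobalVariableGuid,
+&Settings->SecureBoot,
+sizeof Settings->SecureBoot,
+AllowMissing
+);
+if (EFI_ERROR (Status)) {
+return Status;
+}
+Status = GetExact (
+EFI_SECURE_BOOT_ENABLE_NAME,
+&gEfiSecureBootEnableDisableGuid,
+&Settings->SecureBootEnable,
+sizeof Settings->SecureBootEnable,
+AllowMissing
+);
+if (EFI_ERROR (Status)) {
+return Status;
+}
+Status = GetExact (
+EFI_CUSTOM_MODE_NAME,
+&gEfiCustomModeEnableGuid,
+&Settings->CustomMode,
+sizeof Settings->CustomMode,
+AllowMissing
+);
+if (EFI_ERROR (Status)) {
+return Status;
+}
+Status = GetExact (
+EFI_VENDOR_KEYS_VARIABLE_NAME,
+&gEfiGlobalVariableGuid,
+&Settings->VendorKeys,
+sizeof Settings->VendorKeys,
+AllowMissing
+);
+return Status;
+}
+STATIC
+VOID
+EFIAPI
+PrintSettings (
+IN CONST SETTINGS *Settings
+)
+{
+DEBUG ((
+EFI_D_INFO,
+"SecureBootSetup: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "
+"CustomMode=%d VendorKeys=%d\n",
+Settings->SetupMode,
+Settings->SecureBoot,
+Settings->SecureBootEnable,
+Settings->CustomMode,
+Settings->VendorKeys
+));
+}
+/**
+Install SecureBoot certificates once the VariableDriver is running.
+@param[in] Event Event whose notification function is being invoked
+@param[in] Context Pointer to the notification function's context
+**/
+VOID
+EFIAPI
+InstallSecureBootHook (
+IN EFI_EVENT Event,
+IN VOID *Context
+)
+{
+EFI_STATUS Status;
+VOID *Protocol;
+SETTINGS Settings;
+Status = gBS->LocateProtocol (&gEfiVariableWriteArchProtocolGuid, NULL, (VOID **)&Protocol);
+if (EFI_ERROR (Status)) {
+return;
+}
+Status = GetSettings (&Settings, TRUE);
+if (EFI_ERROR (Status)) {
+DEBUG ((EFI_D_ERROR, "SecureBootSetup: Failed to get current settings\n"));
+return;
+}
+if (Settings.SetupMode != SETUP_MODE) {
+DEBUG ((EFI_D_ERROR, "SecureBootSetup: already in User Mode\n"));
+return;
+}
+if (Settings.SecureBootEnable != SECURE_BOOT_MODE_ENABLE) {
+DEBUG ((EFI_D_ERROR, "SecureBootSetup: SecureBootEnable is disabled.\n"));
+return;
+}
+PrintSettings (&Settings);
+if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
+Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
+Status = gRT->SetVariable (
+EFI_CUSTOM_MODE_NAME,
+&gEfiCustomModeEnableGuid,
+(EFI_VARIABLE_NON_VOLATILE |
+EFI_VARIABLE_BOOTSERVICE_ACCESS),
+sizeof Settings.CustomMode,
+&Settings.CustomMode
+);
+if (EFI_ERROR (Status)) {
+DEBUG ((
+EFI_D_ERROR,
+"SecureBootSetup: SetVariable(\"%s\", %g): %r\n",
+EFI_CUSTOM_MODE_NAME,
+&gEfiCustomModeEnableGuid,
+Status
+));
+ASSERT_EFI_ERROR (Status);
+}
+}
+// Enroll all the keys from default variables
+Status = EnrollDbFromDefault ();
+if (EFI_ERROR (Status)) {
+DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status));
+goto error;
+}
+Status = EnrollDbxFromDefault ();
+if (EFI_ERROR (Status)) {
+DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status));
+}
+Status = EnrollDbtFromDefault ();
+if (EFI_ERROR (Status)) {
+DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status));
+}
+Status = EnrollKEKFromDefault ();
+if (EFI_ERROR (Status)) {
+DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status));
+goto cleardbs;
+}
+Status = EnrollPKFromDefault ();
+if (EFI_ERROR (Status)) {
+DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status));
+goto clearKEK;
+}
+Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
+if (EFI_ERROR (Status)) {
+DEBUG ((
+DEBUG_ERROR,
+"Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
+"Please do it manually, otherwise system can be easily compromised\n"
+));
+}
+// FIXME: Force SecureBoot to ON. The AuthService will do this if authenticated variables
+// are supported, which aren't as the SMM handler isn't able to verify them.
+Settings.SecureBootEnable = SECURE_BOOT_ENABLE;
+Status = gRT->SetVariable (
+EFI_SECURE_BOOT_ENABLE_NAME,
+&gEfiSecureBootEnableDisableGuid,
+EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+sizeof Settings.SecureBootEnable,
+&Settings.SecureBootEnable
+);
+if (EFI_ERROR (Status)) {
+DEBUG ((
+EFI_D_ERROR,
+"SecureBootSetup: SetVariable(\"%s\", %g): %r\n",
+EFI_SECURE_BOOT_ENABLE_NAME,
+&gEfiSecureBootEnableDisableGuid,
+Status
+));
+ASSERT_EFI_ERROR (Status);
+}
+Settings.SecureBoot = SECURE_BOOT_ENABLE;
+Status = gRT->SetVariable (
+EFI_SECURE_BOOT_MODE_NAME,
+&gEfiGlobalVariableGuid,
+EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
+sizeof Settings.SecureBoot,
+&Settings.SecureBoot
+);
+if (EFI_ERROR (Status)) {
+DEBUG ((
+EFI_D_ERROR,
+"SecureBootSetup: SetVariable(\"%s\", %g): %r\n",
+EFI_SECURE_BOOT_MODE_NAME,
+&gEfiGlobalVariableGuid,
+Status
+));
+ASSERT_EFI_ERROR (Status);
+}
+Status = GetSettings (&Settings, FALSE);
+ASSERT_EFI_ERROR (Status);
+//
+// Final sanity check:
+//
+// [SetupMode]
+// (read-only, standardized by UEFI)
+// / \_
+// 0 1, default
+// / \_
+// PK enrolled no PK enrolled yet,
+// (this is called "User Mode") PK enrollment possible
+// |
+// |
+// [SecureBootEnable]
+// (read-write, edk2-specific, boot service only)
+// / \_
+// 0 1, default
+// / \_
+// [SecureBoot]=0 [SecureBoot]=1
+// (read-only, standardized by UEFI) (read-only, standardized by UEFI)
+// images are not verified images are verified, platform is
+// operating in Secure Boot mode
+// |
+// |
+// [CustomMode]
+// (read-write, edk2-specific, boot service only)
+// / \_
+// 0, default 1
+// / \_
+// PK, KEK, db, dbx PK, KEK, db, dbx
+// updates are verified updates are not verified
+//
+PrintSettings (&Settings);
+if ((Settings.SetupMode != 0) || (Settings.SecureBoot != 1) ||
+(Settings.SecureBootEnable != 1) || (Settings.CustomMode != 0) ||
+(Settings.VendorKeys != 0))
+{
+DEBUG ((EFI_D_ERROR, "SecureBootSetup: disabled\n"));
+return;
+}
+DEBUG ((EFI_D_INFO, "SecureBootSetup: SecureBoot enabled\n"));
+return;
+clearKEK:
+DeleteKEK ();
+cleardbs:
+DeleteDbt ();
+DeleteDbx ();
+DeleteDb ();
+error:
+if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) != EFI_SUCCESS) {
+DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status));
+}
+DEBUG ((EFI_D_ERROR, "SecureBootSetup: disabled\n"));
+}
+EFI_STATUS
+EFIAPI
+DriverEntry (
+IN EFI_HANDLE ImageHandle,
+IN EFI_SYSTEM_TABLE *SystemTable
+)
+{
+EFI_STATUS Status;
+VOID *TcgProtocol;
+VOID *Registration;
+Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **)&TcgProtocol);
+if (!EFI_ERROR (Status)) {
+DEBUG ((
+EFI_D_ERROR,
+"SecureBootSetup: Started too late."
+"TPM is already running!\n"
+));
+return EFI_DEVICE_ERROR;
+}
+//
+// Create event callback, because we need access variable on SecureBootPolicyVariable
+// We should use VariableWriteArch instead of VariableArch, because Variable driver
+// may update SecureBoot value based on last setting.
+//
+EfiCreateProtocolNotifyEvent (
+&gEfiVariableWriteArchProtocolGuid,
+TPL_CALLBACK,
+InstallSecureBootHook,
+NULL,
+&Registration
+);
+return EFI_SUCCESS;
+}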
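Review bot: The direct `gRT->SetVariable` of `SecureBoot` at lines 333-340 (and of `SecureBootEnable` just above it) publishes an enforcement state that the variable driver did not derive itself; the FIXME above it says authenticated variables cannot be verified by the SMM handler, so a reader of `SecureBoot`=1 (the final sanity check here, and presumably the image verification library wired in by the .dsc) gets no assurance that PK/KEK/db/dbx writes are actually authenticated. The FIXME should state that consequence and the condition for removing the forced write, e.g. `// FIXME: SecureBoot is forced to 1 here; while the variable store cannot authenticate updates this does NOT mean the key databases are write-protected — drop once AuthVariableLib derives it.` Separately, the `error:` path at lines 401-402 logs the stale enrollment `Status` instead of the result of `SetSecureBootMode`; use `Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); if (EFI_ERROR (Status)) {`. Also, `DriverEntry` only probes `gEfiTcgProtocolGuid`, while the .fdf orders this driver before Tcg2Dxe; if the TPM 2.0 stack is the one in use, probing `gEfiTcg2ProtocolGuid` as well would make the "started too late" guard effective.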


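--- /dev/null
+++ b/UefiPayloadPkg/SecureBootEnrollDefaultKeys/SecureBootSetup.inf
@@ -0,0 +1,56 @@
+## @file
+# This file handels SecureBoot setup.
+#
+# Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved.<BR>
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+#
+##
+[Defines]
+INF_VERSION = 0x00010005
+BASE_NAME = SecureBootSetup
+MODULE_UNI_FILE = SecureBootSetup.uni
+FILE_GUID = 14693BD4-D114-4177-979E-37F279BAD620
+MODULE_TYPE = DXE_DRIVER
+VERSION_STRING = 0.1
+ENTRY_POINT = DriverEntry
+#
+# VALID_ARCHITECTURES = IA32 X64
+#
+[Sources]
+SecureBootSetup.c
+[Packages]
+MdePkg/MdePkg.dec
+MdeModulePkg/MdeModulePkg.dec
+SecurityPkg/SecurityPkg.dec
+[Guids]
+gEfiCertPkcs7Guid
+gEfiCertX509Guid
+gEfiCustomModeEnableGuid
+gEfiGlobalVariableGuid
+gEfiImageSecurityDatabaseGuid
+gEfiSecureBootEnableDisableGuid
+[LibraryClasses]
+BaseMemoryLib
+DebugLib
+MemoryAllocationLib
+UefiRuntimeServicesTableLib
+UefiDriverEntryPoint
+DxeServicesLib
+UefiBootServicesTableLib
+SecureBootVariableProvisionLib
+SecureBootVariableLib
+[Protocols]
+gEfiTcgProtocolGuid ## CONSUMES
+gEfiVariableWriteArchProtocolGuid ## CONSUMES
+[Depex]
+TRUE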
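Review bot: `UefiLib` is missing from `[LibraryClasses]` (lines 476-485) although `SecureBootSetup.c` includes `Library/UefiLib.h` and calls `EfiCreateProtocolNotifyEvent`; it presumably links today only through another library's dependency closure, which is fragile, so add `UefiLib` to the list. `[Guids]` declares `gEfiCertPkcs7Guid`, `gEfiCertX509Guid` and `gEfiImageSecurityDatabaseGuid`, none of which the source references directly, while `gEfiTcgProtocolGuid` in `[Protocols]` is only used to detect a late start — a `## CONSUMES` comment saying so would avoid a reader assuming a TPM dependency. The header line 444 has a typo (`handels` → `handles`) and carries an Intel 2013-2019 copyright on a file that the other new files attribute to Star Labs 2021; worth reconciling.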


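--- /dev/null
+++ b/UefiPayloadPkg/SecureBootEnrollDefaultKeys/SecureBootSetup.uni
@@ -0,0 +1,21 @@
+// /** @file
+// Provides authenticated variable service for IPF platform
+//
+// This module installs variable arch protocol and variable write arch protocol to provide
+// four EFI_RUNTIME_SERVICES: SetVariable, GetVariable, GetNextVariableName and QueryVariableInfo.
+//
+// Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
+//
+// This program and the accompanying materials
+// are licensed and made available under the terms and conditions of the BSD License
+// which accompanies this distribution. The full text of the license may be found at
+// http://opensource.org/licenses/bsd-license.php
+// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+//
+// **/
+#string STR_MODULE_ABSTRACT #language en-US "Provides authenticated variable service for IPF platform"
+#string STR_MODULE_DESCRIPTION #language en-US "This module installs variable arch protocol and variable write arch protocol to provide four EFI_RUNTIME_SERVICES: SetVariable, GetVariable, GetNextVariableName and QueryVariableInfo."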
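Review bot: The abstract and description strings at lines 511-512 describe the IPF authenticated variable service (the EsalVariableDxeSal module they were copied from), not this driver, so the module shows up in tooling with a misleading summary. `STR_MODULE_ABSTRACT` should read something like `"Enrolls the default PK, KEK, db and dbx and enables Secure Boot"`, and `STR_MODULE_DESCRIPTION` should describe the VariableWriteArch notification hook that performs the enrollment. The header comment at lines 495-500 has the same origin, as does the `EsalVariableDxeSal Localized Strings` title in the accompanying Extra .uni file.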


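--- /dev/null
+++ b/UefiPayloadPkg/SecureBootEnrollDefaultKeys/<extra-uni-path-not-shown>
@@ -0,0 +1,17 @@
+// /** @file
+// EsalVariableDxeSal Localized Strings and Content
+//
+// Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
+//
+// This program and the accompanying materials
+// are licensed and made available under the terms and conditions of the BSD License
+// which accompanies this distribution. The full text of the license may be found at
+// http://opensource.org/licenses/bsd-license.php
+// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+//
+// **/
+#string STR_PROPERTIES_MODULE_NAME
+#language en-US
+"9elements Secure Boot DXE"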


@ -99,6 +99,11 @@
#
DEFINE SHELL_TYPE = BUILD_SHELL
#
# Security options:
#
DEFINE SECURE_BOOT_ENABLE = FALSE
#
# EMU: UEFI payload with EMU variable
# SPI: UEFI payload with SPI NV variable support
@ -186,6 +191,10 @@
CacheMaintenanceLib|MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf
SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf
DxeHobListLib|UefiPayloadPkg/Library/DxeHobListLib/DxeHobListLib.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
!endif
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
@ -272,7 +281,6 @@
DebugLib|MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibReportStatusCode.inf
LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!if $(VARIABLE_SUPPORT) == "EMU"
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
!elseif $(VARIABLE_SUPPORT) == "SMMSTORE"
@ -291,6 +299,9 @@
VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf
ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf
[LibraryClasses.common]
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
[LibraryClasses.common.SEC]
HobLib|UefiPayloadPkg/Library/PayloadEntryHobLib/HobLib.inf
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
@ -311,6 +322,18 @@
!if $(PERFORMANCE_MEASUREMENT_ENABLE)
PerformanceLib|MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf
!endif
SmbusLib|MdePkg/Library/DxeSmbusLib/DxeSmbusLib.inf
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
# re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
[LibraryClasses.common.DXE_DRIVER]
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@ -325,6 +348,17 @@
!if $(PERFORMANCE_MEASUREMENT_ENABLE)
PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf
!endif
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
# re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
[LibraryClasses.common.DXE_RUNTIME_DRIVER]
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@ -334,6 +368,19 @@
!if $(PERFORMANCE_MEASUREMENT_ENABLE)
PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf
!endif
SmbusLib|MdePkg/Library/DxeSmbusLib/DxeSmbusLib.inf
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
# re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
!else
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
[LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION]
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
@ -573,7 +620,19 @@
# Components that produce the architectural protocols
#
!if $(SECURITY_STUB_ENABLE) == TRUE
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
<LibraryClasses>
!if $(SECURE_BOOT_ENABLE) == TRUE
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
!endif
}
!if $(SECURE_BOOT_ENABLE) == TRUE
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
UefiPayloadPkg/SecureBootEnrollDefaultKeys/SecureBootSetup.inf
!endif
!endif
UefiCpuPkg/CpuDxe/CpuDxe.inf
MdeModulePkg/Universal/BdsDxe/BdsDxe.inf
@ -598,7 +657,10 @@
!endif
PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
!if $(EMU_VARIABLE_ENABLE) == TRUE
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf {
<LibraryClasses>
NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
}
!endif
#
# Following are the DXE drivers
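Review bot: Mapping `PlatformSecureLib` to `OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf` (lines 583-584, repeated at 599-600 and 617-618) pulls in a `UserPhysicalPresent()` that, as far as I recall, unconditionally returns TRUE because a virtual machine has no physically present user; AuthVariableLib uses that answer to gate writes to `SecureBootEnable` and `CustomMode`, so on real hardware any boot-service code would pass the physical-presence check. The comment only says a dummy implementation is being re-used; it should spell out the consequence and mark it as a placeholder, e.g. `# TODO: OVMF's UserPhysicalPresent() always returns TRUE, so the physical-presence gate on SecureBootEnable/CustomMode is effectively disabled until a platform PlatformSecureLib is provided`. The three `!if $(SECURE_BOOT_ENABLE) == TRUE` blocks carry the same four lines verbatim; a single `!include` fragment would keep them from drifting apart.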


@ -61,7 +61,6 @@ FILE FV_IMAGE = 4E35FD93-9C72-4c15-8C4B-E77F1DB2D793 {
}
################################################################################
[FV.DXEFV]
FvNameGuid = 8063C21A-8E58-4576-95CE-089E87975D23
BlockSize = $(FD_BLOCK_SIZE)
@ -89,6 +88,11 @@ APRIORI DXE {
INF MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportStatusCodeRouterRuntimeDxe.inf
INF MdeModulePkg/Universal/StatusCodeHandler/RuntimeDxe/StatusCodeHandlerRuntimeDxe.inf
INF UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
INF PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf
INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf # After SMBusConfigLoader and PcatRealTimeClockRuntimeDxe, before Tcg2Dxe
INF UefiPayloadPkg/SecureBootEnrollDefaultKeys/SecureBootSetup.inf
!endif
}
#
@ -272,6 +276,19 @@ INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
!include NetworkPkg/Network.fdf.inc
!endif
#
# Security
#
!if $(SECURE_BOOT_ENABLE) == TRUE
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
INF UefiPayloadPkg/SecureBootEnrollDefaultKeys/SecureBootSetup.inf
FILE FREEFORM = PCD(gUefiPayloadPkgTokenSpaceGuid.PcdNvsDataFile) {
SECTION RAW = UefiVariableBinary/SECUREBOOT.Fv
}
!endif
#
# Shell
#
@ -415,3 +432,17 @@ INF ShellPkg/Application/Shell/Shell.inf
UI STRING="Enter Setup"
VERSION STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER)
}
[RULE.COMMON.USER_DEFINED]
FILE FREEFORM = $(NAMED_GUID) {
RAW BIN |.crt
RAW BIN |.bin
}
[RULE.COMMON.USER_DEFINED.BINARY]
FILE FREEFORM = $(NAMED_GUID) {
RAW BIN |.crt
RAW BIN |.bin
UI STRING="$(MODULE_NAME)" Optional
}
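Review bot: The Secure Boot key volume is embedded from a prebuilt file, `SECTION RAW = UefiVariableBinary/SECUREBOOT.Fv` at line 686, rather than from the output of the `UefiVariableBinary` platform this commit adds (whose OUTPUT_DIRECTORY is `Build/UefiVariableBinary`), so as far as the page shows nothing at build time ties the certificates named in `UefiVariableBinary.fdf` to the bytes that become the default PK/KEK/db/dbx. Either produce the .Fv as a step of the payload build, or at least add a comment above line 685 saying where it comes from and when it must be regenerated, e.g. `# SECUREBOOT.Fv is a prebuilt output of the UefiVariableBinary platform; rebuild it whenever the certificates under UefiVariableBinary/keys change`. Line 669 adds `PcatRealTimeClockRuntimeDxe` to the APRIORI list; a comment like the one on line 670 explaining why it must precede the default-keys driver (time-based authenticated writes need a working RTC, presumably) would help the next reader.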


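--- /dev/null
+++ b/UefiVariableBinary/<dsc-path-not-shown>
@@ -0,0 +1,20 @@
+## @file
+# Secure Boot Variable File
+#
+# Builds a firmware volume to contain Secure Boot keys
+#
+# Copyright (c) 2021, Star Labs Online Limited. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+[Defines]
+PLATFORM_NAME = SecureBoot
+PLATFORM_GUID = 1035eeff-543e-4abb-ac7e-bcd68cb530f8
+PLATFORM_VERSION = 0.1
+OUTPUT_DIRECTORY = Build/UefiVariableBinary
+SUPPORTED_ARCHITECTURES = IA32|X64
+BUILD_TARGETS = DEBUG|RELEASE|NOOPT
+SKUID_IDENTIFIER = DEFAULT
+FLASH_DEFINITION = UefiVariableBinary/UefiVariableBinary.fdf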


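--- /dev/null
+++ b/UefiVariableBinary/UefiVariableBinary.fdf
@@ -0,0 +1,31 @@
+## @file
+# FDF include file which allows to embed Secure Boot keys
+#
+# Copyright (c) 2021, Star Labs Online Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+[Defines]
+DEFINE FD_SIZE = 0x00850000
+DEFINE NUM_BLOCKS = 0x850
+[FV.SecureBoot]
+FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 {
+SECTION RAW = UefiVariableBinary/keys/pk.crt
+SECTION UI = "PK Default"
+}
+FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
+SECTION RAW = UefiVariableBinary/keys/MicCorKEKCA2011_2011-06-24.crt
+SECTION UI = "KEK Default"
+}
+FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
+SECTION RAW = UefiVariableBinary/keys/MicWinProPCA2011_2011-10-19.crt
+SECTION UI = "DB Default"
+}
+FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f {
+SECTION RAW = UefiVariableBinary/keys/dbxupdate_x64.bin
+SECTION UI = "DBX Default"
+}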
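Review bot: The db default at line 753 contains only `MicWinProPCA2011_2011-10-19.crt`; unless the Microsoft Corporation UEFI CA 2011 is also enrolled, binaries signed under that CA (third-party option ROMs, shim-based Linux loaders) will be rejected once Secure Boot is on, which may be the intended policy but should be stated in a comment next to the `DB Default` file rather than left for users to discover. The four file GUIDs at lines 744, 748, 752 and 756 presumably have to match the `gDefault*FileGuid` values the consuming driver looks up; a comment tying each GUID to its DEC name would turn a silent mismatch into an obvious one. The DBX default is a `.bin` at line 757 while the others are `.crt`, so the expected on-disk format of that file (signature list vs. certificate) deserves a one-line note as well.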

Binary file not shown.


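--- /dev/null
+++ b/<readme-path-not-shown>
@@ -0,0 +1,8 @@
+# PK certificate generation
+* Do not save private key for re-usage.
+* Generate a RSA 2048 / SHA256 x509 certificate
+* Exponent should be 65537
+* Microsoft certificates can be found here: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance
+openssl req -outform DER -newkey rsa:2048 -keyout /dev/null -passout file:<(head -c 40 /dev/urandom) -x509 -days 365 -out pk.crt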

Binary file not shown.

Binary file not shown.