UefiPayloadPkg: Add Secure Boot support
Cc: Guo Dong <guo.dong@intel.com> Cc: Ray Ni <ray.ni@intel.com> Cc: Maurice Ma <maurice.ma@intel.com> Cc: Benjamin You <benjamin.you@intel.com> Signed-off-by: Sean Rhodes <sean@starlabs.systems> Change-Id: I4f44e29bc967b7d2208193e21aeeef8b96afcc69
This commit is contained in:
		
				
					committed by
					
						 Tim Crawford
						Tim Crawford
					
				
			
			
				
	
			
			
			
						parent
						
							35dde2452d
						
					
				
				
					commit
					2dc1e51593
				
			| @@ -19,6 +19,7 @@ | |||||||
| #include <Library/UefiRuntimeServicesTableLib.h> | #include <Library/UefiRuntimeServicesTableLib.h> | ||||||
| #include <Library/SecureBootVariableLib.h> | #include <Library/SecureBootVariableLib.h> | ||||||
| #include <Library/SecureBootVariableProvisionLib.h> | #include <Library/SecureBootVariableProvisionLib.h> | ||||||
|  | #include <Library/DxeServicesLib.h> | ||||||
|  |  | ||||||
| /** | /** | ||||||
|   Enroll a key/certificate based on a default variable. |   Enroll a key/certificate based on a default variable. | ||||||
| @@ -117,6 +118,7 @@ SecureBootInitPKDefault ( | |||||||
|   } |   } | ||||||
|  |  | ||||||
|   if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { |   if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { | ||||||
|  |     DEBUG ((DEBUG_INFO, "Variable %s read error.\n", EFI_PK_DEFAULT_VARIABLE_NAME)); | ||||||
|     return Status; |     return Status; | ||||||
|   } |   } | ||||||
|  |  | ||||||
| @@ -264,10 +266,10 @@ SecureBootInitDbxDefault ( | |||||||
|   IN VOID |   IN VOID | ||||||
|   ) |   ) | ||||||
| { | { | ||||||
|   EFI_SIGNATURE_LIST  *EfiSig; |   UINTN               Size; | ||||||
|   UINTN               SigListsSize; |  | ||||||
|   EFI_STATUS          Status; |   EFI_STATUS          Status; | ||||||
|   UINT8              *Data; |   UINT8              *Data; | ||||||
|  |   VOID               *Buffer; | ||||||
|   UINTN               DataSize; |   UINTN               DataSize; | ||||||
|  |  | ||||||
|   // |   // | ||||||
| @@ -289,7 +291,13 @@ SecureBootInitDbxDefault ( | |||||||
|   // |   // | ||||||
|   DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME)); |   DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME)); | ||||||
|  |  | ||||||
|   Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig); |   Status = GetSectionFromAnyFv ( | ||||||
|  |              &gDefaultdbxFileGuid, | ||||||
|  |              EFI_SECTION_RAW, | ||||||
|  |              0, | ||||||
|  |              &Buffer, | ||||||
|  |              &Size | ||||||
|  |              ); | ||||||
|   if (EFI_ERROR (Status)) { |   if (EFI_ERROR (Status)) { | ||||||
|     DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME)); |     DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME)); | ||||||
|     return Status; |     return Status; | ||||||
| @@ -299,15 +307,13 @@ SecureBootInitDbxDefault ( | |||||||
|                   EFI_DBX_DEFAULT_VARIABLE_NAME, |                   EFI_DBX_DEFAULT_VARIABLE_NAME, | ||||||
|                   &gEfiGlobalVariableGuid, |                   &gEfiGlobalVariableGuid, | ||||||
|                   EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS, |                   EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS, | ||||||
|                   SigListsSize, |                   Size, | ||||||
|                   (VOID *)EfiSig |                   (VOID *)Buffer | ||||||
|                   ); |                   ); | ||||||
|   if (EFI_ERROR (Status)) { |   if (EFI_ERROR (Status)) { | ||||||
|     DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME)); |     DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME)); | ||||||
|   } |   } | ||||||
|  |  | ||||||
|   FreePool (EfiSig); |  | ||||||
|  |  | ||||||
|   return Status; |   return Status; | ||||||
| } | } | ||||||
|  |  | ||||||
|   | |||||||
							
								
								
									
										410
									
								
								UefiPayloadPkg/SecureBootEnrollDefaultKeys/SecureBootSetup.c
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										410
									
								
								UefiPayloadPkg/SecureBootEnrollDefaultKeys/SecureBootSetup.c
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,410 @@ | |||||||
|  | /** @file | ||||||
|  |    Enroll default PK, KEK, DB and DBX | ||||||
|  |  | ||||||
|  |    Copyright (C) 2014, Red Hat, Inc. | ||||||
|  |  | ||||||
|  |    This program and the accompanying materials are licensed and made available | ||||||
|  |    under the terms and conditions of the BSD License which accompanies this | ||||||
|  |    distribution. The full text of the license may be found at | ||||||
|  |    http://opensource.org/licenses/bsd-license. | ||||||
|  |  | ||||||
|  |    THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT | ||||||
|  |    WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. | ||||||
|  |  **/ | ||||||
|  |  | ||||||
|  | #include <Guid/AuthenticatedVariableFormat.h> | ||||||
|  | #include <Guid/GlobalVariable.h> | ||||||
|  | #include <Guid/ImageAuthentication.h> | ||||||
|  | #include <Library/BaseMemoryLib.h> | ||||||
|  | #include <Library/DebugLib.h> | ||||||
|  | #include <Library/MemoryAllocationLib.h> | ||||||
|  | #include <Library/UefiRuntimeServicesTableLib.h> | ||||||
|  | #include <Library/DxeServicesLib.h> | ||||||
|  | #include <Library/UefiBootServicesTableLib.h> | ||||||
|  | #include <Library/UefiLib.h> | ||||||
|  | #include <Library/SecureBootVariableProvisionLib.h> | ||||||
|  | #include <Library/SecureBootVariableLib.h> | ||||||
|  |  | ||||||
|  | STATIC | ||||||
|  | EFI_STATUS | ||||||
|  | EFIAPI | ||||||
|  | GetExact ( | ||||||
|  |   IN CHAR16    *VariableName, | ||||||
|  |   IN EFI_GUID  *VendorGuid, | ||||||
|  |   OUT VOID     *Data, | ||||||
|  |   IN UINTN     DataSize, | ||||||
|  |   IN BOOLEAN   AllowMissing | ||||||
|  |   ) | ||||||
|  | { | ||||||
|  |   UINTN       Size; | ||||||
|  |   EFI_STATUS  Status; | ||||||
|  |  | ||||||
|  |   Size   = DataSize; | ||||||
|  |   Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     if ((Status == EFI_NOT_FOUND) && AllowMissing) { | ||||||
|  |       ZeroMem (Data, DataSize); | ||||||
|  |       return EFI_SUCCESS; | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     DEBUG (( | ||||||
|  |       EFI_D_ERROR, | ||||||
|  |       "SecureBootSetup: GetVariable(\"%s\", %g): %r\n", | ||||||
|  |       VariableName, | ||||||
|  |       VendorGuid, | ||||||
|  |       Status | ||||||
|  |       )); | ||||||
|  |     return Status; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   if (Size != DataSize) { | ||||||
|  |     DEBUG (( | ||||||
|  |       EFI_D_INFO, | ||||||
|  |       "SecureBootSetup: GetVariable(\"%s\", %g): expected size 0x%Lx, " | ||||||
|  |       "got 0x%Lx\n", | ||||||
|  |       VariableName, | ||||||
|  |       VendorGuid, | ||||||
|  |       (UINT64)DataSize, | ||||||
|  |       (UINT64)Size | ||||||
|  |       )); | ||||||
|  |     return EFI_PROTOCOL_ERROR; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   return EFI_SUCCESS; | ||||||
|  | } | ||||||
|  |  | ||||||
|  | typedef struct { | ||||||
|  |   UINT8    SetupMode; | ||||||
|  |   UINT8    SecureBoot; | ||||||
|  |   UINT8    SecureBootEnable; | ||||||
|  |   UINT8    CustomMode; | ||||||
|  |   UINT8    VendorKeys; | ||||||
|  | } SETTINGS; | ||||||
|  |  | ||||||
|  | STATIC | ||||||
|  | EFI_STATUS | ||||||
|  | EFIAPI | ||||||
|  | GetSettings ( | ||||||
|  |   OUT SETTINGS  *Settings, | ||||||
|  |   BOOLEAN       AllowMissing | ||||||
|  |   ) | ||||||
|  | { | ||||||
|  |   EFI_STATUS  Status; | ||||||
|  |  | ||||||
|  |   ZeroMem (Settings, sizeof (SETTINGS)); | ||||||
|  |  | ||||||
|  |   Status = GetExact ( | ||||||
|  |              EFI_SETUP_MODE_NAME, | ||||||
|  |              &gEfiGlobalVariableGuid, | ||||||
|  |              &Settings->SetupMode, | ||||||
|  |              sizeof Settings->SetupMode, | ||||||
|  |              AllowMissing | ||||||
|  |              ); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     return Status; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   Status = GetExact ( | ||||||
|  |              EFI_SECURE_BOOT_MODE_NAME, | ||||||
|  |              &gEfiGlobalVariableGuid, | ||||||
|  |              &Settings->SecureBoot, | ||||||
|  |              sizeof Settings->SecureBoot, | ||||||
|  |              AllowMissing | ||||||
|  |              ); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     return Status; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   Status = GetExact ( | ||||||
|  |              EFI_SECURE_BOOT_ENABLE_NAME, | ||||||
|  |              &gEfiSecureBootEnableDisableGuid, | ||||||
|  |              &Settings->SecureBootEnable, | ||||||
|  |              sizeof Settings->SecureBootEnable, | ||||||
|  |              AllowMissing | ||||||
|  |              ); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     return Status; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   Status = GetExact ( | ||||||
|  |              EFI_CUSTOM_MODE_NAME, | ||||||
|  |              &gEfiCustomModeEnableGuid, | ||||||
|  |              &Settings->CustomMode, | ||||||
|  |              sizeof Settings->CustomMode, | ||||||
|  |              AllowMissing | ||||||
|  |              ); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     return Status; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   Status = GetExact ( | ||||||
|  |              EFI_VENDOR_KEYS_VARIABLE_NAME, | ||||||
|  |              &gEfiGlobalVariableGuid, | ||||||
|  |              &Settings->VendorKeys, | ||||||
|  |              sizeof Settings->VendorKeys, | ||||||
|  |              AllowMissing | ||||||
|  |              ); | ||||||
|  |   return Status; | ||||||
|  | } | ||||||
|  |  | ||||||
|  | STATIC | ||||||
|  | VOID | ||||||
|  | EFIAPI | ||||||
|  | PrintSettings ( | ||||||
|  |   IN CONST SETTINGS  *Settings | ||||||
|  |   ) | ||||||
|  | { | ||||||
|  |   DEBUG (( | ||||||
|  |     EFI_D_INFO, | ||||||
|  |     "SecureBootSetup: SetupMode=%d SecureBoot=%d SecureBootEnable=%d " | ||||||
|  |     "CustomMode=%d VendorKeys=%d\n", | ||||||
|  |     Settings->SetupMode, | ||||||
|  |     Settings->SecureBoot, | ||||||
|  |     Settings->SecureBootEnable, | ||||||
|  |     Settings->CustomMode, | ||||||
|  |     Settings->VendorKeys | ||||||
|  |     )); | ||||||
|  | } | ||||||
|  |  | ||||||
|  | /** | ||||||
|  |   Install SecureBoot certificates once the VariableDriver is running. | ||||||
|  |  | ||||||
|  |   @param[in]  Event     Event whose notification function is being invoked | ||||||
|  |   @param[in]  Context   Pointer to the notification function's context | ||||||
|  | **/ | ||||||
|  | VOID | ||||||
|  | EFIAPI | ||||||
|  | InstallSecureBootHook ( | ||||||
|  |   IN EFI_EVENT  Event, | ||||||
|  |   IN VOID       *Context | ||||||
|  |   ) | ||||||
|  | { | ||||||
|  |   EFI_STATUS  Status; | ||||||
|  |   VOID        *Protocol; | ||||||
|  |   SETTINGS    Settings; | ||||||
|  |  | ||||||
|  |   Status = gBS->LocateProtocol (&gEfiVariableWriteArchProtocolGuid, NULL, (VOID **)&Protocol); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     return; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   Status = GetSettings (&Settings, TRUE); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     DEBUG ((EFI_D_ERROR, "SecureBootSetup: Failed to get current settings\n")); | ||||||
|  |     return; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   if (Settings.SetupMode != SETUP_MODE) { | ||||||
|  |     DEBUG ((EFI_D_ERROR, "SecureBootSetup: already in User Mode\n")); | ||||||
|  |     return; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   if (Settings.SecureBootEnable != SECURE_BOOT_MODE_ENABLE) { | ||||||
|  |     DEBUG ((EFI_D_ERROR, "SecureBootSetup: SecureBootEnable is disabled.\n")); | ||||||
|  |     return; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   PrintSettings (&Settings); | ||||||
|  |  | ||||||
|  |   if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) { | ||||||
|  |     Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE; | ||||||
|  |     Status              = gRT->SetVariable ( | ||||||
|  |                                  EFI_CUSTOM_MODE_NAME, | ||||||
|  |                                  &gEfiCustomModeEnableGuid, | ||||||
|  |                                  (EFI_VARIABLE_NON_VOLATILE | | ||||||
|  |                                   EFI_VARIABLE_BOOTSERVICE_ACCESS), | ||||||
|  |                                  sizeof Settings.CustomMode, | ||||||
|  |                                  &Settings.CustomMode | ||||||
|  |                                  ); | ||||||
|  |     if (EFI_ERROR (Status)) { | ||||||
|  |       DEBUG (( | ||||||
|  |         EFI_D_ERROR, | ||||||
|  |         "SecureBootSetup: SetVariable(\"%s\", %g): %r\n", | ||||||
|  |         EFI_CUSTOM_MODE_NAME, | ||||||
|  |         &gEfiCustomModeEnableGuid, | ||||||
|  |         Status | ||||||
|  |         )); | ||||||
|  |       ASSERT_EFI_ERROR (Status); | ||||||
|  |     } | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   // Enroll all the keys from default variables | ||||||
|  |   Status = EnrollDbFromDefault (); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     DEBUG ((DEBUG_ERROR, "Cannot enroll db: %r\n", Status)); | ||||||
|  |     goto error; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   Status = EnrollDbxFromDefault (); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     DEBUG ((DEBUG_ERROR, "Cannot enroll dbx: %r\n", Status)); | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   Status = EnrollDbtFromDefault (); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     DEBUG ((DEBUG_ERROR, "Cannot enroll dbt: %r\n", Status)); | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   Status = EnrollKEKFromDefault (); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     DEBUG ((DEBUG_ERROR, "Cannot enroll KEK: %r\n", Status)); | ||||||
|  |     goto cleardbs; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   Status = EnrollPKFromDefault (); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     DEBUG ((DEBUG_ERROR, "Cannot enroll PK: %r\n", Status)); | ||||||
|  |     goto clearKEK; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     DEBUG (( | ||||||
|  |       DEBUG_ERROR, | ||||||
|  |       "Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n" | ||||||
|  |       "Please do it manually, otherwise system can be easily compromised\n" | ||||||
|  |       )); | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   // FIXME: Force SecureBoot to ON. The AuthService will do this if authenticated variables | ||||||
|  |   // are supported, which aren't as the SMM handler isn't able to verify them. | ||||||
|  |  | ||||||
|  |   Settings.SecureBootEnable = SECURE_BOOT_ENABLE; | ||||||
|  |   Status                    = gRT->SetVariable ( | ||||||
|  |                                      EFI_SECURE_BOOT_ENABLE_NAME, | ||||||
|  |                                      &gEfiSecureBootEnableDisableGuid, | ||||||
|  |                                      EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, | ||||||
|  |                                      sizeof Settings.SecureBootEnable, | ||||||
|  |                                      &Settings.SecureBootEnable | ||||||
|  |                                      ); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     DEBUG (( | ||||||
|  |       EFI_D_ERROR, | ||||||
|  |       "SecureBootSetup: SetVariable(\"%s\", %g): %r\n", | ||||||
|  |       EFI_SECURE_BOOT_ENABLE_NAME, | ||||||
|  |       &gEfiSecureBootEnableDisableGuid, | ||||||
|  |       Status | ||||||
|  |       )); | ||||||
|  |     ASSERT_EFI_ERROR (Status); | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   Settings.SecureBoot = SECURE_BOOT_ENABLE; | ||||||
|  |   Status              = gRT->SetVariable ( | ||||||
|  |                                EFI_SECURE_BOOT_MODE_NAME, | ||||||
|  |                                &gEfiGlobalVariableGuid, | ||||||
|  |                                EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, | ||||||
|  |                                sizeof Settings.SecureBoot, | ||||||
|  |                                &Settings.SecureBoot | ||||||
|  |                                ); | ||||||
|  |   if (EFI_ERROR (Status)) { | ||||||
|  |     DEBUG (( | ||||||
|  |       EFI_D_ERROR, | ||||||
|  |       "SecureBootSetup: SetVariable(\"%s\", %g): %r\n", | ||||||
|  |       EFI_SECURE_BOOT_MODE_NAME, | ||||||
|  |       &gEfiGlobalVariableGuid, | ||||||
|  |       Status | ||||||
|  |       )); | ||||||
|  |     ASSERT_EFI_ERROR (Status); | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   Status = GetSettings (&Settings, FALSE); | ||||||
|  |   ASSERT_EFI_ERROR (Status); | ||||||
|  |  | ||||||
|  |   // | ||||||
|  |   // Final sanity check: | ||||||
|  |   // | ||||||
|  |   //                                 [SetupMode] | ||||||
|  |   //                        (read-only, standardized by UEFI) | ||||||
|  |   //                                /                \_ | ||||||
|  |   //                               0               1, default | ||||||
|  |   //                              /                    \_ | ||||||
|  |   //                      PK enrolled                   no PK enrolled yet, | ||||||
|  |   //              (this is called "User Mode")          PK enrollment possible | ||||||
|  |   //                             | | ||||||
|  |   //                             | | ||||||
|  |   //                     [SecureBootEnable] | ||||||
|  |   //         (read-write, edk2-specific, boot service only) | ||||||
|  |   //                /                           \_ | ||||||
|  |   //               0                         1, default | ||||||
|  |   //              /                               \_ | ||||||
|  |   //       [SecureBoot]=0                     [SecureBoot]=1 | ||||||
|  |   // (read-only, standardized by UEFI)  (read-only, standardized by UEFI) | ||||||
|  |   //     images are not verified         images are verified, platform is | ||||||
|  |   //                                      operating in Secure Boot mode | ||||||
|  |   //                                                 | | ||||||
|  |   //                                                 | | ||||||
|  |   //                                           [CustomMode] | ||||||
|  |   //                          (read-write, edk2-specific, boot service only) | ||||||
|  |   //                                /                           \_ | ||||||
|  |   //                          0, default                         1 | ||||||
|  |   //                              /                               \_ | ||||||
|  |   //                      PK, KEK, db, dbx                PK, KEK, db, dbx | ||||||
|  |   //                    updates are verified          updates are not verified | ||||||
|  |   // | ||||||
|  |  | ||||||
|  |   PrintSettings (&Settings); | ||||||
|  |  | ||||||
|  |   if ((Settings.SetupMode != 0) || (Settings.SecureBoot != 1) || | ||||||
|  |       (Settings.SecureBootEnable != 1) || (Settings.CustomMode != 0) || | ||||||
|  |       (Settings.VendorKeys != 0)) | ||||||
|  |   { | ||||||
|  |     DEBUG ((EFI_D_ERROR, "SecureBootSetup: disabled\n")); | ||||||
|  |     return; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   DEBUG ((EFI_D_INFO, "SecureBootSetup: SecureBoot enabled\n")); | ||||||
|  |   return; | ||||||
|  |  | ||||||
|  | clearKEK: | ||||||
|  |   DeleteKEK (); | ||||||
|  |  | ||||||
|  | cleardbs: | ||||||
|  |   DeleteDbt (); | ||||||
|  |   DeleteDbx (); | ||||||
|  |   DeleteDb (); | ||||||
|  |  | ||||||
|  | error: | ||||||
|  |   if (SetSecureBootMode (STANDARD_SECURE_BOOT_MODE) != EFI_SUCCESS) { | ||||||
|  |     DEBUG ((DEBUG_ERROR, "Cannot set mode to Secure: %r\n", Status)); | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   DEBUG ((EFI_D_ERROR, "SecureBootSetup: disabled\n")); | ||||||
|  | } | ||||||
|  |  | ||||||
|  | EFI_STATUS | ||||||
|  | EFIAPI | ||||||
|  | DriverEntry ( | ||||||
|  |   IN EFI_HANDLE        ImageHandle, | ||||||
|  |   IN EFI_SYSTEM_TABLE  *SystemTable | ||||||
|  |   ) | ||||||
|  | { | ||||||
|  |   EFI_STATUS  Status; | ||||||
|  |  | ||||||
|  |   VOID  *TcgProtocol; | ||||||
|  |   VOID  *Registration; | ||||||
|  |  | ||||||
|  |   Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **)&TcgProtocol); | ||||||
|  |   if (!EFI_ERROR (Status)) { | ||||||
|  |     DEBUG (( | ||||||
|  |       EFI_D_ERROR, | ||||||
|  |       "SecureBootSetup: Started too late." | ||||||
|  |       "TPM is already running!\n" | ||||||
|  |       )); | ||||||
|  |     return EFI_DEVICE_ERROR; | ||||||
|  |   } | ||||||
|  |  | ||||||
|  |   // | ||||||
|  |   // Create event callback, because we need access variable on SecureBootPolicyVariable | ||||||
|  |   // We should use VariableWriteArch instead of VariableArch, because Variable driver | ||||||
|  |   // may update SecureBoot value based on last setting. | ||||||
|  |   // | ||||||
|  |   EfiCreateProtocolNotifyEvent ( | ||||||
|  |     &gEfiVariableWriteArchProtocolGuid, | ||||||
|  |     TPL_CALLBACK, | ||||||
|  |     InstallSecureBootHook, | ||||||
|  |     NULL, | ||||||
|  |     &Registration | ||||||
|  |     ); | ||||||
|  |  | ||||||
|  |   return EFI_SUCCESS; | ||||||
|  | } | ||||||
| @@ -0,0 +1,56 @@ | |||||||
|  | ## @file | ||||||
|  | # This file handels SecureBoot setup. | ||||||
|  | # | ||||||
|  | #  Copyright (c) 2013 - 2019, Intel Corporation. All rights reserved.<BR> | ||||||
|  | # | ||||||
|  | #  SPDX-License-Identifier: BSD-2-Clause-Patent | ||||||
|  | # | ||||||
|  | # | ||||||
|  | ## | ||||||
|  |  | ||||||
|  | [Defines] | ||||||
|  |   INF_VERSION                    = 0x00010005 | ||||||
|  |   BASE_NAME                      = SecureBootSetup | ||||||
|  |   MODULE_UNI_FILE                = SecureBootSetup.uni | ||||||
|  |   FILE_GUID                      = 14693BD4-D114-4177-979E-37F279BAD620 | ||||||
|  |   MODULE_TYPE                    = DXE_DRIVER | ||||||
|  |   VERSION_STRING                 = 0.1 | ||||||
|  |   ENTRY_POINT                    = DriverEntry | ||||||
|  |  | ||||||
|  | # | ||||||
|  | #  VALID_ARCHITECTURES           = IA32 X64 | ||||||
|  | # | ||||||
|  |  | ||||||
|  | [Sources] | ||||||
|  |   SecureBootSetup.c | ||||||
|  |  | ||||||
|  | [Packages] | ||||||
|  |   MdePkg/MdePkg.dec | ||||||
|  |   MdeModulePkg/MdeModulePkg.dec | ||||||
|  |   SecurityPkg/SecurityPkg.dec | ||||||
|  |  | ||||||
|  | [Guids] | ||||||
|  |   gEfiCertPkcs7Guid | ||||||
|  |   gEfiCertX509Guid | ||||||
|  |   gEfiCustomModeEnableGuid | ||||||
|  |   gEfiGlobalVariableGuid | ||||||
|  |   gEfiImageSecurityDatabaseGuid | ||||||
|  |   gEfiSecureBootEnableDisableGuid | ||||||
|  |  | ||||||
|  | [LibraryClasses] | ||||||
|  |   BaseMemoryLib | ||||||
|  |   DebugLib | ||||||
|  |   MemoryAllocationLib | ||||||
|  |   UefiRuntimeServicesTableLib | ||||||
|  |   UefiDriverEntryPoint | ||||||
|  |   DxeServicesLib | ||||||
|  |   UefiBootServicesTableLib | ||||||
|  |   SecureBootVariableProvisionLib | ||||||
|  |   SecureBootVariableLib | ||||||
|  |  | ||||||
|  | [Protocols] | ||||||
|  |   gEfiTcgProtocolGuid                                ## CONSUMES | ||||||
|  |   gEfiVariableWriteArchProtocolGuid                  ## CONSUMES | ||||||
|  |  | ||||||
|  | [Depex] | ||||||
|  |   TRUE | ||||||
| @@ -0,0 +1,21 @@ | |||||||
|  | // /** @file | ||||||
|  | // Provides authenticated variable service for IPF platform | ||||||
|  | // | ||||||
|  | // This module installs variable arch protocol and variable write arch protocol to provide | ||||||
|  | // four EFI_RUNTIME_SERVICES: SetVariable, GetVariable, GetNextVariableName and QueryVariableInfo. | ||||||
|  | // | ||||||
|  | // Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR> | ||||||
|  | // | ||||||
|  | // This program and the accompanying materials | ||||||
|  | // are licensed and made available under the terms and conditions of the BSD License | ||||||
|  | // which accompanies this distribution. The full text of the license may be found at | ||||||
|  | // http://opensource.org/licenses/bsd-license.php | ||||||
|  | // THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, | ||||||
|  | // WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. | ||||||
|  | // | ||||||
|  | // **/ | ||||||
|  |  | ||||||
|  |  | ||||||
|  | #string STR_MODULE_ABSTRACT             #language en-US "Provides authenticated variable service for IPF platform" | ||||||
|  |  | ||||||
|  | #string STR_MODULE_DESCRIPTION          #language en-US "This module installs variable arch protocol and variable write arch protocol to provide four EFI_RUNTIME_SERVICES: SetVariable, GetVariable, GetNextVariableName and QueryVariableInfo." | ||||||
| @@ -0,0 +1,17 @@ | |||||||
|  | // /** @file | ||||||
|  | // EsalVariableDxeSal Localized Strings and Content | ||||||
|  | // | ||||||
|  | // Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR> | ||||||
|  | // | ||||||
|  | // This program and the accompanying materials | ||||||
|  | // are licensed and made available under the terms and conditions of the BSD License | ||||||
|  | // which accompanies this distribution. The full text of the license may be found at | ||||||
|  | // http://opensource.org/licenses/bsd-license.php | ||||||
|  | // THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, | ||||||
|  | // WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. | ||||||
|  | // | ||||||
|  | // **/ | ||||||
|  |  | ||||||
|  | #string STR_PROPERTIES_MODULE_NAME | ||||||
|  | #language en-US | ||||||
|  | "9elements Secure Boot DXE" | ||||||
| @@ -99,6 +99,11 @@ | |||||||
|   # |   # | ||||||
|   DEFINE SHELL_TYPE                   = BUILD_SHELL |   DEFINE SHELL_TYPE                   = BUILD_SHELL | ||||||
|  |  | ||||||
|  |   # | ||||||
|  |   # Security options: | ||||||
|  |   # | ||||||
|  |   DEFINE SECURE_BOOT_ENABLE           = FALSE | ||||||
|  |  | ||||||
|   # |   # | ||||||
|   # EMU:      UEFI payload with EMU variable |   # EMU:      UEFI payload with EMU variable | ||||||
|   # SPI:      UEFI payload with SPI NV variable support |   # SPI:      UEFI payload with SPI NV variable support | ||||||
| @@ -186,6 +191,10 @@ | |||||||
|   CacheMaintenanceLib|MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf |   CacheMaintenanceLib|MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf | ||||||
|   SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf |   SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf | ||||||
|   DxeHobListLib|UefiPayloadPkg/Library/DxeHobListLib/DxeHobListLib.inf |   DxeHobListLib|UefiPayloadPkg/Library/DxeHobListLib/DxeHobListLib.inf | ||||||
|  | !if $(SECURE_BOOT_ENABLE) == TRUE | ||||||
|  |   SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | ||||||
|  |   SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf | ||||||
|  | !endif | ||||||
|   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf |   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | ||||||
|   TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf |   TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf | ||||||
|   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf |   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf | ||||||
| @@ -272,7 +281,6 @@ | |||||||
|   DebugLib|MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibReportStatusCode.inf |   DebugLib|MdeModulePkg/Library/PeiDxeDebugLibReportStatusCode/PeiDxeDebugLibReportStatusCode.inf | ||||||
|   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf |   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf | ||||||
|   FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf |   FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf | ||||||
|   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf |  | ||||||
| !if $(VARIABLE_SUPPORT) == "EMU" | !if $(VARIABLE_SUPPORT) == "EMU" | ||||||
|   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf |   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf | ||||||
| !elseif $(VARIABLE_SUPPORT) == "SMMSTORE" | !elseif $(VARIABLE_SUPPORT) == "SMMSTORE" | ||||||
| @@ -291,6 +299,9 @@ | |||||||
|   VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf |   VmgExitLib|UefiCpuPkg/Library/VmgExitLibNull/VmgExitLibNull.inf | ||||||
|   ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf |   ReportStatusCodeLib|MdeModulePkg/Library/DxeReportStatusCodeLib/DxeReportStatusCodeLib.inf | ||||||
|  |  | ||||||
|  | [LibraryClasses.common] | ||||||
|  |   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf | ||||||
|  |  | ||||||
| [LibraryClasses.common.SEC] | [LibraryClasses.common.SEC] | ||||||
|   HobLib|UefiPayloadPkg/Library/PayloadEntryHobLib/HobLib.inf |   HobLib|UefiPayloadPkg/Library/PayloadEntryHobLib/HobLib.inf | ||||||
|   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf |   PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf | ||||||
| @@ -311,6 +322,18 @@ | |||||||
| !if $(PERFORMANCE_MEASUREMENT_ENABLE) | !if $(PERFORMANCE_MEASUREMENT_ENABLE) | ||||||
|   PerformanceLib|MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf |   PerformanceLib|MdeModulePkg/Library/DxeCorePerformanceLib/DxeCorePerformanceLib.inf | ||||||
| !endif | !endif | ||||||
|  |   SmbusLib|MdePkg/Library/DxeSmbusLib/DxeSmbusLib.inf | ||||||
|  |   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | ||||||
|  |   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf | ||||||
|  |   RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf | ||||||
|  |  | ||||||
|  | !if $(SECURE_BOOT_ENABLE) == TRUE | ||||||
|  |   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | ||||||
|  |   # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree | ||||||
|  |   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf | ||||||
|  | !else | ||||||
|  |   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf | ||||||
|  | !endif | ||||||
|  |  | ||||||
| [LibraryClasses.common.DXE_DRIVER] | [LibraryClasses.common.DXE_DRIVER] | ||||||
|   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf |   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf | ||||||
| @@ -325,6 +348,17 @@ | |||||||
| !if $(PERFORMANCE_MEASUREMENT_ENABLE) | !if $(PERFORMANCE_MEASUREMENT_ENABLE) | ||||||
|   PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf |   PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf | ||||||
| !endif | !endif | ||||||
|  |   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | ||||||
|  |   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf | ||||||
|  |   RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf | ||||||
|  |  | ||||||
|  | !if $(SECURE_BOOT_ENABLE) == TRUE | ||||||
|  |   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | ||||||
|  |   # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree | ||||||
|  |   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf | ||||||
|  | !else | ||||||
|  |   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf | ||||||
|  | !endif | ||||||
|  |  | ||||||
| [LibraryClasses.common.DXE_RUNTIME_DRIVER] | [LibraryClasses.common.DXE_RUNTIME_DRIVER] | ||||||
|   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf |   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf | ||||||
| @@ -334,6 +368,19 @@ | |||||||
| !if $(PERFORMANCE_MEASUREMENT_ENABLE) | !if $(PERFORMANCE_MEASUREMENT_ENABLE) | ||||||
|   PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf |   PerformanceLib|MdeModulePkg/Library/DxePerformanceLib/DxePerformanceLib.inf | ||||||
| !endif | !endif | ||||||
|  |   SmbusLib|MdePkg/Library/DxeSmbusLib/DxeSmbusLib.inf | ||||||
|  |   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf | ||||||
|  |   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | ||||||
|  |   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf | ||||||
|  |   RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf | ||||||
|  |  | ||||||
|  | !if $(SECURE_BOOT_ENABLE) == TRUE | ||||||
|  |   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | ||||||
|  |   # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree | ||||||
|  |   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf | ||||||
|  | !else | ||||||
|  |   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf | ||||||
|  | !endif | ||||||
|  |  | ||||||
| [LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION] | [LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION] | ||||||
|   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf |   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf | ||||||
| @@ -573,7 +620,19 @@ | |||||||
|   # Components that produce the architectural protocols |   # Components that produce the architectural protocols | ||||||
|   # |   # | ||||||
| !if $(SECURITY_STUB_ENABLE) == TRUE | !if $(SECURITY_STUB_ENABLE) == TRUE | ||||||
|   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf |   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf { | ||||||
|  |     <LibraryClasses> | ||||||
|  | !if $(SECURE_BOOT_ENABLE) == TRUE | ||||||
|  |       NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf | ||||||
|  | !endif | ||||||
|  |   } | ||||||
|  |  | ||||||
|  | !if $(SECURE_BOOT_ENABLE) == TRUE | ||||||
|  |   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | ||||||
|  |   SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | ||||||
|  |   UefiPayloadPkg/SecureBootEnrollDefaultKeys/SecureBootSetup.inf | ||||||
|  | !endif | ||||||
|  |  | ||||||
| !endif | !endif | ||||||
|   UefiCpuPkg/CpuDxe/CpuDxe.inf |   UefiCpuPkg/CpuDxe/CpuDxe.inf | ||||||
|   MdeModulePkg/Universal/BdsDxe/BdsDxe.inf |   MdeModulePkg/Universal/BdsDxe/BdsDxe.inf | ||||||
| @@ -598,7 +657,10 @@ | |||||||
| !endif | !endif | ||||||
|   PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf |   PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf | ||||||
| !if $(EMU_VARIABLE_ENABLE) == TRUE | !if $(EMU_VARIABLE_ENABLE) == TRUE | ||||||
|   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf |   MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf { | ||||||
|  |     <LibraryClasses> | ||||||
|  |       NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf | ||||||
|  |   } | ||||||
| !endif | !endif | ||||||
|   # |   # | ||||||
|   # Following are the DXE drivers |   # Following are the DXE drivers | ||||||
|   | |||||||
| @@ -61,7 +61,6 @@ FILE FV_IMAGE = 4E35FD93-9C72-4c15-8C4B-E77F1DB2D793 { | |||||||
| } | } | ||||||
|  |  | ||||||
| ################################################################################ | ################################################################################ | ||||||
|  |  | ||||||
| [FV.DXEFV] | [FV.DXEFV] | ||||||
| FvNameGuid         = 8063C21A-8E58-4576-95CE-089E87975D23 | FvNameGuid         = 8063C21A-8E58-4576-95CE-089E87975D23 | ||||||
| BlockSize          = $(FD_BLOCK_SIZE) | BlockSize          = $(FD_BLOCK_SIZE) | ||||||
| @@ -89,6 +88,11 @@ APRIORI DXE { | |||||||
|   INF  MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportStatusCodeRouterRuntimeDxe.inf |   INF  MdeModulePkg/Universal/ReportStatusCodeRouter/RuntimeDxe/ReportStatusCodeRouterRuntimeDxe.inf | ||||||
|   INF  MdeModulePkg/Universal/StatusCodeHandler/RuntimeDxe/StatusCodeHandlerRuntimeDxe.inf |   INF  MdeModulePkg/Universal/StatusCodeHandler/RuntimeDxe/StatusCodeHandlerRuntimeDxe.inf | ||||||
|   INF  UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf |   INF  UefiPayloadPkg/BlSupportDxe/BlSupportDxe.inf | ||||||
|  | !if $(SECURE_BOOT_ENABLE) == TRUE | ||||||
|  |   INF  PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcatRealTimeClockRuntimeDxe.inf | ||||||
|  |   INF  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf # After SMBusConfigLoader and PcatRealTimeClockRuntimeDxe, before Tcg2Dxe | ||||||
|  |   INF  UefiPayloadPkg/SecureBootEnrollDefaultKeys/SecureBootSetup.inf | ||||||
|  | !endif | ||||||
| } | } | ||||||
|  |  | ||||||
| # | # | ||||||
| @@ -272,6 +276,19 @@ INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf | |||||||
|   !include NetworkPkg/Network.fdf.inc |   !include NetworkPkg/Network.fdf.inc | ||||||
| !endif | !endif | ||||||
|  |  | ||||||
|  | # | ||||||
|  | # Security | ||||||
|  | # | ||||||
|  | !if $(SECURE_BOOT_ENABLE) == TRUE | ||||||
|  |   INF  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | ||||||
|  |   INF  SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf | ||||||
|  |   INF  UefiPayloadPkg/SecureBootEnrollDefaultKeys/SecureBootSetup.inf | ||||||
|  |  | ||||||
|  |   FILE FREEFORM = PCD(gUefiPayloadPkgTokenSpaceGuid.PcdNvsDataFile) { | ||||||
|  |     SECTION RAW = UefiVariableBinary/SECUREBOOT.Fv | ||||||
|  |   } | ||||||
|  | !endif | ||||||
|  |  | ||||||
| # | # | ||||||
| # Shell | # Shell | ||||||
| # | # | ||||||
| @@ -415,3 +432,17 @@ INF ShellPkg/Application/Shell/Shell.inf | |||||||
|     UI        STRING="Enter Setup" |     UI        STRING="Enter Setup" | ||||||
|     VERSION   STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER) |     VERSION   STRING="$(INF_VERSION)" Optional BUILD_NUM=$(BUILD_NUMBER) | ||||||
|   } |   } | ||||||
|  |  | ||||||
|  | [RULE.COMMON.USER_DEFINED] | ||||||
|  |   FILE FREEFORM = $(NAMED_GUID) { | ||||||
|  |     RAW BIN                |.crt | ||||||
|  |     RAW BIN                |.bin | ||||||
|  |   } | ||||||
|  |  | ||||||
|  | [RULE.COMMON.USER_DEFINED.BINARY] | ||||||
|  |   FILE FREEFORM = $(NAMED_GUID) { | ||||||
|  |     RAW BIN                |.crt | ||||||
|  |     RAW BIN                |.bin | ||||||
|  |     UI       STRING="$(MODULE_NAME)" Optional | ||||||
|  |   } | ||||||
|  |  | ||||||
|   | |||||||
							
								
								
									
										20
									
								
								UefiVariableBinary/UefiVariableBinary.dsc
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										20
									
								
								UefiVariableBinary/UefiVariableBinary.dsc
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,20 @@ | |||||||
|  | ## @file | ||||||
|  | # Secure Boot Variable File | ||||||
|  | # | ||||||
|  | # Builds a firmware volume to contain Secure Boot keys | ||||||
|  | # | ||||||
|  | # Copyright (c) 2021, Star Labs Online Limited. All rights reserved.<BR> | ||||||
|  | # SPDX-License-Identifier: BSD-2-Clause-Patent | ||||||
|  | # | ||||||
|  | ## | ||||||
|  | [Defines] | ||||||
|  |   PLATFORM_NAME                  = SecureBoot | ||||||
|  |   PLATFORM_GUID                  = 1035eeff-543e-4abb-ac7e-bcd68cb530f8 | ||||||
|  |   PLATFORM_VERSION               = 0.1 | ||||||
|  |   OUTPUT_DIRECTORY               = Build/UefiVariableBinary | ||||||
|  |   SUPPORTED_ARCHITECTURES        = IA32|X64 | ||||||
|  |   BUILD_TARGETS                  = DEBUG|RELEASE|NOOPT | ||||||
|  |   SKUID_IDENTIFIER               = DEFAULT | ||||||
|  |   FLASH_DEFINITION               = UefiVariableBinary/UefiVariableBinary.fdf | ||||||
|  |  | ||||||
|  |  | ||||||
							
								
								
									
										31
									
								
								UefiVariableBinary/UefiVariableBinary.fdf
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										31
									
								
								UefiVariableBinary/UefiVariableBinary.fdf
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,31 @@ | |||||||
|  | ## @file | ||||||
|  | # FDF include file which allows to embed Secure Boot keys | ||||||
|  | # | ||||||
|  | #  Copyright (c) 2021, Star Labs Online Limited. All rights reserved. | ||||||
|  | # | ||||||
|  | #  SPDX-License-Identifier: BSD-2-Clause-Patent | ||||||
|  | # | ||||||
|  | [Defines] | ||||||
|  | DEFINE FD_SIZE     = 0x00850000 | ||||||
|  | DEFINE NUM_BLOCKS  = 0x850 | ||||||
|  |  | ||||||
|  | [FV.SecureBoot] | ||||||
|  | FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 { | ||||||
|  |   SECTION RAW = UefiVariableBinary/keys/pk.crt | ||||||
|  |   SECTION UI  = "PK Default" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 { | ||||||
|  |   SECTION RAW = UefiVariableBinary/keys/MicCorKEKCA2011_2011-06-24.crt | ||||||
|  |   SECTION UI  = "KEK Default" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 { | ||||||
|  |   SECTION RAW = UefiVariableBinary/keys/MicWinProPCA2011_2011-10-19.crt | ||||||
|  |   SECTION UI  = "DB Default" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f { | ||||||
|  |   SECTION RAW = UefiVariableBinary/keys/dbxupdate_x64.bin | ||||||
|  |   SECTION UI  = "DBX Default" | ||||||
|  | } | ||||||
							
								
								
									
										
											BIN
										
									
								
								UefiVariableBinary/keys/MicCorKEKCA2011_2011-06-24.crt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								UefiVariableBinary/keys/MicCorKEKCA2011_2011-06-24.crt
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							
							
								
								
									
										
											BIN
										
									
								
								UefiVariableBinary/keys/MicWinProPCA2011_2011-10-19.crt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								UefiVariableBinary/keys/MicWinProPCA2011_2011-10-19.crt
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							
							
								
								
									
										8
									
								
								UefiVariableBinary/keys/README
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										8
									
								
								UefiVariableBinary/keys/README
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,8 @@ | |||||||
|  | # PK certificate generation | ||||||
|  |  | ||||||
|  | * Do not save private key for re-usage. | ||||||
|  | * Generate a RSA 2048 / SHA256 x509 certificate | ||||||
|  | * Exponent should be 65537 | ||||||
|  | * Microsoft certificates can be found here: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance | ||||||
|  |  | ||||||
|  | openssl req -outform DER -newkey rsa:2048 -keyout /dev/null -passout file:<(head -c 40 /dev/urandom) -x509 -days 365 -out pk.crt | ||||||
							
								
								
									
										
											BIN
										
									
								
								UefiVariableBinary/keys/dbxupdate_x64.bin
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								UefiVariableBinary/keys/dbxupdate_x64.bin
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							
							
								
								
									
										
											BIN
										
									
								
								UefiVariableBinary/keys/pk.crt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								UefiVariableBinary/keys/pk.crt
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							
		Reference in New Issue
	
	Block a user