From 566cdfc675fa0da486af34cb12cb5f2e01578a5c Mon Sep 17 00:00:00 2001 From: Jan Bobek Date: Sat, 21 Jan 2023 06:58:32 +0800 Subject: [PATCH] SecurityPkg: limit verification of enrolled PK in setup mode REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506 Per UEFI spec, enrolling a new PK in setup mode should not require a self-signature. Introduce a feature PCD called PcdRequireSelfSignedPk to control this requirement. Default to TRUE in order to preserve the legacy behavior. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Co-authored-by: Matthew Carlson Signed-off-by: Jan Bobek Reviewed-by: Sean Brogan Acked-by: Jiewen Yao --- SecurityPkg/Library/AuthVariableLib/AuthService.c | 9 +++++++-- SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 3 +++ SecurityPkg/SecurityPkg.dec | 7 +++++++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 9beeca09ae..452ed491ea 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -603,7 +603,10 @@ ProcessVarWithPk ( // Init state of Del. State may change due to secure check // Del = FALSE; - if ((InCustomMode () && UserPhysicalPresent ()) || ((mPlatformMode == SETUP_MODE) && !IsPk)) { + if ( (InCustomMode () && UserPhysicalPresent ()) + || ( (mPlatformMode == SETUP_MODE) + && !(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk))) + { Payload = (UINT8 *)Data + AUTHINFO2_SIZE (Data); PayloadSize = DataSize - AUTHINFO2_SIZE (Data); if (PayloadSize == 0) { @@ -627,7 +630,9 @@ ProcessVarWithPk ( return Status; } - if ((mPlatformMode != SETUP_MODE) || IsPk) { + if ( (mPlatformMode != SETUP_MODE) + || (FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk)) + { Status = VendorKeyIsModified (); } } else if (mPlatformMode == USER_MODE) { diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf index 8eadeebceb..e5985c5f8b 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf @@ -86,3 +86,6 @@ gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate. gEfiCertPkcs7Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate. gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature. + +[FeaturePcd] + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 8257f11d17..d3b7ad7ff6 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -580,5 +580,12 @@ ## This PCD records LASA field in CC EVENTLOG ACPI table. gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x00010026 +[PcdsFeatureFlag] + ## Indicates if the platform requires PK to be self-signed when setting the PK in setup mode. + # TRUE - Require PK to be self-signed. + # FALSE - Do not require PK to be self-signed. + # @Prompt Require PK to be self-signed + gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE|BOOLEAN|0x00010027 + [UserExtensions.TianoCore."ExtraFiles"] SecurityPkgExtra.uni