From c9727ff1df0d45fb4a18212292f5b07288e48d22 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek
Date: Thu, 25 Apr 2019 22:19:36 +0200
Subject: [PATCH] OvmfPkg/EnrollDefaultKeys: document the steps of the entry point function
The entry point function of EnrollDefaultKeys finishes with a sanity check, verifying the values of the Secure Boot-related "control" variables. Add a diagram to explain why we expect the values we do. While at it, write comments on the rest of the entry point function.
Cc: Anthony Perard
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Julien Grall
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek
Reviewed-by: Philippe Mathieu-Daude
Acked-by: Ard Biesheuvel
Reviewed-by: Gary Lin
---
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 54 +++++++++++++++++++
1 file changed, 54 insertions(+)
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index 07297c631f..9c4a0f06fb 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -361,6 +361,9 @@ ShellAppMain (
 EFI_STATUS Status;
 SETTINGS Settings;
+ //
+ // If we're not in Setup Mode, we can't do anything.
+ //
 Status = GetSettings (&Settings);
 if (EFI_ERROR (Status)) {
 return 1;
@@ -372,6 +375,10 @@ ShellAppMain (
 return 1;
 }
+ //
+ // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signature
+ // checks on those variable writes.
+ //
 if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
 Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
 Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
@@ -385,6 +392,9 @@ ShellAppMain (
 }
 }
+ //
+ // Enroll db.
+ //
 Status = EnrollListOfCerts (
 EFI_IMAGE_SECURITY_DATABASE,
 &gEfiImageSecurityDatabaseGuid,
@@ -396,6 +406,9 @@ ShellAppMain (
 return 1;
 }
+ //
+ // Enroll dbx.
+ //
 Status = EnrollListOfCerts (
 EFI_IMAGE_SECURITY_DATABASE1,
 &gEfiImageSecurityDatabaseGuid,
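Review bot: The new "Enter Custom Mode" comment should also say what the error exits that follow do about it: every `return 1;` between this point and the later "Leave Custom Mode" step (the EnrollListOfCerts failures in the next hunks) returns with CUSTOM_SECURE_BOOT_MODE still set, and the leave step visible further down writes the variable with EFI_VARIABLE_NON_VOLATILE, so a failed run presumably leaves the relaxed mode in place — whether that survives a reboot depends on the variable driver, which is not visible here. I would extend the comment with `// NOTE: the error paths below return without restoring STANDARD_SECURE_BOOT_MODE, so a failed run leaves Custom Mode enabled.` so the next maintainer does not assume the mode is scoped to a successful run. ShellAppMain starts and ends outside this hunk, and the EFI_ERROR check after this SetVariable call is outside it as well.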
@@ -406,6 +419,9 @@ ShellAppMain (
 return 1;
 }
+ //
+ // Enroll KEK.
+ //
 Status = EnrollListOfCerts (
 EFI_KEY_EXCHANGE_KEY_NAME,
 &gEfiGlobalVariableGuid,
@@ -417,6 +433,9 @@ ShellAppMain (
 return 1;
 }
+ //
+ // Enroll PK, leaving Setup Mode (entering User Mode) at once.
+ //
 Status = EnrollListOfCerts (
 EFI_PLATFORM_KEY_NAME,
 &gEfiGlobalVariableGuid,
@@ -427,6 +446,10 @@ ShellAppMain (
 return 1;
 }
+ //
+ // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require valid
+ // signatures.
+ //
 Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
 Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
@@ -437,6 +460,37 @@ ShellAppMain (
 return 1;
 }
+ //
+ // Final sanity check:
+ //
+ // [SetupMode]
+ // (read-only, standardized by UEFI)
+ // / \_
+ // 0 1, default
+ // / \_
+ // PK enrolled no PK enrolled yet,
+ // (this is called "User Mode") PK enrollment possible
+ // |
+ // |
+ // [SecureBootEnable]
+ // (read-write, edk2-specific, boot service only)
+ // / \_
+ // 0 1, default
+ // / \_
+ // [SecureBoot]=0 [SecureBoot]=1
+ // (read-only, standardized by UEFI) (read-only, standardized by UEFI)
+ // images are not verified images are verified, platform is
+ // operating in Secure Boot mode
+ // |
+ // |
+ // [CustomMode]
+ // (read-write, edk2-specific, boot service only)
+ // / \_
+ // 0, default 1
+ // / \_
+ // PK, KEK, db, dbx PK, KEK, db, dbx
+ // updates are verified updates are not verified
+ //
 Status = GetSettings (&Settings);
 if (EFI_ERROR (Status)) {
 return 1;
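Review bot: The diagram explains the variable tree but never states the values the final check expects, and the comparisons after `GetSettings` are outside this hunk, so a reader still has to derive them. Reading the tree for a successful run (PK enrolled, SecureBootEnable left at its default, Custom Mode left again) gives SetupMode=0, SecureBootEnable=1, SecureBoot=1 and CustomMode=0; I would close the comment with `// So after the steps above we expect SetupMode=0, SecureBootEnable=1, SecureBoot=1, CustomMode=0.` — confirm it matches the checks that follow. The `\_` branch strokes also deserve one line of explanation, e.g. `// (the "_" after each "\" keeps the backslash from splicing the next line into this comment)`, because a `\` at the very end of a `//` line is a line continuation and someone tidying the ASCII art may remove the underscores. ShellAppMain's body continues past the hunk.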