The GUID 77FA9ABD-0359-4D32-BD60-28F4E78F784B
is specified in MSDN, at <https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>, therefore it deserves an entry in the package DEC file, and a header file under "Include/Guid". (Arguably, this GUID declaration / definition could even live under SecurityPkg, but the edk2 tradition has been to hoist GUIDs, protocols/PPIs, and lib classes from OvmfPkg to a core package only when dependent C code is added to the core package.) Cc: Anthony Perard <anthony.per...@citrix.com> Cc: Ard Biesheuvel <ard.biesheu...@linaro.org> Cc: Jordan Justen <jordan.l.jus...@intel.com> Cc: Julien Grall <julien.gr...@arm.com> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747 Signed-off-by: Laszlo Ersek <ler...@redhat.com> --- OvmfPkg/OvmfPkg.dec | 1 + OvmfPkg/Include/Guid/MicrosoftVendor.h | 55 ++++++++++++++++++++ OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf | 2 + OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h | 2 - OvmfPkg/EnrollDefaultKeys/AuthData.c | 28 ---------- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 7 +-- 6 files changed, 62 insertions(+), 33 deletions(-) diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec index cc2a4909afd4..922e061cc85c 100644 --- a/OvmfPkg/OvmfPkg.dec +++ b/OvmfPkg/OvmfPkg.dec 
@@ -72,16 +72,17 @@ [LibraryClasses] [Guids] gUefiOvmfPkgTokenSpaceGuid = {0x93bb96af, 0xb9f2, 0x4eb8, {0x94, 0x62, 0xe0, 0xba, 0x74, 0x56, 0x42, 0x36}} gEfiXenInfoGuid = {0xd3b46f3b, 0xd441, 0x1244, {0x9a, 0x12, 0x0, 0x12, 0x27, 0x3f, 0xc1, 0x4d}} gOvmfPlatformConfigGuid = {0x7235c51c, 0x0c80, 0x4cab, {0x87, 0xac, 0x3b, 0x08, 0x4a, 0x63, 0x04, 0xb1}} gVirtioMmioTransportGuid = {0x837dca9e, 0xe874, 0x4d82, {0xb2, 0x9a, 0x23, 0xfe, 0x0e, 0x23, 0xd1, 0xe2}} gQemuRamfbGuid = {0x557423a1, 0x63ab, 0x406c, {0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}} gXenBusRootDeviceGuid = {0xa732241f, 0x383d, 0x4d9c, {0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}} gRootBridgesConnectedEventGroupGuid = {0x24a2d66f, 0xeedd, 0x4086, {0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}} + gMicrosoftVendorGuid = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}} [Protocols] gVirtioDeviceProtocolGuid = {0xfa920010, 0x6785, 0x4941, {0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}} gXenBusProtocolGuid = {0x3d3ca290, 0xb9a5, 0x11e3, {0xb7, 0x5d, 0xb8, 0xac, 0x6f, 0x7d, 0x65, 0xe6}} gXenIoProtocolGuid = {0x6efac84f, 0x0ab0, 0x4747, {0x81, 0xbe, 0x85, 0x55, 0x62, 0x59, 0x04, 0x49}} gIoMmuAbsentProtocolGuid = {0xf8775d50, 0x8abd, 0x4adf, {0x92, 0xac, 0x85, 0x3e, 0x51, 0xf6, 0xc8, 0xdc}} gEfiLegacy8259ProtocolGuid = {0x38321dba, 0x4fe0, 0x4e17, {0x8a, 0xec, 0x41, 0x30, 0x55, 0xea, 0xed, 0xc1}} diff --git a/OvmfPkg/Include/Guid/MicrosoftVendor.h b/OvmfPkg/Include/Guid/MicrosoftVendor.h new file mode 100644 index 000000000000..db7a326c3194 --- /dev/null +++ b/OvmfPkg/Include/Guid/MicrosoftVendor.h 
@@ -0,0 +1,55 @@ +/** @file + Declare the GUID that is expected: + + - as EFI_SIGNATURE_DATA.SignatureOwner GUID in association with X509 and + RSA2048 Secure Boot certificates issued by/for Microsoft, + + - as UEFI variable vendor GUID in association with (unspecified) + Microsoft-owned variables. + + Copyright (C) 2014-2019, Red Hat, Inc. + + SPDX-License-Identifier: BSD-2-Clause-Patent + + @par Specification Reference: + - MSDN: System.Fundamentals.Firmware at + <https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>. +**/ + +#ifndef MICROSOFT_VENDOR_H_ +#define MICROSOFT_VENDOR_H_ + +#include <Uefi/UefiBaseType.h> + +// +// The following test cases of the Secure Boot Logo Test in the Microsoft +// Hardware Certification Kit: +// +// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent +// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB +// +// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be +// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the +// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509 +// certificates: +// +// - "Microsoft Corporation KEK CA 2011" (in KEK) +// - "Microsoft Windows Production PCA 2011" (in db) +// - "Microsoft Corporation UEFI CA 2011" (in db) +// +// This is despite the fact that the UEFI specification requires +// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS, +// application or driver) that enrolled and therefore owns +// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued +// EFI_SIGNATURE_DATA.SignatureData. +// +#define MICROSOFT_VENDOR_GUID \ + { 0x77fa9abd, \ + 0x0359, \ + 0x4d32, \ + { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, \ + } + +extern EFI_GUID gMicrosoftVendorGuid; + +#endif /* MICROSOFT_VENDOR_H_ */ diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf index 3f093c768585..28db52586a9b 100644 
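Review bot: The comment block above MICROSOFT_VENDOR_GUID in MicrosoftVendor.h explains why the HCK tests expect this value in SignatureOwner, and it already states that the UEFI specification makes SignatureOwner name the enrolling agent rather than the certificate issuer, but it stops short of saying what a reader of the GUID may conclude from it. A closing sentence would prevent the obvious misreading by code elsewhere in the tree, e.g. `// Matching this GUID in SignatureOwner only records which agent enrolled the entry; it says nothing about who issued the certificate in SignatureData.` The first paragraph of the file header describes the variable-vendor-GUID use as "(unspecified)"; saying that the GUID is merely the namespace under which Microsoft-owned variables are stored, rather than something the firmware validates, would make that intent explicit as well.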
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf @@ -17,27 +17,29 @@ [Defines] [Sources] AuthData.c EnrollDefaultKeys.c EnrollDefaultKeys.h [Packages] MdeModulePkg/MdeModulePkg.dec MdePkg/MdePkg.dec + OvmfPkg/OvmfPkg.dec SecurityPkg/SecurityPkg.dec ShellPkg/ShellPkg.dec [Guids] gEfiCertPkcs7Guid gEfiCertSha256Guid gEfiCertX509Guid gEfiCustomModeEnableGuid gEfiGlobalVariableGuid gEfiImageSecurityDatabaseGuid gEfiSecureBootEnableDisableGuid + gMicrosoftVendorGuid [LibraryClasses] BaseMemoryLib DebugLib MemoryAllocationLib ShellCEntryLib UefiLib UefiRuntimeServicesTableLib diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h index 07f4aa04e469..e3a7e43da4e3 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h @@ -133,11 +133,9 @@ extern CONST UINT8 mMicrosoftPca[]; extern CONST UINTN mSizeOfMicrosoftPca; extern CONST UINT8 mMicrosoftUefiCa[]; extern CONST UINTN mSizeOfMicrosoftUefiCa; extern CONST UINT8 mSha256OfDevNull[]; extern CONST UINTN mSizeOfSha256OfDevNull; -extern CONST EFI_GUID mMicrosoftOwnerGuid; - #endif /* ENROLL_DEFAULT_KEYS_H_ */ diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c index e0a543785fb5..9a96dcc440b3 100644 --- a/OvmfPkg/EnrollDefaultKeys/AuthData.c +++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c 
@@ -518,36 +518,8 @@ CONST UINTN mSizeOfMicrosoftUefiCa = sizeof mMicrosoftUefiCa; // CONST UINT8 mSha256OfDevNull[] = { 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 }; CONST UINTN mSizeOfSha256OfDevNull = sizeof mSha256OfDevNull; - - -// -// The following test cases of the Secure Boot Logo Test in the Microsoft -// Hardware Certification Kit: -// -// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent -// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB -// -// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be -// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the -// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509 -// certificates: -// -// - "Microsoft Corporation KEK CA 2011" (in KEK) -// - "Microsoft Windows Production PCA 2011" (in db) -// - "Microsoft Corporation UEFI CA 2011" (in db) -// -// This is despite the fact that the UEFI specification requires -// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS, -// application or driver) that enrolled and therefore owns -// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued -// EFI_SIGNATURE_DATA.SignatureData. -// -CONST EFI_GUID mMicrosoftOwnerGuid = { - 0x77fa9abd, 0x0359, 0x4d32, - { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, -}; diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c index 528718b15ae9..e4f6a50e008b 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c 
@@ -3,16 +3,17 @@ Copyright (C) 2014-2019, Red Hat, Inc. SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid #include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME #include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE +#include <Guid/MicrosoftVendor.h> // gMicrosoftVendorGuid #include <Library/BaseMemoryLib.h> // CopyGuid() #include <Library/DebugLib.h> // ASSERT() #include <Library/MemoryAllocationLib.h> // FreePool() #include <Library/ShellCEntryLib.h> // ShellAppMain() #include <Library/UefiLib.h> // AsciiPrint() #include <Library/UefiRuntimeServicesTableLib.h> // gRT #include "EnrollDefaultKeys.h" @@ -310,18 +311,18 @@ ShellAppMain ( return 1; } } Status = EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid, &gEfiCertX509Guid, - mMicrosoftPca, mSizeOfMicrosoftPca, &mMicrosoftOwnerGuid, - mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &mMicrosoftOwnerGuid, + mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGuid, + mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid, NULL); if (EFI_ERROR (Status)) { return 1; } Status = EnrollListOfCerts ( EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, 
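Review bot: In the ShellAppMain hunk the EnrollListOfCerts call for EFI_IMAGE_SECURITY_DATABASE now passes &gMicrosoftVendorGuid as the owner of mMicrosoftPca and mMicrosoftUefiCa, and the KEK call in the next hunk (@@ -332,17 +333,17 @@) passes &gEfiCallerIdGuid for mRedHatPkKek1 beside &gMicrosoftVendorGuid for mMicrosoftKek, yet neither call site says why the owner differs per certificate. A one-line comment above the first call, e.g. `// SignatureOwner: gEfiCallerIdGuid for our own certificate, gMicrosoftVendorGuid for Microsoft's (see Guid/MicrosoftVendor.h for the HCK expectation)`, keeps the rationale next to the code instead of only in the header, and the KEK call can refer back to it. ShellAppMain begins and ends outside these hunks.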
@@ -332,17 +333,17 @@ ShellAppMain ( return 1; } Status = EnrollListOfCerts ( EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, &gEfiCertX509Guid, mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid, - mMicrosoftKek, mSizeOfMicrosoftKek, &mMicrosoftOwnerGuid, + mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid, NULL); if (EFI_ERROR (Status)) { return 1; } Status = EnrollListOfCerts ( EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, -- 2.19.1.3.g30247aa5d201 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39686): https://edk2.groups.io/g/devel/message/39686 Mute This Topic: https://groups.io/mt/31359383/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-