On 05/16/19 05:08, Gary Lin wrote: > For QA test and development, we may need to test Secure Boot with a > devel key instead of UEFI CA. > > This commit adds an argument, "--no-default", to EnrollDefaultKeys.efi. > With the argument, the key from SMBIOS Type 11 will also be enrolled > into db. Besides, the keys in AuthData.c, i.e. Microsoft KEK CA, > Microsoft PCA, and Microsoft UEFI CA will be excluded, so the developer > can easily create a varstore template for a specific key. > > Cc: Laszlo Ersek <ler...@redhat.com> > Cc: Ard Biesheuvel <ard.biesheu...@linaro.org> > Cc: Jordan Justen <jordan.l.jus...@intel.com> > Signed-off-by: Gary Lin <g...@suse.com> > --- > OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 53 ++++++++++++++----- > 1 file changed, 39 insertions(+), 14 deletions(-) >
> diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c > b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> index 75f2749dc84a..f45cb799f726 100644
> --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
> @@ -538,6 +538,13 @@ ShellAppMain (
> SETTINGS Settings;
> UINT8 *PkKek1;
> UINTN SizeOfPkKek1;
> + BOOLEAN NoDefault;
> +
> + if (Argc == 2 && StrCmp (Argv[1], L"--no-default") == 0) {
> + NoDefault = TRUE;
> + } else {
> + NoDefault = FALSE;
> + }
>
> //
> // Prepare for failure.
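Review bot: Any argument other than exactly `--no-default` — a mistyped flag, or a second argument — falls into the `else` branch at the top of the hunk and silently enrolls the Microsoft certificates, which is the opposite of what the operator asked for; unrecognised input should be rejected rather than treated as the default. Inserting `} else if (Argc != 1) { Print (L"usage: EnrollDefaultKeys [--no-default]\n"); return 1; }` between the two branches (using whichever print routine the file already links) keeps the no-argument default and makes the mistake visible before anything is written. The return is safe here as far as the hunk shows: it sits before the `// Prepare for failure.` block, so no variable has been touched yet; ShellAppMain continues outside the hunk. A comment on the declaration, `// --no-default: enroll only the SMBIOS Type 11 certificate; skip the Microsoft db/KEK entries`, would also say what the flag switches off, which the name alone does not.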
> @@ -594,13 +601,22 @@ ShellAppMain (
> //
> // Enroll db.
> //
> - Status = EnrollListOfCerts (
> - EFI_IMAGE_SECURITY_DATABASE,
> - &gEfiImageSecurityDatabaseGuid,
> - &gEfiCertX509Guid,
> - mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGuid,
> - mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,
> - NULL);
> + if (NoDefault) {
> + Status = EnrollListOfCerts (
> + EFI_IMAGE_SECURITY_DATABASE,
> + &gEfiImageSecurityDatabaseGuid,
> + &gEfiCertX509Guid,
> + PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid,
> + NULL);
> + } else {
> + Status = EnrollListOfCerts (
> + EFI_IMAGE_SECURITY_DATABASE,
> + &gEfiImageSecurityDatabaseGuid,
> + &gEfiCertX509Guid,
> + mMicrosoftPca, mSizeOfMicrosoftPca, > &gMicrosoftVendorGuid,
> + mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, > &gMicrosoftVendorGuid,
> + NULL);
> + }
> if (EFI_ERROR (Status)) {
> goto FreePkKek1;
> }
> @@ -621,13 +637,22 @@ ShellAppMain (
> //
> // Enroll KEK.
> //
> - Status = EnrollListOfCerts (
> - EFI_KEY_EXCHANGE_KEY_NAME,
> - &gEfiGlobalVariableGuid,
> - &gEfiCertX509Guid,
> - PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid,
> - mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
> - NULL);
> + if (NoDefault) {
> + Status = EnrollListOfCerts (
> + EFI_KEY_EXCHANGE_KEY_NAME,
> + &gEfiGlobalVariableGuid,
> + &gEfiCertX509Guid,
> + PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid,
> + NULL);
> + } else {
> + Status = EnrollListOfCerts (
> + EFI_KEY_EXCHANGE_KEY_NAME,
> + &gEfiGlobalVariableGuid,
> + &gEfiCertX509Guid,
> + PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid,
> + mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
> + NULL);
> + }
> if (EFI_ERROR (Status)) {
> goto FreePkKek1;
> }
>
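Review bot: The `NoDefault` branch of this hunk, and the matching one in the KEK hunk below it, leaves the SMBIOS Type 11 certificate `PkKek1` as the only db entry and the only KEK entry without a comment saying so; given the name it is presumably the PK as well, so one key then authorises both image execution and every authenticated-variable update, and the `// Enroll db.` / `// Enroll KEK.` blocks should record that this is a development-only trust layout. Suggested comment at the top of the `if (NoDefault)` branch here: `// --no-default: the SMBIOS Type 11 certificate is the sole trust anchor for db (and KEK below), so its private key can sign both boot images and db/KEK updates.` The two branches otherwise differ only in the trailing certificate list, so a one-line comment on each `else` naming what it adds (`// default: Microsoft PCA and UEFI CA` here, `// default: Microsoft KEK CA` in the KEK hunk) keeps the pair readable. Whether dbx enrollment changes under `--no-default` is not visible in these hunks; if it is unchanged, a sentence in the commit message would help readers of the template.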
Reviewed-by: Laszlo Ersek <ler...@redhat.com> Pushed as commit 89d7c543cf71. Thanks, Laszlo