Hey Laszlo,

On 12.06.2018 15:59, Laszlo Ersek wrote:
> On 06/12/18 15:12, Philipp Deppenwiese wrote:
>> Hey people,
>>
>> We are experiencing issues with UEFI secure boot enabled
>> on UDK 2018 for the OvmfPkg.
> UDK2018 does not include OvmfPkg; no UDK does, to my knowledge.
I mean the UDK2018 branch of https://github.com/tianocore/edk2/tree/UDK2018
>
>> Reproducible issue:
>>
>> 1) Add the following code + files as a DXE driver.
>> https://gist.github.com/zaolin/976d0d2ad68bcd05c10ffdb2530341fc
> This looks like a modified copy of (a possibly older version of) my
> EnrollDefaultKeys module. The latest source for that is available from
> the "edk2-20180529gitee3198e672e2-1.fc29" SRPM at
> <https://koji.fedoraproject.org/koji/buildinfo?buildID=1087595>.
Correct, I just moved it into a DXE driver and load certificates from
the FFS.
Do you know if there is a more common/normal/better way for populating
vendor certificates?
>
>> 2) Build OvmfPkg with -DSECURE_BOOT_ENABLE=TRUE
>> 3) Windows 10 boots and crashes in Qemu with a
>> /KMODE_EXCEPTION_NOT_HANDLED./
>>
>> If we don't populate the keys or use Linux with secure boot turned on
>> everything is totally fine.
> Relative to the EnrollDefaultKeys.c source that I know, your variant
> does not include the certificates as UINT8 arrays in the source code;
> instead it seems to include them in firmware filesystem (FFS) files, and
> to look them up with GetSectionFromAnyFv(). I assume you have some INF
> file changes as well, where you build the certificates as binary blobs
> into DXEFV.
>
> Did you verify that the exact same blobs (and same other arguments) are
> passed to the gRT->SetVariable() calls in your variant?
>
> I've now retested my variant with Windows 10 Enterprise N 2015 LTSB; it
> works as expected.
Thanks for the help. I am going to check if I do something wrong. But I
have run the FWTS testsuite and checked the certificates with mokutil
under Linux, everything looks fine so far. Also Windows 10 in safe mode
with secure boot works but not the normal mode.

We use the 14393.0.160715-1616.RS1_RELEASE_CLIENTENTERPRISE_S_EVAL_X64
LTSB release for testing.
>
> Thanks,
> Laszlo

Best Regards, Philipp
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
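
The check Laszlo asks about above, whether the exact same blobs reach gRT->SetVariable() in both variants, can be done offline by parsing each payload as a sequence of EFI_SIGNATURE_LIST structures and comparing the entries. This is an added example, not code from the thread or from edk2; the function names are hypothetical, and the owner GUID and certificate bytes are constructed placeholders.

```python
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID as defined in the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HEADER_SIZE = 28  # SignatureType GUID (16) + three UINT32 size fields

def parse_signature_lists(payload):
    """Return (type GUID, owner GUID, SHA-256 of data) for every EFI_SIGNATURE_DATA."""
    entries, off = [], 0
    while off < len(payload):
        if len(payload) - off < HEADER_SIZE:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=payload[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        body = payload[off + HEADER_SIZE + hdr_size:off + list_size]
        if (list_size < HEADER_SIZE + hdr_size or off + list_size > len(payload)
                or sig_size <= 16 or len(body) % sig_size):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            digest = hashlib.sha256(body[i + 16:i + sig_size]).hexdigest()
            entries.append((sig_type, owner, digest))
        off += list_size
    return entries

def build_signature_list(sig_type, owner, data):
    """Wrap one signature in an EFI_SIGNATURE_LIST (no SignatureHeader)."""
    sig_size = 16 + len(data)
    sizes = struct.pack("<III", HEADER_SIZE + sig_size, 0, sig_size)
    return sig_type.bytes_le + sizes + owner.bytes_le + data

def diff_payloads(reference, candidate):
    """Compare the payload one variant enrolls against the other's."""
    ref, cand = parse_signature_lists(reference), parse_signature_lists(candidate)
    return {"identical_bytes": reference == candidate,
            "missing": [e for e in ref if e not in cand],
            "unexpected": [e for e in cand if e not in ref]}

# Constructed sample data: placeholder owner GUID and stand-in certificate bytes.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
CERT_A, CERT_B = b"constructed-cert-A", b"constructed-cert-B"
REFERENCE = build_signature_list(EFI_CERT_X509_GUID, OWNER, CERT_A) + \
    build_signature_list(EFI_CERT_X509_GUID, OWNER, CERT_B)
# Same certificates, but the second blob carries one extra trailing byte.
CANDIDATE = build_signature_list(EFI_CERT_X509_GUID, OWNER, CERT_A) + \
    build_signature_list(EFI_CERT_X509_GUID, OWNER, CERT_B + b"\x00")

if __name__ == "__main__":
    for key, value in diff_payloads(REFERENCE, CANDIDATE).items():
        print(key, value)
```

A payload read back through Linux efivarfs starts with a 4-byte attributes word, which has to be dropped before parsing.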
