Re: [edk2-devel] [PATCH v2 2/6] SecurityPkg: Create include file for default key content.
Internally reviewed this patch before sending the edk2 mailing list and It looks good to me. Please also address Min M's good catch/comment. Reviewed-by: Sunny Wang Hi Laszlo, if you have time, I think you can still review this patch because this patch is a simple one and is based on your valuable feedback in RFC. It would be good to get your review on this one. :) Thanks, Sunny -Original Message- From: Grzegorz Bernacki Sent: Tuesday, June 1, 2021 9:12 PM To: devel@edk2.groups.io Cc: l...@nuviainc.com; ardb+tianoc...@kernel.org; Samer El-Haj-Mahmoud ; Sunny Wang ; m...@semihalf.com; upstr...@semihalf.com; jiewen@intel.com; jian.j.w...@intel.com; min.m...@intel.com; ler...@redhat.com; Grzegorz Bernacki Subject: [PATCH v2 2/6] SecurityPkg: Create include file for default key content. This commits add file which can be included by platform Flash Description File. It allows to specify certificate files, which will be embedded into binary file. The content of these files can be used to initialize Secure Boot default keys and databases. Signed-off-by: Grzegorz Bernacki --- SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 1 file changed, 62 insertions(+) create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc diff --git a/SecurityPkg/SecureBootDefaultKeys.fdf.inc b/SecurityPkg/SecureBootDefaultKeys.fdf.inc new file mode 100644 index 00..056586b204 --- /dev/null +++ b/SecurityPkg/SecureBootDefaultKeys.fdf.inc @@ -0,0 +1,62 @@ + +!if $(DEFAULT_KEYS) == TRUE + FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 { + !ifdef $(PK_DEFAULT_FILE) +SECTION RAW = $(PK_DEFAULT_FILE) + !endif +SECTION UI = "PK Default" + } + + FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 { + !ifdef $(KEK_DEFAULT_FILE1) +SECTION RAW = $(KEK_DEFAULT_FILE1) + !endif + !ifdef $(KEK_DEFAULT_FILE2) +SECTION RAW = $(KEK_DEFAULT_FILE2) + !endif + !ifdef $(KEK_DEFAULT_FILE3) +SECTION RAW = $(KEK_DEFAULT_FILE3) + !endif +SECTION UI = "KEK Default" + } + + FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 { + !ifdef $(DB_DEFAULT_FILE1) +SECTION RAW = $(DB_DEFAULT_FILE1) + !endif + !ifdef $(DB_DEFAULT_FILE2) +SECTION RAW = $(DB_DEFAULT_FILE2) + !endif + !ifdef $(DB_DEFAULT_FILE3) +SECTION RAW = $(DB_DEFAULT_FILE3) + !endif +SECTION UI = "DB Default" + } + + FILE FREEFORM = 36c513ee-a338-4976-a0fb-6ddba3dafe87 { + !ifdef $(DBT_DEFAULT_FILE1) +SECTION RAW = $(DBT_DEFAULT_FILE1) + !endif + !ifdef $(DBT_DEFAULT_FILE2) +SECTION RAW = $(DBT_DEFAULT_FILE2) + !endif + !ifdef $(DBT_DEFAULT_FILE3) +SECTION RAW = $(DBT_DEFAULT_FILE3) + !endif +SECTION UI = "DBT Default" + } + + FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f { + !ifdef $(DBX_DEFAULT_FILE1) +SECTION RAW = $(DBX_DEFAULT_FILE1) + !endif + !ifdef $(DBX_DEFAULT_FILE2) +SECTION RAW = $(DBX_DEFAULT_FILE2) + !endif + !ifdef $(DBX_DEFAULT_FILE3) +SECTION RAW = $(DBX_DEFAULT_FILE3) + !endif +SECTION UI = "DBX Default" + } + +!endif -- 2.25.1 IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76046): https://edk2.groups.io/g/devel/message/76046 Mute This Topic: https://groups.io/mt/83232296/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 2/6] SecurityPkg: Create include file for default key content.
On Tuesday, June 1, 2021 9:12 PM, Grzegorz Bernacki Wrote: > This commits add file which can be included by platform Flash Description > File. It allows to specify certificate files, which will be embedded into > binary > file. The content of these files can be used to initialize Secure Boot default > keys and databases. > > Signed-off-by: Grzegorz Bernacki > --- > SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 > 1 file changed, 62 insertions(+) > create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc > > diff --git a/SecurityPkg/SecureBootDefaultKeys.fdf.inc > b/SecurityPkg/SecureBootDefaultKeys.fdf.inc > new file mode 100644 > index 00..056586b204 > --- /dev/null > +++ b/SecurityPkg/SecureBootDefaultKeys.fdf.inc > @@ -0,0 +1,62 @@ File header should be included, for example, the file description, Copyright, License, etc. > + > +!if $(DEFAULT_KEYS) == TRUE > + FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 { > + !ifdef $(PK_DEFAULT_FILE) > +SECTION RAW = $(PK_DEFAULT_FILE) > + !endif > +SECTION UI = "PK Default" > + } > + > + FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 { !ifdef > + $(KEK_DEFAULT_FILE1) > +SECTION RAW = $(KEK_DEFAULT_FILE1) > + !endif > + !ifdef $(KEK_DEFAULT_FILE2) > +SECTION RAW = $(KEK_DEFAULT_FILE2) > + !endif > + !ifdef $(KEK_DEFAULT_FILE3) > +SECTION RAW = $(KEK_DEFAULT_FILE3) > + !endif > +SECTION UI = "KEK Default" > + } > + > + FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 { !ifdef > + $(DB_DEFAULT_FILE1) > +SECTION RAW = $(DB_DEFAULT_FILE1) > + !endif > + !ifdef $(DB_DEFAULT_FILE2) > +SECTION RAW = $(DB_DEFAULT_FILE2) > + !endif > + !ifdef $(DB_DEFAULT_FILE3) > +SECTION RAW = $(DB_DEFAULT_FILE3) > + !endif > +SECTION UI = "DB Default" > + } > + > + FILE FREEFORM = 36c513ee-a338-4976-a0fb-6ddba3dafe87 { !ifdef > + $(DBT_DEFAULT_FILE1) > +SECTION RAW = $(DBT_DEFAULT_FILE1) > + !endif > + !ifdef $(DBT_DEFAULT_FILE2) > +SECTION RAW = $(DBT_DEFAULT_FILE2) > + !endif > + !ifdef $(DBT_DEFAULT_FILE3) > +SECTION RAW = $(DBT_DEFAULT_FILE3) > + !endif > +SECTION UI = "DBT Default" > + } > + > + FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f { !ifdef > + $(DBX_DEFAULT_FILE1) > +SECTION RAW = $(DBX_DEFAULT_FILE1) > + !endif > + !ifdef $(DBX_DEFAULT_FILE2) > +SECTION RAW = $(DBX_DEFAULT_FILE2) > + !endif > + !ifdef $(DBX_DEFAULT_FILE3) > +SECTION RAW = $(DBX_DEFAULT_FILE3) > + !endif > +SECTION UI = "DBX Default" > + } > + > +!endif > -- > 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76014): https://edk2.groups.io/g/devel/message/76014 Mute This Topic: https://groups.io/mt/83232296/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH v2 2/6] SecurityPkg: Create include file for default key content.
On 2021.06.01 14:12, Grzegorz Bernacki wrote: This commits add file which can be included by platform Flash Description File. It allows to specify certificate files, which will be embedded into binary file. The content of these files can be used to initialize Secure Boot default keys and databases. Signed-off-by: Grzegorz Bernacki --- SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 1 file changed, 62 insertions(+) create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc diff --git a/SecurityPkg/SecureBootDefaultKeys.fdf.inc b/SecurityPkg/SecureBootDefaultKeys.fdf.inc new file mode 100644 index 00..056586b204 --- /dev/null +++ b/SecurityPkg/SecureBootDefaultKeys.fdf.inc @@ -0,0 +1,62 @@ + +!if $(DEFAULT_KEYS) == TRUE + FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 { + !ifdef $(PK_DEFAULT_FILE) +SECTION RAW = $(PK_DEFAULT_FILE) + !endif +SECTION UI = "PK Default" + } + + FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 { + !ifdef $(KEK_DEFAULT_FILE1) +SECTION RAW = $(KEK_DEFAULT_FILE1) + !endif + !ifdef $(KEK_DEFAULT_FILE2) +SECTION RAW = $(KEK_DEFAULT_FILE2) + !endif + !ifdef $(KEK_DEFAULT_FILE3) +SECTION RAW = $(KEK_DEFAULT_FILE3) + !endif +SECTION UI = "KEK Default" + } + + FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 { + !ifdef $(DB_DEFAULT_FILE1) +SECTION RAW = $(DB_DEFAULT_FILE1) + !endif + !ifdef $(DB_DEFAULT_FILE2) +SECTION RAW = $(DB_DEFAULT_FILE2) + !endif + !ifdef $(DB_DEFAULT_FILE3) +SECTION RAW = $(DB_DEFAULT_FILE3) + !endif +SECTION UI = "DB Default" + } + + FILE FREEFORM = 36c513ee-a338-4976-a0fb-6ddba3dafe87 { + !ifdef $(DBT_DEFAULT_FILE1) +SECTION RAW = $(DBT_DEFAULT_FILE1) + !endif + !ifdef $(DBT_DEFAULT_FILE2) +SECTION RAW = $(DBT_DEFAULT_FILE2) + !endif + !ifdef $(DBT_DEFAULT_FILE3) +SECTION RAW = $(DBT_DEFAULT_FILE3) + !endif +SECTION UI = "DBT Default" + } + + FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f { + !ifdef $(DBX_DEFAULT_FILE1) +SECTION RAW = $(DBX_DEFAULT_FILE1) + !endif + !ifdef $(DBX_DEFAULT_FILE2) +SECTION RAW = $(DBX_DEFAULT_FILE2) + !endif + !ifdef $(DBX_DEFAULT_FILE3) +SECTION RAW = $(DBX_DEFAULT_FILE3) + !endif +SECTION UI = "DBX Default" + } + +!endif Reviewed-by: Pete Batard Tested-by: Pete Batard on Raspberry Pi 4 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#75988): https://edk2.groups.io/g/devel/message/75988 Mute This Topic: https://groups.io/mt/83232296/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[edk2-devel] [PATCH v2 2/6] SecurityPkg: Create include file for default key content.
This commits add file which can be included by platform Flash Description File. It allows to specify certificate files, which will be embedded into binary file. The content of these files can be used to initialize Secure Boot default keys and databases. Signed-off-by: Grzegorz Bernacki --- SecurityPkg/SecureBootDefaultKeys.fdf.inc | 62 1 file changed, 62 insertions(+) create mode 100644 SecurityPkg/SecureBootDefaultKeys.fdf.inc diff --git a/SecurityPkg/SecureBootDefaultKeys.fdf.inc b/SecurityPkg/SecureBootDefaultKeys.fdf.inc new file mode 100644 index 00..056586b204 --- /dev/null +++ b/SecurityPkg/SecureBootDefaultKeys.fdf.inc @@ -0,0 +1,62 @@ + +!if $(DEFAULT_KEYS) == TRUE + FILE FREEFORM = 85254ea7-4759-4fc4-82d4-5eed5fb0a4a0 { + !ifdef $(PK_DEFAULT_FILE) +SECTION RAW = $(PK_DEFAULT_FILE) + !endif +SECTION UI = "PK Default" + } + + FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 { + !ifdef $(KEK_DEFAULT_FILE1) +SECTION RAW = $(KEK_DEFAULT_FILE1) + !endif + !ifdef $(KEK_DEFAULT_FILE2) +SECTION RAW = $(KEK_DEFAULT_FILE2) + !endif + !ifdef $(KEK_DEFAULT_FILE3) +SECTION RAW = $(KEK_DEFAULT_FILE3) + !endif +SECTION UI = "KEK Default" + } + + FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 { + !ifdef $(DB_DEFAULT_FILE1) +SECTION RAW = $(DB_DEFAULT_FILE1) + !endif + !ifdef $(DB_DEFAULT_FILE2) +SECTION RAW = $(DB_DEFAULT_FILE2) + !endif + !ifdef $(DB_DEFAULT_FILE3) +SECTION RAW = $(DB_DEFAULT_FILE3) + !endif +SECTION UI = "DB Default" + } + + FILE FREEFORM = 36c513ee-a338-4976-a0fb-6ddba3dafe87 { + !ifdef $(DBT_DEFAULT_FILE1) +SECTION RAW = $(DBT_DEFAULT_FILE1) + !endif + !ifdef $(DBT_DEFAULT_FILE2) +SECTION RAW = $(DBT_DEFAULT_FILE2) + !endif + !ifdef $(DBT_DEFAULT_FILE3) +SECTION RAW = $(DBT_DEFAULT_FILE3) + !endif +SECTION UI = "DBT Default" + } + + FILE FREEFORM = 5740766a-718e-4dc0-9935-c36f7d3f884f { + !ifdef $(DBX_DEFAULT_FILE1) +SECTION RAW = $(DBX_DEFAULT_FILE1) + !endif + !ifdef $(DBX_DEFAULT_FILE2) +SECTION RAW = $(DBX_DEFAULT_FILE2) + !endif + !ifdef $(DBX_DEFAULT_FILE3) +SECTION RAW = $(DBX_DEFAULT_FILE3) + !endif +SECTION UI = "DBX Default" + } + +!endif -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#75902): https://edk2.groups.io/g/devel/message/75902 Mute This Topic: https://groups.io/mt/83232296/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-