REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506
Per UEFI spec, enrolling a new PK in setup mode should not require a
self-signature. Introduce a feature PCD called PcdRequireSelfSignedPk
to control this requirement. Default to TRUE in order to preserve the
legacy behavior.
Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Jian J Wang <jian.j.w...@intel.com>
Cc: Min Xu <min.m...@intel.com>
Co-authored-by: Matthew Carlson <mac...@microsoft.com>
Signed-off-by: Jan Bobek <jbo...@nvidia.com>
---
SecurityPkg/SecurityPkg.dec | 7 +++++++
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 3 +++
SecurityPkg/Library/AuthVariableLib/AuthService.c | 9 +++++++--
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 8257f11d17c7..d3b7ad7ff6fb 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -580,5 +580,12 @@ [PcdsDynamic, PcdsDynamicEx]
## This PCD records LASA field in CC EVENTLOG ACPI table.
gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x00010026
+[PcdsFeatureFlag]
+ ## Indicates if the platform requires PK to be self-signed when setting the
PK in setup mode.
+ # TRUE - Require PK to be self-signed.
+ # FALSE - Do not require PK to be self-signed.
+ # @Prompt Require PK to be self-signed
+ gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE|BOOLEAN|0x00010027
+
[UserExtensions.TianoCore."ExtraFiles"]
SecurityPkgExtra.uni
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
index 8eadeebcebd7..e5985c5f8b60 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -86,3 +86,6 @@ [Guids]
gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID
for the type of the certificate.
gEfiCertPkcs7Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID
for the type of the certificate.
gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID
for the type of the signature.
+
+[FeaturePcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c
b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 054ee4d1d988..e9989695626e 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -603,7 +603,10 @@ ProcessVarWithPk (
// Init state of Del. State may change due to secure check
//
Del = FALSE;
- if ((InCustomMode () && UserPhysicalPresent ()) || ((mPlatformMode ==
SETUP_MODE) && !IsPk)) {
+ if ( (InCustomMode () && UserPhysicalPresent ())
+ || ( (mPlatformMode == SETUP_MODE)
+ && !(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk)))
+ {
Payload = (UINT8 *)Data + AUTHINFO2_SIZE (Data);
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
if (PayloadSize == 0) {
@@ -627,7 +630,9 @@ ProcessVarWithPk (
return Status;
}
- if ((mPlatformMode != SETUP_MODE) || IsPk) {
+ if ( (mPlatformMode != SETUP_MODE)
+ || (FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk))
+ {
Status = VendorKeyIsModified ();
}
} else if (mPlatformMode == USER_MODE) {
--
2.30.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#98946): https://edk2.groups.io/g/devel/message/98946
Mute This Topic: https://groups.io/mt/96412383/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
