Jan,
From looking over the patch 1/4 email i have a concern.
In AuthService.c on the conditional change you made. Aren't we losing a
case where we are evaluating a nonPK payload signed by the PK? Given
the system is in SetupMode that means there is no PK but is this the
conditional path that is used when installing Secure boot keys in
reverse (DBX,DX,KEK,PK) order?
Is there testing you have done? This code should be pretty easy to do
host based unit testing on. Any chance you have authored that to
confirm use cases are not unexpectedly impacted? Example of host based
unit test of library is here:
edk2/SecurityPkg/Library/SecureBootVariableLib/UnitTest at master ·
tianocore/edk2 (github.com)
<https://github.com/tianocore/edk2/tree/master/SecurityPkg/Library/SecureBootVariableLib/UnitTest>
Thanks
Sean
On 1/22/2023 10:13 PM, Yao, Jiewen wrote:
Hi Sean
I would like to hear your feedback, since it is a little different from the
original MSFT patch.
Would you please take a look?
Thank you
Yao, Jiewen
-----Original Message-----
From: Jan Bobek<jbo...@nvidia.com>
Sent: Saturday, January 21, 2023 6:59 AM
To:devel@edk2.groups.io
Cc: Jan Bobek<jbo...@nvidia.com>; Laszlo Ersek<ler...@redhat.com>; Yao,
Jiewen<jiewen....@intel.com>
Subject: [PATCH v1 0/4] Don't require self-signed PK in setup mode
Hi all,
I'm sending out v1 of my patch series that addresses a UEFI spec
non-compliance when enrolling PK in setup mode. Additional info can be
found in bugzilla [1]; the changes are split into 4 patches as
suggested by Laszlo Ersek in comment #4.
I've based my work on the patch by Matthew Carlson; I've credited him
with co-authorship of the first patch even though in the end I decided
to do the implementation a bit differently.
Comments & reviews welcome!
Cheers,
-Jan
References:
1.https://bugzilla.tianocore.org/show_bug.cgi?id=2506
Jan Bobek (4):
SecurityPkg: limit verification of enrolled PK in setup mode
OvmfPkg: require self-signed PK when secure boot is enabled
ArmVirtPkg: require self-signed PK when secure boot is enabled
SecurityPkg: don't require PK to be self-signed by default
SecurityPkg/SecurityPkg.dec | 7 +++++++
ArmVirtPkg/ArmVirtCloudHv.dsc | 4 ++++
ArmVirtPkg/ArmVirtQemu.dsc | 4 ++++
ArmVirtPkg/ArmVirtQemuKernel.dsc | 4 ++++
OvmfPkg/Bhyve/BhyveX64.dsc | 3 +++
OvmfPkg/CloudHv/CloudHvX64.dsc | 3 +++
OvmfPkg/IntelTdx/IntelTdxX64.dsc | 3 +++
OvmfPkg/Microvm/MicrovmX64.dsc | 3 +++
OvmfPkg/OvmfPkgIa32.dsc | 3 +++
OvmfPkg/OvmfPkgIa32X64.dsc | 3 +++
OvmfPkg/OvmfPkgX64.dsc | 3 +++
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 3 +++
SecurityPkg/Library/AuthVariableLib/AuthService.c | 9 +++++++--
13 files changed, 50 insertions(+), 2 deletions(-)
--
2.30.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#99001): https://edk2.groups.io/g/devel/message/99001
Mute This Topic: https://groups.io/mt/96412382/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-