On 2/1/2024 9:09 AM, Yao, Jiewen via groups.io wrote:
Hi Nhi
Would you please:
1) File an issue in Bugzilla - https://bugzilla.tianocore.org/
2) Share with us the usage of this new API.

We are trying to understand why it is needed.

Hi Jiewen,

Sorry for the late response. I've just been back from vacation. Happy Lunar New Year!

Let me try to explain the demand. This new API is consumed by Ampere Altra EDK2 [1] for enrolling platform UEFI boot/update keys managed by a secure storage service in the secure world. That is the Ampere Trusted Firmware Secure Boot/Update Design [2], which provides platform firmware owners a way to generate the pair of keys, sign their UEFI firmware, and enroll their public key under the UEFI Secure Variable Format.

Any update (modify/append/delete) must be authenticated in the secure world. Hence, that is the reason we have to extract the key and pass the signature to the secure storage service.

I wonder whether it would be possible to have this API in the CryptLib before opening the Bugzilla ticket?

[1] https://github.com/AmpereComputing/edk2-platforms/blob/ampere/Silicon/Ampere/AmpereAltraPkg/Library/SecVarLib/SecVarLib.c#L613
[2] https://blog.cloudflare.com/armed-to-boot

Thanks,
Nhi

