File ovmf-embed-default-keys.patch of Package ovmf.14651
From 9263239b037b71f81b14ac86746dafd582527b98 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 10 May 2013 10:27:51 +0800
Subject: [PATCH 1/5] Add a stub to allow keys to be embedded at build time
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
 .../Library/AuthVariableLib/AuthVariableLib.c | 180 ++++++++++++++++++
 .../AuthVariableLib/AuthVariableLib.inf | 4 +
 .../Library/AuthVariableLib/Default_DB.h | 2 +
 .../Library/AuthVariableLib/Default_DBX.h | 2 +
 .../Library/AuthVariableLib/Default_KEK.h | 2 +
 .../Library/AuthVariableLib/Default_PK.h | 2 +
 6 files changed, 192 insertions(+)
 create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB.h
 create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DBX.h
 create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_KEK.h
 create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_PK.h
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index 00917eb37436..a7a46fc648ea 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -23,6 +23,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 **/
 #include "AuthServiceInternal.h"
+#include "Default_PK.h"
+#include "Default_KEK.h"
+#include "Default_DB.h"
+#include "Default_DBX.h"
 ///
 /// Global database array for scratch
@@ -131,6 +135,11 @@ AuthVariableLibInitialize (
 UINT8 SecureBootEnable;
 UINT8 CustomMode;
 UINT32 ListSize;
+ EFI_SIGNATURE_LIST *SigCert;
+ EFI_SIGNATURE_DATA *SigCertData;
+ UINTN SigSize;
+ EFI_GUID *SignatureGUID;
+ UINT32 Attr;
 if ((AuthVarLibContextIn == NULL) || (AuthVarLibContextOut == NULL)) {
 return EFI_INVALID_PARAMETER;
@@ -147,6 +156,177 @@ AuthVariableLibInitialize (
 return EFI_OUT_OF_RESOURCES;
 }
+ //****
+ // Create signature list for PK KEK DB
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
+
+ // PK
+ if (Default_PK == NULL)
+ goto SKIP_KEYS;
+
+ Status = AuthServiceInternalFindVariable (
+ EFI_PLATFORM_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ (VOID **) &Data,
+ &DataSize
+ );
+ if (Status == EFI_NOT_FOUND) {
+ SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+ if (SignatureGUID == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len;
+ Data = AllocateZeroPool (SigSize);
+ if (Data == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigCert = (EFI_SIGNATURE_LIST*) Data;
+ SigCert->SignatureListSize = (UINT32) SigSize;
+ SigCert->SignatureHeaderSize = 0;
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len);
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len);
+
+ Status = AuthServiceInternalUpdateVariable (
+ EFI_PLATFORM_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ Data,
+ SigSize,
+ Attr
+ );
+ FreePool(SignatureGUID);
+ FreePool(Data);
+
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ // KEK
+ if (Default_KEK == NULL)
+ goto SKIP_KEYS;
+
+ Status = AuthServiceInternalFindVariable (
+ EFI_KEY_EXCHANGE_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ (VOID **) &Data,
+ &DataSize
+ );
+ if (Status == EFI_NOT_FOUND) {
+ SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+ if (SignatureGUID == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len;
+ Data = AllocateZeroPool (SigSize);
+ if (Data == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigCert = (EFI_SIGNATURE_LIST*) Data;
+ SigCert->SignatureListSize = (UINT32) SigSize;
+ SigCert->SignatureHeaderSize = 0;
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len);
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len);
+
+ Status = AuthServiceInternalUpdateVariable (
+ EFI_KEY_EXCHANGE_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ Data,
+ SigSize,
+ Attr
+ );
+ FreePool(SignatureGUID);
+ FreePool(Data);
+
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ // DB
+ if (Default_DB == NULL)
+ goto SKIP_KEYS;
+
+ Status = AuthServiceInternalFindVariable (
+ EFI_IMAGE_SECURITY_DATABASE,
+ &gEfiImageSecurityDatabaseGuid,
+ (VOID **) &Data,
+ &DataSize
+ );
+ if (Status == EFI_NOT_FOUND) {
+ SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+ if (SignatureGUID == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
+ Data = AllocateZeroPool (SigSize);
+ if (Data == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigCert = (EFI_SIGNATURE_LIST*) Data;
+ SigCert->SignatureListSize = (UINT32) SigSize;
+ SigCert->SignatureHeaderSize = 0;
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len);
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len);
+
+ Status = AuthServiceInternalUpdateVariable (
+ EFI_IMAGE_SECURITY_DATABASE,
+ &gEfiImageSecurityDatabaseGuid,
+ Data,
+ SigSize,
+ Attr
+ );
+ FreePool(SignatureGUID);
+ FreePool(Data);
+
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ // DBX
+ if (Default_DBX == NULL)
+ goto SKIP_KEYS;
+
+ Status = AuthServiceInternalFindVariable (
+ EFI_IMAGE_SECURITY_DATABASE1,
+ &gEfiImageSecurityDatabaseGuid,
+ (VOID **) &Data,
+ &DataSize
+ );
+ if (Status == EFI_NOT_FOUND) {
+ Status = AuthServiceInternalUpdateVariable (
+ EFI_IMAGE_SECURITY_DATABASE1,
+ &gEfiImageSecurityDatabaseGuid,
+ Default_DBX,
+ Default_DBX_len,
+ Attr
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+SKIP_KEYS:
 //
 // Reserve runtime buffer for certificate database. The size excludes variable header and name size.
 // Use EFI_CERT_DB_VOLATILE_NAME size since it is longer.
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
index 572ba4e120d2..1a46019a5f42 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -33,6 +33,10 @@ [Sources]
 AuthVariableLib.c
 AuthService.c
 AuthServiceInternal.h
+ Default_PK.h
+ Default_KEK.h
+ Default_DB.h
+ Default_DBX.h
 [Packages]
 MdePkg/MdePkg.dec
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB.h b/SecurityPkg/Library/AuthVariableLib/Default_DB.h
new file mode 100644
index 000000000000..4d138942164e
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_DB.h
@@ -0,0 +1,2 @@
+unsigned char *Default_DB = NULL;
+unsigned int Default_DB_len = 0;
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DBX.h b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h
new file mode 100644
index 000000000000..5fd3cdc0f43d
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h
@@ -0,0 +1,2 @@
+unsigned char *Default_DBX = NULL;
+unsigned int Default_DBX_len = 0;
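Review bot: The DBX branch hands `Default_DBX` and `Default_DBX_len` straight to `AuthServiceInternalUpdateVariable`, whereas the PK, KEK and DB branches wrap the embedded bytes in a freshly built `EFI_SIGNATURE_LIST` of type `gEfiCertX509Guid`; nothing in the hunk states or checks that the DBX blob must already be a serialized signature list. A comment above the DBX write such as `// Default_DBX must already be in EFI_SIGNATURE_LIST format; PK/KEK/DB are single X.509 certificates wrapped above` would make that build-time contract explicit, and a guard like `Default_DBX_len >= sizeof (EFI_SIGNATURE_LIST)` would keep a truncated blob out of the revocation list. The three wrap blocks differ only in variable name, vendor GUID and source buffer, so a static helper taking those as parameters would remove the triplicated size arithmetic. AuthVariableLibInitialize starts and ends outside the hunk.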
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_KEK.h b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h
new file mode 100644
index 000000000000..80883de1aeeb
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h
@@ -0,0 +1,2 @@
+unsigned char *Default_KEK = NULL;
+unsigned int Default_KEK_len = 0;
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_PK.h b/SecurityPkg/Library/AuthVariableLib/Default_PK.h
new file mode 100644
index 000000000000..23b90e45f07d
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_PK.h
@@ -0,0 +1,2 @@
+unsigned char *Default_PK = NULL;
+unsigned int Default_PK_len = 0;
--
2.19.1
From a76f3966a97f51acfb83839aa3349f7af9966466 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 15 Dec 2015 16:54:54 +0800
Subject: [PATCH 2/5] Add DB_EX to include one more DB cert
Signed-off-by: Gary Lin <glin@suse.com>
---
 .../Library/AuthVariableLib/AuthVariableLib.c | 27 ++++++++++++++++---
 .../Library/AuthVariableLib/Default_DB_EX.h | 2 ++
 2 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index a7a46fc648ea..114f3d84c68f 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -26,6 +26,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include "Default_PK.h"
 #include "Default_KEK.h"
 #include "Default_DB.h"
+#include "Default_DB_EX.h"
 #include "Default_DBX.h"
 ///
@@ -267,19 +268,25 @@ AuthVariableLibInitialize (
 &DataSize
 );
 if (Status == EFI_NOT_FOUND) {
+ UINTN SigSize_1 = 0;
+ UINTN SigSize_2 = 0;
+
 SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
 if (SignatureGUID == NULL) {
 return EFI_OUT_OF_RESOURCES;
 }
- SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
- Data = AllocateZeroPool (SigSize);
+ SigSize_1 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
+ if (Default_DB_EX != NULL) {
+ SigSize_2 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len;
+ }
+ Data = AllocateZeroPool (SigSize_1 + SigSize_2);
 if (Data == NULL) {
 return EFI_OUT_OF_RESOURCES;
 }
 SigCert = (EFI_SIGNATURE_LIST*) Data;
- SigCert->SignatureListSize = (UINT32) SigSize;
+ SigCert->SignatureListSize = (UINT32) SigSize_1;
 SigCert->SignatureHeaderSize = 0;
 SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len);
 CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
@@ -288,11 +295,23 @@ AuthVariableLibInitialize (
 CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
 CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len);
+ if (Default_DB_EX != NULL) {
+ SigCert = (EFI_SIGNATURE_LIST*) (Data + SigSize_1);
+ SigCert->SignatureListSize = (UINT32) SigSize_2;
+ SigCert->SignatureHeaderSize = 0;
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len);
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB_EX, Default_DB_EX_len);
+ }
+
 Status = AuthServiceInternalUpdateVariable (
 EFI_IMAGE_SECURITY_DATABASE,
 &gEfiImageSecurityDatabaseGuid,
 Data,
- SigSize,
+ SigSize_1 + SigSize_2,
 Attr
 );
 FreePool(SignatureGUID);
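Review bot: `Default_DB_EX` is only consulted inside the branch that builds the `Default_DB` list, so a build that embeds only the extra certificate enrolls nothing into db, and neither hunk carries a comment saying so. A line before the first `if (Default_DB_EX != NULL)` such as `// Default_DB_EX is optional and is only enrolled together with Default_DB` would document that dependency. The second list is placed with `Data + SigSize_1`, which is only a byte offset if `Data` is a byte pointer; its declaration is outside these hunks, so that is worth confirming or making explicit with `(UINT8 *) Data + SigSize_1`. The enclosing `if (Status == EFI_NOT_FOUND)` block starts and ends outside the hunks.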
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h b/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h
new file mode 100644
index 000000000000..001f12506530
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h
@@ -0,0 +1,2 @@
+unsigned char *Default_DB_EX = NULL;
+unsigned int Default_DB_EX_len = 0;
--
2.19.1
From ce3429b55bc96e80e194075f0fafc5163382e422 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 28 Aug 2017 16:18:00 +0800
Subject: [PATCH 3/5] Check the length of the certificate instead of the pointer
Since "xxd -i" may produce a valid pointer for an empty file, it's safer to check the length of the certificate instead of the pointer.
Signed-off-by: Gary Lin <glin@suse.com>
---
 .../Library/AuthVariableLib/AuthVariableLib.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index 114f3d84c68f..641823216a39 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -164,7 +164,7 @@ AuthVariableLibInitialize (
 EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
 // PK
- if (Default_PK == NULL)
+ if (Default_PK_len == 0)
 goto SKIP_KEYS;
 Status = AuthServiceInternalFindVariable (
@@ -211,7 +211,7 @@ AuthVariableLibInitialize (
 }
 // KEK
- if (Default_KEK == NULL)
+ if (Default_KEK_len == 0)
 goto SKIP_KEYS;
 Status = AuthServiceInternalFindVariable (
@@ -258,7 +258,7 @@ AuthVariableLibInitialize (
 }
 // DB
- if (Default_DB == NULL)
+ if (Default_DB_len == 0)
 goto SKIP_KEYS;
 Status = AuthServiceInternalFindVariable (
@@ -277,7 +277,7 @@ AuthVariableLibInitialize (
 }
 SigSize_1 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
- if (Default_DB_EX != NULL) {
+ if (Default_DB_EX_len != 0) {
 SigSize_2 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len;
 }
 Data = AllocateZeroPool (SigSize_1 + SigSize_2);
@@ -295,7 +295,7 @@ AuthVariableLibInitialize (
 CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
 CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len);
- if (Default_DB_EX != NULL) {
+ if (Default_DB_EX_len != 0) {
 SigCert = (EFI_SIGNATURE_LIST*) (Data + SigSize_1);
 SigCert->SignatureListSize = (UINT32) SigSize_2;
 SigCert->SignatureHeaderSize = 0;
@@ -323,7 +323,7 @@ AuthVariableLibInitialize (
 }
 // DBX
- if (Default_DBX == NULL)
+ if (Default_DBX_len == 0)
 goto SKIP_KEYS;
 Status = AuthServiceInternalFindVariable (
--
2.19.1
From b64d3f5128cfbee3648d04a39820584d5798700b Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 30 Nov 2018 15:31:51 +0800
Subject: [PATCH 4/5] Add the DefaultOwnerGUID
Ref: https://bugzilla.suse.com/show_bug.cgi?id=1117998
A new header file is added to set the default GUID for the signature owner.
Signed-off-by: Gary Lin <glin@suse.com>
---
 .../Library/AuthVariableLib/AuthVariableLib.c | 28 ++++---------------
 .../Library/AuthVariableLib/Default_Owner.h | 1 +
 2 files changed, 6 insertions(+), 23 deletions(-)
 create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_Owner.h
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index 641823216a39..fc9bbd2ad392 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -28,6 +28,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include "Default_DB.h"
 #include "Default_DB_EX.h"
 #include "Default_DBX.h"
+#include "Default_Owner.h"
 ///
 /// Global database array for scratch
@@ -139,7 +140,6 @@ AuthVariableLibInitialize (
 EFI_SIGNATURE_LIST *SigCert;
 EFI_SIGNATURE_DATA *SigCertData;
 UINTN SigSize;
- EFI_GUID *SignatureGUID;
 UINT32 Attr;
 if ((AuthVarLibContextIn == NULL) || (AuthVarLibContextOut == NULL)) {
@@ -174,11 +174,6 @@ AuthVariableLibInitialize (
 &DataSize
 );
 if (Status == EFI_NOT_FOUND) {
- SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
- if (SignatureGUID == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
 SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len;
 Data = AllocateZeroPool (SigSize);
 if (Data == NULL) {
@@ -192,7 +187,7 @@ AuthVariableLibInitialize (
 CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
 SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID);
 CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len);
 Status = AuthServiceInternalUpdateVariable (
@@ -202,7 +197,6 @@ AuthVariableLibInitialize (
 SigSize,
 Attr
 );
- FreePool(SignatureGUID);
 FreePool(Data);
 if (EFI_ERROR (Status)) {
@@ -221,11 +215,6 @@ AuthVariableLibInitialize (
 &DataSize
 );
 if (Status == EFI_NOT_FOUND) {
- SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
- if (SignatureGUID == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
 SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len;
 Data = AllocateZeroPool (SigSize);
 if (Data == NULL) {
@@ -239,7 +228,7 @@ AuthVariableLibInitialize (
 CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
 SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID);
 CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len);
 Status = AuthServiceInternalUpdateVariable (
@@ -249,7 +238,6 @@ AuthVariableLibInitialize (
 SigSize,
 Attr
 );
- FreePool(SignatureGUID);
 FreePool(Data);
 if (EFI_ERROR (Status)) {
@@ -271,11 +259,6 @@ AuthVariableLibInitialize (
 UINTN SigSize_1 = 0;
 UINTN SigSize_2 = 0;
- SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
- if (SignatureGUID == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
 SigSize_1 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
 if (Default_DB_EX_len != 0) {
 SigSize_2 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len;
@@ -292,7 +275,7 @@ AuthVariableLibInitialize (
 CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
 SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID);
 CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len);
 if (Default_DB_EX_len != 0) {
@@ -303,7 +286,7 @@ AuthVariableLibInitialize (
 CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
 SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID);
 CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB_EX, Default_DB_EX_len);
 }
@@ -314,7 +297,6 @@ AuthVariableLibInitialize (
 SigSize_1 + SigSize_2,
 Attr
 );
- FreePool(SignatureGUID);
 FreePool(Data);
 if (EFI_ERROR (Status)) {
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_Owner.h b/SecurityPkg/Library/AuthVariableLib/Default_Owner.h
new file mode 100644
index 000000000000..6230ed7d9605
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_Owner.h
@@ -0,0 +1 @@
+EFI_GUID DefaultOwnerGUID = {0x00000000, 0x0000, 0x0000, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}};
--
2.19.1
From 47d96fd043c2c4b2fc21864ec669f4542a4cfc30 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 3 Dec 2018 16:02:27 +0800
Subject: [PATCH 5/5] Check VendorKeysNv before creating PK/KEK/db
Ref: https://bugzilla.suse.com/show_bug.cgi?id=1117998
We only need to create PK/KEK/db for the very first time.
Signed-off-by: Gary Lin <glin@suse.com>
---
 SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index fc9bbd2ad392..cea1dc7bfba5 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -158,6 +158,16 @@ AuthVariableLibInitialize (
 }
 //****
+ // Check VendorKeysNv and create PK/KEK/DB only for the "first boot"
+ Status = AuthServiceInternalFindVariable (
+ EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
+ &gEfiVendorKeysNvGuid,
+ (VOID **) &Data,
+ &DataSize
+ );
+ if (Status != EFI_NOT_FOUND)
+ goto SKIP_KEYS;
+
 // Create signature list for PK KEK DB
 Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS |
 EFI_VARIABLE_BOOTSERVICE_ACCESS |
--
2.19.1
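Review bot: `DefaultOwnerGUID` in Default_Owner.h is a writable global defined in a header, and its all-zero value carries no comment, so every embedded PK/KEK/db entry is written with a null `SignatureOwner` unless this file is replaced. If the package build is expected to overwrite the stub the way it does for the key headers (inferred from the series, not visible here), say so in the file, e.g. `// Placeholder owner GUID; replaced at build time`. Because the value is only read through `CopyGuid`, declaring it `STATIC CONST EFI_GUID DefaultOwnerGUID = ...` would also stop other code from modifying it and keep it out of the global namespace.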
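Review bot: The "first boot" test in the `@@ -158,6 +158,16 @@` hunk treats every status other than `EFI_NOT_FOUND` as "already provisioned", and nothing in the hunk says where `VendorKeysNv` is created, so the gate that decides whether Secure Boot keys get enrolled is hard to audit from this code alone. A comment such as `// VendorKeysNv is written later during initialization; its absence marks a fresh variable store` would document the dependency, provided that is where the variable is actually created (not visible here). The new `if (Status != EFI_NOT_FOUND)` also has an unbraced body, like the earlier `goto SKIP_KEYS` guards, whereas EDK II style asks for braces: `if (Status != EFI_NOT_FOUND) { goto SKIP_KEYS; }`. AuthVariableLibInitialize continues outside the hunk.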