summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJan Bobek <jbobek@nvidia.com>2023-01-21 06:58:32 +0800
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2023-02-04 11:53:59 +0000
commit566cdfc675fa0da486af34cb12cb5f2e01578a5c (patch)
treed41f99b37ed53b32eedb4f8dfaae3914adc15441
parent7c138e400862a3a742489ca6f21d31afa9a3dd8a (diff)
downloadedk2-566cdfc675fa0da486af34cb12cb5f2e01578a5c.tar.gz
edk2-566cdfc675fa0da486af34cb12cb5f2e01578a5c.tar.bz2
edk2-566cdfc675fa0da486af34cb12cb5f2e01578a5c.zip
SecurityPkg: limit verification of enrolled PK in setup mode
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506 Per UEFI spec, enrolling a new PK in setup mode should not require a self-signature. Introduce a feature PCD called PcdRequireSelfSignedPk to control this requirement. Default to TRUE in order to preserve the legacy behavior. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Min Xu <min.m.xu@intel.com> Co-authored-by: Matthew Carlson <macarl@microsoft.com> Signed-off-by: Jan Bobek <jbobek@nvidia.com> Reviewed-by: Sean Brogan <sean.brogan@microsoft.com> Acked-by: Jiewen Yao <jiewen.yao@intel.com>
-rw-r--r--SecurityPkg/Library/AuthVariableLib/AuthService.c9
-rw-r--r--SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf3
-rw-r--r--SecurityPkg/SecurityPkg.dec7
3 files changed, 17 insertions, 2 deletions
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 9beeca09ae..452ed491ea 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -603,7 +603,10 @@ ProcessVarWithPk (
// Init state of Del. State may change due to secure check
//
Del = FALSE;
- if ((InCustomMode () && UserPhysicalPresent ()) || ((mPlatformMode == SETUP_MODE) && !IsPk)) {
+ if ( (InCustomMode () && UserPhysicalPresent ())
+ || ( (mPlatformMode == SETUP_MODE)
+ && !(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk)))
+ {
Payload = (UINT8 *)Data + AUTHINFO2_SIZE (Data);
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
if (PayloadSize == 0) {
@@ -627,7 +630,9 @@ ProcessVarWithPk (
return Status;
}
- if ((mPlatformMode != SETUP_MODE) || IsPk) {
+ if ( (mPlatformMode != SETUP_MODE)
+ || (FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk))
+ {
Status = VendorKeyIsModified ();
}
} else if (mPlatformMode == USER_MODE) {
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
index 8eadeebceb..e5985c5f8b 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -86,3 +86,6 @@
gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
gEfiCertPkcs7Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
+
+[FeaturePcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 8257f11d17..d3b7ad7ff6 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -580,5 +580,12 @@
## This PCD records LASA field in CC EVENTLOG ACPI table.
gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x00010026
+[PcdsFeatureFlag]
+ ## Indicates if the platform requires PK to be self-signed when setting the PK in setup mode.
+ # TRUE - Require PK to be self-signed.
+ # FALSE - Do not require PK to be self-signed.
+ # @Prompt Require PK to be self-signed
+ gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE|BOOLEAN|0x00010027
+
[UserExtensions.TianoCore."ExtraFiles"]
SecurityPkgExtra.uni