diff options
author | Jan Bobek <jbobek@nvidia.com> | 2023-01-21 06:58:32 +0800 |
---|---|---|
committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2023-02-04 11:53:59 +0000 |
commit | 566cdfc675fa0da486af34cb12cb5f2e01578a5c (patch) | |
tree | d41f99b37ed53b32eedb4f8dfaae3914adc15441 | |
parent | 7c138e400862a3a742489ca6f21d31afa9a3dd8a (diff) | |
download | edk2-566cdfc675fa0da486af34cb12cb5f2e01578a5c.tar.gz edk2-566cdfc675fa0da486af34cb12cb5f2e01578a5c.tar.bz2 edk2-566cdfc675fa0da486af34cb12cb5f2e01578a5c.zip |
SecurityPkg: limit verification of enrolled PK in setup mode
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506
Per UEFI spec, enrolling a new PK in setup mode should not require a
self-signature. Introduce a feature PCD called PcdRequireSelfSignedPk
to control this requirement. Default to TRUE in order to preserve the
legacy behavior.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Co-authored-by: Matthew Carlson <macarl@microsoft.com>
Signed-off-by: Jan Bobek <jbobek@nvidia.com>
Reviewed-by: Sean Brogan <sean.brogan@microsoft.com>
Acked-by: Jiewen Yao <jiewen.yao@intel.com>
-rw-r--r-- | SecurityPkg/Library/AuthVariableLib/AuthService.c | 9 | ||||
-rw-r--r-- | SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 3 | ||||
-rw-r--r-- | SecurityPkg/SecurityPkg.dec | 7 |
3 files changed, 17 insertions, 2 deletions
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 9beeca09ae..452ed491ea 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -603,7 +603,10 @@ ProcessVarWithPk ( // Init state of Del. State may change due to secure check
//
Del = FALSE;
- if ((InCustomMode () && UserPhysicalPresent ()) || ((mPlatformMode == SETUP_MODE) && !IsPk)) {
+ if ( (InCustomMode () && UserPhysicalPresent ())
+ || ( (mPlatformMode == SETUP_MODE)
+ && !(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk)))
+ {
Payload = (UINT8 *)Data + AUTHINFO2_SIZE (Data);
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
if (PayloadSize == 0) {
@@ -627,7 +630,9 @@ ProcessVarWithPk ( return Status;
}
- if ((mPlatformMode != SETUP_MODE) || IsPk) {
+ if ( (mPlatformMode != SETUP_MODE)
+ || (FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk))
+ {
Status = VendorKeyIsModified ();
}
} else if (mPlatformMode == USER_MODE) {
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf index 8eadeebceb..e5985c5f8b 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf @@ -86,3 +86,6 @@ gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
gEfiCertPkcs7Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
+
+[FeaturePcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 8257f11d17..d3b7ad7ff6 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -580,5 +580,12 @@ ## This PCD records LASA field in CC EVENTLOG ACPI table.
gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x00010026
+[PcdsFeatureFlag]
+ ## Indicates if the platform requires PK to be self-signed when setting the PK in setup mode.
+ # TRUE - Require PK to be self-signed.
+ # FALSE - Do not require PK to be self-signed.
+ # @Prompt Require PK to be self-signed
+ gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE|BOOLEAN|0x00010027
+
[UserExtensions.TianoCore."ExtraFiles"]
SecurityPkgExtra.uni
|