OvmfPkg/EnrollDefaultKeys: document the steps of the entry point function

The entry point function of EnrollDefaultKeys finishes with a sanity check, verifying the values of the Secure Boot-related "control" variables. Add a diagram to explain why we expect the values we do. While at it, write comments on the rest of the entry point function. Cc: Anthony Perard <anthony.perard@citrix.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Julien Grall <julien.grall@arm.com> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com> Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Gary Lin <glin@suse.com>
author: Laszlo Ersek <lersek@redhat.com> 2019-04-25 22:19:36 +0200
committer: Laszlo Ersek <lersek@redhat.com> 2019-04-30 14:26:43 +0200
commit: c9727ff1df0d45fb4a18212292f5b07288e48d22 (patch)
tree: 925d63af5e1256bfefd1c115a654cb96ece38440 /OvmfPkg/EnrollDefaultKeys
parent: 86bf2672a35a6a86f99add1ff976d590896dcbdd (diff)
download: edk2-c9727ff1df0d45fb4a18212292f5b07288e48d22.tar.gz
edk2-c9727ff1df0d45fb4a18212292f5b07288e48d22.tar.bz2
edk2-c9727ff1df0d45fb4a18212292f5b07288e48d22.zip
1 files changed, 54 insertions, 0 deletions
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index 07297c631f..9c4a0f06fb 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -361,6 +361,9 @@ ShellAppMain (
   EFI_STATUS Status;
   SETTINGS   Settings;
 
+  //
+  // If we're not in Setup Mode, we can't do anything.
+  //
   Status = GetSettings (&Settings);
   if (EFI_ERROR (Status)) {
     return 1;
@@ -372,6 +375,10 @@ ShellAppMain (
     return 1;
   }
 
+  //
+  // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signature
+  // checks on those variable writes.
+  //
   if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
     Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
     Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
@@ -385,6 +392,9 @@ ShellAppMain (
     }
   }
 
+  //
+  // Enroll db.
+  //
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE,
              &gEfiImageSecurityDatabaseGuid,
@@ -396,6 +406,9 @@ ShellAppMain (
     return 1;
   }
 
+  //
+  // Enroll dbx.
+  //
   Status = EnrollListOfCerts (
              EFI_IMAGE_SECURITY_DATABASE1,
              &gEfiImageSecurityDatabaseGuid,
@@ -406,6 +419,9 @@ ShellAppMain (
     return 1;
   }
 
+  //
+  // Enroll KEK.
+  //
   Status = EnrollListOfCerts (
              EFI_KEY_EXCHANGE_KEY_NAME,
              &gEfiGlobalVariableGuid,
@@ -417,6 +433,9 @@ ShellAppMain (
     return 1;
   }
 
+  //
+  // Enroll PK, leaving Setup Mode (entering User Mode) at once.
+  //
   Status = EnrollListOfCerts (
              EFI_PLATFORM_KEY_NAME,
              &gEfiGlobalVariableGuid,
@@ -427,6 +446,10 @@ ShellAppMain (
     return 1;
   }
 
+  //
+  // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require valid
+  // signatures.
+  //
   Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
   Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
                   EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
@@ -437,6 +460,37 @@ ShellAppMain (
     return 1;
   }
 
+  //
+  // Final sanity check:
+  //
+  //                                 [SetupMode]
+  //                        (read-only, standardized by UEFI)
+  //                                /                \_
+  //                               0               1, default
+  //                              /                    \_
+  //                      PK enrolled                   no PK enrolled yet,
+  //              (this is called "User Mode")          PK enrollment possible
+  //                             |
+  //                             |
+  //                     [SecureBootEnable]
+  //         (read-write, edk2-specific, boot service only)
+  //                /                           \_
+  //               0                         1, default
+  //              /                               \_
+  //       [SecureBoot]=0                     [SecureBoot]=1
+  // (read-only, standardized by UEFI)  (read-only, standardized by UEFI)
+  //     images are not verified         images are verified, platform is
+  //                                      operating in Secure Boot mode
+  //                                                 |
+  //                                                 |
+  //                                           [CustomMode]
+  //                          (read-write, edk2-specific, boot service only)
+  //                                /                           \_
+  //                          0, default                         1
+  //                              /                               \_
+  //                      PK, KEK, db, dbx                PK, KEK, db, dbx
+  //                    updates are verified          updates are not verified
+  //
   Status = GetSettings (&Settings);
   if (EFI_ERROR (Status)) {
     return 1;
author	Laszlo Ersek <lersek@redhat.com>	2019-04-25 22:19:36 +0200
committer	Laszlo Ersek <lersek@redhat.com>	2019-04-30 14:26:43 +0200
commit	c9727ff1df0d45fb4a18212292f5b07288e48d22 (patch)
tree	925d63af5e1256bfefd1c115a654cb96ece38440 /OvmfPkg/EnrollDefaultKeys
parent	86bf2672a35a6a86f99add1ff976d590896dcbdd (diff)
download	edk2-c9727ff1df0d45fb4a18212292f5b07288e48d22.tar.gz edk2-c9727ff1df0d45fb4a18212292f5b07288e48d22.tar.bz2 edk2-c9727ff1df0d45fb4a18212292f5b07288e48d22.zip