diff options
author | Laszlo Ersek <lersek@redhat.com> | 2019-04-25 21:49:38 +0200 |
---|---|---|
committer | Laszlo Ersek <lersek@redhat.com> | 2019-04-30 14:26:40 +0200 |
commit | 7eeaa7585a98dafbc1523423f77185b4dd031393 (patch) | |
tree | 5ee234f974c30fb761d62de605791f25cd8d67f7 /OvmfPkg/Include | |
parent | a79b115adeab638feeedde2f3d3dcb141e4b445b (diff) | |
download | edk2-7eeaa7585a98dafbc1523423f77185b4dd031393.tar.gz edk2-7eeaa7585a98dafbc1523423f77185b4dd031393.tar.bz2 edk2-7eeaa7585a98dafbc1523423f77185b4dd031393.zip |
OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
The GUID
77FA9ABD-0359-4D32-BD60-28F4E78F784B
is specified in MSDN, at
<https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>, therefore it
deserves an entry in the package DEC file, and a header file under
"Include/Guid".
(Arguably, this GUID declaration / definition could even live under
SecurityPkg, but the edk2 tradition has been to hoist GUIDs,
protocols/PPIs, and lib classes from OvmfPkg to a core package only when
dependent C code is added to the core package.)
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Gary Lin <glin@suse.com>
Diffstat (limited to 'OvmfPkg/Include')
-rw-r--r-- | OvmfPkg/Include/Guid/MicrosoftVendor.h | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/OvmfPkg/Include/Guid/MicrosoftVendor.h b/OvmfPkg/Include/Guid/MicrosoftVendor.h new file mode 100644 index 0000000000..db7a326c31 --- /dev/null +++ b/OvmfPkg/Include/Guid/MicrosoftVendor.h @@ -0,0 +1,55 @@ +/** @file
+ Declare the GUID that is expected:
+
+ - as EFI_SIGNATURE_DATA.SignatureOwner GUID in association with X509 and
+ RSA2048 Secure Boot certificates issued by/for Microsoft,
+
+ - as UEFI variable vendor GUID in association with (unspecified)
+ Microsoft-owned variables.
+
+ Copyright (C) 2014-2019, Red Hat, Inc.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Specification Reference:
+ - MSDN: System.Fundamentals.Firmware at
+ <https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>.
+**/
+
+#ifndef MICROSOFT_VENDOR_H_
+#define MICROSOFT_VENDOR_H_
+
+#include <Uefi/UefiBaseType.h>
+
+//
+// The following test cases of the Secure Boot Logo Test in the Microsoft
+// Hardware Certification Kit:
+//
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
+//
+// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
+// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
+// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
+// certificates:
+//
+// - "Microsoft Corporation KEK CA 2011" (in KEK)
+// - "Microsoft Windows Production PCA 2011" (in db)
+// - "Microsoft Corporation UEFI CA 2011" (in db)
+//
+// This is despite the fact that the UEFI specification requires
+// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
+// application or driver) that enrolled and therefore owns
+// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
+// EFI_SIGNATURE_DATA.SignatureData.
+//
+#define MICROSOFT_VENDOR_GUID \
+ { 0x77fa9abd, \
+ 0x0359, \
+ 0x4d32, \
+ { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, \
+ }
+
+extern EFI_GUID gMicrosoftVendorGuid;
+
+#endif /* MICROSOFT_VENDOR_H_ */
|