author | Laszlo Ersek <lersek@redhat.com> | 2019-04-25 22:19:36 +0200 |
committer | Laszlo Ersek <lersek@redhat.com> | 2019-04-30 14:26:43 +0200 |
commit | c9727ff1df0d45fb4a18212292f5b07288e48d22 (patch) | |
tree | 925d63af5e1256bfefd1c115a654cb96ece38440 /OvmfPkg | |
parent | 86bf2672a35a6a86f99add1ff976d590896dcbdd (diff) | |
OvmfPkg/EnrollDefaultKeys: document the steps of the entry point function
The entry point function of EnrollDefaultKeys finishes with a sanity
check, verifying the values of the Secure Boot-related "control"
variables. Add a diagram to explain why we expect the values we do.
While at it, write comments on the rest of the entry point function.
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Gary Lin <glin@suse.com>
Diffstat (limited to 'OvmfPkg')
-rw-r--r-- | OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index 07297c631f..9c4a0f06fb 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -361,6 +361,9 @@ ShellAppMain (
EFI_STATUS Status;
SETTINGS Settings;
+ //
+ // If we're not in Setup Mode, we can't do anything.
+ //
Status = GetSettings (&Settings);
if (EFI_ERROR (Status)) {
return 1;
@@ -372,6 +375,10 @@ ShellAppMain (
return 1;
}
+ //
+ // Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signature
+ // checks on those variable writes.
+ //
if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
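Review bot: The comment added at the top of this hunk explains why Custom Mode is entered, but it does not say that every `return 1;` in the four EnrollListOfCerts hunks that follow exits before the STANDARD_SECURE_BOOT_MODE restore later in the function, so a failed enrollment leaves CustomMode at CUSTOM_SECURE_BOOT_MODE. The restore write visible further down passes EFI_VARIABLE_NON_VOLATILE, so the write started on the last line here presumably does too and that state would persist across reboots — the attribute argument is outside this hunk, so confirm. Suggest extending the comment with `// Note: if any enrollment step below fails, we return without restoring STANDARD_SECURE_BOOT_MODE, so CustomMode stays set.` ShellAppMain begins and ends outside this hunk, and the SetVariable call on its last line continues past it.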
@@ -385,6 +392,9 @@ ShellAppMain (
}
}
+ //
+ // Enroll db.
+ //
Status = EnrollListOfCerts (
EFI_IMAGE_SECURITY_DATABASE,
&gEfiImageSecurityDatabaseGuid,
@@ -396,6 +406,9 @@ ShellAppMain (
return 1;
}
+ //
+ // Enroll dbx.
+ //
Status = EnrollListOfCerts (
EFI_IMAGE_SECURITY_DATABASE1,
&gEfiImageSecurityDatabaseGuid,
@@ -406,6 +419,9 @@ ShellAppMain (
return 1;
}
+ //
+ // Enroll KEK.
+ //
Status = EnrollListOfCerts (
EFI_KEY_EXCHANGE_KEY_NAME,
&gEfiGlobalVariableGuid,
@@ -417,6 +433,9 @@ ShellAppMain (
return 1;
}
+ //
+ // Enroll PK, leaving Setup Mode (entering User Mode) at once.
+ //
Status = EnrollListOfCerts (
EFI_PLATFORM_KEY_NAME,
&gEfiGlobalVariableGuid,
@@ -427,6 +446,10 @@ ShellAppMain (
return 1;
}
+ //
+ // Leave Custom Mode, so that updates to PK, KEK, db, and dbx require valid
+ // signatures.
+ //
Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
@@ -437,6 +460,37 @@ ShellAppMain (
return 1;
}
+ //
+ // Final sanity check:
+ //
+ // [SetupMode]
+ // (read-only, standardized by UEFI)
+ // / \_
+ // 0 1, default
+ // / \_
+ // PK enrolled no PK enrolled yet,
+ // (this is called "User Mode") PK enrollment possible
+ // |
+ // |
+ // [SecureBootEnable]
+ // (read-write, edk2-specific, boot service only)
+ // / \_
+ // 0 1, default
+ // / \_
+ // [SecureBoot]=0 [SecureBoot]=1
+ // (read-only, standardized by UEFI) (read-only, standardized by UEFI)
+ // images are not verified images are verified, platform is
+ // operating in Secure Boot mode
+ // |
+ // |
+ // [CustomMode]
+ // (read-write, edk2-specific, boot service only)
+ // / \_
+ // 0, default 1
+ // / \_
+ // PK, KEK, db, dbx PK, KEK, db, dbx
+ // updates are verified updates are not verified
+ //
Status = GetSettings (&Settings);
if (EFI_ERROR (Status)) {
return 1;