File ovmf-embed-default-keys.patch of Package ovmf.17512
From 9263239b037b71f81b14ac86746dafd582527b98 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 10 May 2013 10:27:51 +0800
Subject: [PATCH 1/5] Add a stub to allow keys to be embedded at build time
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
.../Library/AuthVariableLib/AuthVariableLib.c | 180 ++++++++++++++++++
.../AuthVariableLib/AuthVariableLib.inf | 4 +
.../Library/AuthVariableLib/Default_DB.h | 2 +
.../Library/AuthVariableLib/Default_DBX.h | 2 +
.../Library/AuthVariableLib/Default_KEK.h | 2 +
.../Library/AuthVariableLib/Default_PK.h | 2 +
6 files changed, 192 insertions(+)
create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB.h
create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DBX.h
create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_KEK.h
create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_PK.h
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index 00917eb37436..a7a46fc648ea 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -23,6 +23,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "AuthServiceInternal.h"
+#include "Default_PK.h"
+#include "Default_KEK.h"
+#include "Default_DB.h"
+#include "Default_DBX.h"
///
/// Global database array for scratch
@@ -131,6 +135,11 @@ AuthVariableLibInitialize (
UINT8 SecureBootEnable;
UINT8 CustomMode;
UINT32 ListSize;
+ EFI_SIGNATURE_LIST *SigCert;
+ EFI_SIGNATURE_DATA *SigCertData;
+ UINTN SigSize;
+ EFI_GUID *SignatureGUID;
+ UINT32 Attr;
if ((AuthVarLibContextIn == NULL) || (AuthVarLibContextOut == NULL)) {
return EFI_INVALID_PARAMETER;
@@ -147,6 +156,177 @@ AuthVariableLibInitialize (
return EFI_OUT_OF_RESOURCES;
}
+ //****
+ // Create signature list for PK KEK DB
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
+
+ // PK
+ if (Default_PK == NULL)
+ goto SKIP_KEYS;
+
+ Status = AuthServiceInternalFindVariable (
+ EFI_PLATFORM_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ (VOID **) &Data,
+ &DataSize
+ );
+ if (Status == EFI_NOT_FOUND) {
+ SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+ if (SignatureGUID == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len;
+ Data = AllocateZeroPool (SigSize);
+ if (Data == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigCert = (EFI_SIGNATURE_LIST*) Data;
+ SigCert->SignatureListSize = (UINT32) SigSize;
+ SigCert->SignatureHeaderSize = 0;
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len);
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len);
+
+ Status = AuthServiceInternalUpdateVariable (
+ EFI_PLATFORM_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ Data,
+ SigSize,
+ Attr
+ );
+ FreePool(SignatureGUID);
+ FreePool(Data);
+
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ // KEK
+ if (Default_KEK == NULL)
+ goto SKIP_KEYS;
+
+ Status = AuthServiceInternalFindVariable (
+ EFI_KEY_EXCHANGE_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ (VOID **) &Data,
+ &DataSize
+ );
+ if (Status == EFI_NOT_FOUND) {
+ SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+ if (SignatureGUID == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len;
+ Data = AllocateZeroPool (SigSize);
+ if (Data == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigCert = (EFI_SIGNATURE_LIST*) Data;
+ SigCert->SignatureListSize = (UINT32) SigSize;
+ SigCert->SignatureHeaderSize = 0;
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len);
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len);
+
+ Status = AuthServiceInternalUpdateVariable (
+ EFI_KEY_EXCHANGE_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ Data,
+ SigSize,
+ Attr
+ );
+ FreePool(SignatureGUID);
+ FreePool(Data);
+
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ // DB
+ if (Default_DB == NULL)
+ goto SKIP_KEYS;
+
+ Status = AuthServiceInternalFindVariable (
+ EFI_IMAGE_SECURITY_DATABASE,
+ &gEfiImageSecurityDatabaseGuid,
+ (VOID **) &Data,
+ &DataSize
+ );
+ if (Status == EFI_NOT_FOUND) {
+ SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+ if (SignatureGUID == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
+ Data = AllocateZeroPool (SigSize);
+ if (Data == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigCert = (EFI_SIGNATURE_LIST*) Data;
+ SigCert->SignatureListSize = (UINT32) SigSize;
+ SigCert->SignatureHeaderSize = 0;
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len);
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len);
+
+ Status = AuthServiceInternalUpdateVariable (
+ EFI_IMAGE_SECURITY_DATABASE,
+ &gEfiImageSecurityDatabaseGuid,
+ Data,
+ SigSize,
+ Attr
+ );
+ FreePool(SignatureGUID);
+ FreePool(Data);
+
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ // DBX
+ if (Default_DBX == NULL)
+ goto SKIP_KEYS;
+
+ Status = AuthServiceInternalFindVariable (
+ EFI_IMAGE_SECURITY_DATABASE1,
+ &gEfiImageSecurityDatabaseGuid,
+ (VOID **) &Data,
+ &DataSize
+ );
+ if (Status == EFI_NOT_FOUND) {
+ Status = AuthServiceInternalUpdateVariable (
+ EFI_IMAGE_SECURITY_DATABASE1,
+ &gEfiImageSecurityDatabaseGuid,
+ Default_DBX,
+ Default_DBX_len,
+ Attr
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+SKIP_KEYS:
//
// Reserve runtime buffer for certificate database. The size excludes variable header and name size.
// Use EFI_CERT_DB_VOLATILE_NAME size since it is longer.
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
index 572ba4e120d2..1a46019a5f42 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -33,6 +33,10 @@ [Sources]
AuthVariableLib.c
AuthService.c
AuthServiceInternal.h
+ Default_PK.h
+ Default_KEK.h
+ Default_DB.h
+ Default_DBX.h
[Packages]
MdePkg/MdePkg.dec
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB.h b/SecurityPkg/Library/AuthVariableLib/Default_DB.h
new file mode 100644
index 000000000000..4d138942164e
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_DB.h
@@ -0,0 +1,2 @@
+unsigned char *Default_DB = NULL;
+unsigned int Default_DB_len = 0;
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DBX.h b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h
new file mode 100644
index 000000000000..5fd3cdc0f43d
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h
@@ -0,0 +1,2 @@
+unsigned char *Default_DBX = NULL;
+unsigned int Default_DBX_len = 0;
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_KEK.h b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h
new file mode 100644
index 000000000000..80883de1aeeb
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h
@@ -0,0 +1,2 @@
+unsigned char *Default_KEK = NULL;
+unsigned int Default_KEK_len = 0;
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_PK.h b/SecurityPkg/Library/AuthVariableLib/Default_PK.h
new file mode 100644
index 000000000000..23b90e45f07d
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_PK.h
@@ -0,0 +1,2 @@
+unsigned char *Default_PK = NULL;
+unsigned int Default_PK_len = 0;
--
2.19.1
From a76f3966a97f51acfb83839aa3349f7af9966466 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 15 Dec 2015 16:54:54 +0800
Subject: [PATCH 2/5] Add DB_EX to include one more DB cert
Signed-off-by: Gary Lin <glin@suse.com>
---
.../Library/AuthVariableLib/AuthVariableLib.c | 27 ++++++++++++++++---
.../Library/AuthVariableLib/Default_DB_EX.h | 2 ++
2 files changed, 25 insertions(+), 4 deletions(-)
create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index a7a46fc648ea..114f3d84c68f 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -26,6 +26,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include "Default_PK.h"
#include "Default_KEK.h"
#include "Default_DB.h"
+#include "Default_DB_EX.h"
#include "Default_DBX.h"
///
@@ -267,19 +268,25 @@ AuthVariableLibInitialize (
&DataSize
);
if (Status == EFI_NOT_FOUND) {
+ UINTN SigSize_1 = 0;
+ UINTN SigSize_2 = 0;
+
SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
if (SignatureGUID == NULL) {
return EFI_OUT_OF_RESOURCES;
}
- SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
- Data = AllocateZeroPool (SigSize);
+ SigSize_1 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
+ if (Default_DB_EX != NULL) {
+ SigSize_2 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len;
+ }
+ Data = AllocateZeroPool (SigSize_1 + SigSize_2);
if (Data == NULL) {
return EFI_OUT_OF_RESOURCES;
}
SigCert = (EFI_SIGNATURE_LIST*) Data;
- SigCert->SignatureListSize = (UINT32) SigSize;
+ SigCert->SignatureListSize = (UINT32) SigSize_1;
SigCert->SignatureHeaderSize = 0;
SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len);
CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
@@ -288,11 +295,23 @@ AuthVariableLibInitialize (
CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len);
+ if (Default_DB_EX != NULL) {
+ SigCert = (EFI_SIGNATURE_LIST*) (Data + SigSize_1);
+ SigCert->SignatureListSize = (UINT32) SigSize_2;
+ SigCert->SignatureHeaderSize = 0;
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len);
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB_EX, Default_DB_EX_len);
+ }
+
Status = AuthServiceInternalUpdateVariable (
EFI_IMAGE_SECURITY_DATABASE,
&gEfiImageSecurityDatabaseGuid,
Data,
- SigSize,
+ SigSize_1 + SigSize_2,
Attr
);
FreePool(SignatureGUID);
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h b/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h
new file mode 100644
index 000000000000..001f12506530
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h
@@ -0,0 +1,2 @@
+unsigned char *Default_DB_EX = NULL;
+unsigned int Default_DB_EX_len = 0;
--
2.19.1
From ce3429b55bc96e80e194075f0fafc5163382e422 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 28 Aug 2017 16:18:00 +0800
Subject: [PATCH 3/5] Check the length of the certificate instead of the
pointer
Since "xxd -i" may produce a valid pointer for an empty file, it's safer
to check the length of the certificate instead of the pointer.
Signed-off-by: Gary Lin <glin@suse.com>
---
.../Library/AuthVariableLib/AuthVariableLib.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index 114f3d84c68f..641823216a39 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -164,7 +164,7 @@ AuthVariableLibInitialize (
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
// PK
- if (Default_PK == NULL)
+ if (Default_PK_len == 0)
goto SKIP_KEYS;
Status = AuthServiceInternalFindVariable (
@@ -211,7 +211,7 @@ AuthVariableLibInitialize (
}
// KEK
- if (Default_KEK == NULL)
+ if (Default_KEK_len == 0)
goto SKIP_KEYS;
Status = AuthServiceInternalFindVariable (
@@ -258,7 +258,7 @@ AuthVariableLibInitialize (
}
// DB
- if (Default_DB == NULL)
+ if (Default_DB_len == 0)
goto SKIP_KEYS;
Status = AuthServiceInternalFindVariable (
@@ -277,7 +277,7 @@ AuthVariableLibInitialize (
}
SigSize_1 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
- if (Default_DB_EX != NULL) {
+ if (Default_DB_EX_len != 0) {
SigSize_2 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len;
}
Data = AllocateZeroPool (SigSize_1 + SigSize_2);
@@ -295,7 +295,7 @@ AuthVariableLibInitialize (
CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len);
- if (Default_DB_EX != NULL) {
+ if (Default_DB_EX_len != 0) {
SigCert = (EFI_SIGNATURE_LIST*) (Data + SigSize_1);
SigCert->SignatureListSize = (UINT32) SigSize_2;
SigCert->SignatureHeaderSize = 0;
@@ -323,7 +323,7 @@ AuthVariableLibInitialize (
}
// DBX
- if (Default_DBX == NULL)
+ if (Default_DBX_len == 0)
goto SKIP_KEYS;
Status = AuthServiceInternalFindVariable (
--
2.19.1
From b64d3f5128cfbee3648d04a39820584d5798700b Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 30 Nov 2018 15:31:51 +0800
Subject: [PATCH 4/5] Add the DefaultOwnerGUID
Ref: https://bugzilla.suse.com/show_bug.cgi?id=1117998
A new header file is added to set the default GUID for the signature
owner.
Signed-off-by: Gary Lin <glin@suse.com>
---
.../Library/AuthVariableLib/AuthVariableLib.c | 28 ++++---------------
.../Library/AuthVariableLib/Default_Owner.h | 1 +
2 files changed, 6 insertions(+), 23 deletions(-)
create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_Owner.h
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index 641823216a39..fc9bbd2ad392 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -28,6 +28,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include "Default_DB.h"
#include "Default_DB_EX.h"
#include "Default_DBX.h"
+#include "Default_Owner.h"
///
/// Global database array for scratch
@@ -139,7 +140,6 @@ AuthVariableLibInitialize (
EFI_SIGNATURE_LIST *SigCert;
EFI_SIGNATURE_DATA *SigCertData;
UINTN SigSize;
- EFI_GUID *SignatureGUID;
UINT32 Attr;
if ((AuthVarLibContextIn == NULL) || (AuthVarLibContextOut == NULL)) {
@@ -174,11 +174,6 @@ AuthVariableLibInitialize (
&DataSize
);
if (Status == EFI_NOT_FOUND) {
- SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
- if (SignatureGUID == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len;
Data = AllocateZeroPool (SigSize);
if (Data == NULL) {
@@ -192,7 +187,7 @@ AuthVariableLibInitialize (
CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID);
CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len);
Status = AuthServiceInternalUpdateVariable (
@@ -202,7 +197,6 @@ AuthVariableLibInitialize (
SigSize,
Attr
);
- FreePool(SignatureGUID);
FreePool(Data);
if (EFI_ERROR (Status)) {
@@ -221,11 +215,6 @@ AuthVariableLibInitialize (
&DataSize
);
if (Status == EFI_NOT_FOUND) {
- SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
- if (SignatureGUID == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len;
Data = AllocateZeroPool (SigSize);
if (Data == NULL) {
@@ -239,7 +228,7 @@ AuthVariableLibInitialize (
CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID);
CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len);
Status = AuthServiceInternalUpdateVariable (
@@ -249,7 +238,6 @@ AuthVariableLibInitialize (
SigSize,
Attr
);
- FreePool(SignatureGUID);
FreePool(Data);
if (EFI_ERROR (Status)) {
@@ -271,11 +259,6 @@ AuthVariableLibInitialize (
UINTN SigSize_1 = 0;
UINTN SigSize_2 = 0;
- SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
- if (SignatureGUID == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
SigSize_1 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
if (Default_DB_EX_len != 0) {
SigSize_2 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len;
@@ -292,7 +275,7 @@ AuthVariableLibInitialize (
CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID);
CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len);
if (Default_DB_EX_len != 0) {
@@ -303,7 +286,7 @@ AuthVariableLibInitialize (
CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID);
CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB_EX, Default_DB_EX_len);
}
@@ -314,7 +297,6 @@ AuthVariableLibInitialize (
SigSize_1 + SigSize_2,
Attr
);
- FreePool(SignatureGUID);
FreePool(Data);
if (EFI_ERROR (Status)) {
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_Owner.h b/SecurityPkg/Library/AuthVariableLib/Default_Owner.h
new file mode 100644
index 000000000000..6230ed7d9605
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_Owner.h
@@ -0,0 +1 @@
+EFI_GUID DefaultOwnerGUID = {0x00000000, 0x0000, 0x0000, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}};
--
2.19.1
From 47d96fd043c2c4b2fc21864ec669f4542a4cfc30 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 3 Dec 2018 16:02:27 +0800
Subject: [PATCH 5/5] Check VendorKeysNv before creating PK/KEK/db
Ref: https://bugzilla.suse.com/show_bug.cgi?id=1117998
We only need to create PK/KEK/db for the very first time.
Signed-off-by: Gary Lin <glin@suse.com>
---
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index fc9bbd2ad392..cea1dc7bfba5 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -158,6 +158,16 @@ AuthVariableLibInitialize (
}
//****
+ // Check VendorKeysNv and create PK/KEK/DB only for the "first boot"
+ Status = AuthServiceInternalFindVariable (
+ EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
+ &gEfiVendorKeysNvGuid,
+ (VOID **) &Data,
+ &DataSize
+ );
+ if (Status != EFI_NOT_FOUND)
+ goto SKIP_KEYS;
+
// Create signature list for PK KEK DB
Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS |
EFI_VARIABLE_BOOTSERVICE_ACCESS |
--
2.19.1
