diff options
| author | Jan Bobek <jbobek@nvidia.com> | 2023-01-21 06:58:32 +0800 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2023-02-04 11:53:59 +0000 |
| commit | 566cdfc675fa0da486af34cb12cb5f2e01578a5c (patch) | |
| tree | d41f99b37ed53b32eedb4f8dfaae3914adc15441 /SecurityPkg/Library | |
| parent | 7c138e400862a3a742489ca6f21d31afa9a3dd8a (diff) | |
| download | edk2-566cdfc675fa0da486af34cb12cb5f2e01578a5c.zip edk2-566cdfc675fa0da486af34cb12cb5f2e01578a5c.tar.gz edk2-566cdfc675fa0da486af34cb12cb5f2e01578a5c.tar.bz2 | |
SecurityPkg: limit verification of enrolled PK in setup mode
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506
Per UEFI spec, enrolling a new PK in setup mode should not require a
self-signature. Introduce a feature PCD called PcdRequireSelfSignedPk
to control this requirement. Default to TRUE in order to preserve the
legacy behavior.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Co-authored-by: Matthew Carlson <macarl@microsoft.com>
Signed-off-by: Jan Bobek <jbobek@nvidia.com>
Reviewed-by: Sean Brogan <sean.brogan@microsoft.com>
Acked-by: Jiewen Yao <jiewen.yao@intel.com>
Diffstat (limited to 'SecurityPkg/Library')
| -rw-r--r-- | SecurityPkg/Library/AuthVariableLib/AuthService.c | 9 | ||||
| -rw-r--r-- | SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 3 |
2 files changed, 10 insertions, 2 deletions
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 9beeca0..452ed49 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -603,7 +603,10 @@ ProcessVarWithPk ( // Init state of Del. State may change due to secure check
//
Del = FALSE;
- if ((InCustomMode () && UserPhysicalPresent ()) || ((mPlatformMode == SETUP_MODE) && !IsPk)) {
+ if ( (InCustomMode () && UserPhysicalPresent ())
+ || ( (mPlatformMode == SETUP_MODE)
+ && !(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk)))
+ {
Payload = (UINT8 *)Data + AUTHINFO2_SIZE (Data);
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
if (PayloadSize == 0) {
@@ -627,7 +630,9 @@ ProcessVarWithPk ( return Status;
}
- if ((mPlatformMode != SETUP_MODE) || IsPk) {
+ if ( (mPlatformMode != SETUP_MODE)
+ || (FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk))
+ {
Status = VendorKeyIsModified ();
}
} else if (mPlatformMode == USER_MODE) {
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf index 8eadeeb..e5985c5 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf @@ -86,3 +86,6 @@ gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
gEfiCertPkcs7Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
+
+[FeaturePcd]
+ gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk
|