OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID

The GUID

  77FA9ABD-0359-4D32-BD60-28F4E78F784B

is specified in MSDN, at
<https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>, therefore it
deserves an entry in the package DEC file, and a header file under
"Include/Guid".

(Arguably, this GUID declaration / definition could even live under
SecurityPkg, but the edk2 tradition has been to hoist GUIDs,
protocols/PPIs, and lib classes from OvmfPkg to a core package only when
dependent C code is added to the core package.)

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Gary Lin <glin@suse.com>
This commit is contained in:
Laszlo Ersek 2019-04-25 21:49:38 +02:00
parent a79b115ade
commit 7eeaa7585a
6 changed files with 62 additions and 33 deletions

View File

@ -523,31 +523,3 @@ CONST UINT8 mSha256OfDevNull[] = {
}; };
CONST UINTN mSizeOfSha256OfDevNull = sizeof mSha256OfDevNull; CONST UINTN mSizeOfSha256OfDevNull = sizeof mSha256OfDevNull;
//
// The following test cases of the Secure Boot Logo Test in the Microsoft
// Hardware Certification Kit:
//
// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
//
// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
// certificates:
//
// - "Microsoft Corporation KEK CA 2011" (in KEK)
// - "Microsoft Windows Production PCA 2011" (in db)
// - "Microsoft Corporation UEFI CA 2011" (in db)
//
// This is despite the fact that the UEFI specification requires
// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
// application or driver) that enrolled and therefore owns
// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
// EFI_SIGNATURE_DATA.SignatureData.
//
CONST EFI_GUID mMicrosoftOwnerGuid = {
0x77fa9abd, 0x0359, 0x4d32,
{ 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
};

View File

@ -8,6 +8,7 @@
#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid #include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME #include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE #include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
#include <Guid/MicrosoftVendor.h> // gMicrosoftVendorGuid
#include <Library/BaseMemoryLib.h> // CopyGuid() #include <Library/BaseMemoryLib.h> // CopyGuid()
#include <Library/DebugLib.h> // ASSERT() #include <Library/DebugLib.h> // ASSERT()
#include <Library/MemoryAllocationLib.h> // FreePool() #include <Library/MemoryAllocationLib.h> // FreePool()
@ -315,8 +316,8 @@ ShellAppMain (
EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURITY_DATABASE,
&gEfiImageSecurityDatabaseGuid, &gEfiImageSecurityDatabaseGuid,
&gEfiCertX509Guid, &gEfiCertX509Guid,
mMicrosoftPca, mSizeOfMicrosoftPca, &mMicrosoftOwnerGuid, mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGuid,
mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &mMicrosoftOwnerGuid, mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,
NULL); NULL);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
return 1; return 1;
@ -337,7 +338,7 @@ ShellAppMain (
&gEfiGlobalVariableGuid, &gEfiGlobalVariableGuid,
&gEfiCertX509Guid, &gEfiCertX509Guid,
mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid, mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
mMicrosoftKek, mSizeOfMicrosoftKek, &mMicrosoftOwnerGuid, mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
NULL); NULL);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
return 1; return 1;

View File

@ -138,6 +138,4 @@ extern CONST UINTN mSizeOfMicrosoftUefiCa;
extern CONST UINT8 mSha256OfDevNull[]; extern CONST UINT8 mSha256OfDevNull[];
extern CONST UINTN mSizeOfSha256OfDevNull; extern CONST UINTN mSizeOfSha256OfDevNull;
extern CONST EFI_GUID mMicrosoftOwnerGuid;
#endif /* ENROLL_DEFAULT_KEYS_H_ */ #endif /* ENROLL_DEFAULT_KEYS_H_ */

View File

@ -22,6 +22,7 @@
[Packages] [Packages]
MdeModulePkg/MdeModulePkg.dec MdeModulePkg/MdeModulePkg.dec
MdePkg/MdePkg.dec MdePkg/MdePkg.dec
OvmfPkg/OvmfPkg.dec
SecurityPkg/SecurityPkg.dec SecurityPkg/SecurityPkg.dec
ShellPkg/ShellPkg.dec ShellPkg/ShellPkg.dec
@ -33,6 +34,7 @@
gEfiGlobalVariableGuid gEfiGlobalVariableGuid
gEfiImageSecurityDatabaseGuid gEfiImageSecurityDatabaseGuid
gEfiSecureBootEnableDisableGuid gEfiSecureBootEnableDisableGuid
gMicrosoftVendorGuid
[LibraryClasses] [LibraryClasses]
BaseMemoryLib BaseMemoryLib

View File

@ -0,0 +1,55 @@
/** @file
Declare the GUID that is expected:
- as EFI_SIGNATURE_DATA.SignatureOwner GUID in association with X509 and
RSA2048 Secure Boot certificates issued by/for Microsoft,
- as UEFI variable vendor GUID in association with (unspecified)
Microsoft-owned variables.
Copyright (C) 2014-2019, Red Hat, Inc.
SPDX-License-Identifier: BSD-2-Clause-Patent
@par Specification Reference:
- MSDN: System.Fundamentals.Firmware at
<https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>.
**/
#ifndef MICROSOFT_VENDOR_H_
#define MICROSOFT_VENDOR_H_
#include <Uefi/UefiBaseType.h>
//
// The following test cases of the Secure Boot Logo Test in the Microsoft
// Hardware Certification Kit:
//
// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
//
// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
// certificates:
//
// - "Microsoft Corporation KEK CA 2011" (in KEK)
// - "Microsoft Windows Production PCA 2011" (in db)
// - "Microsoft Corporation UEFI CA 2011" (in db)
//
// This is despite the fact that the UEFI specification requires
// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
// application or driver) that enrolled and therefore owns
// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
// EFI_SIGNATURE_DATA.SignatureData.
//
#define MICROSOFT_VENDOR_GUID \
{ 0x77fa9abd, \
0x0359, \
0x4d32, \
{ 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, \
}
extern EFI_GUID gMicrosoftVendorGuid;
#endif /* MICROSOFT_VENDOR_H_ */

View File

@ -77,6 +77,7 @@
gQemuRamfbGuid = {0x557423a1, 0x63ab, 0x406c, {0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}} gQemuRamfbGuid = {0x557423a1, 0x63ab, 0x406c, {0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}}
gXenBusRootDeviceGuid = {0xa732241f, 0x383d, 0x4d9c, {0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}} gXenBusRootDeviceGuid = {0xa732241f, 0x383d, 0x4d9c, {0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}}
gRootBridgesConnectedEventGroupGuid = {0x24a2d66f, 0xeedd, 0x4086, {0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}} gRootBridgesConnectedEventGroupGuid = {0x24a2d66f, 0xeedd, 0x4086, {0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}}
gMicrosoftVendorGuid = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}}
[Protocols] [Protocols]
gVirtioDeviceProtocolGuid = {0xfa920010, 0x6785, 0x4941, {0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}} gVirtioDeviceProtocolGuid = {0xfa920010, 0x6785, 0x4941, {0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}}