mirror of https://github.com/acidanthera/audk.git
OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID
The GUID 77FA9ABD-0359-4D32-BD60-28F4E78F784B is specified in MSDN, at <https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>, therefore it deserves an entry in the package DEC file, and a header file under "Include/Guid". (Arguably, this GUID declaration / definition could even live under SecurityPkg, but the edk2 tradition has been to hoist GUIDs, protocols/PPIs, and lib classes from OvmfPkg to a core package only when dependent C code is added to the core package.) Cc: Anthony Perard <anthony.perard@citrix.com> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Jordan Justen <jordan.l.justen@intel.com> Cc: Julien Grall <julien.grall@arm.com> Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com> Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Reviewed-by: Gary Lin <glin@suse.com>
This commit is contained in:
parent
a79b115ade
commit
7eeaa7585a
|
@ -523,31 +523,3 @@ CONST UINT8 mSha256OfDevNull[] = {
|
||||||
};
|
};
|
||||||
|
|
||||||
CONST UINTN mSizeOfSha256OfDevNull = sizeof mSha256OfDevNull;
|
CONST UINTN mSizeOfSha256OfDevNull = sizeof mSha256OfDevNull;
|
||||||
|
|
||||||
|
|
||||||
//
|
|
||||||
// The following test cases of the Secure Boot Logo Test in the Microsoft
|
|
||||||
// Hardware Certification Kit:
|
|
||||||
//
|
|
||||||
// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
|
|
||||||
// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
|
|
||||||
//
|
|
||||||
// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
|
|
||||||
// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
|
|
||||||
// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
|
|
||||||
// certificates:
|
|
||||||
//
|
|
||||||
// - "Microsoft Corporation KEK CA 2011" (in KEK)
|
|
||||||
// - "Microsoft Windows Production PCA 2011" (in db)
|
|
||||||
// - "Microsoft Corporation UEFI CA 2011" (in db)
|
|
||||||
//
|
|
||||||
// This is despite the fact that the UEFI specification requires
|
|
||||||
// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
|
|
||||||
// application or driver) that enrolled and therefore owns
|
|
||||||
// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
|
|
||||||
// EFI_SIGNATURE_DATA.SignatureData.
|
|
||||||
//
|
|
||||||
CONST EFI_GUID mMicrosoftOwnerGuid = {
|
|
||||||
0x77fa9abd, 0x0359, 0x4d32,
|
|
||||||
{ 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
|
|
||||||
};
|
|
||||||
|
|
|
@ -8,6 +8,7 @@
|
||||||
#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
|
#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
|
||||||
#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
|
#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
|
||||||
#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
|
#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
|
||||||
|
#include <Guid/MicrosoftVendor.h> // gMicrosoftVendorGuid
|
||||||
#include <Library/BaseMemoryLib.h> // CopyGuid()
|
#include <Library/BaseMemoryLib.h> // CopyGuid()
|
||||||
#include <Library/DebugLib.h> // ASSERT()
|
#include <Library/DebugLib.h> // ASSERT()
|
||||||
#include <Library/MemoryAllocationLib.h> // FreePool()
|
#include <Library/MemoryAllocationLib.h> // FreePool()
|
||||||
|
@ -315,8 +316,8 @@ ShellAppMain (
|
||||||
EFI_IMAGE_SECURITY_DATABASE,
|
EFI_IMAGE_SECURITY_DATABASE,
|
||||||
&gEfiImageSecurityDatabaseGuid,
|
&gEfiImageSecurityDatabaseGuid,
|
||||||
&gEfiCertX509Guid,
|
&gEfiCertX509Guid,
|
||||||
mMicrosoftPca, mSizeOfMicrosoftPca, &mMicrosoftOwnerGuid,
|
mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGuid,
|
||||||
mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &mMicrosoftOwnerGuid,
|
mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,
|
||||||
NULL);
|
NULL);
|
||||||
if (EFI_ERROR (Status)) {
|
if (EFI_ERROR (Status)) {
|
||||||
return 1;
|
return 1;
|
||||||
|
@ -337,7 +338,7 @@ ShellAppMain (
|
||||||
&gEfiGlobalVariableGuid,
|
&gEfiGlobalVariableGuid,
|
||||||
&gEfiCertX509Guid,
|
&gEfiCertX509Guid,
|
||||||
mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
|
mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
|
||||||
mMicrosoftKek, mSizeOfMicrosoftKek, &mMicrosoftOwnerGuid,
|
mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
|
||||||
NULL);
|
NULL);
|
||||||
if (EFI_ERROR (Status)) {
|
if (EFI_ERROR (Status)) {
|
||||||
return 1;
|
return 1;
|
||||||
|
|
|
@ -138,6 +138,4 @@ extern CONST UINTN mSizeOfMicrosoftUefiCa;
|
||||||
extern CONST UINT8 mSha256OfDevNull[];
|
extern CONST UINT8 mSha256OfDevNull[];
|
||||||
extern CONST UINTN mSizeOfSha256OfDevNull;
|
extern CONST UINTN mSizeOfSha256OfDevNull;
|
||||||
|
|
||||||
extern CONST EFI_GUID mMicrosoftOwnerGuid;
|
|
||||||
|
|
||||||
#endif /* ENROLL_DEFAULT_KEYS_H_ */
|
#endif /* ENROLL_DEFAULT_KEYS_H_ */
|
||||||
|
|
|
@ -22,6 +22,7 @@
|
||||||
[Packages]
|
[Packages]
|
||||||
MdeModulePkg/MdeModulePkg.dec
|
MdeModulePkg/MdeModulePkg.dec
|
||||||
MdePkg/MdePkg.dec
|
MdePkg/MdePkg.dec
|
||||||
|
OvmfPkg/OvmfPkg.dec
|
||||||
SecurityPkg/SecurityPkg.dec
|
SecurityPkg/SecurityPkg.dec
|
||||||
ShellPkg/ShellPkg.dec
|
ShellPkg/ShellPkg.dec
|
||||||
|
|
||||||
|
@ -33,6 +34,7 @@
|
||||||
gEfiGlobalVariableGuid
|
gEfiGlobalVariableGuid
|
||||||
gEfiImageSecurityDatabaseGuid
|
gEfiImageSecurityDatabaseGuid
|
||||||
gEfiSecureBootEnableDisableGuid
|
gEfiSecureBootEnableDisableGuid
|
||||||
|
gMicrosoftVendorGuid
|
||||||
|
|
||||||
[LibraryClasses]
|
[LibraryClasses]
|
||||||
BaseMemoryLib
|
BaseMemoryLib
|
||||||
|
|
|
@ -0,0 +1,55 @@
|
||||||
|
/** @file
|
||||||
|
Declare the GUID that is expected:
|
||||||
|
|
||||||
|
- as EFI_SIGNATURE_DATA.SignatureOwner GUID in association with X509 and
|
||||||
|
RSA2048 Secure Boot certificates issued by/for Microsoft,
|
||||||
|
|
||||||
|
- as UEFI variable vendor GUID in association with (unspecified)
|
||||||
|
Microsoft-owned variables.
|
||||||
|
|
||||||
|
Copyright (C) 2014-2019, Red Hat, Inc.
|
||||||
|
|
||||||
|
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||||
|
|
||||||
|
@par Specification Reference:
|
||||||
|
- MSDN: System.Fundamentals.Firmware at
|
||||||
|
<https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)>.
|
||||||
|
**/
|
||||||
|
|
||||||
|
#ifndef MICROSOFT_VENDOR_H_
|
||||||
|
#define MICROSOFT_VENDOR_H_
|
||||||
|
|
||||||
|
#include <Uefi/UefiBaseType.h>
|
||||||
|
|
||||||
|
//
|
||||||
|
// The following test cases of the Secure Boot Logo Test in the Microsoft
|
||||||
|
// Hardware Certification Kit:
|
||||||
|
//
|
||||||
|
// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
|
||||||
|
// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
|
||||||
|
//
|
||||||
|
// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
|
||||||
|
// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
|
||||||
|
// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
|
||||||
|
// certificates:
|
||||||
|
//
|
||||||
|
// - "Microsoft Corporation KEK CA 2011" (in KEK)
|
||||||
|
// - "Microsoft Windows Production PCA 2011" (in db)
|
||||||
|
// - "Microsoft Corporation UEFI CA 2011" (in db)
|
||||||
|
//
|
||||||
|
// This is despite the fact that the UEFI specification requires
|
||||||
|
// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
|
||||||
|
// application or driver) that enrolled and therefore owns
|
||||||
|
// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
|
||||||
|
// EFI_SIGNATURE_DATA.SignatureData.
|
||||||
|
//
|
||||||
|
#define MICROSOFT_VENDOR_GUID \
|
||||||
|
{ 0x77fa9abd, \
|
||||||
|
0x0359, \
|
||||||
|
0x4d32, \
|
||||||
|
{ 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, \
|
||||||
|
}
|
||||||
|
|
||||||
|
extern EFI_GUID gMicrosoftVendorGuid;
|
||||||
|
|
||||||
|
#endif /* MICROSOFT_VENDOR_H_ */
|
|
@ -77,6 +77,7 @@
|
||||||
gQemuRamfbGuid = {0x557423a1, 0x63ab, 0x406c, {0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}}
|
gQemuRamfbGuid = {0x557423a1, 0x63ab, 0x406c, {0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}}
|
||||||
gXenBusRootDeviceGuid = {0xa732241f, 0x383d, 0x4d9c, {0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}}
|
gXenBusRootDeviceGuid = {0xa732241f, 0x383d, 0x4d9c, {0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}}
|
||||||
gRootBridgesConnectedEventGroupGuid = {0x24a2d66f, 0xeedd, 0x4086, {0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}}
|
gRootBridgesConnectedEventGroupGuid = {0x24a2d66f, 0xeedd, 0x4086, {0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}}
|
||||||
|
gMicrosoftVendorGuid = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}}
|
||||||
|
|
||||||
[Protocols]
|
[Protocols]
|
||||||
gVirtioDeviceProtocolGuid = {0xfa920010, 0x6785, 0x4941, {0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}}
|
gVirtioDeviceProtocolGuid = {0xfa920010, 0x6785, 0x4941, {0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}}
|
||||||
|
|
Loading…
Reference in New Issue