OvmfPkg/EnrollDefaultKeys: document the steps of the entry point function

The entry point function of EnrollDefaultKeys finishes with a sanity
check, verifying the values of the Secure Boot-related "control"
variables. Add a diagram to explain why we expect the values we do.

While at it, write comments on the rest of the entry point function.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Gary Lin <glin@suse.com>
Laszlo Ersek 2019-04-25 22:19:36 +02:00
parent 86bf2672a3
commit c9727ff1df
1 changed files with 54 additions and 0 deletions


@ -361,6 +361,9 @@ ShellAppMain (
EFI_STATUS Status; EFI_STATUS Status;
SETTINGS Settings; SETTINGS Settings;
//
// If we're not in Setup Mode, we can't do anything.
//
Status = GetSettings (&Settings); Status = GetSettings (&Settings);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
return 1; return 1;
@ -372,6 +375,10 @@ ShellAppMain (
return 1; return 1;
} }
//
// Enter Custom Mode so we can enroll PK, KEK, db, and dbx without signature
// checks on those variable writes.
//
if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) { if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {
Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE; Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;
Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
@ -385,6 +392,9 @@ ShellAppMain (
} }
} }
//
// Enroll db.
//
Status = EnrollListOfCerts ( Status = EnrollListOfCerts (
EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURITY_DATABASE,
&gEfiImageSecurityDatabaseGuid, &gEfiImageSecurityDatabaseGuid,
@ -396,6 +406,9 @@ ShellAppMain (
return 1; return 1;
} }
//
// Enroll dbx.
//
Status = EnrollListOfCerts ( Status = EnrollListOfCerts (
EFI_IMAGE_SECURITY_DATABASE1, EFI_IMAGE_SECURITY_DATABASE1,
&gEfiImageSecurityDatabaseGuid, &gEfiImageSecurityDatabaseGuid,
@ -406,6 +419,9 @@ ShellAppMain (
return 1; return 1;
} }
//
// Enroll KEK.
//
Status = EnrollListOfCerts ( Status = EnrollListOfCerts (
EFI_KEY_EXCHANGE_KEY_NAME, EFI_KEY_EXCHANGE_KEY_NAME,
&gEfiGlobalVariableGuid, &gEfiGlobalVariableGuid,
@ -417,6 +433,9 @@ ShellAppMain (
return 1; return 1;
} }
//
// Enroll PK, leaving Setup Mode (entering User Mode) at once.
//
Status = EnrollListOfCerts ( Status = EnrollListOfCerts (
EFI_PLATFORM_KEY_NAME, EFI_PLATFORM_KEY_NAME,
&gEfiGlobalVariableGuid, &gEfiGlobalVariableGuid,
@ -427,6 +446,10 @@ ShellAppMain (
return 1; return 1;
} }
//
// Leave Custom Mode, so that updates to PK, KEK, db, and dbx require valid
// signatures.
//
Settings.CustomMode = STANDARD_SECURE_BOOT_MODE; Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;
Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
@ -437,6 +460,37 @@ ShellAppMain (
return 1; return 1;
} }
//
// Final sanity check:
//
// [SetupMode]
// (read-only, standardized by UEFI)
// / \_
// 0 1, default
// / \_
// PK enrolled no PK enrolled yet,
// (this is called "User Mode") PK enrollment possible
// |
// |
// [SecureBootEnable]
// (read-write, edk2-specific, boot service only)
// / \_
// 0 1, default
// / \_
// [SecureBoot]=0 [SecureBoot]=1
// (read-only, standardized by UEFI) (read-only, standardized by UEFI)
// images are not verified images are verified, platform is
// operating in Secure Boot mode
// |
// |
// [CustomMode]
// (read-write, edk2-specific, boot service only)
// / \_
// 0, default 1
// / \_
// PK, KEK, db, dbx PK, KEK, db, dbx
// updates are verified updates are not verified
//
Status = GetSettings (&Settings); Status = GetSettings (&Settings);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
return 1; return 1;
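Review bot: The new "Enter Custom Mode" and "Leave Custom Mode" comments describe only the success path. Each `return 1;` after an `EnrollListOfCerts` call between them appears to exit with `Settings.CustomMode` still written as `CUSTOM_SECURE_BOOT_MODE`. The leave step writes the variable with `EFI_VARIABLE_NON_VOLATILE`, and the enter step presumably does the same, so a failed enrollment would leave unverified PK/KEK/db/dbx updates enabled across reboots, which is the CustomMode=1 branch of the diagram. I would record that beside the enter step, for example `// NOTE: the error returns below do not restore STANDARD_SECURE_BOOT_MODE; a failed run leaves CustomMode set.`, or restore the mode on those paths in a follow-up change. The error branches and the final comparison after `GetSettings` lie partly outside the hunks shown, so confirm against the full function; a one-line statement of the expected final values next to the diagram would also help.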