SecurityPkg: limit verification of enrolled PK in setup mode
authorJan Bobek <jbobek@nvidia.com>
Fri, 20 Jan 2023 22:58:32 +0000 (06:58 +0800)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Sat, 4 Feb 2023 11:53:59 +0000 (11:53 +0000)
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2506

Per UEFI spec, enrolling a new PK in setup mode should not require a
self-signature. Introduce a feature PCD called PcdRequireSelfSignedPk
to control this requirement. Default to TRUE in order to preserve the
legacy behavior.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Co-authored-by: Matthew Carlson <macarl@microsoft.com>
Signed-off-by: Jan Bobek <jbobek@nvidia.com>
Reviewed-by: Sean Brogan <sean.brogan@microsoft.com>
Acked-by: Jiewen Yao <jiewen.yao@intel.com>
SecurityPkg/Library/AuthVariableLib/AuthService.c
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
SecurityPkg/SecurityPkg.dec

index 9beeca09aebaf5dfa0afd1040a2b43b4ed5575f1..452ed491eaac90530e003ca6f67487b5fee5e0c1 100644 (file)
@@ -603,7 +603,10 @@ ProcessVarWithPk (
   // Init state of Del. State may change due to secure check\r
   //\r
   Del = FALSE;\r
-  if ((InCustomMode () && UserPhysicalPresent ()) || ((mPlatformMode == SETUP_MODE) && !IsPk)) {\r
+  if (  (InCustomMode () && UserPhysicalPresent ())\r
+     || (  (mPlatformMode == SETUP_MODE)\r
+        && !(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk)))\r
+  {\r
     Payload     = (UINT8 *)Data + AUTHINFO2_SIZE (Data);\r
     PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
     if (PayloadSize == 0) {\r
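Review bot: The rewritten condition on this `if` needs a comment, because `!(FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk)` is a double negation that decides whether a PK write enters this branch or falls through to the later ones. With the PCD set to FALSE, a PK write in setup mode now lands here, and the visible lines take the payload directly from `Data + AUTHINFO2_SIZE (Data)`. On such builds the self-signature presumably no longer gates PK enrollment, so whatever protects entry into setup mode becomes the effective control. I would add above the `if`: `// In setup mode, take the unauthenticated path unless this is a PK write and PcdRequireSelfSignedPk is TRUE.` ProcessVarWithPk starts and ends outside the hunk, so the checks applied to the payload further down this branch are not visible here.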
@@ -627,7 +630,9 @@ ProcessVarWithPk (
       return Status;\r
     }\r
 \r
-    if ((mPlatformMode != SETUP_MODE) || IsPk) {\r
+    if (  (mPlatformMode != SETUP_MODE)\r
+       || (FeaturePcdGet (PcdRequireSelfSignedPk) && IsPk))\r
+    {\r
       Status = VendorKeyIsModified ();\r
     }\r
   } else if (mPlatformMode == USER_MODE) {\r
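Review bot: With PcdRequireSelfSignedPk set to FALSE, the `IsPk` term drops out of this test, so a PK write in setup mode no longer calls `VendorKeyIsModified ()`, even when the branch was entered through `InCustomMode () && UserPhysicalPresent ()`. The removed line, `(mPlatformMode != SETUP_MODE) || IsPk`, did call it in that case, so the PCD changes vendor-key tracking for the custom-mode path as well as the plain setup-mode path named in the commit message. If that is intended, say so in a comment such as `// PK writes in setup mode mark vendor keys modified only when the self-signed PK requirement is enabled.` If the old behaviour should be kept for custom mode, the test has to distinguish how the branch was entered. The function body continues outside the hunk.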
index 8eadeebcebd70c5aed551a9be10043de78ef7c0c..e5985c5f8b60fc2c71ac3614e547498be59c5fdd 100644 (file)
@@ -86,3 +86,6 @@
   gEfiCertTypeRsa2048Sha256Guid  ## SOMETIMES_CONSUMES   ## GUID  # Unique ID for the type of the certificate.\r
   gEfiCertPkcs7Guid              ## SOMETIMES_CONSUMES   ## GUID  # Unique ID for the type of the certificate.\r
   gEfiCertX509Guid               ## SOMETIMES_CONSUMES   ## GUID  # Unique ID for the type of the signature.\r
+\r
+[FeaturePcd]\r
+  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk\r
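Review bot: The new PCD is referenced here under `gEfiMdeModulePkgTokenSpaceGuid`, and the SecurityPkg.dec section of this commit declares it under the same GUID with token `0x00010027`. That declaration sits directly after `gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x00010026`. A PCD declared in SecurityPkg.dec and numbered in sequence with the SecurityPkg tokens would normally belong to the SecurityPkg token space. Keeping it in the MdeModulePkg space risks a token-number clash with that package's own declarations, which are not visible here. If the GUID is unintended, both lines should read `gEfiSecurityPkgTokenSpaceGuid.PcdRequireSelfSignedPk`, and any platform DSC that overrides this security-relevant flag must use the same name.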
index 8257f11d17c7677293a19c68c8fa6a230bac4542..d3b7ad7ff6fb895f7e2fb8c909ca6a62041185e4 100644 (file)
   ## This PCD records LASA field in CC EVENTLOG ACPI table.\r
   gEfiSecurityPkgTokenSpaceGuid.PcdCcEventlogAcpiTableLasa|0|UINT64|0x00010026\r
 \r
+[PcdsFeatureFlag]\r
+  ## Indicates if the platform requires PK to be self-signed when setting the PK in setup mode.\r
+  #   TRUE  - Require PK to be self-signed.\r
+  #   FALSE - Do not require PK to be self-signed.\r
+  # @Prompt Require PK to be self-signed\r
+  gEfiMdeModulePkgTokenSpaceGuid.PcdRequireSelfSignedPk|TRUE|BOOLEAN|0x00010027\r
+\r
 [UserExtensions.TianoCore."ExtraFiles"]\r
   SecurityPkgExtra.uni\r