OvmfPkg/EnrollDefaultKeys: import the non-default key into db

For QA test and development, we may need to test Secure Boot with a
devel key instead of UEFI CA.

This commit adds an argument, "--no-default", to EnrollDefaultKeys.efi.
With the argument, the key from SMBIOS Type 11 will also be enrolled
into db. Besides, the keys in AuthData.c, i.e. Microsoft KEK CA,
Microsoft PCA, and Microsoft UEFI CA will be excluded, so the developer
can easily create a varstore template for a specific key.

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Signed-off-by: Gary Lin <glin@suse.com>
Message-Id: <20190516030834.12203-1-glin@suse.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index 75f2749dc84acc7c518f6ffe98fec9e50f21aac1..f45cb799f7261ba5b926287a1b4b54f9c07fa7a5 100644 (file)
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -538,6 +538,13 @@ ShellAppMain (
   SETTINGS   Settings;\r
   UINT8      *PkKek1;\r
   UINTN      SizeOfPkKek1;\r
+  BOOLEAN    NoDefault;\r
+\r
+  if (Argc == 2 && StrCmp (Argv[1], L"--no-default") == 0) {\r
+    NoDefault = TRUE;\r
+  } else {\r
+    NoDefault = FALSE;\r
+  }\r
 \r
   //\r
   // Prepare for failure.\r
@@ -594,13 +601,22 @@ ShellAppMain (
   //\r
   // Enroll db.\r
   //\r
-  Status = EnrollListOfCerts (\r
-             EFI_IMAGE_SECURITY_DATABASE,\r
-             &gEfiImageSecurityDatabaseGuid,\r
-             &gEfiCertX509Guid,\r
-             mMicrosoftPca,    mSizeOfMicrosoftPca,    &gMicrosoftVendorGuid,\r
-             mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,\r
-             NULL);\r
+  if (NoDefault) {\r
+    Status = EnrollListOfCerts (\r
+               EFI_IMAGE_SECURITY_DATABASE,\r
+               &gEfiImageSecurityDatabaseGuid,\r
+               &gEfiCertX509Guid,\r
+               PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid,\r
+               NULL);\r
+  } else {\r
+    Status = EnrollListOfCerts (\r
+               EFI_IMAGE_SECURITY_DATABASE,\r
+               &gEfiImageSecurityDatabaseGuid,\r
+               &gEfiCertX509Guid,\r
+               mMicrosoftPca,    mSizeOfMicrosoftPca,    &gMicrosoftVendorGuid,\r
+               mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,\r
+               NULL);\r
+  }\r
   if (EFI_ERROR (Status)) {\r
     goto FreePkKek1;\r
   }\r
@@ -621,13 +637,22 @@ ShellAppMain (
   //\r
   // Enroll KEK.\r
   //\r
-  Status = EnrollListOfCerts (\r
-             EFI_KEY_EXCHANGE_KEY_NAME,\r
-             &gEfiGlobalVariableGuid,\r
-             &gEfiCertX509Guid,\r
-             PkKek1,        SizeOfPkKek1,        &gEfiCallerIdGuid,\r
-             mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,\r
-             NULL);\r
+  if (NoDefault) {\r
+    Status = EnrollListOfCerts (\r
+               EFI_KEY_EXCHANGE_KEY_NAME,\r
+               &gEfiGlobalVariableGuid,\r
+               &gEfiCertX509Guid,\r
+               PkKek1, SizeOfPkKek1, &gEfiCallerIdGuid,\r
+               NULL);\r
+  } else {\r
+    Status = EnrollListOfCerts (\r
+               EFI_KEY_EXCHANGE_KEY_NAME,\r
+               &gEfiGlobalVariableGuid,\r
+               &gEfiCertX509Guid,\r
+               PkKek1,        SizeOfPkKek1,        &gEfiCallerIdGuid,\r
+               mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,\r
+               NULL);\r
+  }\r
   if (EFI_ERROR (Status)) {\r
     goto FreePkKek1;\r
   }\r