From 7eeaa7585a98dafbc1523423f77185b4dd031393 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek
Date: Thu, 25 Apr 2019 21:49:38 +0200
Subject: [PATCH] OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID

The GUID 77FA9ABD-0359-4D32-BD60-28F4E78F784B is specified in MSDN, at , therefore it deserves an entry in the package DEC file, and a header file under "Include/Guid". (Arguably, this GUID declaration / definition could even live under SecurityPkg, but the edk2 tradition has been to hoist GUIDs, protocols/PPIs, and lib classes from OvmfPkg to a core package only when dependent C code is added to the core package.)

Cc: Anthony Perard
Cc: Ard Biesheuvel
Cc: Jordan Justen
Cc: Julien Grall
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek
Reviewed-by: Philippe Mathieu-Daude
Acked-by: Ard Biesheuvel
Reviewed-by: Gary Lin
---
 OvmfPkg/EnrollDefaultKeys/AuthData.c | 28 ----------
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 7 ++-
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h | 2 -
 .../EnrollDefaultKeys/EnrollDefaultKeys.inf | 2 +
 OvmfPkg/Include/Guid/MicrosoftVendor.h | 55 +++++++++++++++++++
 OvmfPkg/OvmfPkg.dec | 1 +
 6 files changed, 62 insertions(+), 33 deletions(-)
 create mode 100644 OvmfPkg/Include/Guid/MicrosoftVendor.h

diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c
index e0a543785f..9a96dcc440 100644
--- a/OvmfPkg/EnrollDefaultKeys/AuthData.c
+++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
@@ -523,31 +523,3 @@ CONST UINT8 mSha256OfDevNull[] = {
 };
 CONST UINTN mSizeOfSha256OfDevNull = sizeof mSha256OfDevNull;
-
-
-//
-// The following test cases of the Secure Boot Logo Test in the Microsoft
-// Hardware Certification Kit:
-//
-// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
-// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
-//
-// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
-// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
-// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
-// certificates:
-//
-// - "Microsoft Corporation KEK CA 2011" (in KEK)
-// - "Microsoft Windows Production PCA 2011" (in db)
-// - "Microsoft Corporation UEFI CA 2011" (in db)
-//
-// This is despite the fact that the UEFI specification requires
-// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
-// application or driver) that enrolled and therefore owns
-// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
-// EFI_SIGNATURE_DATA.SignatureData.
-//
-CONST EFI_GUID mMicrosoftOwnerGuid = {
- 0x77fa9abd, 0x0359, 0x4d32,
- { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
-};
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index 528718b15a..e4f6a50e00 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -8,6 +8,7 @@
 #include // gEfiCustomModeEnableGuid
 #include // EFI_SETUP_MODE_NAME
 #include // EFI_IMAGE_SECURITY_DATABASE
+#include // gMicrosoftVendorGuid
 #include // CopyGuid()
 #include // ASSERT()
 #include // FreePool()
@@ -315,8 +316,8 @@ ShellAppMain (
 EFI_IMAGE_SECURITY_DATABASE,
 &gEfiImageSecurityDatabaseGuid,
 &gEfiCertX509Guid,
- mMicrosoftPca, mSizeOfMicrosoftPca, &mMicrosoftOwnerGuid,
- mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &mMicrosoftOwnerGuid,
+ mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGuid,
+ mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,
 NULL);
 if (EFI_ERROR (Status)) {
 return 1;
@@ -337,7 +338,7 @@ ShellAppMain (
 &gEfiGlobalVariableGuid,
 &gEfiCertX509Guid,
 mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,
- mMicrosoftKek, mSizeOfMicrosoftKek, &mMicrosoftOwnerGuid,
+ mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,
 NULL);
 if (EFI_ERROR (Status)) {
 return 1;
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
index 07f4aa04e4..e3a7e43da4 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
@@ -138,6 +138,4 @@ extern CONST UINTN mSizeOfMicrosoftUefiCa;
 extern CONST UINT8 mSha256OfDevNull[];
 extern CONST UINTN mSizeOfSha256OfDevNull;
-extern CONST EFI_GUID mMicrosoftOwnerGuid;
-
 #endif /* ENROLL_DEFAULT_KEYS_H_ */
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
index 3f093c7685..28db52586a 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
@@ -22,6 +22,7 @@
 [Packages]
 MdeModulePkg/MdeModulePkg.dec
 MdePkg/MdePkg.dec
+ OvmfPkg/OvmfPkg.dec
 SecurityPkg/SecurityPkg.dec
 ShellPkg/ShellPkg.dec
@@ -33,6 +34,7 @@
 gEfiGlobalVariableGuid
 gEfiImageSecurityDatabaseGuid
 gEfiSecureBootEnableDisableGuid
+ gMicrosoftVendorGuid
 [LibraryClasses]
 BaseMemoryLib
diff --git a/OvmfPkg/Include/Guid/MicrosoftVendor.h b/OvmfPkg/Include/Guid/MicrosoftVendor.h
new file mode 100644
index 0000000000..db7a326c31
--- /dev/null
+++ b/OvmfPkg/Include/Guid/MicrosoftVendor.h
@@ -0,0 +1,55 @@
+/** @file
+ Declare the GUID that is expected:
+
+ - as EFI_SIGNATURE_DATA.SignatureOwner GUID in association with X509 and
+ RSA2048 Secure Boot certificates issued by/for Microsoft,
+
+ - as UEFI variable vendor GUID in association with (unspecified)
+ Microsoft-owned variables.
+
+ Copyright (C) 2014-2019, Red Hat, Inc.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+ @par Specification Reference:
+ - MSDN: System.Fundamentals.Firmware at
+ .
+**/
+
+#ifndef MICROSOFT_VENDOR_H_
+#define MICROSOFT_VENDOR_H_
+
+#include
+
+//
+// The following test cases of the Secure Boot Logo Test in the Microsoft
+// Hardware Certification Kit:
+//
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxVerifyMicrosoftKEKpresent
+// - Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
+//
+// expect the EFI_SIGNATURE_DATA.SignatureOwner GUID to be
+// 77FA9ABD-0359-4D32-BD60-28F4E78F784B, when the
+// EFI_SIGNATURE_DATA.SignatureData field carries any of the following X509
+// certificates:
+//
+// - "Microsoft Corporation KEK CA 2011" (in KEK)
+// - "Microsoft Windows Production PCA 2011" (in db)
+// - "Microsoft Corporation UEFI CA 2011" (in db)
+//
+// This is despite the fact that the UEFI specification requires
+// EFI_SIGNATURE_DATA.SignatureOwner to reflect the agent (i.e., OS,
+// application or driver) that enrolled and therefore owns
+// EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
+// EFI_SIGNATURE_DATA.SignatureData.
+//
+#define MICROSOFT_VENDOR_GUID \
+ { 0x77fa9abd, \
+ 0x0359, \
+ 0x4d32, \
+ { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b }, \
+ }
+
+extern EFI_GUID gMicrosoftVendorGuid;
+
+#endif /* MICROSOFT_VENDOR_H_ */
diff --git a/OvmfPkg/OvmfPkg.dec b/OvmfPkg/OvmfPkg.dec
index cc2a4909af..922e061cc8 100644
--- a/OvmfPkg/OvmfPkg.dec
+++ b/OvmfPkg/OvmfPkg.dec
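Review bot: `extern EFI_GUID gMicrosoftVendorGuid;` near the end of the new header declares the object without CONST, whereas the `CONST EFI_GUID mMicrosoftOwnerGuid` it replaces in AuthData.c was read-only, so the `&gMicrosoftVendorGuid` arguments in EnrollDefaultKeys.c now point at a writable global. That is presumably forced by how package-declared GUIDs from OvmfPkg.dec are defined (the other GUIDs in that file follow the same pattern), so it is a documentation point rather than a defect, but the declaration should say so: `// Defined from OvmfPkg.dec by the build; not CONST, so pass it only to CONST EFI_GUID * parameters and never write through it.` The second bullet of the file comment, `(unspecified) Microsoft-owned variables`, would also be clearer if it said whether the referenced MSDN page names any such variable.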
@@ -77,6 +77,7 @@
 gQemuRamfbGuid = {0x557423a1, 0x63ab, 0x406c, {0xbe, 0x7e, 0x91, 0xcd, 0xbc, 0x08, 0xc4, 0x57}}
 gXenBusRootDeviceGuid = {0xa732241f, 0x383d, 0x4d9c, {0x8a, 0xe1, 0x8e, 0x09, 0x83, 0x75, 0x89, 0xd7}}
 gRootBridgesConnectedEventGroupGuid = {0x24a2d66f, 0xeedd, 0x4086, {0x90, 0x42, 0xf2, 0x6e, 0x47, 0x97, 0xee, 0x69}}
+ gMicrosoftVendorGuid = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}}
 [Protocols]
 gVirtioDeviceProtocolGuid = {0xfa920010, 0x6785, 0x4941, {0xb6, 0xec, 0x49, 0x8c, 0x57, 0x9f, 0x16, 0x0a}}
-- 
2.39.2