Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SecurityPkg/SecureBootConfigDxe: require reset on all SB changes #137

Merged
merged 1 commit into from
Jun 14, 2024
Merged

SecurityPkg/SecureBootConfigDxe: require reset on all SB changes #137

merged 1 commit into from
Jun 14, 2024

Commits on Jun 14, 2024

  1. SecurityPkg/SecureBootConfigDxe: require reset on all SB changes 

    Enrolling or removing any signature should require a reset to avoid
booting a system with some weird value of PCR-7.  The PCR is extended
on writes into SecureBoot-related variables (see SecureBootHook() in
SecurityPkg/DxeImageVerificationLib) and then right before booting (in
TcgDxe or Tcg2Dxe in OnReadyToBoot() handler), meaning that editing
SecureBoot configuration and continuing boot process without a reset
results in an unexpected value of PCR-7 even if the end result of
changes is the same as it would be without any changes.

Now reset is required in the following cases as well:
 * enrolling/deletion of a KEK signature
 * enrolling/deletion of a DB signature
 * enrolling/deletion of a DBX signature (one or all of them)
 * enrolling/deletion of a DBT signature

Addition cases are handled in VFR while deletion options are checkboxes
generated in C and that's where the flags get set (number of updated
places is fewer than number of handled cases because functions are
shared by menus).

Signed-off-by: Sergii Dmytruk <[email protected]>
    @SergiiDmytruk @miczyg1
    SergiiDmytruk authored and miczyg1 committed Jun 14, 2024
    Configuration menu
    Copy the full SHA
    9756808 View commit details
    Browse the repository at this point in the history