AuthVariableLib: Set SB to enabled during transition to USER_MODE #151
Conversation
Is option "do not change whatever has been set prior to resetting" on the table? Otherwise, set the default for platform, if not possible, keep disabled?
I'd vote to keep it as is. If F9 would reset keys as well, the option of restoring default keys would be questionable to exist in the first place, if functionally equivalent to F9. |
Exactly this. Do we want the "reset keys to default" change the Secure Boot state or not? |
Then, I'd say it should not change, and keep whatever was set before. If user wants to change, they should do it. |
|
@miczyg1 We can proceed with the decisions discussed here. |
I'm assuming we aren't talking about Summing up, Please add some description to the commit message, like the firs paragraph of this PR description. Also, how does it relate to this? |
Yes, when keys are erased, SB is being disabled. That's perfectly understandable.
Yes, I think we want to retain SecureBootEnable value, because if someone had all keys enrolled and SB disbalde, resetting the keys would enable SB automatically. We enforce reboot/reset after every change in the menu, so SecureBoot variable will always have a proper value after reboot. |
miczyg1
force-pushed
the
auto_sb_enable
branch
4 times, most recently
from
3b03021 to
2146220
Compare
|
Now when resetting the keys, Enable Secure Boot checkbox remains unchanged. Only the Current Secure Boot State changes from Disabled to Enabled, but there is now way around it. SecureBoot variable becomes locked after enrolling PK. |
There was a problem hiding this comment.
From technical point of view it works more or less as discussed, but UX is poor due to Enable Secure Boot [ ] when SecureBootEnable is true, but no PK.
However, I don't think this by itself meets the expectations described by the vendor. Enrolling PK from OS does not enable SB without setting SecureBootEnable in setup menu, at least with current CONFIG_EDK2_SECURE_BOOT_DEFAULT_ENABLE state. It is acceptable, but:
- Should be documented (https://docs.dasharo.com -> guides?)
- preferably with instructions for extracting current/default KEK, db and dbx, and signing them with new PK to not have to sign existing bootloaders,
- similar instructions for users that want to build edk2 with custom keys, maybe?
- It would be easier for us to have the same default across all platforms.
- Currently, SMMSTORE region is cleared with each update, which makes whole custom SB configuration tedious, but it may be fixed in the future with the help of capsules (in the wider meaning, not necessarily capsule updates).
Also, please add commit messages.
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
Show resolved
Hide resolved
|
@macpijan @BeataZdunczyk I'm not sure what is the context of these changes, but they seem to be closely related to planned Arch4221: UEFI Secure Boot so if you could link that effort internally, it would be great. |
Do not use PcdSecureBootDefaultEnable to initialize SecureBootEnable variable value when platform is in USER_MODE, because it will prevent enabling Secure Boot from OS when enrolling the keys and transitioning from SETUP_MODE to USER_MODE. PcdSecureBootDefaultEnable is used when settings are reset in UI and in the SecureBootDefaultKeysDxe where the default keys are being restored. Signed-off-by: Michał Żygowski <[email protected]>
Reset Secure Boot Keys option should only touch the keys and nothing else. Keep the SecureBootEnable variable value from before selecting to reset the keys as re-enrolling PK would unconditionally enable Secure Boot. Signed-off-by: Michał Żygowski <[email protected]>
When the system is booted, the AuthVariableLibInitialize runs before SecureBootDefaultKeysDxe. When the system is booted for the first time, AuthVariableLibInitialize will not set SB to enabled state, because there are no keys yet. So the SecureBootEnable does not need to be set depending on PCD, even shouldn't. It is the SecureBootDefaultKeysDxe task to set the proper SB state when system boots with default settings. The PCD is still used there and in the UI when restoring default settings.
Quick tests:
When SB Default State PCD is
FALSE:When SB Default State PCD is
TRUE:Questions:
Resetting Secure Boot keys to defaults causes the SB state to become enabled, but it can also set the state to disabled if we want to. Is it the behavior we want?Done, now when resetting the keys, Enable Secure Boot checkbox remains unchanged. Only the Current Secure Boot State changes from Disabled to Enabled, but there is now way around it. SecureBoot variable becomes locked after enrolling PK.