
[Bug]: DFCI_CertChainingTest report fail when manufacturing mode #81

Closed
1 task done
NickWangInsyde opened this issue Apr 7, 2023 · 7 comments
Assignees
Labels
state:needs-submitter-info Needs more information from the submitter to determine next steps state:under-discussion Under discussion type:question Further information is requested urgency:medium Important with a moderate impact

Comments

@NickWangInsyde

Is there an existing issue for this?

  • I have searched existing issues

Current Behavior

Following the implementation of the DfciUiDisplayAuthDialog function, DFCI_CertChainingTest reports 5 Fails when the device is in manufacturing mode.

The DfciUiDisplayAuthDialog function will accept the enrollment without the proper key when the device is in manufacturing mode.

Expected Behavior

mu_oem_sample should provide sample code which can pass all DFCI test cases.

Should the DfciUiDisplayAuthDialog function be changed as below?

```c
if (DfciUiIsManufacturingMode ()) {
  *Result = DFCI_MB_IDCANCEL;
  return EFI_SUCCESS;
}
```

Steps To Reproduce

```c
BOOLEAN
EFIAPI
DfciUiIsManufacturingMode (
  VOID
  )
{
  return TRUE;
}
```

  1. Run the DFCI_CertChainingTest test case and it will report 5 Fails.

Build Environment

- OS(s): Windows 10
- Tool Chain(s): VS2019
- Targets Impacted: RELEASE

Version Information

Commit: 1709eca4a7e17372b9d0c801cbd1fa8e7cbf7b83

Urgency

Medium

Are you going to fix this?

Someone else needs to fix it

Do you need maintainer feedback?

Maintainer feedback requested

Anything else?

No response

@NickWangInsyde NickWangInsyde added state:needs-triage Needs to triaged to determine next steps type:bug Something isn't working labels Apr 7, 2023
@github-actions github-actions bot added state:needs-maintainer-feedback Needs more information from a maintainer to determine next steps urgency:medium Important with a moderate impact state:needs-owner Needs an issue owner to be assigned labels Apr 7, 2023
@spbrogan
Member

Not sure I understand what you are asking for. These tests fail because you declared the device in Manufacturing Mode. When a device is in Manufacturing Mode certain rules do not apply. Manufacturing Mode is a manufacturer-defined state that should be cryptographically protected by the manufacturer's authority. We suggest something like https://github.com/microsoft/mu_plus/tree/release/202208/MfciPkg.

So for testing DFCI your device should not be in Manufacturing Mode.

Did I misunderstand your question/request?

@spbrogan spbrogan added state:needs-submitter-info Needs more information from the submitter to determine next steps and removed state:needs-maintainer-feedback Needs more information from a maintainer to determine next steps state:needs-owner Needs an issue owner to be assigned labels Apr 27, 2023
@NickWangInsyde
Author

Yes, I declared the device in Manufacturing Mode.

If I don't declare the device in Manufacturing Mode, the DFCI_InitialState test case will report a fail and show " '${ZtdThumbprint}' != 'Cert not installed'". It forces the user to manually select "Opt In" on the "Management" VFR page to enroll ZTD. Is it a necessary step before running the DFCI tests?

And I have another question. If an OEM product ships with DFCI and is not in Manufacturing Mode, who should do the "Opt In" process in the DFCI scenarios?

@spbrogan
Member

spbrogan commented May 5, 2023 via email

@NickWangInsyde
Author

I want to know how to make your devices opted in when they are not in manufacturing mode. I want to follow the Microsoft standard way to do it. Do you change this in source code? Or do you manually change the device from opt-out to opt-in in the DFCI Management VFR form?

If mu_feature_dfci is adopted into an OEM project, the device will be opted out and not in manufacturing mode. You can see the default behavior in mu_feature_dfci\DfciPkg\IdentityAndAuthManager\IdentityAndAuthManagerDxe.c:

```c
  ZeroTouchState = GetZeroTouchState ();  // By default this returns ZERO_TOUCH_INACTIVE, meaning the device is opted out.
  if (ZERO_TOUCH_INACTIVE == ZeroTouchState) {
    if (DfciUiIsManufacturingMode ()) {
      ZeroTouchState = ZERO_TOUCH_OPT_IN;
    }
  }
```

@spbrogan
Member

We do not change the source code.

When the button shows the text "OPT_IN" it means the device is currently opted out (does not have the ZTD key installed).

In the factory the device is put into manufacturing mode so that the device can do its manufacturing required activity. This action automatically opts in the device (installs the ZTD key). The device then finishes the manufacturing process, and it exits manufacturing mode and then ships to the store/customer. The process of exiting from manufacturing mode does not clear the ZTD key.

// If user has not previously opted out of device management, and the system is

Does that make sense?
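The lifecycle spbrogan describes above, together with the zero-touch decision quoted earlier from IdentityAndAuthManagerDxe.c, as an added model in C. This is not code from mu_feature_dfci or mu_oem_sample: all `Model*` names and the `MODEL_DEVICE` struct are hypothetical stand-ins for `GetZeroTouchState ()`, `DfciUiIsManufacturingMode ()` and the persisted ZTD key, `ZERO_TOUCH_OPT_OUT` is an assumed enum name for the explicit opt-out state the thread refers to, and the thumbprint string is a constructed placeholder rather than a real certificate hash. What it shows is the sequence the maintainer lays out: a fresh device resolves to inactive (what `DFCI_InitialState` reports as "Cert not installed"), entering manufacturing mode promotes only the inactive state to opt-in and installs the key, exiting manufacturing mode leaves the key in place, and an explicit opt-out is not overridden by manufacturing mode.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the DFCI zero-touch lifecycle; not project code. */
typedef enum {
  ZERO_TOUCH_INACTIVE,  /* default: nothing persisted, device is opted out */
  ZERO_TOUCH_OPT_IN,    /* ZTD key installed */
  ZERO_TOUCH_OPT_OUT    /* user explicitly opted out (assumed enum name) */
} ZERO_TOUCH_STATE;

typedef struct {
  bool             ManufacturingMode;  /* stands in for DfciUiIsManufacturingMode () */
  ZERO_TOUCH_STATE StoredState;        /* stands in for GetZeroTouchState () */
  bool             ZtdKeyInstalled;    /* stands in for the persisted ZTD key */
} MODEL_DEVICE;

void ModelInit (MODEL_DEVICE *Dev) {
  memset (Dev, 0, sizeof (*Dev));
  Dev->StoredState = ZERO_TOUCH_INACTIVE;
}

/* Mirrors the decision quoted from IdentityAndAuthManagerDxe.c: only INACTIVE is
   promoted to OPT_IN by manufacturing mode; an explicit opt-out is left alone. */
ZERO_TOUCH_STATE ModelResolveState (const MODEL_DEVICE *Dev) {
  ZERO_TOUCH_STATE State = Dev->StoredState;
  if (State == ZERO_TOUCH_INACTIVE && Dev->ManufacturingMode) {
    State = ZERO_TOUCH_OPT_IN;
  }
  return State;
}

/* Factory step: entering manufacturing mode opts the device in and installs the ZTD key. */
void ModelEnterManufacturingMode (MODEL_DEVICE *Dev) {
  Dev->ManufacturingMode = true;
  if (ModelResolveState (Dev) == ZERO_TOUCH_OPT_IN) {
    Dev->ZtdKeyInstalled = true;
    Dev->StoredState     = ZERO_TOUCH_OPT_IN;  /* persisted, so it survives leaving the factory */
  }
}

/* Leaving manufacturing mode does not clear the ZTD key. */
void ModelExitManufacturingMode (MODEL_DEVICE *Dev) {
  Dev->ManufacturingMode = false;
}

/* User chooses opt-out on the Management page: key removed, state persisted. */
void ModelUserOptOut (MODEL_DEVICE *Dev) {
  Dev->StoredState     = ZERO_TOUCH_OPT_OUT;
  Dev->ZtdKeyInstalled = false;
}

/* What the DFCI_InitialState check compares against 'Cert not installed'.
   The installed-key value is a constructed placeholder, not a real thumbprint. */
const char *ModelZtdThumbprint (const MODEL_DEVICE *Dev) {
  return Dev->ZtdKeyInstalled ? "0000000000000000000000000000000000000000"
                              : "Cert not installed";
}

int main (void) {
  MODEL_DEVICE Dev;

  ModelInit (&Dev);
  printf ("fresh:     state=%d thumbprint=%s\n", ModelResolveState (&Dev), ModelZtdThumbprint (&Dev));

  ModelEnterManufacturingMode (&Dev);
  printf ("factory:   state=%d key=%d\n", ModelResolveState (&Dev), Dev.ZtdKeyInstalled);

  ModelExitManufacturingMode (&Dev);
  printf ("shipped:   state=%d key=%d mfg=%d\n", ModelResolveState (&Dev), Dev.ZtdKeyInstalled, Dev.ManufacturingMode);

  ModelUserOptOut (&Dev);
  Dev.ManufacturingMode = true;  /* an explicit opt-out is honoured even in manufacturing mode */
  printf ("opted out: state=%d key=%d\n", ModelResolveState (&Dev), Dev.ZtdKeyInstalled);
  return 0;
}
```

The model also explains the two test outcomes in the issue: with `DfciUiIsManufacturingMode ()` hard-coded to `TRUE` the device resolves to opt-in and `DFCI_InitialState` sees a thumbprint, but manufacturing mode is still active when the cert-chaining tests run; with it returning `FALSE` on a device that never went through the factory step, the thumbprint is "Cert not installed" and `DFCI_InitialState` fails instead.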

@NickWangInsyde
Author

Hi Sean,

I got your point. I will confirm with my customer and then update the info to you or close this issue. Thanks for the explanation.

@spbrogan spbrogan added type:question Further information is requested state:under-discussion Under discussion and removed state:needs-triage Needs to triaged to determine next steps type:bug Something isn't working labels Jun 1, 2023
@makubacki
Member

We'll close this for now. @NickWangInsyde, feel free to reopen if any more discussion is needed.

3 participants