Feature/MsApplicationPkg/SecureBootRecovery (#323)
Description
This Secure Boot Recovery application, when run, will append a 2011 KEK-signed 2023 certificate to the DB. This may be used to fix the DB on in-market devices in order to boot a 2023-signed boot loader.

 Impacts functionality?
N/A
 Impacts security?
N/A
validation improvement, ...
 Breaking change?
N/A
 Includes tests?
N/A
 Includes documentation?
Readme.md
Explains how to build the application
How This Was Tested
This was tested on a handful of in-market devices (AARCH64 and X64) by different OEMs.

This was tested using test payloads and the real payload in order to verify it would work as expected.

Integration Instructions
N/A
Flickdm authored Oct 2, 2023
1 parent ba9870b commit ea1d372
Showing 14 changed files with 841 additions and 0 deletions.
1 change: 1 addition & 0 deletions .pytool/CISettings.py
Expand Up @@ -73,6 +73,7 @@ def GetPackagesSupported(self):
"AdvLoggerPkg",
"MfciPkg",
"HidPkg",
"MsApplicationPkg",
"MsCorePkg",
"MsGraphicsPkg",
"MsWheaPkg",
16 changes: 16 additions & 0 deletions MsApplicationPkg/Docs/Readme.md
@@ -0,0 +1,16 @@
# MsApplicationPkg - Microsoft Application Package

## About

This package contains open source production applications that run prior to ExitBootServices(...) and perform some
firmware independent function.

## Applications

* Secure Boot Recovery
* EFI application is used to transition a system from the 2011 certificates to the 2023 certificates.

## Copyright

Copyright (C) Microsoft Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
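Review bot: the Applications list at the end of this hunk names Secure Boot Recovery without pointing at the application's own documentation (MsApplicationPkg/SecureBootRecovery/Readme.md, added in this same commit), and the description bullet reads as a sibling of the application rather than a sub-item; suggest `* [Secure Boot Recovery](../SecureBootRecovery/Readme.md)` with the description indented beneath it, and `firmware-independent` in the About paragraph.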
108 changes: 108 additions & 0 deletions MsApplicationPkg/MsApplicationPkg.ci.yaml
@@ -0,0 +1,108 @@
##
# CI configuration for MsApplicationPkg
#
# Copyright (c) Microsoft Corporation
# SPDX-License-Identifier: BSD-2-Clause-Patent
##
{
"PrEval": {
"DscPath": "MsApplicationPkg.dsc",
},
## options defined ci/Plugin/CompilerPlugin
"CompilerPlugin": {
"DscPath": "MsApplicationPkg.dsc"
},

## options defined ci/Plugin/CharEncodingCheck
"CharEncodingCheck": {
"IgnoreFiles": []
},

## options defined ci/Plugin/DependencyCheck
"DependencyCheck": {
"AcceptableDependencies": [
"MdePkg/MdePkg.dec",
"MdeModulePkg/MdeModulePkg.dec"
],
"AcceptableDependencies-HOST_APPLICATION":[ # for host based unit tests
"UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec"
],
"AcceptableDependencies-UEFI_APPLICATION": [
"UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec"
],
"IgnoreInf": []
},

## options defined ci/Plugin/HostUnitTestCompilerPlugin
"HostUnitTestCompilerPlugin": {
},

## options defined .pytool/Plugin/HostUnitTestDscCompleteCheck
"HostUnitTestDscCompleteCheck": {
"IgnoreInf": [],
},

## options defined ci/Plugin/DscCompleteCheck
"DscCompleteCheck": {
"IgnoreInf": [],
"DscPath": "MsApplicationPkg.dsc"
},

## options defined ci/Plugin/GuidCheck
"GuidCheck": {
"IgnoreGuidName": [],
"IgnoreGuidValue": [],
"IgnoreFoldersAndFiles": [],
"IgnoreDuplicates": []
},

## options defined ci/Plugin/LibraryClassCheck
"LibraryClassCheck": {
"IgnoreLibraryClass": [],
"IgnoreHeaderFile": []
},

## options defined ci/Plugin/SpellCheck
"SpellCheck": {
"IgnoreStandardPaths": [ # Standard Plugin defined paths that should be ignore
],
"IgnoreFiles": [ # use gitignore syntax to ignore errors in matching files
SecureBootRecovery/RecoveryPayload.h
],
"ExtendWords": [ # words to extend to the dictionary for this package
"checksumed",
"FVDXE",
"CMIIT",
"JASTST",
"mountvol",
"EKU's",
"bootable",
"MSCHANGE",
"UNRECOVERED",
"hibit",
"XIPFLAGS",
"mstrict",
"mgeneral",
"frontpage",
"mitigations",
"AUTHREAD",
"OWNERREAD",
"BREAKASSERT",
"CARDBUS",
"PCIEXP",
"DEADLOOP",
"DEBUGPORT",
"EXTENDMEM",
"FILELOGGING",
"Indexfor",
"PLATFORMCREATE",
"POLICYREAD",
"POLICYWRITE",
"SQRTUNSIGNED",
"VARPOL",
"SNP's",
"UEFI's"
],
"AdditionalIncludePaths": [] # Additional paths to spell check relative to package root (wildcards supported)
}
}
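Review bot: the SpellCheck ExtendWords list (the "checksumed" through "UEFI's" block) looks copied from another package: FVDXE, CMIIT, JASTST, mountvol, VARPOL, XIPFLAGS and most of the others appear in none of the files shown in this commit, and carrying them forward silences the check for typos it would otherwise catch; suggest trimming the list to words this package actually uses. Two smaller points: `SecureBootRecovery/RecoveryPayload.h` under IgnoreFiles is the only unquoted entry in the file, so quote it for consistency, and with the commit description stating "Includes tests? N/A", the UnitTestFrameworkPkg entries under AcceptableDependencies-HOST_APPLICATION and -UEFI_APPLICATION are currently unused.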
36 changes: 36 additions & 0 deletions MsApplicationPkg/MsApplicationPkg.dec
@@ -0,0 +1,36 @@
## @file MsApplicationPkg.dec
# This package provides production standalone applications for the UEFI
# Firmware. That do not depend on the shell or any other UEFI application.
# This is targetted at promoting to open source and should be aligned with
# Tianocore standards
#
# Copyright (C) Microsoft Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent
##

[Defines]
DEC_SPECIFICATION = 0x00010005
PACKAGE_NAME = MsApplicationPkg
PACKAGE_UNI_FILE = MsApplicationPkg.uni
PACKAGE_GUID = 738E75C6-4EEE-4F63-A30D-8EEB08B1DE04
PACKAGE_VERSION = .10


[Includes]

[LibraryClasses]

[Guids]
# {2714338E-616A-4AC1-8F3E-B58F078D6E35}
gMsApplicationPkgTokenSpaceGuid = { 0x2714338e, 0x616a, 0x4ac1, { 0x8f, 0x3e, 0xb5, 0x8f, 0x7, 0x8d, 0x6e, 0x35 }}

[Protocols]

[PcdsFeatureFlag]

[PcdsFixedAtBuild]

[PcdsDynamic, PcdsDynamicEx]

[UserExtensions.TianoCore."ExtraFiles"]
MsApplicationPkgExtra.uni
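Review bot: the @file header has a typo and a sentence fragment ("targetted"; "Firmware. That do not depend on the shell"); suggest "...applications for UEFI firmware that do not depend on the shell or any other UEFI application. This is targeted at promoting to open source ...". `PACKAGE_VERSION = .10` should be written as a full version such as `0.10` (the same `.10` appears as PLATFORM_VERSION in the DSC hunk below), and the empty [Includes], [LibraryClasses], [Protocols] and PCD sections add nothing until the package declares something in them.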
73 changes: 73 additions & 0 deletions MsApplicationPkg/MsApplicationPkg.dsc
@@ -0,0 +1,73 @@
## @file
# MsApplication Package Localized Strings and Content
#
# Copyright (C) Microsoft Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent
##

[Defines]
PLATFORM_NAME = MsApplication
PLATFORM_GUID = BE19B49A-53F6-43CB-AED4-FB86334E665A
PLATFORM_VERSION = .10
DSC_SPECIFICATION = 0x00010005
OUTPUT_DIRECTORY = Build/MsApplicationPkg
SUPPORTED_ARCHITECTURES = IA32|X64|AARCH64
BUILD_TARGETS = DEBUG|RELEASE
SKUID_IDENTIFIER = DEFAULT

[PcdsFeatureFlag]

[PcdsFixedAtBuild]

!include MdePkg/MdeLibs.dsc.inc

[LibraryClasses.common]
DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
UefiLib|MdePkg/Library/UefiLib/UefiLib.inf
UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf
UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf

[LibraryClasses.X64]

!if $(TOOL_CHAIN_TAG) == VS2019 or $(TOOL_CHAIN_TAG) == VS2022
# Provide StackCookie support lib so that we can link to /GS exports for VS builds
NULL|MdePkg/Library/BaseBinSecurityLibRng/BaseBinSecurityLibRng.inf
BaseBinSecurityLib|MdePkg/Library/BaseBinSecurityLibRng/BaseBinSecurityLibRng.inf
!else
BaseBinSecurityLib|MdePkg/Library/BaseBinSecurityLibNull/BaseBinSecurityLibNull.inf
!endif

[LibraryClasses.AARCH64]
# Add support for GCC stack protector
NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf


###################################################################################################
#
# Components Section - list of the modules and components that will be processed by compilation
# tools and the EDK II tools to generate PE32/PE32+/Coff image files.
#
# Note: The EDK II DSC file is not used to specify how compiled binary images get placed
# into firmware volume images. This section is just a list of modules to compile from
# source into UEFI-compliant binaries.
# It is the FDF file that contains information on combining binary files into firmware
# volume images, whose concept is beyond UEFI and is described in PI specification.
# Binary modules do not need to be listed in this section, as they should be
# specified in the FDF file. For example: Shell binary (Shell_Full.efi), FAT binary (Fat.efi),
# Logo (Logo.bmp), and etc.
# There may also be modules listed in this section that are not required in the FDF file,
# When a module listed here is excluded from FDF file, then UEFI-compliant binary will be
# generated for it, but the binary will not be put into any firmware volume.
#
###################################################################################################

[Components]
MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf

[BuildOptions]
#force deprecated interfaces off
*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
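Review bot: stack protection is asymmetric between the [LibraryClasses.X64] and [LibraryClasses.AARCH64] blocks: BaseStackCheckLib is linked as a NULL library only for AARCH64, and X64 picks BaseBinSecurityLibRng only when TOOL_CHAIN_TAG is VS2019 or VS2022, so a GCC X64 build falls through to BaseBinSecurityLibNull with no stack check library at all; if that is not intentional, add the BaseStackCheckLib NULL entry on the `!else` branch. Two further points: the @file header reads "MsApplication Package Localized Strings and Content", copied from the .uni rather than describing the platform DSC, and DebugLib resolves to BaseDebugLibNull for both DEBUG and RELEASE, so a DEBUG build of an application that appends to the DB variable produces no diagnostic output; consider a console or serial DebugLib instance for the DEBUG target.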
14 changes: 14 additions & 0 deletions MsApplicationPkg/MsApplicationPkg.uni
@@ -0,0 +1,14 @@
// /** @file
// This package provides production independent applications for the UEFI
// Firmware. That do not depend on the shell or any other UEFI application.
// This is targetted at promoting to open source and should be aligned with
// Tianocore standards
//
// Copyright (C) Microsoft Corporation. All rights reserved.
// SPDX-License-Identifier: BSD-2-Clause-Patent
// **/


#string STR_PACKAGE_ABSTRACT #language en-US "This Package provides all applications for MsApplication."

#string STR_PACKAGE_DESCRIPTION #language en-US "MsApplication is open source independent applications used by Microsoft"
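Review bot: the header repeats the .dec's typo and fragment ("targetted"; "Firmware. That do not depend"), and the two files disagree on wording ("production independent applications" here, "production standalone applications" in the .dec); pick one phrasing and use it in both. STR_PACKAGE_DESCRIPTION is also ungrammatical; suggest "MsApplicationPkg provides open source, firmware-independent UEFI applications maintained by Microsoft."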
10 changes: 10 additions & 0 deletions MsApplicationPkg/MsApplicationPkgExtra.uni
@@ -0,0 +1,10 @@
## @file
# MsApplication Package Localized Strings and Content
#
# Copyright (C) Microsoft Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent
##

#string STR_PROPERTIES_PACKAGE_NAME
#language en-US
"MsApplication Package"
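Review bot: this file opens with a `## @file` / `#` header, while MsApplicationPkg.uni in the same commit uses the `// /** @file ... // **/` form that UNI files use for comments; suggest switching this header to the `//` form so both .uni files are written the same way and `#` lines are reserved for the #string / #language directives.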
14 changes: 14 additions & 0 deletions MsApplicationPkg/ReadMe.rst
@@ -0,0 +1,14 @@
============================================================
Independent applications for UEFI
============================================================

Summary
=======
This package provides independent applications for UEFI.
That may be used in production environment to perform
various independent operations. They should be built with
minimal dependencies.

Documentation
=============
Documentation can be found in the `Docs directory <./Docs>`_
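Review bot: the Summary paragraph is two fragments ("...applications for UEFI. That may be used in production environment to perform various independent operations."); suggest "This package provides independent applications for UEFI that may be used in a production environment to perform various standalone operations. They should be built with minimal dependencies." It also overlaps with MsApplicationPkg/Docs/Readme.md added in this commit; keep one top-level description and have the other link to it.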
Binary file not shown.
42 changes: 42 additions & 0 deletions MsApplicationPkg/SecureBootRecovery/Readme.md
@@ -0,0 +1,42 @@
# Secure Boot Recovery

The Microsoft 2011 Secure Boot Certificates used to boot Windows OS and Third Party applications, drivers, option roms,
through Secure Boot are expiring on 10/19/2026. New certificates have been created and are available at
[Keys Required for Secure Boot on all PCs | Learn Microsoft.](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11).

This EFI application is used to transition a system from the 2011 certificates to the 2023 certificates.

## Files

* SecureBootRecovery.c
* Recovery Logic
* SecureBootRecovery.inf
* Setup Information
* Payload/dbUpdate.bin
* Raw Recovery Payload - This file is an authenticated variable with a payload to update the DB
* Attributes:
* NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS | TIME_BASED_AUTHENTICATED_WRITE_ACCESS | APPEND_WRITE
* Note: The signer must have it's public certificate found in the L"KEK" variable
* Note: The payload found in this repo is the Microsoft Windows Production PCA 2011 signed Windows UEFI CA 2023 DB payload
* RecoveryPayload.h
* The C representation of the dbUpdate.bin file auto generated by Helper.py
* Helper.py
* Generates RecoveryPayload.h from Payload/dbUpdate.bin

## Build

```pwsh
stuart_ci_setup -c .pytool/CISettings.py BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg
stuart_update -c .pytool/CISettings.py BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg
stuart_ci_build -c .pytool/CISettings.py BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg
```

## Update the payload

If the recovery payload needs to be updated, replace the file `Payload/dbUpdate.bin` with a KEK signed payload.

Then execute:

```pwsh
python helper.py
```
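Review bot: the Files list names `Helper.py`, but the "Update the payload" step runs `python helper.py`; on a case-sensitive filesystem one of the two is wrong, so align the file name with the command. The signer description is also inconsistent within this hunk and with the commit description: the note says the shipped payload is the "Microsoft Windows Production PCA 2011 signed" DB payload, the preceding note requires the signer's certificate to be present in the L"KEK" variable, and the commit description calls it "2011 KEK signed"; state which certificate actually signed Payload/dbUpdate.bin so a reader can verify it against KEK. Minor: "it's public certificate" should be "its public certificate".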
