-
Notifications
You must be signed in to change notification settings - Fork 104
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Feature/MsApplicationPkg/SecureBootRecovery (#323)
Description This Secure Boot Recovery application, when ran will append a 2011 KEK signed 2023 Certificate to the DB. This may be used to fix the DB for in market devices in order to boot a 2023 signed Boot loader. Impacts functionality? N/A Impacts security? N/A validation improvement, ... Breaking change? N/A Includes tests? N/A Includes documentation? Readme.md Explains how to build the application How This Was Tested This was tested on a handful of in market devices (AARCH64 and X64) by different OEMS. This was tested using test payloads and the real payload in order to verify it would work as expected Integration Instructions N/A
- Loading branch information
Showing
14 changed files
with
841 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# MsApplicationPkg - Microsoft Application Package | ||
|
||
## About | ||
|
||
This package contains open source production applications that run prior to ExitBootServices(...) and perform some | ||
firmware independent function. | ||
|
||
## Applications | ||
|
||
* Secure Boot Recovery | ||
* EFI application is used to transition a system from the 2011 certificates to the 2023 certificates. | ||
|
||
## Copyright | ||
|
||
Copyright (C) Microsoft Corporation. All rights reserved. | ||
SPDX-License-Identifier: BSD-2-Clause-Patent |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,108 @@ | ||
## | ||
# CI configuration for MsApplicationPkg | ||
# | ||
# Copyright (c) Microsoft Corporation | ||
# SPDX-License-Identifier: BSD-2-Clause-Patent | ||
## | ||
{ | ||
"PrEval": { | ||
"DscPath": "MsApplicationPkg.dsc", | ||
}, | ||
## options defined ci/Plugin/CompilerPlugin | ||
"CompilerPlugin": { | ||
"DscPath": "MsApplicationPkg.dsc" | ||
}, | ||
|
||
## options defined ci/Plugin/CharEncodingCheck | ||
"CharEncodingCheck": { | ||
"IgnoreFiles": [] | ||
}, | ||
|
||
## options defined ci/Plugin/DependencyCheck | ||
"DependencyCheck": { | ||
"AcceptableDependencies": [ | ||
"MdePkg/MdePkg.dec", | ||
"MdeModulePkg/MdeModulePkg.dec" | ||
], | ||
"AcceptableDependencies-HOST_APPLICATION":[ # for host based unit tests | ||
"UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec" | ||
], | ||
"AcceptableDependencies-UEFI_APPLICATION": [ | ||
"UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec" | ||
], | ||
"IgnoreInf": [] | ||
}, | ||
|
||
## options defined ci/Plugin/HostUnitTestCompilerPlugin | ||
"HostUnitTestCompilerPlugin": { | ||
}, | ||
|
||
## options defined .pytool/Plugin/HostUnitTestDscCompleteCheck | ||
"HostUnitTestDscCompleteCheck": { | ||
"IgnoreInf": [], | ||
}, | ||
|
||
## options defined ci/Plugin/DscCompleteCheck | ||
"DscCompleteCheck": { | ||
"IgnoreInf": [], | ||
"DscPath": "MsApplicationPkg.dsc" | ||
}, | ||
|
||
## options defined ci/Plugin/GuidCheck | ||
"GuidCheck": { | ||
"IgnoreGuidName": [], | ||
"IgnoreGuidValue": [], | ||
"IgnoreFoldersAndFiles": [], | ||
"IgnoreDuplicates": [] | ||
}, | ||
|
||
## options defined ci/Plugin/LibraryClassCheck | ||
"LibraryClassCheck": { | ||
"IgnoreLibraryClass": [], | ||
"IgnoreHeaderFile": [] | ||
}, | ||
|
||
## options defined ci/Plugin/SpellCheck | ||
"SpellCheck": { | ||
"IgnoreStandardPaths": [ # Standard Plugin defined paths that should be ignore | ||
], | ||
"IgnoreFiles": [ # use gitignore syntax to ignore errors in matching files | ||
SecureBootRecovery/RecoveryPayload.h | ||
], | ||
"ExtendWords": [ # words to extend to the dictionary for this package | ||
"checksumed", | ||
"FVDXE", | ||
"CMIIT", | ||
"JASTST", | ||
"mountvol", | ||
"EKU's", | ||
"bootable", | ||
"MSCHANGE", | ||
"UNRECOVERED", | ||
"hibit", | ||
"XIPFLAGS", | ||
"mstrict", | ||
"mgeneral", | ||
"frontpage", | ||
"mitigations", | ||
"AUTHREAD", | ||
"OWNERREAD", | ||
"BREAKASSERT", | ||
"CARDBUS", | ||
"PCIEXP", | ||
"DEADLOOP", | ||
"DEBUGPORT", | ||
"EXTENDMEM", | ||
"FILELOGGING", | ||
"Indexfor", | ||
"PLATFORMCREATE", | ||
"POLICYREAD", | ||
"POLICYWRITE", | ||
"SQRTUNSIGNED", | ||
"VARPOL", | ||
"SNP's", | ||
"UEFI's" | ||
], | ||
"AdditionalIncludePaths": [] # Additional paths to spell check relative to package root (wildcards supported) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
## @file MsApplicationPkg.dec | ||
# This package provides production standalone applications for the UEFI | ||
# Firmware. That do not depend on the shell or any other UEFI application. | ||
# This is targetted at promoting to open source and should be aligned with | ||
# Tianocore standards | ||
# | ||
# Copyright (C) Microsoft Corporation. All rights reserved. | ||
# SPDX-License-Identifier: BSD-2-Clause-Patent | ||
## | ||
|
||
[Defines] | ||
DEC_SPECIFICATION = 0x00010005 | ||
PACKAGE_NAME = MsApplicationPkg | ||
PACKAGE_UNI_FILE = MsApplicationPkg.uni | ||
PACKAGE_GUID = 738E75C6-4EEE-4F63-A30D-8EEB08B1DE04 | ||
PACKAGE_VERSION = .10 | ||
|
||
|
||
[Includes] | ||
|
||
[LibraryClasses] | ||
|
||
[Guids] | ||
# {2714338E-616A-4AC1-8F3E-B58F078D6E35} | ||
gMsApplicationPkgTokenSpaceGuid = { 0x2714338e, 0x616a, 0x4ac1, { 0x8f, 0x3e, 0xb5, 0x8f, 0x7, 0x8d, 0x6e, 0x35 }} | ||
|
||
[Protocols] | ||
|
||
[PcdsFeatureFlag] | ||
|
||
[PcdsFixedAtBuild] | ||
|
||
[PcdsDynamic, PcdsDynamicEx] | ||
|
||
[UserExtensions.TianoCore."ExtraFiles"] | ||
MsApplicationPkgExtra.uni |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
## @file | ||
# MsApplication Package Localized Strings and Content | ||
# | ||
# Copyright (C) Microsoft Corporation. All rights reserved. | ||
# SPDX-License-Identifier: BSD-2-Clause-Patent | ||
## | ||
|
||
[Defines] | ||
PLATFORM_NAME = MsApplication | ||
PLATFORM_GUID = BE19B49A-53F6-43CB-AED4-FB86334E665A | ||
PLATFORM_VERSION = .10 | ||
DSC_SPECIFICATION = 0x00010005 | ||
OUTPUT_DIRECTORY = Build/MsApplicationPkg | ||
SUPPORTED_ARCHITECTURES = IA32|X64|AARCH64 | ||
BUILD_TARGETS = DEBUG|RELEASE | ||
SKUID_IDENTIFIER = DEFAULT | ||
|
||
[PcdsFeatureFlag] | ||
|
||
[PcdsFixedAtBuild] | ||
|
||
!include MdePkg/MdeLibs.dsc.inc | ||
|
||
[LibraryClasses.common] | ||
DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf | ||
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf | ||
RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf | ||
BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf | ||
BaseLib|MdePkg/Library/BaseLib/BaseLib.inf | ||
UefiLib|MdePkg/Library/UefiLib/UefiLib.inf | ||
UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf | ||
UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf | ||
|
||
[LibraryClasses.X64] | ||
|
||
!if $(TOOL_CHAIN_TAG) == VS2019 or $(TOOL_CHAIN_TAG) == VS2022 | ||
# Provide StackCookie support lib so that we can link to /GS exports for VS builds | ||
NULL|MdePkg/Library/BaseBinSecurityLibRng/BaseBinSecurityLibRng.inf | ||
BaseBinSecurityLib|MdePkg/Library/BaseBinSecurityLibRng/BaseBinSecurityLibRng.inf | ||
!else | ||
BaseBinSecurityLib|MdePkg/Library/BaseBinSecurityLibNull/BaseBinSecurityLibNull.inf | ||
!endif | ||
|
||
[LibraryClasses.AARCH64] | ||
# Add support for GCC stack protector | ||
NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf | ||
|
||
|
||
################################################################################################### | ||
# | ||
# Components Section - list of the modules and components that will be processed by compilation | ||
# tools and the EDK II tools to generate PE32/PE32+/Coff image files. | ||
# | ||
# Note: The EDK II DSC file is not used to specify how compiled binary images get placed | ||
# into firmware volume images. This section is just a list of modules to compile from | ||
# source into UEFI-compliant binaries. | ||
# It is the FDF file that contains information on combining binary files into firmware | ||
# volume images, whose concept is beyond UEFI and is described in PI specification. | ||
# Binary modules do not need to be listed in this section, as they should be | ||
# specified in the FDF file. For example: Shell binary (Shell_Full.efi), FAT binary (Fat.efi), | ||
# Logo (Logo.bmp), and etc. | ||
# There may also be modules listed in this section that are not required in the FDF file, | ||
# When a module listed here is excluded from FDF file, then UEFI-compliant binary will be | ||
# generated for it, but the binary will not be put into any firmware volume. | ||
# | ||
################################################################################################### | ||
|
||
[Components] | ||
MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf | ||
|
||
[BuildOptions] | ||
#force deprecated interfaces off | ||
*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
// /** @file | ||
// This package provides production independent applications for the UEFI | ||
// Firmware. That do not depend on the shell or any other UEFI application. | ||
// This is targetted at promoting to open source and should be aligned with | ||
// Tianocore standards | ||
// | ||
// Copyright (C) Microsoft Corporation. All rights reserved. | ||
// SPDX-License-Identifier: BSD-2-Clause-Patent | ||
// **/ | ||
|
||
|
||
#string STR_PACKAGE_ABSTRACT #language en-US "This Package provides all applications for MsApplication." | ||
|
||
#string STR_PACKAGE_DESCRIPTION #language en-US "MsApplication is open source independent applications used by Microsoft" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
## @file | ||
# MsApplication Package Localized Strings and Content | ||
# | ||
# Copyright (C) Microsoft Corporation. All rights reserved. | ||
# SPDX-License-Identifier: BSD-2-Clause-Patent | ||
## | ||
|
||
#string STR_PROPERTIES_PACKAGE_NAME | ||
#language en-US | ||
"MsApplication Package" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
============================================================ | ||
Independent applications for UEFI | ||
============================================================ | ||
|
||
Summary | ||
======= | ||
This package provides independent applications for UEFI. | ||
That may be used in production environment to perform | ||
various independent operations. They should be built with | ||
minimal dependencies. | ||
|
||
Documentation | ||
============= | ||
Documentation can be found in the `Docs directory <./Docs>`_ |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
# Secure Boot Recovery | ||
|
||
The Microsoft 2011 Secure Boot Certificates used to boot Windows OS and Third Party applications, drivers, option roms, | ||
through Secure Boot are expiring on 10/19/2026. New certificates have been created and are available at | ||
[Keys Required for Secure Boot on all PCs | Learn Microsoft.](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11). | ||
|
||
This EFI application is used to transition a system from the 2011 certificates to the 2023 certificates. | ||
|
||
## Files | ||
|
||
* SecureBootRecovery.c | ||
* Recovery Logic | ||
* SecureBootRecovery.inf | ||
* Setup Information | ||
* Payload/dbUpdate.bin | ||
* Raw Recovery Payload - This file is an authenticated variable with a payload to update the DB | ||
* Attributes: | ||
* NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS | TIME_BASED_AUTHENTICATED_WRITE_ACCESS | APPEND_WRITE | ||
* Note: The signer must have it's public certificate found in the L"KEK" variable | ||
* Note: The payload found in this repo is the Microsoft Windows Production PCA 2011 signed Windows UEFI CA 2023 DB payload | ||
* RecoveryPayload.h | ||
* The C representation of the dbUpdate.bin file auto generated by Helper.py | ||
* Helper.py | ||
* Generates RecoveryPayload.h from Payload/dbUpdate.bin | ||
|
||
## Build | ||
|
||
```pwsh | ||
stuart_ci_setup -c .pytool/CISettings.py BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg | ||
stuart_update -c .pytool/CISettings.py BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg | ||
stuart_ci_build -c .pytool/CISettings.py BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg | ||
``` | ||
|
||
## Update the payload | ||
|
||
If the recovery payload needs to be updated, replace the file `Payload/dbUpdate.bin` with a KEK signed payload. | ||
|
||
Then execute: | ||
|
||
```pwsh | ||
python helper.py | ||
``` |
Oops, something went wrong.