Feature/MsApplicationPkg/SecureBootRecovery #323

Merged
1 change: 1 addition & 0 deletions .pytool/CISettings.py
Expand Up @@ -73,6 +73,7 @@ def GetPackagesSupported(self):
"AdvLoggerPkg",
"MfciPkg",
"HidPkg",
"MsApplicationPkg",
"MsCorePkg",
"MsGraphicsPkg",
"MsWheaPkg",
16 changes: 16 additions & 0 deletions MsApplicationPkg/Docs/Readme.md
@@ -0,0 +1,16 @@
# MsApplicationPkg - Microsoft Application Package

## About

This package contains open source production applications that run prior to ExitBootServices(...) and perform some
firmware independent function.

## Applications

* Secure Boot Recovery
* EFI application is used to transition a system from the 2011 certificates to the 2023 certificates.

## Copyright

Copyright (C) Microsoft Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
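Review bot: the Secure Boot Recovery bullet gives only a one-line description; link it to SecureBootRecovery/Readme.md, which carries the file list, build steps and payload update procedure, so this package-level page does not drift from the application's own documentation. "perform some firmware independent function" is also ambiguous (independent of which firmware?); a phrase such as "perform a function that does not depend on platform-specific firmware" would say what is meant.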
108 changes: 108 additions & 0 deletions MsApplicationPkg/MsApplicationPkg.ci.yaml
@@ -0,0 +1,108 @@
##
# CI configuration for MsApplicationPkg
#
# Copyright (c) Microsoft Corporation
# SPDX-License-Identifier: BSD-2-Clause-Patent
##
{
"PrEval": {
"DscPath": "MsApplicationPkg.dsc",
},
## options defined ci/Plugin/CompilerPlugin
"CompilerPlugin": {
"DscPath": "MsApplicationPkg.dsc"
},

## options defined ci/Plugin/CharEncodingCheck
"CharEncodingCheck": {
"IgnoreFiles": []
},

## options defined ci/Plugin/DependencyCheck
"DependencyCheck": {
"AcceptableDependencies": [
"MdePkg/MdePkg.dec",
"MdeModulePkg/MdeModulePkg.dec"
],
"AcceptableDependencies-HOST_APPLICATION":[ # for host based unit tests
"UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec"
],
"AcceptableDependencies-UEFI_APPLICATION": [
"UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec"
],
"IgnoreInf": []
},

## options defined ci/Plugin/HostUnitTestCompilerPlugin
"HostUnitTestCompilerPlugin": {
},

## options defined .pytool/Plugin/HostUnitTestDscCompleteCheck
"HostUnitTestDscCompleteCheck": {
"IgnoreInf": [],
},

## options defined ci/Plugin/DscCompleteCheck
"DscCompleteCheck": {
"IgnoreInf": [],
"DscPath": "MsApplicationPkg.dsc"
},

## options defined ci/Plugin/GuidCheck
"GuidCheck": {
"IgnoreGuidName": [],
"IgnoreGuidValue": [],
"IgnoreFoldersAndFiles": [],
"IgnoreDuplicates": []
},

## options defined ci/Plugin/LibraryClassCheck
"LibraryClassCheck": {
"IgnoreLibraryClass": [],
"IgnoreHeaderFile": []
},

## options defined ci/Plugin/SpellCheck
"SpellCheck": {
"IgnoreStandardPaths": [ # Standard Plugin defined paths that should be ignore
],
"IgnoreFiles": [ # use gitignore syntax to ignore errors in matching files
SecureBootRecovery/RecoveryPayload.h
],
"ExtendWords": [ # words to extend to the dictionary for this package
"checksumed",
"FVDXE",
"CMIIT",
"JASTST",
"mountvol",
"EKU's",
"bootable",
"MSCHANGE",
"UNRECOVERED",
"hibit",
"XIPFLAGS",
"mstrict",
"mgeneral",
"frontpage",
"mitigations",
"AUTHREAD",
"OWNERREAD",
"BREAKASSERT",
"CARDBUS",
"PCIEXP",
"DEADLOOP",
"DEBUGPORT",
"EXTENDMEM",
"FILELOGGING",
"Indexfor",
"PLATFORMCREATE",
"POLICYREAD",
"POLICYWRITE",
"SQRTUNSIGNED",
"VARPOL",
"SNP's",
"UEFI's"
],
"AdditionalIncludePaths": [] # Additional paths to spell check relative to package root (wildcards supported)
}
}
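Review bot: the SpellCheck IgnoreFiles entry `SecureBootRecovery/RecoveryPayload.h` is the only unquoted string in the file; quote it like every other entry (`"SecureBootRecovery/RecoveryPayload.h"`) so the file stays consistent and parses the same way in every loader. The ExtendWords list (checksumed, FVDXE, CMIIT, JASTST, mountvol, CARDBUS, PCIEXP, ...) looks copied from another package's ci.yaml; trim it to words that actually occur in MsApplicationPkg, otherwise the spell check stops catching new typos here. The HOST_APPLICATION dependency list and the empty HostUnitTestCompilerPlugin section are present although the package has no host unit tests; if they are placeholders, say so in the comment.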
36 changes: 36 additions & 0 deletions MsApplicationPkg/MsApplicationPkg.dec
@@ -0,0 +1,36 @@
## @file MsApplicationPkg.dec
# This package provides production standalone applications for the UEFI
# Firmware. That do not depend on the shell or any other UEFI application.
# This is targetted at promoting to open source and should be aligned with
# Tianocore standards
#
# Copyright (C) Microsoft Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent
##

[Defines]
DEC_SPECIFICATION = 0x00010005
PACKAGE_NAME = MsApplicationPkg
PACKAGE_UNI_FILE = MsApplicationPkg.uni
PACKAGE_GUID = 738E75C6-4EEE-4F63-A30D-8EEB08B1DE04
PACKAGE_VERSION = .10


[Includes]

[LibraryClasses]

[Guids]
# {2714338E-616A-4AC1-8F3E-B58F078D6E35}
gMsApplicationPkgTokenSpaceGuid = { 0x2714338e, 0x616a, 0x4ac1, { 0x8f, 0x3e, 0xb5, 0x8f, 0x7, 0x8d, 0x6e, 0x35 }}

[Protocols]

[PcdsFeatureFlag]

[PcdsFixedAtBuild]

[PcdsDynamic, PcdsDynamicEx]

[UserExtensions.TianoCore."ExtraFiles"]
MsApplicationPkgExtra.uni
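Review bot: the @file header has a typo ("targetted" should be "targeted") and a sentence fragment ("Firmware. That do not depend on ..."); suggest "This package provides production standalone applications for UEFI firmware that do not depend on the shell or any other UEFI application." `PACKAGE_VERSION = .10` is an unusual form; other edk2 packages use a value such as `0.10` or `1.0`, and the same value is repeated as PLATFORM_VERSION in the DSC, so pick one form and use it in both files.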
73 changes: 73 additions & 0 deletions MsApplicationPkg/MsApplicationPkg.dsc
@@ -0,0 +1,73 @@
## @file
# MsApplication Package Localized Strings and Content
#
# Copyright (C) Microsoft Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent
##

[Defines]
PLATFORM_NAME = MsApplication
PLATFORM_GUID = BE19B49A-53F6-43CB-AED4-FB86334E665A
PLATFORM_VERSION = .10
DSC_SPECIFICATION = 0x00010005
OUTPUT_DIRECTORY = Build/MsApplicationPkg
SUPPORTED_ARCHITECTURES = IA32|X64|AARCH64
BUILD_TARGETS = DEBUG|RELEASE
SKUID_IDENTIFIER = DEFAULT

[PcdsFeatureFlag]

[PcdsFixedAtBuild]

!include MdePkg/MdeLibs.dsc.inc

[LibraryClasses.common]
DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf
BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf
BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
UefiLib|MdePkg/Library/UefiLib/UefiLib.inf
UefiApplicationEntryPoint|MdePkg/Library/UefiApplicationEntryPoint/UefiApplicationEntryPoint.inf
UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBootServicesTableLib.inf

[LibraryClasses.X64]

!if $(TOOL_CHAIN_TAG) == VS2019 or $(TOOL_CHAIN_TAG) == VS2022
# Provide StackCookie support lib so that we can link to /GS exports for VS builds
NULL|MdePkg/Library/BaseBinSecurityLibRng/BaseBinSecurityLibRng.inf
BaseBinSecurityLib|MdePkg/Library/BaseBinSecurityLibRng/BaseBinSecurityLibRng.inf
!else
BaseBinSecurityLib|MdePkg/Library/BaseBinSecurityLibNull/BaseBinSecurityLibNull.inf
!endif

[LibraryClasses.AARCH64]
# Add support for GCC stack protector
NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf


###################################################################################################
#
# Components Section - list of the modules and components that will be processed by compilation
# tools and the EDK II tools to generate PE32/PE32+/Coff image files.
#
# Note: The EDK II DSC file is not used to specify how compiled binary images get placed
# into firmware volume images. This section is just a list of modules to compile from
# source into UEFI-compliant binaries.
# It is the FDF file that contains information on combining binary files into firmware
# volume images, whose concept is beyond UEFI and is described in PI specification.
# Binary modules do not need to be listed in this section, as they should be
# specified in the FDF file. For example: Shell binary (Shell_Full.efi), FAT binary (Fat.efi),
# Logo (Logo.bmp), and etc.
# There may also be modules listed in this section that are not required in the FDF file,
# When a module listed here is excluded from FDF file, then UEFI-compliant binary will be
# generated for it, but the binary will not be put into any firmware volume.
#
###################################################################################################

[Components]
MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf

[BuildOptions]
#force deprecated interfaces off
*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
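Review bot: the @file header says "MsApplication Package Localized Strings and Content", which is the .uni description copied over; describe the DSC instead (for example "MsApplicationPkg build description"). IA32 is listed in SUPPORTED_ARCHITECTURES, but only X64 and AARCH64 receive a stack-protection mapping (BaseBinSecurityLibRng and BaseStackCheckLib); either add the equivalent IA32 mapping if IA32 is built with stack cookies, or drop IA32 if it is not an intended target. DebugLib maps to BaseDebugLibNull for both DEBUG and RELEASE, so every DEBUG message from the recovery application is discarded; consider a console-backed DebugLib for the DEBUG target so bring-up failures are visible.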
14 changes: 14 additions & 0 deletions MsApplicationPkg/MsApplicationPkg.uni
@@ -0,0 +1,14 @@
// /** @file
// This package provides production independent applications for the UEFI
// Firmware. That do not depend on the shell or any other UEFI application.
// This is targetted at promoting to open source and should be aligned with
// Tianocore standards
//
// Copyright (C) Microsoft Corporation. All rights reserved.
// SPDX-License-Identifier: BSD-2-Clause-Patent
// **/


#string STR_PACKAGE_ABSTRACT #language en-US "This Package provides all applications for MsApplication."

#string STR_PACKAGE_DESCRIPTION #language en-US "MsApplication is open source independent applications used by Microsoft"
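Review bot: the header repeats the "targetted" typo from the .dec and describes the package differently ("production independent applications" here, "production standalone applications" in the .dec); keep the two in sync. STR_PACKAGE_DESCRIPTION is ungrammatical ("MsApplication is open source independent applications used by Microsoft"); suggest "MsApplicationPkg provides open source independent applications used by Microsoft." The strings also call the package "MsApplication" while PACKAGE_NAME in the .dec is "MsApplicationPkg".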
10 changes: 10 additions & 0 deletions MsApplicationPkg/MsApplicationPkgExtra.uni
@@ -0,0 +1,10 @@
## @file
# MsApplication Package Localized Strings and Content
#
# Copyright (C) Microsoft Corporation. All rights reserved.
# SPDX-License-Identifier: BSD-2-Clause-Patent
##

#string STR_PROPERTIES_PACKAGE_NAME
#language en-US
"MsApplication Package"
14 changes: 14 additions & 0 deletions MsApplicationPkg/ReadMe.rst
@@ -0,0 +1,14 @@
============================================================
Independent applications for UEFI
============================================================

Summary
=======
This package provides independent applications for UEFI.
That may be used in production environment to perform
various independent operations. They should be built with
minimal dependencies.

Documentation
=============
Documentation can be found in the `Docs directory <./Docs>`_
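Review bot: the Summary is split into fragments ("...applications for UEFI. That may be used in production environment..."); join them: "This package provides independent applications for UEFI that may be used in production environments to perform various independent operations. They should be built with minimal dependencies." The last line is missing its period. This file and Docs/Readme.md say the same thing in two formats; consider keeping one and linking to it from the other.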
Binary file not shown.
42 changes: 42 additions & 0 deletions MsApplicationPkg/SecureBootRecovery/Readme.md
@@ -0,0 +1,42 @@
# Secure Boot Recovery

The Microsoft 2011 Secure Boot Certificates used to boot Windows OS and Third Party applications, drivers, option roms,
through Secure Boot are expiring on 10/19/2026. New certificates have been created and are available at
[Keys Required for Secure Boot on all PCs | Learn Microsoft.](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11).

This EFI application is used to transition a system from the 2011 certificates to the 2023 certificates.

## Files

* SecureBootRecovery.c
* Recovery Logic
* SecureBootRecovery.inf
* Setup Information
* Payload/dbUpdate.bin
* Raw Recovery Payload - This file is an authenticated variable with a payload to update the DB
* Attributes:
* NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS | TIME_BASED_AUTHENTICATED_WRITE_ACCESS | APPEND_WRITE
* Note: The signer must have it's public certificate found in the L"KEK" variable
* Note: The payload found in this repo is the Microsoft Windows Production PCA 2011 signed Windows UEFI CA 2023 DB payload
* RecoveryPayload.h
* The C representation of the dbUpdate.bin file auto generated by Helper.py
* Helper.py
* Generates RecoveryPayload.h from Payload/dbUpdate.bin

## Build

```pwsh
stuart_ci_setup -c .pytool/CISettings.py BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg
stuart_update -c .pytool/CISettings.py BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg
stuart_ci_build -c .pytool/CISettings.py BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg
```

## Update the payload

If the recovery payload needs to be updated, replace the file `Payload/dbUpdate.bin` with a KEK signed payload.

Then execute:

```pwsh
python helper.py
```
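Review bot: the update step runs `python helper.py` while the Files list names the script `Helper.py`; on a case-sensitive filesystem one of the two fails, so make the name match. The signer note deserves tightening: it says the signer's certificate must be present in the L"KEK" variable, but the payload description names Microsoft Windows Production PCA 2011 as the signer, which is the DB certificate used for Windows boot components rather than a KEK entry; please confirm which certificate signed dbUpdate.bin, because a platform whose KEK does not contain that signer rejects the authenticated write and the recovery does nothing. Since the attribute set includes APPEND_WRITE, the 2023 certificate is added alongside the existing DB contents rather than replacing them; stating that explicitly would help operators judge the change. Minor: "it's" should be "its", and the `pwsh` fence tag suggests the stuart commands are PowerShell-only although they run in any shell.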