MsCorePkg/SecureBootKeyStoreLib: Add Library implementation #377

Javagedes · 2023-12-04T21:25:30Z

Description

Adds SecureBootKeyStoreLib which provides secureboot key store options by consuming fixed at build PCDs that represent the Pk, Db, 3PDb, Kek, and Dbx.

Impacts functionality?
- Adds 5 new PCDs to represent the Pk, Db, 3PDb, Kek, and Dbx, which are consumed by SedcureBootKeyStoreLibOem when configuring SecureBoot.
Impacts security?
- Security - Does the change have a direct security impact on an application,
  flow, or firmware?
- Examples: Crypto algorithm change, buffer overflow fix, parameter
  validation improvement, ...
Breaking change?
- Breaking change - Will anyone consuming this change experience a break
  in build or boot behavior?
- Examples: Add a new library class, move a module to a different repo, call
  a function in a new library class in a pre-existing module, ...
Includes tests?
- Tests - Does the change include any explicit test code?
- Examples: Unit tests, integration tests, robot tests, ...
Includes documentation?
- Documentation - Does the change contain explicit documentation additions
  outside direct code modifications (and comments)?
- Examples: Update readme file, add feature readme file, link to documentation
  on an a separate Web page, ...

How This Was Tested

Verified secureboot is properly enabled on Qemu35Pkg for Microsoft and Microsoft 3rd party.

Integration Instructions

Generate the following PCDs for your platform DSC:

gOemPkgTokenSpaceGuid.PcdDefaultKek
gOemPkgTokenSpaceGuid.PcdDefaultDb
gOemPkgTokenSpaceGuid.PcdDefault3PDb
gOemPkgTokenSpaceGuid.PcdDefaultDbx
gOemPkgTokenSpaceGuid.PcdDefaultPk

It is highly suggested, but not required, that each pcd is generated by running BaseTools BinToPcd over the binary blobs created in secureboot_objects, then including them in the platform's DSC file.

Updates SecureBootKeyStoreLibOem to consume fixed at build PCDs that represent the Pk, Db, 3PDb, Kek, and Dbx variables.

codecov-commenter · 2023-12-04T21:50:31Z

Codecov Report

Attention: 38 lines in your changes are missing coverage. Please review.

Comparison is base (b814597) 12.15% compared to head (3eb3071) 8.82%.

Files	Patch %	Lines
.../BaseSecureBootKeyStoreLib/SecureBootKeyStoreLib.c	0.00%	38 Missing ⚠️

Additional details and impacted files

@@                Coverage Diff                @@
##           release/202302    #377      +/-   ##
=================================================
- Coverage           12.15%   8.82%   -3.33%     
=================================================
  Files                 109      71      -38     
  Lines               18989    7521   -11468     
  Branches             1363     438     -925     
=================================================
- Hits                 2308     664    -1644     
+ Misses              16664    6847    -9817     
+ Partials               17      10       -7

Flag	Coverage Δ
HidPkg	`?`
MfciPkg	`38.25% <ø> (ø)`
MsCorePkg	`1.43% <0.00%> (-0.01%)`	⬇️
MsWheaPkg	`?`
XmlSupportPkg	`?`

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

MsCorePkg/Library/SecureBootKeyStoreLib/SecureBootKeyStoreLib.c

Co-authored-by: Michael Kubacki <[email protected]>

MsCorePkg/Library/SecureBootKeyStoreLib/SecureBootKeyStoreLib.c

MsCorePkg/Library/SecureBootKeyStoreLib/SecureBootKeyStoreLib.inf

MsCorePkg/MsCorePkg.dec

## Description Adds SecureBootKeyStoreLib which provides secureboot key store options by consuming fixed at build PCDs that represent the Pk, Db, 3PDb, Kek, and Dbx. - [x] Impacts functionality? - Adds 5 new PCDs to represent the Pk, Db, 3PDb, Kek, and Dbx, which are consumed by SedcureBootKeyStoreLibOem when configuring SecureBoot. - [ ] Impacts security? - **Security** - Does the change have a direct security impact on an application, flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter validation improvement, ... - [ ] Breaking change? - **Breaking change** - Will anyone consuming this change experience a break in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call a function in a new library class in a pre-existing module, ... - [ ] Includes tests? - **Tests** - Does the change include any explicit test code? - Examples: Unit tests, integration tests, robot tests, ... - [ ] Includes documentation? - **Documentation** - Does the change contain explicit documentation additions outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation on an a separate Web page, ... ## How This Was Tested Verified secureboot is properly enabled on Qemu35Pkg for Microsoft and Microsoft 3rd party. ## Integration Instructions Generate the following PCDs for your platform DSC: 1. gOemPkgTokenSpaceGuid.PcdDefaultKek 2. gOemPkgTokenSpaceGuid.PcdDefaultDb 3. gOemPkgTokenSpaceGuid.PcdDefault3PDb 4. gOemPkgTokenSpaceGuid.PcdDefaultDbx 5. gOemPkgTokenSpaceGuid.PcdDefaultPk It is highly suggested, but not required, that each pcd is generated by running BaseTools `BinToPcd` over the binary blobs created in [secureboot_objects](https://github.com/microsoft/secureboot_objects), then including them in the platform's DSC file. --------- Co-authored-by: Michael Kubacki <[email protected]>

OemPkg/SecureBootKeyStoreLibOem: Update to use PCDs

9bcc5c6

Updates SecureBootKeyStoreLibOem to consume fixed at build PCDs that represent the Pk, Db, 3PDb, Kek, and Dbx variables.

Javagedes requested review from Flickdm, makubacki and kuqin12 December 4, 2023 21:26

Javagedes added 2 commits December 4, 2023 13:27

Update comments around the pcds

ae0fe44

Formatting

a4d1d8c

Javagedes changed the title ~~OemPkg/SecureBootKeyStoreLibOem: Update to use PCDs~~ MsCorePkg/SecureBootKeyStoreLib: Add Library implementation Dec 4, 2023