[RFC,0/3] eficonfig: add UEFI Secure Boot key maintenance interface

Message ID	20220619052022.2694-1-masahisa.kojima@linaro.org
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61; From: Masahisa Kojima <masahisa.kojima@linaro.org> To: u-boot@lists.denx.de Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>, Ilias Apalodimas <ilias.apalodimas@linaro.org>, Simon Glass <sjg@chromium.org>, Takahiro Akashi <takahiro.akashi@linaro.org>, Francois Ozog <francois.ozog@linaro.org>, Mark Kettenis <mark.kettenis@xs4all.nl>, Masahisa Kojima <masahisa.kojima@linaro.org> Subject: [RFC PATCH 0/3] eficonfig: add UEFI Secure Boot key maintenance interface Date: Sun, 19 Jun 2022 14:20:19 +0900 Message-Id: <20220619052022.2694-1-masahisa.kojima@linaro.org> Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	eficonfig: add UEFI Secure Boot key maintenance interface \| expand [RFC,0/3] eficonfig: add UEFI Secure Boot key maintenance interface [RFC,1/3] eficonfig: add UEFI Secure Boot Key enrollment interface [RFC,2/3] eficonfig: add "Show Signature Database" menu entry [RFC,3/3] eficonfig: add "Delete Key" menu entry

Message ID

20220619052022.2694-1-masahisa.kojima@linaro.org

Headers

Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de
 designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61;
From: Masahisa Kojima <masahisa.kojima@linaro.org>
To: u-boot@lists.denx.de
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>,
 Ilias Apalodimas <ilias.apalodimas@linaro.org>,
 Simon Glass <sjg@chromium.org>,
 Takahiro Akashi <takahiro.akashi@linaro.org>,
 Francois Ozog <francois.ozog@linaro.org>,
 Mark Kettenis <mark.kettenis@xs4all.nl>,
 Masahisa Kojima <masahisa.kojima@linaro.org>
Subject: [RFC PATCH 0/3] eficonfig: add UEFI Secure Boot key maintenance
 interface
Date: Sun, 19 Jun 2022 14:20:19 +0900
Message-Id: <20220619052022.2694-1-masahisa.kojima@linaro.org>
Precedence: list
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

eficonfig: add UEFI Secure Boot key maintenance interface | expand

Message

Masahisa Kojima June 19, 2022, 5:20 a.m. UTC

This series adds the UEFI Secure Boot key maintenance interface
to the eficonfig command.
User can enroll and delete the PK, KEK, db and dbx.

Note that this series is RFC since this series is implemented
on the top of the "enable menu-driven UEFI variable maintenance"
patch series still under review[1].

[1]https://lore.kernel.org/u-boot/20220619045607.1669-1-masahisa.kojima@linaro.org/T/#m7fe16b6044fbb2947b49c26051563c7cbb696fb3

Source code can be cloned with:
$ git clone https://git.linaro.org/people/masahisa.kojima/u-boot.git -b kojima/kojima/efi_seckey_menu_upstream_v1_0619

Masahisa Kojima (3):
  eficonfig: add UEFI Secure Boot Key enrollment interface
  eficonfig: add "Show Signature Database" menu entry
  eficonfig: add "Delete Key" menu entry

 cmd/Makefile          |   3 +
 cmd/eficonfig.c       |   3 +
 cmd/eficonfig_sbkey.c | 701 ++++++++++++++++++++++++++++++++++++++++++
 include/efi_config.h  |   3 +
 4 files changed, 710 insertions(+)
 create mode 100644 cmd/eficonfig_sbkey.c

Comments

Ilias Apalodimas July 8, 2022, 9:06 a.m. UTC | #1

On Sun, Jun 19, 2022 at 02:20:19PM +0900, Masahisa Kojima wrote:
> This series adds the UEFI Secure Boot key maintenance interface
> to the eficonfig command.
> User can enroll and delete the PK, KEK, db and dbx.
> 
> Note that this series is RFC since this series is implemented
> on the top of the "enable menu-driven UEFI variable maintenance"
> patch series still under review[1].
> 
> [1]https://lore.kernel.org/u-boot/20220619045607.1669-1-masahisa.kojima@linaro.org/T/#m7fe16b6044fbb2947b49c26051563c7cbb696fb3
> 
> Source code can be cloned with:
> $ git clone https://git.linaro.org/people/masahisa.kojima/u-boot.git -b kojima/kojima/efi_seckey_menu_upstream_v1_0619

Thanks Kojima-san.  This is an important step in removing console access
for EFI-enabled devices.

Regards
/Ilias
> 
> Masahisa Kojima (3):
>   eficonfig: add UEFI Secure Boot Key enrollment interface
>   eficonfig: add "Show Signature Database" menu entry
>   eficonfig: add "Delete Key" menu entry
> 
>  cmd/Makefile          |   3 +
>  cmd/eficonfig.c       |   3 +
>  cmd/eficonfig_sbkey.c | 701 ++++++++++++++++++++++++++++++++++++++++++
>  include/efi_config.h  |   3 +
>  4 files changed, 710 insertions(+)
>  create mode 100644 cmd/eficonfig_sbkey.c
> 
> -- 
> 2.17.1
>