DXE_DRIVER Example: Replace Test Platform Key with a new Platform Key #247
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some platforms may have lost the private portion of the PlatformKey, or the PlatformKey may have been compromised. In these cases, it is necessary to replace the PlatformKey with a new one. This example demonstrates how to replace the old PlatformKey with a new one. That is intended to be used as a reference. Targets a Test certificate that is not provided to prevent accidents.
Flickdm
force-pushed
the
feature/OverridePlatformKey
branch
from
ead1b32 to
79cbb07
Compare
github-actions
bot
added
language:python
Flickdm
commented
Nov 25, 2024
| * | ||
| * @param[in] Hash Pointer to the hash to compare against the existing PK. | ||
| * @param[in] HashSize Size of the hash in bytes. | ||
| * |
apop5
reviewed
Nov 25, 2024
| @@ -0,0 +1,271 @@ | |||
| #include <Uefi.h> | |||
kenlautner
reviewed
Feb 14, 2025
| #ifndef PLATFORM_KEY_H_ | ||
| #define PLATFORM_KEY_H_ | ||
|
|
||
| #include <Uefi.h> |
There was a problem hiding this comment.
The included headers in this file need to be removed. They cause symbols to collide,
kenlautner
reviewed
Feb 14, 2025
| #include <Guid/ImageAuthentication.h> | ||
| #include <Guid/VariableFormat.h> | ||
| #include "PlatformKey.h" | ||
|
|
There was a problem hiding this comment.
#include <UefiSecureBoot.h> will need to be added. I'd just put it under <Uefi.h>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
**** THIS SHOULD BE USED WITH CAUTION - PLEASE READ ****
Some platforms may have lost the private portion of the PK (Platform Key), or the PK may have been compromised (E.G Test Certificate). The former would prevent the operating system from updating the secure boot variables via a signed update. A Firmware update natively only updates the "Defaults" but not the active variables.
In these cases, it is necessary to replace the active PK with a new one via a firmware update. This example demonstrates how an OEM may replace the existing bad PK with a new one via firmware.
This shouldn't be included indefinitely in firmware and ideally is only transient. Do not arbitrarily add this to a platform's DSC without understanding the implications of it.
I've included a script that will generate a new Test PK on demand. However I am not providing a Test PK to prevent someone from adding that to their firmware. Additionally, I've set the payload to the windows PK so that if this driver does run it will replace the certificate with a well known good default.
How This Was Tested
QemuQ35
Boot with Secure Boot disabled
exit from the shell
enable secure boot (with an appropriate target certificate)
Integration Instructions
N/A