DXE_DRIVER Example: Replace Test Platform Key with a new Platform Key #247
+696
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Flickdm
force-pushed
the
feature/OverridePlatformKey
branch
from
ead1b32 to
79cbb07
Compare
github-actions
bot
added
language:python
Flickdm
commented
Nov 25, 2024
apop5
reviewed
Nov 25, 2024
kenlautner
reviewed
Feb 14, 2025
kenlautner
reviewed
Feb 14, 2025
|
Need to write documentation and make sure it is not included in any builds by default. |
Flickdm
force-pushed
the
feature/OverridePlatformKey
branch
from
79cbb07 to
380d541
Compare
Flickdm
force-pushed
the
feature/OverridePlatformKey
branch
2 times, most recently
from
f549341 to
80644f1
Compare
Flickdm
force-pushed
the
feature/OverridePlatformKey
branch
from
80644f1 to
5481a71
Compare
Some platforms may have lost the private portion of the PlatformKey, or the PlatformKey may have been compromised. In these cases, it is necessary to replace the PlatformKey with a new one. This example demonstrates how to replace the old PlatformKey with a new one. That is intended to be used as a reference. Targets a Test certificate that is not provided to prevent accidents.
Flickdm
force-pushed
the
feature/OverridePlatformKey
branch
from
a65b7c7 to
96fa3d9
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Some platforms may have lost the private portion of the PK (Platform Key), or the PK may have been compromised (E.G Test Certificate). The former would prevent the operating system from updating the secure boot variables via a signed update. A Firmware update natively only updates the "Defaults" but not the active variables.
In these cases, it is necessary to replace the active PK with a new one via a firmware update. This example demonstrates how an OEM may replace the existing bad PK with a new one via firmware.
This shouldn't be included indefinitely in firmware and ideally is only transient. Do not arbitrarily add this to a platform's DSC without understanding the implications of it.
I've included a script that will generate a new Test PK on demand. However I am not providing a Test PK to prevent someone from adding that to their firmware. Additionally, I've set the payload to the windows PK so that if this driver does run it will replace the certificate with a well known good default.
By default there should be no reason for a platform to include this.
How This Was Tested
QemuQ35
Boot with Secure Boot disabled
exit from the shell
enable secure boot (with an appropriate target certificate)
Integration Instructions
N/A