Supply unsigned xml based on system operation mode #31

Merged (13 commits) on Sep 1, 2022


@kuqin12 kuqin12 commented Sep 1, 2022

This change will change the DFCI unsigned setting's XML file GUID based on the current system mode, such that in non-MFG mode, DFCI will not accept unsigned settings. When the system is in MFG mode, the system will only block the settings listed in the XML file.

@kuqin12 kuqin12 requested review from apop5 and os-d September 1, 2022 00:38

apop5 commented Sep 1, 2022

I'm confused as to the Peim's name, ConfDfciUnsignedListInit. The Peim is setting a Pcd buffer with a specific guid. Why is the peim named Unsigned List init?


kuqin12 commented Sep 1, 2022

> I'm confused as to the Peim's name, ConfDfciUnsignedListInit. The Peim is setting a Pcd buffer with a specific guid. Why is the peim named Unsigned List init?

Because this module is supposed to populate the file GUID of the xml that DFCI will look up for unsigned settings. The idea is that before the DFCI has a chance to look at the file guid PCD, this PEIM will update the PCD content based on the system operation mode. If this is MFG mode, that means the unsigned settings will be accepted, thus the file GUID PCD contains a legit value. Otherwise, it will be supplied with a bogus/null value so that DFCI will not be able to locate any xml and eventually will not take any unsigned settings.
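
The gating described in the comment above, modelled in stand-alone C as an added example; it is not code from this PR, from the project, or from any participant. Every name here (`init_unsigned_list`, `find_unsigned_xml`, `op_mode_t`, the file table) and the GUID bytes are constructed for illustration, and a plain global stands in for the PCD.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t b[16]; } guid_t;                    /* simplified GUID */
typedef enum { MODE_CUSTOMER = 0, MODE_MFG = 1 } op_mode_t;  /* hypothetical modes */

/* Constructed GUID bytes naming the unsigned-settings XML in this model. */
#define XML_GUID_BYTES {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88, \
                        0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x01}
static const guid_t UNSIGNED_XML_GUID = { XML_GUID_BYTES };
static const guid_t NULL_GUID = { {0} };

/* Stand-in for the file-GUID PCD. Zero-initialised, so a boot path that
 * skips the init step still leaves the lookup with nothing to find. */
static guid_t g_unsigned_xml_pcd;

/* Constructed stand-in for the firmware files the consumer can search. */
typedef struct { guid_t name; const char *data; } fw_file_t;
static const fw_file_t FW_FILES[] = {
    { { XML_GUID_BYTES }, "<Settings>constructed sample</Settings>" },
};

/* Early-boot step: publish the real GUID only in MFG mode; every other
 * mode value, including ones this code does not know, gets the null GUID. */
void init_unsigned_list(op_mode_t mode) {
    if (mode == MODE_MFG) g_unsigned_xml_pcd = UNSIGNED_XML_GUID;
    else                  g_unsigned_xml_pcd = NULL_GUID;
}

/* Consumer: resolve the PCD to XML, or NULL when nothing may be applied. */
const char *find_unsigned_xml(void) {
    /* Reject the null GUID outright so no file can ever match it. */
    if (memcmp(&g_unsigned_xml_pcd, &NULL_GUID, sizeof(guid_t)) == 0)
        return NULL;
    for (size_t i = 0; i < sizeof FW_FILES / sizeof FW_FILES[0]; i++)
        if (memcmp(&FW_FILES[i].name, &g_unsigned_xml_pcd, sizeof(guid_t)) == 0)
            return FW_FILES[i].data;
    return NULL;
}

/* Runs both steps in boot order and reports whether unsigned XML was found. */
bool unsigned_settings_accepted(op_mode_t mode) {
    init_unsigned_list(mode);
    return find_unsigned_xml() != NULL;
}

int main(void) {
    printf("MFG: %d, customer: %d\n", unsigned_settings_accepted(MODE_MFG),
           unsigned_settings_accepted(MODE_CUSTOMER));
    return 0;
}
```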


kuqin12 commented Sep 1, 2022

Tested on QEMU and verified that the system will not accept any unsigned settings when the system is in MFG mode.

@kuqin12 kuqin12 merged commit d2a08dc into microsoft:main Sep 1, 2022
## @file
# Initialize DFCI unsigned list.
#
# Copyright (C) Microsoft Corporation.
Review comment (Contributor):

nit: (c)

Reply (Contributor Author):

Shoot, I missed this one... sorry
