microsoft / mu_feature_dfci

DFCI - Device Firmware Configuration Interface

[Bug]: DFCI_CertChainingTest report fail when manufacturing mode #81

Closed NickWangInsyde closed 1 year ago

NickWangInsyde commented 1 year ago

Is there an existing issue for this?

Current Behavior

Following the implementation of the DfciUiDisplayAuthDialog function, DFCI_CertChainingTest reports 5 fails when the device is in manufacturing mode.

The DfciUiDisplayAuthDialog function accepts the enrollment without the proper key when the device is in manufacturing mode.

Expected Behavior

mu_oem_sample should provide sample code that can pass all DFCI test cases.

Should the DfciUiDisplayAuthDialog function be changed as below?

  if (DfciUiIsManufacturingMode ()) {
    *Result = DFCI_MB_IDCANCEL;
    return EFI_SUCCESS;
  }

Steps To Reproduce

1.

BOOLEAN
EFIAPI
DfciUiIsManufacturingMode (
  VOID
  ) {
  return TRUE;
}

2. Run the DFCI_CertChainingTest test case and it will report 5 fails.

Build Environment

- OS(s): Windows 10
- Tool Chain(s): VS2019
- Targets Impacted: RELEASE

Version Information

Commit: 1709eca4a7e17372b9d0c801cbd1fa8e7cbf7b83

Urgency

Medium

Are you going to fix this?

Someone else needs to fix it

Do you need maintainer feedback?

Maintainer feedback requested

Anything else?

No response

spbrogan commented 1 year ago

Not sure I understand what you are asking for. These tests fail because you declared the device in Manufacturing Mode. When a device is in Manufacturing Mode certain rules do not apply. Manufacturing Mode is a manufacturer defined state that should be cryptographically protected by the manufacturer's authority. We suggest something like https://github.com/microsoft/mu_plus/tree/release/202208/MfciPkg.

So for testing DFCI your device should not be in Manufacturing Mode.

Did I misunderstand your question/request?

NickWangInsyde commented 1 year ago

Yes, I declared the device in Manufacturing Mode.

If I don't declare the device in Manufacturing Mode, the DFCI_InitialState test case will report fail and show " '${ZtdThumbprint}' != 'Cert not installed'". It forces the user to manually select "Opt In" in the "Management" VFR page to enroll ZTD. Is it a necessary step before running the DFCI test (https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/UnitTests/DfciTests/readme/#testing-dfci)?

And I have another question. If the OEM product ships with DFCI and is not in Manufacturing Mode, who should do the "Opt In" process in the DFCI Scenarios (https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Scenarios/DfciScenarios/#lifecycle)?

spbrogan commented 1 year ago

This is a product level decision. For the product teams that I have talked with, and per the intent of ZTD, the devices ship from the manufacturer with ZTD opted in. The whole point of ZTD is so that users don't have to touch the device and a centralized IT department can deploy DFCI without user interaction.

So in our testing our devices are already opted in and they are not in manufacturing mode. This allows the tests to run.

Does that answer your question?

Thanks Sean


NickWangInsyde commented 1 year ago

I want to know how you make your devices opted in while they are not in manufacturing mode. I want to follow the Microsoft standard way to do it. Do you change this in source code? Or do you manually change the device from opt-out to opt-in in the DFCI Management VFR form?

If mu_feature_dfci is adopted into an OEM project, the device will be opted out and not in manufacturing mode. You can see the default behavior in mu_feature_dfci\DfciPkg\IdentityAndAuthManager\IdentityAndAuthManagerDxe.c:

  ZeroTouchState = GetZeroTouchState ();  // By default this returns ZERO_TOUCH_INACTIVE, meaning the device is opted out.
  if (ZERO_TOUCH_INACTIVE == ZeroTouchState) {
    if (DfciUiIsManufacturingMode ()) {
      ZeroTouchState = ZERO_TOUCH_OPT_IN;
    }
  }

spbrogan commented 1 year ago

We do not change the source code.

When the button shows the text "OPT_IN", it means the device is currently opted out (does not have the ZTD key installed).

In the factory the device is put into manufacturing mode so that the device can do its manufacturing required activity. This action automatically opts in the device (installs the ZTD key). The device then finishes the manufacturing process, and it exits manufacturing mode and then ships to the store/customer. The process of exiting from manufacturing mode does not clear the ZTD key.

https://github.com/microsoft/mu_feature_dfci/blob/7f8ee4c53330cef141b8efe1e2cd91dcabba9f1c/DfciPkg/IdentityAndAuthManager/IdentityAndAuthManagerDxe.c#L71

Does that make sense?
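As an added illustration, not DfciPkg code and not written by anyone in this thread, the following C model walks through the lifecycle Sean describes: a stock build starts with no ZTD decision, manufacturing mode opts it in and installs the key, exiting manufacturing mode leaves the key in place, and only a device that is opted in and out of manufacturing mode satisfies what the DFCI tests expect. The DEVICE struct, DeviceIsManufacturingMode, EvaluateZeroTouchState, FactoryProvision, ReadyForDfciTests and the ZERO_TOUCH_OPT_OUT value are assumptions made for the model; the enum names mirror the ones quoted from IdentityAndAuthManagerDxe.c but their numeric values are invented.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the ZTD lifecycle discussed in this issue. Not DfciPkg code:
 * the names echo the ones quoted in the thread, but the values, the DEVICE struct
 * and the lifecycle helpers are assumptions made for illustration. */
typedef enum {
  ZERO_TOUCH_INACTIVE = 0, /* no ZTD decision recorded, no ZTD key installed */
  ZERO_TOUCH_OPT_IN   = 1, /* ZTD key installed: device is opted in */
  ZERO_TOUCH_OPT_OUT  = 2  /* owner explicitly opted out (assumed value) */
} ZERO_TOUCH_STATE;

/* Persistent device state. In firmware the ZTD key lives in storage that survives
 * reboots and the exit from manufacturing mode; here it is a plain struct field. */
typedef struct {
  bool             ManufacturingMode;
  ZERO_TOUCH_STATE ZtdState;
} DEVICE;

/* Hypothetical stand-in for DfciUiIsManufacturingMode (). In a product this flag
 * must be backed by the manufacturer's cryptographic authority (the thread points
 * at MfciPkg), never a hard-coded TRUE as in the reporter's reproduction. */
static bool DeviceIsManufacturingMode (const DEVICE *Device) {
  return Device->ManufacturingMode;
}

/* Mirrors the decision quoted from IdentityAndAuthManagerDxe.c: a device with no
 * ZTD decision counts as opted in only while in manufacturing mode. Per the thread
 * that opt-in installs the ZTD key, so the model persists it (assumption). */
static ZERO_TOUCH_STATE EvaluateZeroTouchState (DEVICE *Device) {
  ZERO_TOUCH_STATE State = Device->ZtdState;
  if (State == ZERO_TOUCH_INACTIVE && DeviceIsManufacturingMode (Device)) {
    State = ZERO_TOUCH_OPT_IN;
    Device->ZtdState = State;
  }
  return State;
}

/* Factory flow from the thread: enter manufacturing mode, run the manufacturing
 * activity (which evaluates ZTD and installs the key), then exit. Exiting does
 * not clear the key, so the device ships opted in and out of manufacturing mode. */
static void FactoryProvision (DEVICE *Device) {
  Device->ManufacturingMode = true;
  (void)EvaluateZeroTouchState (Device);
  Device->ManufacturingMode = false; /* ZtdState is intentionally left untouched */
}

/* Precondition the DFCI tests expect per the thread: DFCI_InitialState wants a ZTD
 * cert installed, and DFCI_CertChainingTest wants the device out of manufacturing mode. */
static bool ReadyForDfciTests (const DEVICE *Device) {
  return !Device->ManufacturingMode && Device->ZtdState == ZERO_TOUCH_OPT_IN;
}

int main (void) {
  DEVICE Fresh = { false, ZERO_TOUCH_INACTIVE }; /* stock OEM build, never provisioned */
  printf ("fresh build ready for tests: %d\n", ReadyForDfciTests (&Fresh));
  FactoryProvision (&Fresh);
  printf ("after factory flow ready for tests: %d\n", ReadyForDfciTests (&Fresh));

  DEVICE StillInFactory = { true, ZERO_TOUCH_INACTIVE }; /* the reporter's setup */
  (void)EvaluateZeroTouchState (&StillInFactory);
  printf ("still in manufacturing mode ready for tests: %d\n",
          ReadyForDfciTests (&StillInFactory));
  return 0;
}
```

The model makes the two failure modes from the thread explicit: a stock build that never went through the factory flow is opted out and fails DFCI_InitialState, while a build that pins manufacturing mode on gets the key but fails DFCI_CertChainingTest. Only the sequence enter, provision, exit yields the state the test suite is written for.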

NickWangInsyde commented 1 year ago

Hi Sean,

I got your point. I will confirm with my customer and then update you or close this issue. Thanks for the explanation.

makubacki commented 1 year ago

We'll close this for now. @NickWangInsyde, feel free to reopen if any more discussion is needed.