authorGuo Mang <mang.guo@intel.com>2018-04-25 17:23:25 +0800
committerGuo Mang <mang.guo@intel.com>2018-04-25 17:23:25 +0800
commitd33896d88d9d32d516129e92e25b80f8fddc6f7b (patch)
tree8b38b8c52d2305d88d5c484959bbc5fbf3193b34 /Core/SecurityPkg/VariableAuthenticated
parentd937b4f03f776eeec0be8860e99e7f4c487125e8 (diff)
Remove Core Package
Remove Core Package since we will use EDK2 code from the edk2 repository: https://github.com/tianocore/edk2

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Guo Mang <mang.guo@intel.com>
Diffstat (limited to 'Core/SecurityPkg/VariableAuthenticated')
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.c886
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.h151
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.inf105
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.uni22
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSalExtra.uni19
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/InitVariable.c247
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Reclaim.c262
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.c3257
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.h505
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr570
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDevicePath.c38
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c133
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf127
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.uni21
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxeExtra.uni19
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c422
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c4080
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h567
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigMisc.c195
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h133
-rw-r--r--Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni116
21 files changed, 0 insertions, 11875 deletions
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.c b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.c
deleted file mode 100644
index 490a8b3417..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.c
+++ /dev/null
@@ -1,886 +0,0 @@
-/** @file
- Implement authentication services for the authenticated variable
- service in UEFI2.2.
-
-Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "Variable.h"
-#include "AuthService.h"
-
-///
-/// Global database array for scratch
-///
-UINT32 mPubKeyNumber;
-UINT32 mPlatformMode;
-EFI_GUID mSignatureSupport[SIGSUPPORT_NUM] = {EFI_CERT_RSA2048_SHA256_GUID, EFI_CERT_RSA2048_SHA1_GUID};
-//
-// Public Exponent of RSA Key.
-//
-CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
-
-/**
- Initializes for authenticated varibale service.
-
- @retval EFI_SUCCESS The function successfully executed.
- @retval EFI_OUT_OF_RESOURCES Failed to allocate enough memory resources.
-
-**/
-EFI_STATUS
-AutenticatedVariableServiceInitialize (
- VOID
- )
-{
- EFI_STATUS Status;
- VARIABLE_POINTER_TRACK Variable;
- UINT8 VarValue;
- UINT32 VarAttr;
- UINTN DataSize;
- UINTN CtxSize;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN Valid;
-
- ZeroMem (&VariableHeader, sizeof (AUTHENTICATED_VARIABLE_HEADER));
-
- mVariableModuleGlobal->AuthenticatedVariableGuid[Physical] = &gEfiAuthenticatedVariableGuid;
- mVariableModuleGlobal->CertRsa2048Sha256Guid[Physical] = &gEfiCertRsa2048Sha256Guid;
- mVariableModuleGlobal->ImageSecurityDatabaseGuid[Physical] = &gEfiImageSecurityDatabaseGuid;
-
- //
- // Initialize hash context.
- //
- CtxSize = Sha256GetContextSize ();
- mVariableModuleGlobal->HashContext[Physical] = AllocateRuntimePool (CtxSize);
- ASSERT (mVariableModuleGlobal->HashContext[Physical] != NULL);
- //
- // Check "AuthVarKeyDatabase" variable's existence.
- // If it doesn't exist, create a new one with initial value of 0 and EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
- //
- Status = FindVariable (
- mVariableModuleGlobal->VariableName[Physical][VAR_AUTH_KEY_DB],
- &gEfiAuthenticatedVariableGuid,
- &Variable,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance
- );
-
- if (Variable.CurrPtr == 0x0) {
- VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
- VarValue = 0;
- mPubKeyNumber = 0;
- Status = UpdateVariable (
- mVariableModuleGlobal->VariableName[Physical][VAR_AUTH_KEY_DB],
- &gEfiAuthenticatedVariableGuid,
- &VarValue,
- sizeof(UINT8),
- VarAttr,
- 0,
- 0,
- FALSE,
- mVariableModuleGlobal,
- &Variable
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
- } else {
- //
- // Load database in global variable for cache.
- //
- Valid = IsValidVariableHeader (
- Variable.CurrPtr,
- Variable.Volatile,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance,
- &VariableHeader
- );
- ASSERT (Valid);
-
- DataSize = DataSizeOfVariable (&VariableHeader);
- ASSERT (DataSize <= MAX_KEYDB_SIZE);
- GetVariableDataPtr (
- Variable.CurrPtr,
- Variable.Volatile,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance,
- (CHAR16 *) mVariableModuleGlobal->PubKeyStore
- );
-
- mPubKeyNumber = (UINT32) (DataSize / EFI_CERT_TYPE_RSA2048_SIZE);
- }
- //
- // Check "SetupMode" variable's existence.
- // If it doesn't exist, check PK database's existence to determine the value.
- // Then create a new one with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
- //
- Status = FindVariable (
- mVariableModuleGlobal->VariableName[Physical][VAR_SETUP_MODE],
- &gEfiGlobalVariableGuid,
- &Variable,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance
- );
-
- if (Variable.CurrPtr == 0x0) {
- Status = FindVariable (
- mVariableModuleGlobal->VariableName[Physical][VAR_PLATFORM_KEY],
- &gEfiGlobalVariableGuid,
- &Variable,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance
- );
- if (Variable.CurrPtr == 0x0) {
- mPlatformMode = SETUP_MODE;
- } else {
- mPlatformMode = USER_MODE;
- }
-
- VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
- Status = UpdateVariable (
- mVariableModuleGlobal->VariableName[Physical][VAR_SETUP_MODE],
- &gEfiGlobalVariableGuid,
- &mPlatformMode,
- sizeof(UINT8),
- VarAttr,
- 0,
- 0,
- FALSE,
- mVariableModuleGlobal,
- &Variable
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
- } else {
- GetVariableDataPtr (
- Variable.CurrPtr,
- Variable.Volatile,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance,
- (CHAR16 *) &mPlatformMode
- );
- }
- //
- // Check "SignatureSupport" variable's existence.
- // If it doesn't exist, then create a new one with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
- //
- Status = FindVariable (
- EFI_SIGNATURE_SUPPORT_NAME,
- &gEfiGlobalVariableGuid,
- &Variable,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance
- );
-
- if (Variable.CurrPtr == 0x0) {
- VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
- Status = UpdateVariable (
- EFI_SIGNATURE_SUPPORT_NAME,
- &gEfiGlobalVariableGuid,
- mSignatureSupport,
- SIGSUPPORT_NUM * sizeof(EFI_GUID),
- VarAttr,
- 0,
- 0,
- FALSE,
- mVariableModuleGlobal,
- &Variable
- );
- }
-
- return Status;
-}
-
-/**
- Add public key in store and return its index.
-
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] PubKey The input pointer to Public Key data.
-
- @return The index of new added item.
-
-**/
-UINT32
-AddPubKeyInStore (
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN UINT8 *PubKey
- )
-{
- EFI_STATUS Status;
- BOOLEAN IsFound;
- UINT32 Index;
- VARIABLE_POINTER_TRACK Variable;
- UINT8 *Ptr;
-
- if (PubKey == NULL) {
- return 0;
- }
-
- Status = FindVariable (
- Global->VariableName[VirtualMode][VAR_AUTH_KEY_DB],
- Global->AuthenticatedVariableGuid[VirtualMode],
- &Variable,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance
- );
- ASSERT_EFI_ERROR (Status);
- //
- // Check whether the public key entry does exist.
- //
- IsFound = FALSE;
- for (Ptr = Global->PubKeyStore, Index = 1; Index <= mPubKeyNumber; Index++) {
- if (CompareMem (Ptr, PubKey, EFI_CERT_TYPE_RSA2048_SIZE) == 0) {
- IsFound = TRUE;
- break;
- }
- Ptr += EFI_CERT_TYPE_RSA2048_SIZE;
- }
-
- if (!IsFound) {
- //
- // Add public key in database.
- //
- if (mPubKeyNumber == MAX_KEY_NUM) {
- //
- // Notes: Database is full, need enhancement here, currently just return 0.
- //
- return 0;
- }
-
- CopyMem (Global->PubKeyStore + mPubKeyNumber * EFI_CERT_TYPE_RSA2048_SIZE, PubKey, EFI_CERT_TYPE_RSA2048_SIZE);
- Index = ++mPubKeyNumber;
- //
- // Update public key database variable.
- //
- Status = UpdateVariable (
- Global->VariableName[VirtualMode][VAR_AUTH_KEY_DB],
- Global->AuthenticatedVariableGuid[VirtualMode],
- Global->PubKeyStore,
- mPubKeyNumber * EFI_CERT_TYPE_RSA2048_SIZE,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS,
- 0,
- 0,
- VirtualMode,
- Global,
- &Variable
- );
- ASSERT_EFI_ERROR (Status);
- }
-
- return Index;
-}
-
-/**
- Verify data payload with AuthInfo in EFI_CERT_TYPE_RSA2048_SHA256 type.
- Follow the steps in UEFI2.2.
-
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Data The pointer to data with AuthInfo.
- @param[in] DataSize The size of Data.
- @param[in] PubKey The public key used for verification.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_SECURITY_VIOLATION Authentication failed.
- @retval EFI_SUCCESS Authentication successful.
-
-**/
-EFI_STATUS
-VerifyDataPayload (
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN UINT8 *Data,
- IN UINTN DataSize,
- IN UINT8 *PubKey
- )
-{
- BOOLEAN Status;
- EFI_VARIABLE_AUTHENTICATION *CertData;
- EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlock;
- UINT8 Digest[SHA256_DIGEST_SIZE];
- VOID *Rsa;
- VOID *HashContext;
-
- Rsa = NULL;
- CertData = NULL;
- CertBlock = NULL;
-
- if (Data == NULL || PubKey == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- CertData = (EFI_VARIABLE_AUTHENTICATION *) Data;
- CertBlock = (EFI_CERT_BLOCK_RSA_2048_SHA256 *) (CertData->AuthInfo.CertData);
-
- //
- // wCertificateType should be WIN_CERT_TYPE_EFI_GUID.
- // Cert type should be EFI_CERT_TYPE_RSA2048_SHA256.
- //
- if ((CertData->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) ||
- !CompareGuid (&CertData->AuthInfo.CertType, Global->CertRsa2048Sha256Guid[VirtualMode])
- ) {
- //
- // Invalid AuthInfo type, return EFI_SECURITY_VIOLATION.
- //
- return EFI_SECURITY_VIOLATION;
- }
-
- //
- // Hash data payload with SHA256.
- //
- ZeroMem (Digest, SHA256_DIGEST_SIZE);
- HashContext = Global->HashContext[VirtualMode];
- Status = Sha256Init (HashContext);
- if (!Status) {
- goto Done;
- }
- Status = Sha256Update (HashContext, Data + AUTHINFO_SIZE, (UINTN) (DataSize - AUTHINFO_SIZE));
- if (!Status) {
- goto Done;
- }
- //
- // Hash Monotonic Count.
- //
- Status = Sha256Update (HashContext, &CertData->MonotonicCount, sizeof (UINT64));
- if (!Status) {
- goto Done;
- }
- Status = Sha256Final (HashContext, Digest);
- if (!Status) {
- goto Done;
- }
- //
- // Generate & Initialize RSA Context.
- //
- Rsa = RsaNew ();
- ASSERT (Rsa != NULL);
- //
- // Set RSA Key Components.
- // NOTE: Only N and E are needed to be set as RSA public key for signature verification.
- //
- Status = RsaSetKey (Rsa, RsaKeyN, PubKey, EFI_CERT_TYPE_RSA2048_SIZE);
- if (!Status) {
- goto Done;
- }
- Status = RsaSetKey (Rsa, RsaKeyE, mRsaE, sizeof (mRsaE));
- if (!Status) {
- goto Done;
- }
- //
- // Verify the signature.
- //
- Status = RsaPkcs1Verify (
- Rsa,
- Digest,
- SHA256_DIGEST_SIZE,
- CertBlock->Signature,
- EFI_CERT_TYPE_RSA2048_SHA256_SIZE
- );
-
-Done:
- if (Rsa != NULL) {
- RsaFree (Rsa);
- }
- if (Status) {
- return EFI_SUCCESS;
- } else {
- return EFI_SECURITY_VIOLATION;
- }
-}
-
-
-/**
- Update platform mode.
-
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Mode SETUP_MODE or USER_MODE.
-
-**/
-VOID
-UpdatePlatformMode (
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN UINT32 Mode
- )
-{
- EFI_STATUS Status;
- VARIABLE_POINTER_TRACK Variable;
- UINT32 VarAttr;
-
- Status = FindVariable (
- Global->VariableName[VirtualMode][VAR_SETUP_MODE],
- Global->GlobalVariableGuid[VirtualMode],
- &Variable,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance
- );
- ASSERT_EFI_ERROR (Status);
-
- mPlatformMode = Mode;
- VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
- Status = UpdateVariable (
- Global->VariableName[VirtualMode][VAR_SETUP_MODE],
- Global->GlobalVariableGuid[VirtualMode],
- &mPlatformMode,
- sizeof(UINT8),
- VarAttr,
- 0,
- 0,
- VirtualMode,
- Global,
- &Variable
- );
- ASSERT_EFI_ERROR (Status);
-}
-
-/**
- Process variable with platform key for verification.
-
- @param[in] VariableName The name of Variable to be found.
- @param[in] VendorGuid The variable vendor GUID.
- @param[in] Data The data pointer.
- @param[in] DataSize The size of Data found. If size is less than the
- data, this value contains the required size.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
- @param[in] Attributes The attribute value of the variable.
- @param[in] IsPk Indicates whether to process pk.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
- check carried out by the firmware.
- @retval EFI_SUCCESS The variable passed validation successfully.
-
-**/
-EFI_STATUS
-ProcessVarWithPk (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable,
- IN UINT32 Attributes OPTIONAL,
- IN BOOLEAN IsPk
- )
-{
- EFI_STATUS Status;
- VARIABLE_POINTER_TRACK PkVariable;
- EFI_SIGNATURE_LIST *OldPkList;
- EFI_SIGNATURE_DATA *OldPkData;
- EFI_VARIABLE_AUTHENTICATION *CertData;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN Valid;
-
- OldPkList = NULL;
- ZeroMem (&VariableHeader, sizeof (AUTHENTICATED_VARIABLE_HEADER));
-
- if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0) {
- //
- // PK and KEK should set EFI_VARIABLE_NON_VOLATILE attribute.
- //
- return EFI_INVALID_PARAMETER;
- }
-
- if (mPlatformMode == USER_MODE) {
- if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) == 0) {
- //
- // In user mode, PK and KEK should set EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS attribute.
- //
- return EFI_INVALID_PARAMETER;
- }
-
- CertData = (EFI_VARIABLE_AUTHENTICATION *) Data;
-
- if (Variable->CurrPtr != 0x0) {
- Valid = IsValidVariableHeader (
- Variable->CurrPtr,
- Variable->Volatile,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance,
- &VariableHeader
- );
- ASSERT (Valid);
-
- if (CertData->MonotonicCount <= VariableHeader.MonotonicCount) {
- //
- // Monotonic count check fail, suspicious replay attack, return EFI_SECURITY_VIOLATION.
- //
- return EFI_SECURITY_VIOLATION;
- }
- }
- //
- // Get platform key from variable.
- //
- Status = FindVariable (
- Global->VariableName[VirtualMode][VAR_PLATFORM_KEY],
- Global->GlobalVariableGuid[VirtualMode],
- &PkVariable,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance
- );
- ASSERT_EFI_ERROR (Status);
-
- ZeroMem (Global->KeyList, MAX_KEYDB_SIZE);
- GetVariableDataPtr (
- PkVariable.CurrPtr,
- PkVariable.Volatile,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance,
- (CHAR16 *) Global->KeyList
- );
-
- OldPkList = (EFI_SIGNATURE_LIST *) Global->KeyList;
- OldPkData = (EFI_SIGNATURE_DATA *) ((UINT8 *) OldPkList + sizeof (EFI_SIGNATURE_LIST) + OldPkList->SignatureHeaderSize);
- Status = VerifyDataPayload (VirtualMode, Global, Data, DataSize, OldPkData->SignatureData);
- if (!EFI_ERROR (Status)) {
- Status = UpdateVariable (
- VariableName,
- VendorGuid,
- (UINT8*)Data + AUTHINFO_SIZE,
- DataSize - AUTHINFO_SIZE,
- Attributes,
- 0,
- CertData->MonotonicCount,
- VirtualMode,
- Global,
- Variable
- );
-
- if (!EFI_ERROR (Status)) {
- //
- // If delete PK in user mode, need change to setup mode.
- //
- if ((DataSize == AUTHINFO_SIZE) && IsPk) {
- UpdatePlatformMode (VirtualMode, Global, SETUP_MODE);
- }
- }
- }
- } else {
- Status = UpdateVariable (VariableName, VendorGuid, Data, DataSize, Attributes, 0, 0, VirtualMode, Global, Variable);
- //
- // If enroll PK in setup mode, need change to user mode.
- //
- if ((DataSize != 0) && IsPk) {
- UpdatePlatformMode (VirtualMode, Global, USER_MODE);
- }
- }
-
- return Status;
-}
-
-/**
- Process variable with key exchange key for verification.
-
- @param[in] VariableName The name of Variable to be found.
- @param[in] VendorGuid The variable vendor GUID.
- @param[in] Data The data pointer.
- @param[in] DataSize The size of Data found. If size is less than the
- data, this value contains the required size.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
- @param[in] Attributes The attribute value of the variable.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_SECURITY_VIOLATION The variable did NOT pass the validation
- check carried out by the firmware.
- @retval EFI_SUCCESS The variable passed validation successfully.
-
-**/
-EFI_STATUS
-ProcessVarWithKek (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable,
- IN UINT32 Attributes OPTIONAL
- )
-{
- EFI_STATUS Status;
- VARIABLE_POINTER_TRACK KekVariable;
- EFI_SIGNATURE_LIST *KekList;
- EFI_SIGNATURE_DATA *KekItem;
- UINT32 KekCount;
- EFI_VARIABLE_AUTHENTICATION *CertData;
- EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlock;
- BOOLEAN IsFound;
- UINT32 Index;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN Valid;
-
- KekList = NULL;
- ZeroMem (&VariableHeader, sizeof (AUTHENTICATED_VARIABLE_HEADER));
-
- if (mPlatformMode == USER_MODE) {
- if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) == 0) {
- //
- // In user mode, should set EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS attribute.
- //
- return EFI_INVALID_PARAMETER;
- }
-
- CertData = (EFI_VARIABLE_AUTHENTICATION *) Data;
- CertBlock = (EFI_CERT_BLOCK_RSA_2048_SHA256 *) (CertData->AuthInfo.CertData);
- if (Variable->CurrPtr != 0x0) {
- Valid = IsValidVariableHeader (
- Variable->CurrPtr,
- Variable->Volatile,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance,
- &VariableHeader
- );
- ASSERT (Valid);
-
- if (CertData->MonotonicCount <= VariableHeader.MonotonicCount) {
- //
- // Monotonic count check fail, suspicious replay attack, return EFI_SECURITY_VIOLATION.
- //
- return EFI_SECURITY_VIOLATION;
- }
- }
- //
- // Get KEK database from variable.
- //
- Status = FindVariable (
- Global->VariableName[VirtualMode][VAR_KEY_EXCHANGE_KEY],
- Global->GlobalVariableGuid[VirtualMode],
- &KekVariable,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance
- );
- ASSERT_EFI_ERROR (Status);
-
- ZeroMem (Global->KeyList, MAX_KEYDB_SIZE);
- GetVariableDataPtr (
- KekVariable.CurrPtr,
- KekVariable.Volatile,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance,
- (CHAR16 *) Global->KeyList
- );
- //
- // Enumerate all Kek items in this list to verify the variable certificate data.
- // If anyone is authenticated successfully, it means the variable is correct!
- //
- KekList = (EFI_SIGNATURE_LIST *) Global->KeyList;
- IsFound = FALSE;
- KekCount = (KekList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - KekList->SignatureHeaderSize) / KekList->SignatureSize;
- KekItem = (EFI_SIGNATURE_DATA *) ((UINT8 *) KekList + sizeof (EFI_SIGNATURE_LIST) + KekList->SignatureHeaderSize);
- for (Index = 0; Index < KekCount; Index++) {
- if (CompareMem (KekItem->SignatureData, CertBlock->PublicKey, EFI_CERT_TYPE_RSA2048_SIZE) == 0) {
- IsFound = TRUE;
- break;
- }
- KekItem = (EFI_SIGNATURE_DATA *) ((UINT8 *) KekItem + KekList->SignatureSize);
- }
-
- if (!IsFound) {
- return EFI_SECURITY_VIOLATION;
- }
-
- Status = VerifyDataPayload (VirtualMode, Global, Data, DataSize, CertBlock->PublicKey);
- if (!EFI_ERROR (Status)) {
- Status = UpdateVariable (
- VariableName,
- VendorGuid,
- (UINT8*)Data + AUTHINFO_SIZE,
- DataSize - AUTHINFO_SIZE,
- Attributes,
- 0,
- CertData->MonotonicCount,
- VirtualMode,
- Global,
- Variable
- );
- }
- } else {
- //
- // If in setup mode, no authentication needed.
- //
- Status = UpdateVariable (
- VariableName,
- VendorGuid,
- Data,
- DataSize,
- Attributes,
- 0,
- 0,
- VirtualMode,
- Global,
- Variable
- );
- }
-
- return Status;
-}
-
-/**
- Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set, and return the index of associated public key.
-
- @param[in] Data The data pointer.
- @param[in] DataSize The size of Data found. If size is less than the
- data, this value contains the required size.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
- @param[in] Attributes The attribute value of the variable.
- @param[out] KeyIndex The output index of corresponding public key in database.
- @param[out] MonotonicCount The output value of corresponding Monotonic Count.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_WRITE_PROTECTED The variable is write-protected and needs authentication with
- EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
- @retval EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
- set, but the AuthInfo does NOT pass the validation
- check carried out by the firmware.
- @retval EFI_SUCCESS The variable is not write-protected, or passed validation successfully.
-
-**/
-EFI_STATUS
-VerifyVariable (
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable,
- IN UINT32 Attributes OPTIONAL,
- OUT UINT32 *KeyIndex OPTIONAL,
- OUT UINT64 *MonotonicCount OPTIONAL
- )
-{
- EFI_STATUS Status;
- BOOLEAN IsDeletion;
- BOOLEAN IsFirstTime;
- UINT8 *PubKey;
- EFI_VARIABLE_AUTHENTICATION *CertData;
- EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlock;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN Valid;
-
- CertData = NULL;
- CertBlock = NULL;
- PubKey = NULL;
- IsDeletion = FALSE;
- Valid = FALSE;
-
- if (KeyIndex != NULL) {
- *KeyIndex = 0;
- }
- //
- // Determine if first time SetVariable with the EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS.
- //
- ZeroMem (&VariableHeader, sizeof (AUTHENTICATED_VARIABLE_HEADER));
- if (Variable->CurrPtr != 0x0) {
- Valid = IsValidVariableHeader (
- Variable->CurrPtr,
- Variable->Volatile,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance,
- &VariableHeader
- );
- ASSERT (Valid);
- }
-
- if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {
- if (KeyIndex == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Determine current operation type.
- //
- if (DataSize == AUTHINFO_SIZE) {
- IsDeletion = TRUE;
- }
- //
- // Determine whether this is the first time with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
- //
- if (Variable->CurrPtr == 0x0) {
- IsFirstTime = TRUE;
- } else if (Valid &&(VariableHeader.Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) == 0) {
- IsFirstTime = TRUE;
- } else {
- *KeyIndex = VariableHeader.PubKeyIndex;
- IsFirstTime = FALSE;
- }
- } else if (Valid && (VariableHeader.Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {
- //
- // If the variable is already write-protected, it always needs authentication before update.
- //
- return EFI_WRITE_PROTECTED;
- } else {
- //
- // If without EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS, set and attributes collision.
- // That means it is not authenticated variable, just return EFI_SUCCESS.
- //
- return EFI_SUCCESS;
- }
-
- //
- // Get PubKey and check Monotonic Count value corresponding to the variable.
- //
- CertData = (EFI_VARIABLE_AUTHENTICATION *) Data;
- CertBlock = (EFI_CERT_BLOCK_RSA_2048_SHA256 *) (CertData->AuthInfo.CertData);
- PubKey = CertBlock->PublicKey;
-
- if (MonotonicCount != NULL) {
- //
- // Update Monotonic Count value.
- //
- *MonotonicCount = CertData->MonotonicCount;
- }
-
- if (!IsFirstTime) {
- //
- // Check input PubKey.
- //
- if (CompareMem (PubKey, Global->PubKeyStore + (*KeyIndex - 1) * EFI_CERT_TYPE_RSA2048_SIZE, EFI_CERT_TYPE_RSA2048_SIZE) != 0) {
- return EFI_SECURITY_VIOLATION;
- }
- //
- // Compare the current monotonic count and ensure that it is greater than the last SetVariable
- // operation with the EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS attribute set.
- //
- if (CertData->MonotonicCount <= VariableHeader.MonotonicCount) {
- //
- // Monotonic count check fail, suspicious replay attack, return EFI_SECURITY_VIOLATION.
- //
- return EFI_SECURITY_VIOLATION;
- }
- }
- //
- // Verify the certificate in Data payload.
- //
- Status = VerifyDataPayload (VirtualMode, Global, Data, DataSize, PubKey);
- if (!EFI_ERROR (Status)) {
- //
- // Now, the signature has been verified!
- //
- if (IsFirstTime && !IsDeletion) {
- //
- // Update public key database variable if need and return the index.
- //
- *KeyIndex = AddPubKeyInStore (VirtualMode, Global, PubKey);
- }
- }
-
- return Status;
-}
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.h b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.h
deleted file mode 100644
index f3e15f61e2..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.h
+++ /dev/null
@@ -1,151 +0,0 @@
-/** @file
- The internal header file includes the common header files, defines
- internal structure and functions used by AuthService module.
-
-Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef _AUTHSERVICE_H_
-#define _AUTHSERVICE_H_
-
-#define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256
-#define EFI_CERT_TYPE_RSA2048_SIZE 256
-
-///
-/// Size of AuthInfo prior to the data payload
-///
-#define AUTHINFO_SIZE (((UINTN)(((EFI_VARIABLE_AUTHENTICATION *) 0)->AuthInfo.CertData)) + sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
-
-///
-/// Item number of support signature types.
-///
-#define SIGSUPPORT_NUM 2
-
-/**
- Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set, and return the index of associated public key.
-
- @param[in] Data The data pointer.
- @param[in] DataSize The size of Data found. If size is less than the
- data, this value contains the required size.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
- @param[in] Attributes The attribute value of the variable.
- @param[out] KeyIndex The output index of corresponding public key in database.
- @param[out] MonotonicCount The output value of corresponding Monotonic Count.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_WRITE_PROTECTED The variable is write-protected and needs authentication with
- EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
- @retval EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
- set, but the AuthInfo does NOT pass the validation
- check carried out by the firmware.
- @retval EFI_SUCCESS The variable is not write-protected, or passed validation successfully.
-
-**/
-EFI_STATUS
-VerifyVariable (
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable,
- IN UINT32 Attributes OPTIONAL,
- OUT UINT32 *KeyIndex OPTIONAL,
- OUT UINT64 *MonotonicCount OPTIONAL
- );
-
-/**
- Initializes for authenticated varibale service.
-
- @retval EFI_SUCCESS The function successfully executed.
- @retval EFI_OUT_OF_RESOURCES Failed to allocate enough memory resources.
-
-**/
-EFI_STATUS
-AutenticatedVariableServiceInitialize (
- VOID
- );
-
-/**
- Initializes for cryptlib service before use, include register algrithm and allocate scratch.
-
-**/
-VOID
-CryptLibraryInitialize (
- VOID
- );
-
-/**
- Process variable with platform key for verification.
-
- @param[in] VariableName The name of Variable to be found.
- @param[in] VendorGuid Variable vendor GUID.
- @param[in] Data The data pointer.
- @param[in] DataSize The size of Data found. If size is less than the
- data, this value contains the required size.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
- @param[in] Attributes The attribute value of the variable.
- @param[in] IsPk Indicates whether to process pk.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
- check carried out by the firmware.
- @retval EFI_SUCCESS The variable passed validation successfully.
-
-**/
-EFI_STATUS
-ProcessVarWithPk (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable,
- IN UINT32 Attributes OPTIONAL,
- IN BOOLEAN IsPk
- );
-
-/**
- Process variable with key exchange key for verification.
-
- @param[in] VariableName The name of Variable to be found.
- @param[in] VendorGuid The variable vendor GUID.
- @param[in] Data The data pointer.
- @param[in] DataSize Size of Data found. If size is less than the
- data, this value contains the required size.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
- @param[in] Attributes The attribute value of the variable.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
- check carried out by the firmware.
- @retval EFI_SUCCESS The variable passed validation successfully.
-
-**/
-EFI_STATUS
-ProcessVarWithKek (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable,
- IN UINT32 Attributes OPTIONAL
- );
-
-#endif
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.inf b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.inf
deleted file mode 100644
index 16caa30dad..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.inf
+++ /dev/null
@@ -1,105 +0,0 @@
-## @file
-# Provides authenticated variable service for IPF platform
-#
-# This module installs variable arch protocol and variable write arch protocol to provide
-# four EFI_RUNTIME_SERVICES: SetVariable, GetVariable, GetNextVariableName and QueryVariableInfo.
-#
-# Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-##
-
-[Defines]
- INF_VERSION = 0x00010005
- BASE_NAME = EsalVariableDxeSal
- MODULE_UNI_FILE = EsalVariableDxeSal.uni
- FILE_GUID = 14610837-4E97-4427-96E0-21D9B2956996
- MODULE_TYPE = DXE_SAL_DRIVER
- VERSION_STRING = 1.0
-
- ENTRY_POINT = VariableServiceInitialize
-
-#
-# The following information is for reference only and not required by the build tools.
-#
-# VALID_ARCHITECTURES = IPF
-#
-# VIRTUAL_ADDRESS_MAP_CALLBACK = VariableClassAddressChangeEvent
-#
-
-[Sources.common]
- InitVariable.c
- Reclaim.c
- Variable.c
- Variable.h
- AuthService.c
- AuthService.h
-
-[Packages]
- MdePkg/MdePkg.dec
- MdeModulePkg/MdeModulePkg.dec
- CryptoPkg/CryptoPkg.dec
- SecurityPkg/SecurityPkg.dec
-
-[LibraryClasses]
- MemoryAllocationLib
- BaseLib
- SynchronizationLib
- UefiLib
- UefiBootServicesTableLib
- BaseMemoryLib
- DebugLib
- UefiRuntimeLib
- DxeServicesTableLib
- UefiDriverEntryPoint
- PcdLib
- ExtendedSalLib
- BaseCryptLib
- HobLib
-
-[Protocols]
- gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES
- gEfiFaultTolerantWriteProtocolGuid ## SOMETIMES_CONSUMES
-
-[Guids]
- ## SOMETIMES_CONSUMES ## Variable:L"PK"
- ## CONSUMES ## Variable:L"SetupMode"
- ## PRODUCES ## Variable:L"SetupMode"
- ## CONSUMES ## Variable:L"SignatureSupport"
- ## PRODUCES ## Variable:L"SignatureSupport"
- gEfiGlobalVariableGuid
-
- ## PRODUCES ## GUID # Variable store header
- ## CONSUMES ## GUID # Variable store header
- ## SOMETIMES_CONSUMES ## HOB
- ## SOMETIMES_PRODUCES ## SystemTable
- gEfiAuthenticatedVariableGuid
-
- gEfiEventVirtualAddressChangeGuid ## CONSUMES ## Event
- gEfiCertRsa2048Sha256Guid ## CONSUMES ## GUID # Unique ID for the format of the CertType.
-
- ## SOMETIMES_CONSUMES ## Variable:L"DB"
- ## SOMETIMES_CONSUMES ## Variable:L"DBX"
- gEfiImageSecurityDatabaseGuid
-
-[Pcd.common]
- gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize ## CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase ## SOMETIMES_CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize ## CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdMaxHardwareErrorVariableSize ## CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize ## CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdHwErrStorageSize ## CONSUMES
-
-[FeaturePcd.common]
- gEfiMdeModulePkgTokenSpaceGuid.PcdVariableCollectStatistics ## CONSUMES # statistic the information of variable.
-
-[Depex]
- gEfiExtendedSalFvBlockServicesProtocolGuid AND gEfiFaultTolerantWriteProtocolGuid
-
-[UserExtensions.TianoCore."ExtraFiles"]
- EsalVariableDxeSalExtra.uni
\ No newline at end of file
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.uni b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.uni
deleted file mode 100644
index 08588fc10d..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.uni
+++ /dev/null
@@ -1,22 +0,0 @@
-// /** @file
-// Provides authenticated variable service for IPF platform
-//
-// This module installs variable arch protocol and variable write arch protocol to provide
-// four EFI_RUNTIME_SERVICES: SetVariable, GetVariable, GetNextVariableName and QueryVariableInfo.
-//
-// Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
-//
-// This program and the accompanying materials
-// are licensed and made available under the terms and conditions of the BSD License
-// which accompanies this distribution. The full text of the license may be found at
-// http://opensource.org/licenses/bsd-license.php
-// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-//
-// **/
-
-
-#string STR_MODULE_ABSTRACT #language en-US "Provides authenticated variable service for IPF platform"
-
-#string STR_MODULE_DESCRIPTION #language en-US "This module installs variable arch protocol and variable write arch protocol to provide four EFI_RUNTIME_SERVICES: SetVariable, GetVariable, GetNextVariableName and QueryVariableInfo."
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSalExtra.uni b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSalExtra.uni
deleted file mode 100644
index cb65895210..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSalExtra.uni
+++ /dev/null
@@ -1,19 +0,0 @@
-// /** @file
-// EsalVariableDxeSal Localized Strings and Content
-//
-// Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
-//
-// This program and the accompanying materials
-// are licensed and made available under the terms and conditions of the BSD License
-// which accompanies this distribution. The full text of the license may be found at
-// http://opensource.org/licenses/bsd-license.php
-// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-//
-// **/
-
-#string STR_PROPERTIES_MODULE_NAME
-#language en-US
-"Esal Authenticated Variable DXE"
-
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/InitVariable.c b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/InitVariable.c
deleted file mode 100644
index 0f1d645622..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/InitVariable.c
+++ /dev/null
@@ -1,247 +0,0 @@
-/** @file
- Entrypoint of Extended SAL variable service module.
-
-Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "Variable.h"
-#include "AuthService.h"
-
-//
-// Don't use module globals after the SetVirtualAddress map is signaled
-//
-EFI_EVENT mEfiVirtualNotifyEvent;
-
-/**
- Common entry for Extended SAL Variable Services Class.
-
- This is the common entry of all functions of Extended SAL Variable Services Class.
-
- @param[in] FunctionId The Function ID of member function in Extended SAL Variable Services Class.
- @param[in] Arg2 The 2nd parameter for SAL procedure call.
- @param[in] Arg3 The 3rd parameter for SAL procedure call.
- @param[in] Arg4 The 4th parameter for SAL procedure call.
- @param[in] Arg5 The 5th parameter for SAL procedure call.
- @param[in] Arg6 The 6th parameter for SAL procedure call.
- @param[in] Arg7 The 7th parameter for SAL procedure call.
- @param[in] Arg8 The 8th parameter for SAL procedure call.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
-
- @return The register of SAL.
-
-**/
-SAL_RETURN_REGS
-EFIAPI
-EsalVariableCommonEntry (
- IN UINT64 FunctionId,
- IN UINT64 Arg2,
- IN UINT64 Arg3,
- IN UINT64 Arg4,
- IN UINT64 Arg5,
- IN UINT64 Arg6,
- IN UINT64 Arg7,
- IN UINT64 Arg8,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- )
-{
- SAL_RETURN_REGS ReturnVal;
-
- ReturnVal.r9 = 0;
- ReturnVal.r10 = 0;
- ReturnVal.r11 = 0;
-
- switch (FunctionId) {
- case EsalGetVariableFunctionId:
- ReturnVal.Status = EsalGetVariable (
- (CHAR16 *) Arg2,
- (EFI_GUID *) Arg3,
- (UINT32 *) Arg4,
- (UINTN *) Arg5,
- (VOID *) Arg6,
- VirtualMode,
- Global
- );
- return ReturnVal;
-
- case EsalGetNextVariableNameFunctionId:
- ReturnVal.Status = EsalGetNextVariableName (
- (UINTN *) Arg2,
- (CHAR16 *) Arg3,
- (EFI_GUID *) Arg4,
- VirtualMode,
- Global
- );
- return ReturnVal;
-
- case EsalSetVariableFunctionId:
- ReturnVal.Status = EsalSetVariable (
- (CHAR16 *) Arg2,
- (EFI_GUID *) Arg3,
- (UINT32) Arg4,
- (UINTN) Arg5,
- (VOID *) Arg6,
- VirtualMode,
- Global
- );
- return ReturnVal;
-
- case EsalQueryVariableInfoFunctionId:
- ReturnVal.Status = EsalQueryVariableInfo (
- (UINT32) Arg2,
- (UINT64 *) Arg3,
- (UINT64 *) Arg4,
- (UINT64 *) Arg5,
- VirtualMode,
- Global
- );
- return ReturnVal;
-
- default:
- ReturnVal.Status = EFI_SAL_INVALID_ARGUMENT;
- return ReturnVal;
- }
-}
-
-/**
- Notification function of EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE.
-
- This is a notification function registered on EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event.
- It convers pointer to new virtual address.
-
- @param[in] Event The event whose notification function is being invoked.
- @param[in] Context The pointer to the notification function's context.
-
-**/
-VOID
-EFIAPI
-VariableClassAddressChangeEvent (
- IN EFI_EVENT Event,
- IN VOID *Context
- )
-{
- UINTN Index;
-
- CopyMem (
- &mVariableModuleGlobal->VariableGlobal[Virtual],
- &mVariableModuleGlobal->VariableGlobal[Physical],
- sizeof (VARIABLE_GLOBAL)
- );
-
- EfiConvertPointer (
- 0x0,
- (VOID **) &mVariableModuleGlobal->VariableGlobal[Virtual].NonVolatileVariableBase
- );
- EfiConvertPointer (
- 0x0,
- (VOID **) &mVariableModuleGlobal->VariableGlobal[Virtual].VolatileVariableBase
- );
-
- mVariableModuleGlobal->PlatformLangCodes[Virtual] = mVariableModuleGlobal->PlatformLangCodes[Physical];
- EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->PlatformLangCodes[Virtual]);
-
- mVariableModuleGlobal->LangCodes[Virtual] = mVariableModuleGlobal->LangCodes[Physical];
- EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->LangCodes[Virtual]);
-
- mVariableModuleGlobal->PlatformLang[Virtual] = mVariableModuleGlobal->PlatformLang[Physical];
- EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->PlatformLang[Virtual]);
-
- CopyMem (
- mVariableModuleGlobal->VariableName[Virtual],
- mVariableModuleGlobal->VariableName[Physical],
- sizeof (mVariableModuleGlobal->VariableName[Physical])
- );
- for (Index = 0; Index < NUM_VAR_NAME; Index++) {
- EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->VariableName[Virtual][Index]);
- }
-
- mVariableModuleGlobal->GlobalVariableGuid[Virtual] = &gEfiGlobalVariableGuid;
- EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->GlobalVariableGuid[Virtual]);
-
- mVariableModuleGlobal->AuthenticatedVariableGuid[Virtual] = &gEfiAuthenticatedVariableGuid;
- EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->AuthenticatedVariableGuid[Virtual]);
-
- mVariableModuleGlobal->CertRsa2048Sha256Guid[Virtual] = &gEfiCertRsa2048Sha256Guid;
- EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->CertRsa2048Sha256Guid[Virtual]);
-
- mVariableModuleGlobal->ImageSecurityDatabaseGuid[Virtual] = &gEfiImageSecurityDatabaseGuid;
- EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->ImageSecurityDatabaseGuid[Virtual]);
-
- mVariableModuleGlobal->HashContext[Virtual] = mVariableModuleGlobal->HashContext[Physical];
- EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->HashContext[Virtual]);
-}
-
-/**
- Entry point of Extended SAL Variable service module.
-
- This function is the entry point of Extended SAL Variable service module.
- It registers all functions of Extended SAL Variable class, initializes
- variable store for non-volatile and volatile variables, and registers
- notification function for EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event.
-
- @param[in] ImageHandle The Image handle of this driver.
- @param[in] SystemTable The pointer of EFI_SYSTEM_TABLE.
-
- @retval EFI_SUCCESS Extended SAL Variable Services Class successfully registered.
-
-**/
-EFI_STATUS
-EFIAPI
-VariableServiceInitialize (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- )
-{
- EFI_STATUS Status;
-
- Status = gBS->CreateEventEx (
- EVT_NOTIFY_SIGNAL,
- TPL_NOTIFY,
- VariableClassAddressChangeEvent,
- NULL,
- &gEfiEventVirtualAddressChangeGuid,
- &mEfiVirtualNotifyEvent
- );
-
- ASSERT_EFI_ERROR (Status);
-
- Status = VariableCommonInitialize (ImageHandle, SystemTable);
- ASSERT_EFI_ERROR (Status);
-
- //
- // Authenticated variable initialize
- //
- Status = AutenticatedVariableServiceInitialize ();
- ASSERT_EFI_ERROR (Status);
-
- FlushHob2Nv ();
-
- //
- // Register All the Functions with Extended SAL Variable Services Class
- //
- RegisterEsalClass (
- EFI_EXTENDED_SAL_VARIABLE_SERVICES_PROTOCOL_GUID_LO,
- EFI_EXTENDED_SAL_VARIABLE_SERVICES_PROTOCOL_GUID_HI,
- mVariableModuleGlobal,
- EsalVariableCommonEntry,
- EsalGetVariableFunctionId,
- EsalVariableCommonEntry,
- EsalGetNextVariableNameFunctionId,
- EsalVariableCommonEntry,
- EsalSetVariableFunctionId,
- EsalVariableCommonEntry,
- EsalQueryVariableInfoFunctionId,
- NULL
- );
-
- return EFI_SUCCESS;
-}
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Reclaim.c b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Reclaim.c
deleted file mode 100644
index 1cbf9ac877..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Reclaim.c
+++ /dev/null
@@ -1,262 +0,0 @@
-/** @file
- Handles non-volatile variable store garbage collection, using FTW
- (Fault Tolerant Write) protocol.
-
-Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "Variable.h"
-
-/**
- Gets firmware volume block handle by given address.
-
- This function gets firmware volume block handle whose
- address range contains the parameter Address.
-
- @param[in] Address Address which should be contained
- by returned FVB handle.
- @param[out] FvbHandle Pointer to FVB handle for output.
-
- @retval EFI_SUCCESS FVB handle successfully returned.
- @retval EFI_NOT_FOUND Failed to find FVB handle by address.
-
-**/
-EFI_STATUS
-GetFvbHandleByAddress (
- IN EFI_PHYSICAL_ADDRESS Address,
- OUT EFI_HANDLE *FvbHandle
- )
-{
- EFI_STATUS Status;
- EFI_HANDLE *HandleBuffer;
- UINTN HandleCount;
- UINTN Index;
- EFI_PHYSICAL_ADDRESS FvbBaseAddress;
- EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL *Fvb;
- EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader;
-
- *FvbHandle = NULL;
- //
- // Locate all handles with Firmware Volume Block protocol
- //
- Status = gBS->LocateHandleBuffer (
- ByProtocol,
- &gEfiFirmwareVolumeBlockProtocolGuid,
- NULL,
- &HandleCount,
- &HandleBuffer
- );
- if (EFI_ERROR (Status)) {
- return EFI_NOT_FOUND;
- }
- //
- // Traverse all the handles, searching for the one containing parameter Address
- //
- for (Index = 0; Index < HandleCount; Index += 1) {
- Status = gBS->HandleProtocol (
- HandleBuffer[Index],
- &gEfiFirmwareVolumeBlockProtocolGuid,
- (VOID **) &Fvb
- );
- if (EFI_ERROR (Status)) {
- Status = EFI_NOT_FOUND;
- break;
- }
- //
- // Checks if the address range of this handle contains parameter Address
- //
- Status = Fvb->GetPhysicalAddress (Fvb, &FvbBaseAddress);
- if (EFI_ERROR (Status)) {
- continue;
- }
-
- FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER *) ((UINTN) FvbBaseAddress);
- if ((Address >= FvbBaseAddress) && (Address <= (FvbBaseAddress + FwVolHeader->FvLength))) {
- *FvbHandle = HandleBuffer[Index];
- Status = EFI_SUCCESS;
- break;
- }
- }
-
- FreePool (HandleBuffer);
- return Status;
-}
-
-/**
- Gets LBA of block and offset by given address.
-
- This function gets the Logical Block Address (LBA) of firmware
- volume block containing the given address, and the offset of
- address on the block.
-
- @param[in] Address Address which should be contained
- by returned FVB handle.
- @param[out] Lba The pointer to LBA for output.
- @param[out] Offset The pointer to offset for output.
-
- @retval EFI_SUCCESS LBA and offset successfully returned.
- @retval EFI_NOT_FOUND Failed to find FVB handle by address.
- @retval EFI_ABORTED Failed to find valid LBA and offset.
-
-**/
-EFI_STATUS
-GetLbaAndOffsetByAddress (
- IN EFI_PHYSICAL_ADDRESS Address,
- OUT EFI_LBA *Lba,
- OUT UINTN *Offset
- )
-{
- EFI_STATUS Status;
- EFI_HANDLE FvbHandle;
- EFI_PHYSICAL_ADDRESS FvbBaseAddress;
- EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL *Fvb;
- EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader;
- EFI_FV_BLOCK_MAP_ENTRY *FvbMapEntry;
- UINT32 LbaIndex;
-
- *Lba = (EFI_LBA) (-1);
- *Offset = 0;
-
- //
- // Gets firmware volume block handle by given address.
- //
- Status = GetFvbHandleByAddress (Address, &FvbHandle);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- Status = gBS->HandleProtocol (
- FvbHandle,
- &gEfiFirmwareVolumeBlockProtocolGuid,
- (VOID **) &Fvb
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
- //
- // Get the Base Address of FV
- //
- Status = Fvb->GetPhysicalAddress (Fvb, &FvbBaseAddress);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER *) ((UINTN) FvbBaseAddress);
-
- //
- // Get the (LBA, Offset) of Address
- //
- if ((Address >= FvbBaseAddress) && (Address <= (FvbBaseAddress + FwVolHeader->FvLength))) {
- if ((FwVolHeader->FvLength) > (FwVolHeader->HeaderLength)) {
- //
- // BUGBUG: Assume one FV has one type of BlockLength
- //
- FvbMapEntry = &FwVolHeader->BlockMap[0];
- for (LbaIndex = 1; LbaIndex <= FvbMapEntry->NumBlocks; LbaIndex += 1) {
- if (Address < (FvbBaseAddress + FvbMapEntry->Length * LbaIndex)) {
- //
- // Found the (Lba, Offset)
- //
- *Lba = LbaIndex - 1;
- *Offset = (UINTN) (Address - (FvbBaseAddress + FvbMapEntry->Length * (LbaIndex - 1)));
- return EFI_SUCCESS;
- }
- }
- }
- }
-
- return EFI_ABORTED;
-}
-
-/**
- Writes a buffer to variable storage space.
-
- This function writes a buffer to variable storage space into firmware
- volume block device. The destination is specified by parameter
- VariableBase. Fault Tolerant Write protocol is used for writing.
-
- @param[in] VariableBase The base address of the variable to write.
- @param[in] Buffer Points to the data buffer.
- @param[in] BufferSize The number of bytes of the data Buffer.
-
- @retval EFI_SUCCESS The function completed successfully.
- @retval EFI_NOT_FOUND Fail to locate Fault Tolerant Write protocol.
- @retval Other The function could not complete successfully.
-
-**/
-EFI_STATUS
-FtwVariableSpace (
- IN EFI_PHYSICAL_ADDRESS VariableBase,
- IN UINT8 *Buffer,
- IN UINTN BufferSize
- )
-{
- EFI_STATUS Status;
- EFI_HANDLE FvbHandle;
- EFI_LBA VarLba;
- UINTN VarOffset;
- UINT8 *FtwBuffer;
- UINTN FtwBufferSize;
- EFI_FAULT_TOLERANT_WRITE_PROTOCOL *FtwProtocol;
-
- //
- // Locate Fault Tolerant Write protocol
- //
- Status = gBS->LocateProtocol (
- &gEfiFaultTolerantWriteProtocolGuid,
- NULL,
- (VOID **) &FtwProtocol
- );
- if (EFI_ERROR (Status)) {
- return EFI_NOT_FOUND;
- }
- //
- // Gets firmware volume block handle by VariableBase.
- //
- Status = GetFvbHandleByAddress (VariableBase, &FvbHandle);
- if (EFI_ERROR (Status)) {
- return Status;
- }
- //
- // Gets LBA of block and offset by VariableBase.
- //
- Status = GetLbaAndOffsetByAddress (VariableBase, &VarLba, &VarOffset);
- if (EFI_ERROR (Status)) {
- return EFI_ABORTED;
- }
- //
- // Prepare for the variable data
- //
- FtwBufferSize = ((VARIABLE_STORE_HEADER *) ((UINTN) VariableBase))->Size;
- FtwBuffer = AllocatePool (FtwBufferSize);
- if (FtwBuffer == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- SetMem (FtwBuffer, FtwBufferSize, (UINT8) 0xff);
- CopyMem (FtwBuffer, Buffer, BufferSize);
-
- //
- // FTW write record
- //
- Status = FtwProtocol->Write (
- FtwProtocol,
- VarLba, // LBA
- VarOffset, // Offset
- FtwBufferSize, // NumBytes,
- NULL,
- FvbHandle,
- FtwBuffer
- );
-
- FreePool (FtwBuffer);
- return Status;
-}
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.c b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.c
deleted file mode 100644
index dfa85973f4..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.c
+++ /dev/null
@@ -1,3257 +0,0 @@
-/** @file
- The implementation of Extended SAL variable services.
-
-Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "Variable.h"
-#include "AuthService.h"
-
-//
-// Don't use module globals after the SetVirtualAddress map is signaled
-//
-ESAL_VARIABLE_GLOBAL *mVariableModuleGlobal;
-CHAR16 *mVariableName[NUM_VAR_NAME] = {
- L"PlatformLangCodes",
- L"LangCodes",
- L"PlatformLang",
- L"Lang",
- L"HwErrRec",
- AUTHVAR_KEYDB_NAME,
- EFI_SETUP_MODE_NAME,
- EFI_PLATFORM_KEY_NAME,
- EFI_KEY_EXCHANGE_KEY_NAME
-};
-
-GLOBAL_REMOVE_IF_UNREFERENCED VARIABLE_INFO_ENTRY *gVariableInfo = NULL;
-
-//
-// The current Hii implementation accesses this variable a larg # of times on every boot.
-// Other common variables are only accessed a single time. This is why this cache algorithm
-// only targets a single variable. Probably to get an performance improvement out of
-// a Cache you would need a cache that improves the search performance for a variable.
-//
-VARIABLE_CACHE_ENTRY mVariableCache[] = {
- {
- &gEfiGlobalVariableGuid,
- L"Lang",
- 0x00000000,
- 0x00,
- NULL
- },
- {
- &gEfiGlobalVariableGuid,
- L"PlatformLang",
- 0x00000000,
- 0x00,
- NULL
- }
-};
-
-/**
- Acquires lock only at boot time. Simply returns at runtime.
-
- This is a temperary function which will be removed when
- EfiAcquireLock() in UefiLib can handle the call in UEFI
- Runtimer driver in RT phase.
- It calls EfiAcquireLock() at boot time, and simply returns
- at runtime.
-
- @param[in] Lock A pointer to the lock to acquire.
-
-**/
-VOID
-AcquireLockOnlyAtBootTime (
- IN EFI_LOCK *Lock
- )
-{
- if (!EfiAtRuntime ()) {
- EfiAcquireLock (Lock);
- }
-}
-
-/**
- Releases lock only at boot time. Simply returns at runtime.
-
- This is a temperary function which will be removed when
- EfiReleaseLock() in UefiLib can handle the call in UEFI
- Runtimer driver in RT phase.
- It calls EfiReleaseLock() at boot time, and simply returns
- at runtime
-
- @param[in] Lock A pointer to the lock to release.
-
-**/
-VOID
-ReleaseLockOnlyAtBootTime (
- IN EFI_LOCK *Lock
- )
-{
- if (!EfiAtRuntime ()) {
- EfiReleaseLock (Lock);
- }
-}
-
-/**
- Reads/Writes variable storage, volatile or non-volatile.
-
- This function reads or writes volatile or non-volatile variable stroage.
- For volatile storage, it performs memory copy.
- For non-volatile storage, it accesses data on firmware storage. Data
- area to access can span multiple firmware blocks.
-
- @param[in] Write TRUE - Write variable store.
- FALSE - Read variable store.
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure.
- @param[in] Volatile TRUE - Variable is volatile.
- FALSE - Variable is non-volatile.
- @param[in] Instance Instance of FV Block services.
- @param[in] StartAddress Start address of data to access.
- @param[in] DataSize Size of data to access.
- @param[in, out] Buffer For write, pointer to the buffer from which data is written.
- For read, pointer to the buffer to hold the data read.
-
- @retval EFI_SUCCESS Variable store successfully accessed.
- @retval EFI_INVALID_PARAMETER Data area to access exceeds valid variable storage.
-
-**/
-EFI_STATUS
-AccessVariableStore (
- IN BOOLEAN Write,
- IN VARIABLE_GLOBAL *Global,
- IN BOOLEAN Volatile,
- IN UINTN Instance,
- IN EFI_PHYSICAL_ADDRESS StartAddress,
- IN UINT32 DataSize,
- IN OUT VOID *Buffer
- )
-{
- EFI_FV_BLOCK_MAP_ENTRY *PtrBlockMapEntry;
- UINTN BlockIndex;
- UINTN LinearOffset;
- UINTN CurrWriteSize;
- UINTN CurrWritePtr;
- UINT8 *CurrBuffer;
- EFI_LBA LbaNumber;
- UINTN Size;
- EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader;
- VARIABLE_STORE_HEADER *VolatileBase;
- EFI_PHYSICAL_ADDRESS FvVolHdr;
- EFI_STATUS Status;
- VARIABLE_STORE_HEADER *VariableStoreHeader;
-
- FvVolHdr = 0;
- FwVolHeader = NULL;
-
- if (Volatile) {
- //
- // If data is volatile, simply calculate the data pointer and copy memory.
- // Data pointer should point to the actual address where data is to be
- // accessed.
- //
- VolatileBase = (VARIABLE_STORE_HEADER *) ((UINTN) Global->VolatileVariableBase);
-
- if ((StartAddress + DataSize) > ((UINTN) ((UINT8 *) VolatileBase + VolatileBase->Size))) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // For volatile variable, a simple memory copy is enough.
- //
- if (Write) {
- CopyMem ((VOID *) StartAddress, Buffer, DataSize);
- } else {
- CopyMem (Buffer, (VOID *) StartAddress, DataSize);
- }
-
- return EFI_SUCCESS;
- }
-
- //
- // If data is non-volatile, calculate firmware volume header and data pointer.
- //
- Status = (EFI_STATUS) EsalCall (
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_LO,
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_HI,
- GetPhysicalAddressFunctionId,
- Instance,
- (UINT64) &FvVolHdr,
- 0,
- 0,
- 0,
- 0,
- 0
- ).Status;
- ASSERT_EFI_ERROR (Status);
-
- FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER *) ((UINTN) FvVolHdr);
- ASSERT (FwVolHeader != NULL);
- VariableStoreHeader = (VARIABLE_STORE_HEADER *)(FwVolHeader + 1);
-
- if ((StartAddress + DataSize) > ((EFI_PHYSICAL_ADDRESS) (UINTN) ((CHAR8 *)VariableStoreHeader + VariableStoreHeader->Size))) {
- return EFI_INVALID_PARAMETER;
- }
-
- LinearOffset = (UINTN) FwVolHeader;
- CurrWritePtr = StartAddress;
- CurrWriteSize = DataSize;
- CurrBuffer = Buffer;
- LbaNumber = 0;
-
- if (CurrWritePtr < LinearOffset) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Traverse data blocks of this firmware storage to find the one where CurrWritePtr locates
- //
- for (PtrBlockMapEntry = FwVolHeader->BlockMap; PtrBlockMapEntry->NumBlocks != 0; PtrBlockMapEntry++) {
- for (BlockIndex = 0; BlockIndex < PtrBlockMapEntry->NumBlocks; BlockIndex++) {
- if ((CurrWritePtr >= LinearOffset) && (CurrWritePtr < LinearOffset + PtrBlockMapEntry->Length)) {
- //
- // Check to see if the data area to access spans multiple blocks.
- //
- if ((CurrWritePtr + CurrWriteSize) <= (LinearOffset + PtrBlockMapEntry->Length)) {
- //
- // If data area to access is contained in one block, just access and return.
- //
- if (Write) {
- Status = (EFI_STATUS) EsalCall (
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_LO,
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_HI,
- WriteFunctionId,
- Instance,
- LbaNumber,
- (CurrWritePtr - LinearOffset),
- (UINT64) &CurrWriteSize,
- (UINT64) CurrBuffer,
- 0,
- 0
- ).Status;
- } else {
- Status = (EFI_STATUS) EsalCall (
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_LO,
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_HI,
- ReadFunctionId,
- Instance,
- LbaNumber,
- (CurrWritePtr - LinearOffset),
- (UINT64) &CurrWriteSize,
- (UINT64) CurrBuffer,
- 0,
- 0
- ).Status;
- }
- return Status;
- } else {
- //
- // If data area to access spans multiple blocks, access this one and adjust for the next one.
- //
- Size = (UINT32) (LinearOffset + PtrBlockMapEntry->Length - CurrWritePtr);
- if (Write) {
- Status = (EFI_STATUS) EsalCall (
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_LO,
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_HI,
- WriteFunctionId,
- Instance,
- LbaNumber,
- (CurrWritePtr - LinearOffset),
- (UINT64) &Size,
- (UINT64) CurrBuffer,
- 0,
- 0
- ).Status;
- } else {
- Status = (EFI_STATUS) EsalCall (
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_LO,
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_HI,
- ReadFunctionId,
- Instance,
- LbaNumber,
- (CurrWritePtr - LinearOffset),
- (UINT64) &Size,
- (UINT64) CurrBuffer,
- 0,
- 0
- ).Status;
- }
- if (EFI_ERROR (Status)) {
- return Status;
- }
- //
- // Adjust for the remaining data.
- //
- CurrWritePtr = LinearOffset + PtrBlockMapEntry->Length;
- CurrBuffer = CurrBuffer + Size;
- CurrWriteSize = CurrWriteSize - Size;
- }
- }
-
- LinearOffset += PtrBlockMapEntry->Length;
- LbaNumber++;
- }
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Retrieves header of volatile or non-volatile variable stroage.
-
- @param[in] VarStoreAddress Start address of variable storage.
- @param[in] Volatile TRUE - Variable storage is volatile.
- FALSE - Variable storage is non-volatile.
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure.
- @param[in] Instance Instance of FV Block services.
- @param[out] VarStoreHeader Pointer to VARIABLE_STORE_HEADER for output.
-
-**/
-VOID
-GetVarStoreHeader (
- IN EFI_PHYSICAL_ADDRESS VarStoreAddress,
- IN BOOLEAN Volatile,
- IN VARIABLE_GLOBAL *Global,
- IN UINTN Instance,
- OUT VARIABLE_STORE_HEADER *VarStoreHeader
- )
-{
- EFI_STATUS Status;
-
- Status = AccessVariableStore (
- FALSE,
- Global,
- Volatile,
- Instance,
- VarStoreAddress,
- sizeof (VARIABLE_STORE_HEADER),
- VarStoreHeader
- );
- ASSERT_EFI_ERROR (Status);
-}
-
-/**
- Checks variable header.
-
- This function checks if variable header is valid or not.
-
- @param[in] VariableAddress Start address of variable header.
- @param[in] Volatile TRUE - Variable is volatile.
- FALSE - Variable is non-volatile.
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure.
- @param[in] Instance Instance of FV Block services.
- @param[out] VariableHeader Pointer to AUTHENTICATED_VARIABLE_HEADER for output.
-
- @retval TRUE Variable header is valid.
- @retval FALSE Variable header is not valid.
-
-**/
-BOOLEAN
-IsValidVariableHeader (
- IN EFI_PHYSICAL_ADDRESS VariableAddress,
- IN BOOLEAN Volatile,
- IN VARIABLE_GLOBAL *Global,
- IN UINTN Instance,
- OUT AUTHENTICATED_VARIABLE_HEADER *VariableHeader OPTIONAL
- )
-{
- EFI_STATUS Status;
- AUTHENTICATED_VARIABLE_HEADER LocalVariableHeader;
-
- Status = AccessVariableStore (
- FALSE,
- Global,
- Volatile,
- Instance,
- VariableAddress,
- sizeof (AUTHENTICATED_VARIABLE_HEADER),
- &LocalVariableHeader
- );
-
- if (EFI_ERROR (Status) || LocalVariableHeader.StartId != VARIABLE_DATA) {
- return FALSE;
- }
-
- if (VariableHeader != NULL) {
- CopyMem (VariableHeader, &LocalVariableHeader, sizeof (AUTHENTICATED_VARIABLE_HEADER));
- }
-
- return TRUE;
-}
-
-/**
- Gets status of variable store.
-
- This function gets the current status of variable store.
-
- @param[in] VarStoreHeader Pointer to header of variable store.
-
- @retval EfiRaw Variable store status is raw.
- @retval EfiValid Variable store status is valid.
- @retval EfiInvalid Variable store status is invalid.
-
-**/
-VARIABLE_STORE_STATUS
-GetVariableStoreStatus (
- IN VARIABLE_STORE_HEADER *VarStoreHeader
- )
-{
-
- if (CompareGuid (&VarStoreHeader->Signature, &gEfiAuthenticatedVariableGuid) &&
- VarStoreHeader->Format == VARIABLE_STORE_FORMATTED &&
- VarStoreHeader->State == VARIABLE_STORE_HEALTHY
- ) {
-
- return EfiValid;
- } else if (((UINT32 *)(&VarStoreHeader->Signature))[0] == 0xffffffff &&
- ((UINT32 *)(&VarStoreHeader->Signature))[1] == 0xffffffff &&
- ((UINT32 *)(&VarStoreHeader->Signature))[2] == 0xffffffff &&
- ((UINT32 *)(&VarStoreHeader->Signature))[3] == 0xffffffff &&
- VarStoreHeader->Size == 0xffffffff &&
- VarStoreHeader->Format == 0xff &&
- VarStoreHeader->State == 0xff
- ) {
-
- return EfiRaw;
- } else {
- return EfiInvalid;
- }
-}
-
-/**
- Gets the size of variable name.
-
- This function gets the size of variable name.
- The variable is specified by its variable header.
- If variable header contains raw data, just return 0.
-
- @param[in] Variable Pointer to the variable header.
-
- @return Size of variable name in bytes.
-
-**/
-UINTN
-NameSizeOfVariable (
- IN AUTHENTICATED_VARIABLE_HEADER *Variable
- )
-{
- if (Variable->State == (UINT8) (-1) ||
- Variable->DataSize == (UINT32) -1 ||
- Variable->NameSize == (UINT32) -1 ||
- Variable->Attributes == (UINT32) -1) {
- return 0;
- }
- return (UINTN) Variable->NameSize;
-}
-
-/**
- Gets the size of variable data area.
-
- This function gets the size of variable data area.
- The variable is specified by its variable header.
- If variable header contains raw data, just return 0.
-
- @param[in] Variable Pointer to the variable header.
-
- @return Size of variable data area in bytes.
-
-**/
-UINTN
-DataSizeOfVariable (
- IN AUTHENTICATED_VARIABLE_HEADER *Variable
- )
-{
- if (Variable->State == (UINT8) -1 ||
- Variable->DataSize == (UINT32) -1 ||
- Variable->NameSize == (UINT32) -1 ||
- Variable->Attributes == (UINT32) -1) {
- return 0;
- }
- return (UINTN) Variable->DataSize;
-}
-
-/**
- Gets the pointer to variable name.
-
- This function gets the pointer to variable name.
- The variable is specified by its variable header.
-
- @param[in] VariableAddress Start address of variable header.
- @param[in] Volatile TRUE - Variable is volatile.
- FALSE - Variable is non-volatile.
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure.
- @param[in] Instance Instance of FV Block services.
- @param[out] VariableName Buffer to hold variable name for output.
-
-**/
-VOID
-GetVariableNamePtr (
- IN EFI_PHYSICAL_ADDRESS VariableAddress,
- IN BOOLEAN Volatile,
- IN VARIABLE_GLOBAL *Global,
- IN UINTN Instance,
- OUT CHAR16 *VariableName
- )
-{
- EFI_STATUS Status;
- EFI_PHYSICAL_ADDRESS Address;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN IsValid;
-
- IsValid = IsValidVariableHeader (VariableAddress, Volatile, Global, Instance, &VariableHeader);
- ASSERT (IsValid);
-
- //
- // Name area follows variable header.
- //
- Address = VariableAddress + sizeof (AUTHENTICATED_VARIABLE_HEADER);
-
- Status = AccessVariableStore (
- FALSE,
- Global,
- Volatile,
- Instance,
- Address,
- VariableHeader.NameSize,
- VariableName
- );
- ASSERT_EFI_ERROR (Status);
-}
-
-/**
- Gets the pointer to variable data area.
-
- This function gets the pointer to variable data area.
- The variable is specified by its variable header.
-
- @param[in] VariableAddress Start address of variable header.
- @param[in] Volatile TRUE - Variable is volatile.
- FALSE - Variable is non-volatile.
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure.
- @param[in] Instance Instance of FV Block services.
- @param[out] VariableData Buffer to hold variable data for output.
-
-**/
-VOID
-GetVariableDataPtr (
- IN EFI_PHYSICAL_ADDRESS VariableAddress,
- IN BOOLEAN Volatile,
- IN VARIABLE_GLOBAL *Global,
- IN UINTN Instance,
- OUT CHAR16 *VariableData
- )
-{
- EFI_STATUS Status;
- EFI_PHYSICAL_ADDRESS Address;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN IsValid;
-
- IsValid = IsValidVariableHeader (VariableAddress, Volatile, Global, Instance, &VariableHeader);
- ASSERT (IsValid);
-
- //
- // Data area follows variable name.
- // Be careful about pad size for alignment
- //
- Address = VariableAddress + sizeof (AUTHENTICATED_VARIABLE_HEADER);
- Address += NameSizeOfVariable (&VariableHeader);
- Address += GET_PAD_SIZE (NameSizeOfVariable (&VariableHeader));
-
- Status = AccessVariableStore (
- FALSE,
- Global,
- Volatile,
- Instance,
- Address,
- VariableHeader.DataSize,
- VariableData
- );
- ASSERT_EFI_ERROR (Status);
-}
-
-
-/**
- Gets the pointer to the next variable header.
-
- This function gets the pointer to the next variable header.
- The variable is specified by its variable header.
-
- @param[in] VariableAddress Start address of variable header.
- @param[in] Volatile TRUE - Variable is volatile.
- FALSE - Variable is non-volatile.
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure.
- @param[in] Instance Instance of FV Block services.
-
- @return Pointer to the next variable header.
- NULL if variable header is invalid.
-
-**/
-EFI_PHYSICAL_ADDRESS
-GetNextVariablePtr (
- IN EFI_PHYSICAL_ADDRESS VariableAddress,
- IN BOOLEAN Volatile,
- IN VARIABLE_GLOBAL *Global,
- IN UINTN Instance
- )
-{
- EFI_PHYSICAL_ADDRESS Address;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
-
- if (!IsValidVariableHeader (VariableAddress, Volatile, Global, Instance, &VariableHeader)) {
- return 0x0;
- }
-
- //
- // Header of next variable follows data area of this variable
- //
- Address = VariableAddress + sizeof (AUTHENTICATED_VARIABLE_HEADER);
- Address += NameSizeOfVariable (&VariableHeader);
- Address += GET_PAD_SIZE (NameSizeOfVariable (&VariableHeader));
- Address += DataSizeOfVariable (&VariableHeader);
- Address += GET_PAD_SIZE (DataSizeOfVariable (&VariableHeader));
-
- //
- // Be careful about pad size for alignment
- //
- return HEADER_ALIGN (Address);
-}
-
-/**
- Gets the pointer to the first variable header in given variable store area.
-
- This function gets the pointer to the first variable header in given variable
- store area. The variable store area is given by its start address.
-
- @param[in] VarStoreHeaderAddress Pointer to the header of variable store area.
-
- @return Pointer to the first variable header.
-
-**/
-EFI_PHYSICAL_ADDRESS
-GetStartPointer (
- IN EFI_PHYSICAL_ADDRESS VarStoreHeaderAddress
- )
-{
- return HEADER_ALIGN (VarStoreHeaderAddress + sizeof (VARIABLE_STORE_HEADER));
-}
-
-/**
- Gets the pointer to the end of given variable store area.
-
- This function gets the pointer to the end of given variable store area.
- The variable store area is given by its start address.
-
- @param[in] VarStoreHeaderAddress Pointer to the header of variable store area.
- @param[in] Volatile TRUE - Variable is volatile.
- FALSE - Variable is non-volatile.
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure.
- @param[in] Instance Instance of FV Block services.
-
- @return Pointer to the end of given variable store area.
-
-**/
-EFI_PHYSICAL_ADDRESS
-GetEndPointer (
- IN EFI_PHYSICAL_ADDRESS VarStoreHeaderAddress,
- IN BOOLEAN Volatile,
- IN VARIABLE_GLOBAL *Global,
- IN UINTN Instance
- )
-{
- EFI_STATUS Status;
- VARIABLE_STORE_HEADER VariableStoreHeader;
-
- Status = AccessVariableStore (
- FALSE,
- Global,
- Volatile,
- Instance,
- VarStoreHeaderAddress,
- sizeof (VARIABLE_STORE_HEADER),
- &VariableStoreHeader
- );
-
- ASSERT_EFI_ERROR (Status);
- return HEADER_ALIGN (VarStoreHeaderAddress + VariableStoreHeader.Size);
-}
-
-/**
- Updates variable info entry in EFI system table for statistical information.
-
- Routine used to track statistical information about variable usage.
- The data is stored in the EFI system table so it can be accessed later.
- VariableInfo.efi can dump out the table. Only Boot Services variable
- accesses are tracked by this code. The PcdVariableCollectStatistics
- build flag controls if this feature is enabled.
- A read that hits in the cache will have Read and Cache true for
- the transaction. Data is allocated by this routine, but never
- freed.
-
- @param[in] VariableName Name of the Variable to track.
- @param[in] VendorGuid Guid of the Variable to track.
- @param[in] Volatile TRUE if volatile FALSE if non-volatile.
- @param[in] Read TRUE if GetVariable() was called.
- @param[in] Write TRUE if SetVariable() was called.
- @param[in] Delete TRUE if deleted via SetVariable().
- @param[in] Cache TRUE for a cache hit.
-
-**/
-VOID
-UpdateVariableInfo (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN BOOLEAN Volatile,
- IN BOOLEAN Read,
- IN BOOLEAN Write,
- IN BOOLEAN Delete,
- IN BOOLEAN Cache
- )
-{
- VARIABLE_INFO_ENTRY *Entry;
-
- if (FeaturePcdGet (PcdVariableCollectStatistics)) {
-
- if (EfiAtRuntime ()) {
- //
- // Don't collect statistics at runtime
- //
- return;
- }
-
- if (gVariableInfo == NULL) {
- //
- // on the first call allocate a entry and place a pointer to it in
- // the EFI System Table
- //
- gVariableInfo = AllocateZeroPool (sizeof (VARIABLE_INFO_ENTRY));
- ASSERT (gVariableInfo != NULL);
-
- CopyGuid (&gVariableInfo->VendorGuid, VendorGuid);
- gVariableInfo->Name = AllocatePool (StrSize (VariableName));
- ASSERT (gVariableInfo->Name != NULL);
- StrCpyS (gVariableInfo->Name, StrSize (VariableName) / sizeof (CHAR16), VariableName);
- gVariableInfo->Volatile = Volatile;
-
- gBS->InstallConfigurationTable (&gEfiAuthenticatedVariableGuid, gVariableInfo);
- }
-
-
- for (Entry = gVariableInfo; Entry != NULL; Entry = Entry->Next) {
- if (CompareGuid (VendorGuid, &Entry->VendorGuid)) {
- if (StrCmp (VariableName, Entry->Name) == 0) {
- //
- // Find the entry matching both variable name and vender GUID,
- // and update counters for all types.
- //
- if (Read) {
- Entry->ReadCount++;
- }
- if (Write) {
- Entry->WriteCount++;
- }
- if (Delete) {
- Entry->DeleteCount++;
- }
- if (Cache) {
- Entry->CacheCount++;
- }
-
- return;
- }
- }
-
- if (Entry->Next == NULL) {
- //
- // If the entry is not in the table add it.
- // Next iteration of the loop will fill in the data
- //
- Entry->Next = AllocateZeroPool (sizeof (VARIABLE_INFO_ENTRY));
- ASSERT (Entry->Next != NULL);
-
- CopyGuid (&Entry->Next->VendorGuid, VendorGuid);
- Entry->Next->Name = AllocatePool (StrSize (VariableName));
- ASSERT (Entry->Next->Name != NULL);
- StrCpyS (Entry->Next->Name, StrSize (VariableName) / sizeof (CHAR16), VariableName);
- Entry->Next->Volatile = Volatile;
- }
-
- }
- }
-}
-
-/**
- Updates variable in cache.
-
- This function searches the variable cache. If the variable to set exists in the cache,
- it updates the variable in cache. It has the same parameters with UEFI SetVariable()
- service.
-
- @param[in] VariableName A Null-terminated Unicode string that is the name of the vendor's
- variable. Each VariableName is unique for each VendorGuid.
- @param[in] VendorGuid A unique identifier for the vendor.
- @param[in] Attributes Attributes bitmask to set for the variable.
- @param[in] DataSize The size in bytes of the Data buffer. A size of zero causes the
- variable to be deleted.
- @param[in] Data The contents for the variable.
-
-**/
-VOID
-UpdateVariableCache (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT32 Attributes,
- IN UINTN DataSize,
- IN VOID *Data
- )
-{
- VARIABLE_CACHE_ENTRY *Entry;
- UINTN Index;
-
- if (EfiAtRuntime ()) {
- //
- // Don't use the cache at runtime
- //
- return;
- }
-
- //
- // Searches cache for the variable to update. If it exists, update it.
- //
- for (Index = 0, Entry = mVariableCache; Index < sizeof (mVariableCache)/sizeof (VARIABLE_CACHE_ENTRY); Index++, Entry++) {
- if (CompareGuid (VendorGuid, Entry->Guid)) {
- if (StrCmp (VariableName, Entry->Name) == 0) {
- Entry->Attributes = Attributes;
- if (DataSize == 0) {
- //
- // If DataSize is 0, delete the variable.
- //
- if (Entry->DataSize != 0) {
- FreePool (Entry->Data);
- }
- Entry->DataSize = DataSize;
- } else if (DataSize == Entry->DataSize) {
- //
- // If size of data does not change, simply copy data
- //
- CopyMem (Entry->Data, Data, DataSize);
- } else {
- //
- // If size of data changes, allocate pool and copy data.
- //
- Entry->Data = AllocatePool (DataSize);
- ASSERT (Entry->Data != NULL);
- Entry->DataSize = DataSize;
- CopyMem (Entry->Data, Data, DataSize);
- }
- }
- }
- }
-}
-
-
-/**
- Search the cache to check if the variable is in it.
-
- This function searches the variable cache. If the variable to find exists, return its data
- and attributes.
-
- @param[in] VariableName A Null-terminated Unicode string that is the name of the vendor's
- variable. Each VariableName is unique for each VendorGuid.
- @param[in] VendorGuid A unique identifier for the vendor
- @param[out] Attributes Pointer to the attributes bitmask of the variable for output.
- @param[in, out] DataSize On input, size of the buffer of Data.
- On output, size of the variable's data.
- @param[out] Data Pointer to the data buffer for output.
-
- @retval EFI_SUCCESS VariableGuid & VariableName data was returned.
- @retval EFI_NOT_FOUND No matching variable found in cache.
- @retval EFI_BUFFER_TOO_SMALL *DataSize is smaller than size of the variable's data to return.
-
-**/
-EFI_STATUS
-FindVariableInCache (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- OUT UINT32 *Attributes OPTIONAL,
- IN OUT UINTN *DataSize,
- OUT VOID *Data
- )
-{
- VARIABLE_CACHE_ENTRY *Entry;
- UINTN Index;
-
- if (EfiAtRuntime ()) {
- //
- // Don't use the cache at runtime
- //
- return EFI_NOT_FOUND;
- }
-
- //
- // Searches cache for the variable
- //
- for (Index = 0, Entry = mVariableCache; Index < sizeof (mVariableCache)/sizeof (VARIABLE_CACHE_ENTRY); Index++, Entry++) {
- if (CompareGuid (VendorGuid, Entry->Guid)) {
- if (StrCmp (VariableName, Entry->Name) == 0) {
- if (Entry->DataSize == 0) {
- //
- // Variable has been deleted so return EFI_NOT_FOUND
- //
- return EFI_NOT_FOUND;
- } else if (Entry->DataSize > *DataSize) {
- //
- // If buffer is too small, return the size needed and EFI_BUFFER_TOO_SMALL
- //
- *DataSize = Entry->DataSize;
- return EFI_BUFFER_TOO_SMALL;
- } else {
- //
- // If buffer is large enough, return the data
- //
- *DataSize = Entry->DataSize;
- CopyMem (Data, Entry->Data, Entry->DataSize);
- //
- // If Attributes is not NULL, return the variable's attribute.
- //
- if (Attributes != NULL) {
- *Attributes = Entry->Attributes;
- }
- return EFI_SUCCESS;
- }
- }
- }
- }
-
- return EFI_NOT_FOUND;
-}
-
-/**
- Finds variable in volatile and non-volatile storage areas.
-
- This code finds variable in volatile and non-volatile storage areas.
- If VariableName is an empty string, then we just return the first
- qualified variable without comparing VariableName and VendorGuid.
- Otherwise, VariableName and VendorGuid are compared.
-
- @param[in] VariableName Name of the variable to be found.
- @param[in] VendorGuid Vendor GUID to be found.
- @param[out] PtrTrack VARIABLE_POINTER_TRACK structure for output,
- including the range searched and the target position.
- @param[in] Global Pointer to VARIABLE_GLOBAL structure, including
- base of volatile variable storage area, base of
- NV variable storage area, and a lock.
- @param[in] Instance Instance of FV Block services.
-
- @retval EFI_INVALID_PARAMETER If VariableName is not an empty string, while
- VendorGuid is NULL.
- @retval EFI_SUCCESS Variable successfully found.
- @retval EFI_INVALID_PARAMETER Variable not found.
-
-**/
-EFI_STATUS
-FindVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- OUT VARIABLE_POINTER_TRACK *PtrTrack,
- IN VARIABLE_GLOBAL *Global,
- IN UINTN Instance
- )
-{
- EFI_PHYSICAL_ADDRESS Variable[2];
- EFI_PHYSICAL_ADDRESS InDeletedVariable;
- EFI_PHYSICAL_ADDRESS VariableStoreHeader[2];
- UINTN InDeletedStorageIndex;
- UINTN Index;
- CHAR16 LocalVariableName[MAX_NAME_SIZE];
- BOOLEAN Volatile;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
-
- //
- // 0: Volatile, 1: Non-Volatile
- // The index and attributes mapping must be kept in this order as RuntimeServiceGetNextVariableName
- // make use of this mapping to implement search algorithme.
- //
- VariableStoreHeader[0] = Global->VolatileVariableBase;
- VariableStoreHeader[1] = Global->NonVolatileVariableBase;
-
- //
- // Start Pointers for the variable.
- // Actual Data Pointer where data can be written.
- //
- Variable[0] = GetStartPointer (VariableStoreHeader[0]);
- Variable[1] = GetStartPointer (VariableStoreHeader[1]);
-
- if (VariableName[0] != 0 && VendorGuid == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Find the variable by walk through volatile and then non-volatile variable store
- //
- InDeletedVariable = 0x0;
- InDeletedStorageIndex = 0;
- Volatile = TRUE;
- for (Index = 0; Index < 2; Index++) {
- if (Index == 1) {
- Volatile = FALSE;
- }
- while (IsValidVariableHeader (Variable[Index], Volatile, Global, Instance, &VariableHeader)) {
- if (VariableHeader.State == VAR_ADDED ||
- VariableHeader.State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)
- ) {
- if (!EfiAtRuntime () || ((VariableHeader.Attributes & EFI_VARIABLE_RUNTIME_ACCESS) != 0)) {
- if (VariableName[0] == 0) {
- //
- // If VariableName is an empty string, then we just find the first qualified variable
- // without comparing VariableName and VendorGuid
- //
- if (VariableHeader.State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)) {
- //
- // If variable is in delete transition, record it.
- //
- InDeletedVariable = Variable[Index];
- InDeletedStorageIndex = Index;
- } else {
- //
- // If variable is not in delete transition, return it.
- //
- PtrTrack->StartPtr = GetStartPointer (VariableStoreHeader[Index]);
- PtrTrack->EndPtr = GetEndPointer (VariableStoreHeader[Index], Volatile, Global, Instance);
- PtrTrack->CurrPtr = Variable[Index];
- PtrTrack->Volatile = Volatile;
-
- return EFI_SUCCESS;
- }
- } else {
- //
- // If VariableName is not an empty string, then VariableName and VendorGuid are compared.
- //
- if (CompareGuid (VendorGuid, &VariableHeader.VendorGuid)) {
- GetVariableNamePtr (
- Variable[Index],
- Volatile,
- Global,
- Instance,
- LocalVariableName
- );
-
- ASSERT (NameSizeOfVariable (&VariableHeader) != 0);
- if (CompareMem (VariableName, LocalVariableName, NameSizeOfVariable (&VariableHeader)) == 0) {
- if (VariableHeader.State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)) {
- //
- // If variable is in delete transition, record it.
- // We will use if only no VAR_ADDED variable is found.
- //
- InDeletedVariable = Variable[Index];
- InDeletedStorageIndex = Index;
- } else {
- //
- // If variable is not in delete transition, return it.
- //
- PtrTrack->StartPtr = GetStartPointer (VariableStoreHeader[Index]);
- PtrTrack->EndPtr = GetEndPointer (VariableStoreHeader[Index], Volatile, Global, Instance);
- PtrTrack->CurrPtr = Variable[Index];
- PtrTrack->Volatile = Volatile;
-
- return EFI_SUCCESS;
- }
- }
- }
- }
- }
- }
-
- Variable[Index] = GetNextVariablePtr (
- Variable[Index],
- Volatile,
- Global,
- Instance
- );
- }
- if (InDeletedVariable != 0x0) {
- //
- // If no VAR_ADDED variable is found, and only variable in delete transition, then use this one.
- //
- PtrTrack->StartPtr = GetStartPointer (VariableStoreHeader[InDeletedStorageIndex]);
- PtrTrack->EndPtr = GetEndPointer (
- VariableStoreHeader[InDeletedStorageIndex],
- (BOOLEAN)(InDeletedStorageIndex == 0),
- Global,
- Instance
- );
- PtrTrack->CurrPtr = InDeletedVariable;
- PtrTrack->Volatile = (BOOLEAN)(InDeletedStorageIndex == 0);
- return EFI_SUCCESS;
- }
- }
- PtrTrack->CurrPtr = 0x0;
- return EFI_NOT_FOUND;
-}
-
-/**
- Variable store garbage collection and reclaim operation.
-
- @param[in] VariableBase Base address of variable store area.
- @param[out] LastVariableOffset Offset of last variable.
- @param[in] IsVolatile The variable store is volatile or not,
- if it is non-volatile, need FTW.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
- @param[in] UpdatingVariable Pointer to header of the variable that is being updated.
-
- @retval EFI_SUCCESS Variable store successfully reclaimed.
- @retval EFI_OUT_OF_RESOURCES Fail to allocate memory buffer to hold all valid variables.
-
-**/
-EFI_STATUS
-Reclaim (
- IN EFI_PHYSICAL_ADDRESS VariableBase,
- OUT UINTN *LastVariableOffset,
- IN BOOLEAN IsVolatile,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN EFI_PHYSICAL_ADDRESS UpdatingVariable
- )
-{
- EFI_PHYSICAL_ADDRESS Variable;
- EFI_PHYSICAL_ADDRESS AddedVariable;
- EFI_PHYSICAL_ADDRESS NextVariable;
- EFI_PHYSICAL_ADDRESS NextAddedVariable;
- VARIABLE_STORE_HEADER VariableStoreHeader;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- AUTHENTICATED_VARIABLE_HEADER AddedVariableHeader;
- CHAR16 VariableName[MAX_NAME_SIZE];
- CHAR16 AddedVariableName[MAX_NAME_SIZE];
- UINT8 *ValidBuffer;
- UINTN MaximumBufferSize;
- UINTN VariableSize;
- UINTN NameSize;
- UINT8 *CurrPtr;
- BOOLEAN FoundAdded;
- EFI_STATUS Status;
- VARIABLE_GLOBAL *VariableGlobal;
- UINT32 Instance;
-
- VariableGlobal = &Global->VariableGlobal[VirtualMode];
- Instance = Global->FvbInstance;
-
- GetVarStoreHeader (VariableBase, IsVolatile, VariableGlobal, Instance, &VariableStoreHeader);
- //
- // recaluate the total size of Common/HwErr type variables in non-volatile area.
- //
- if (!IsVolatile) {
- Global->CommonVariableTotalSize = 0;
- Global->HwErrVariableTotalSize = 0;
- }
-
- //
- // Calculate the size of buffer needed to gather all valid variables
- //
- Variable = GetStartPointer (VariableBase);
- MaximumBufferSize = sizeof (VARIABLE_STORE_HEADER);
-
- while (IsValidVariableHeader (Variable, IsVolatile, VariableGlobal, Instance, &VariableHeader)) {
- NextVariable = GetNextVariablePtr (Variable, IsVolatile, VariableGlobal, Instance);
- //
- // Collect VAR_ADDED variables, and variables in delete transition status.
- //
- if (VariableHeader.State == VAR_ADDED ||
- VariableHeader.State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)
- ) {
- VariableSize = NextVariable - Variable;
- MaximumBufferSize += VariableSize;
- }
-
- Variable = NextVariable;
- }
-
- //
- // Reserve the 1 Bytes with Oxff to identify the
- // end of the variable buffer.
- //
- MaximumBufferSize += 1;
- ValidBuffer = AllocatePool (MaximumBufferSize);
- if (ValidBuffer == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- SetMem (ValidBuffer, MaximumBufferSize, 0xff);
-
- //
- // Copy variable store header
- //
- CopyMem (ValidBuffer, &VariableStoreHeader, sizeof (VARIABLE_STORE_HEADER));
- CurrPtr = (UINT8 *) GetStartPointer ((EFI_PHYSICAL_ADDRESS) ValidBuffer);
-
- //
- // Reinstall all ADDED variables
- //
- Variable = GetStartPointer (VariableBase);
- while (IsValidVariableHeader (Variable, IsVolatile, VariableGlobal, Instance, &VariableHeader)) {
- NextVariable = GetNextVariablePtr (Variable, IsVolatile, VariableGlobal, Instance);
- if (VariableHeader.State == VAR_ADDED) {
- VariableSize = NextVariable - Variable;
- CopyMem (CurrPtr, (UINT8 *) Variable, VariableSize);
- CurrPtr += VariableSize;
- if ((!IsVolatile) && ((((AUTHENTICATED_VARIABLE_HEADER*)Variable)->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD)) {
- Global->HwErrVariableTotalSize += VariableSize;
- } else if ((!IsVolatile) && ((((AUTHENTICATED_VARIABLE_HEADER*)Variable)->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != EFI_VARIABLE_HARDWARE_ERROR_RECORD)) {
- Global->CommonVariableTotalSize += VariableSize;
- }
- }
- Variable = NextVariable;
- }
- //
- // Reinstall in delete transition variables
- //
- Variable = GetStartPointer (VariableBase);
- while (IsValidVariableHeader (Variable, IsVolatile, VariableGlobal, Instance, &VariableHeader)) {
- NextVariable = GetNextVariablePtr (Variable, IsVolatile, VariableGlobal, Instance);
- if (VariableHeader.State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)) {
-
- //
- // Buffer has cached all ADDED variable.
- // Per IN_DELETED variable, we have to guarantee that
- // no ADDED one in previous buffer.
- //
- FoundAdded = FALSE;
- AddedVariable = GetStartPointer ((EFI_PHYSICAL_ADDRESS) ValidBuffer);
- while (IsValidVariableHeader (AddedVariable, IsVolatile, VariableGlobal, Instance, &AddedVariableHeader)) {
- NextAddedVariable = GetNextVariablePtr (AddedVariable, IsVolatile, VariableGlobal, Instance);
- NameSize = NameSizeOfVariable (&AddedVariableHeader);
- if (CompareGuid (&AddedVariableHeader.VendorGuid, &VariableHeader.VendorGuid) &&
- NameSize == NameSizeOfVariable (&VariableHeader)
- ) {
- GetVariableNamePtr (Variable, IsVolatile, VariableGlobal, Instance, VariableName);
- GetVariableNamePtr (AddedVariable, IsVolatile, VariableGlobal, Instance, AddedVariableName);
- if (CompareMem (VariableName, AddedVariableName, NameSize) == 0) {
- //
- // If ADDED variable with the same name and vender GUID has been reinstalled,
- // then discard this IN_DELETED copy.
- //
- FoundAdded = TRUE;
- break;
- }
- }
- AddedVariable = NextAddedVariable;
- }
- //
- // Add IN_DELETE variables that have not been added to buffer
- //
- if (!FoundAdded) {
- VariableSize = NextVariable - Variable;
- CopyMem (CurrPtr, (UINT8 *) Variable, VariableSize);
- if (Variable != UpdatingVariable) {
- //
- // Make this IN_DELETE instance valid if:
- // 1. No valid instance of this variable exists.
- // 2. It is not the variable that is going to be updated.
- //
- ((AUTHENTICATED_VARIABLE_HEADER *) CurrPtr)->State = VAR_ADDED;
- }
- CurrPtr += VariableSize;
- if ((!IsVolatile) && ((((AUTHENTICATED_VARIABLE_HEADER*)Variable)->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD)) {
- Global->HwErrVariableTotalSize += VariableSize;
- } else if ((!IsVolatile) && ((((AUTHENTICATED_VARIABLE_HEADER*)Variable)->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != EFI_VARIABLE_HARDWARE_ERROR_RECORD)) {
- Global->CommonVariableTotalSize += VariableSize;
- }
- }
- }
- Variable = NextVariable;
- }
-
- if (IsVolatile) {
- //
- // If volatile variable store, just copy valid buffer
- //
- SetMem ((UINT8 *) (UINTN) VariableBase, VariableStoreHeader.Size, 0xff);
- CopyMem ((UINT8 *) (UINTN) VariableBase, ValidBuffer, (UINTN) (CurrPtr - (UINT8 *) ValidBuffer));
- Status = EFI_SUCCESS;
- } else {
- //
- // If non-volatile variable store, perform FTW here.
- // Write ValidBuffer to destination specified by VariableBase.
- //
- Status = FtwVariableSpace (
- VariableBase,
- ValidBuffer,
- (UINTN) (CurrPtr - (UINT8 *) ValidBuffer)
- );
- }
- if (!EFI_ERROR (Status)) {
- *LastVariableOffset = (UINTN) (CurrPtr - (UINT8 *) ValidBuffer);
- } else {
- *LastVariableOffset = 0;
- }
-
- FreePool (ValidBuffer);
-
- return Status;
-}
-
-/**
- Get index from supported language codes according to language string.
-
- This code is used to get corresponding index in supported language codes. It can handle
- RFC4646 and ISO639 language tags.
- In ISO639 language tags, take 3-characters as a delimitation to find matched string and calculate the index.
- In RFC4646 language tags, take semicolon as a delimitation to find matched string and calculate the index.
-
- For example:
- SupportedLang = "engfraengfra"
- Lang = "eng"
- Iso639Language = TRUE
- The return value is "0".
- Another example:
- SupportedLang = "en;fr;en-US;fr-FR"
- Lang = "fr-FR"
- Iso639Language = FALSE
- The return value is "3".
-
- @param[in] SupportedLang Platform supported language codes.
- @param[in] Lang Configured language.
- @param[in] Iso639Language A bool value to signify if the handler is operated on ISO639 or RFC4646.
-
- @return The index of language in the language codes.
-
-**/
-UINTN
-GetIndexFromSupportedLangCodes(
- IN CHAR8 *SupportedLang,
- IN CHAR8 *Lang,
- IN BOOLEAN Iso639Language
- )
-{
- UINTN Index;
- UINTN CompareLength;
- UINTN LanguageLength;
-
- if (Iso639Language) {
- CompareLength = ISO_639_2_ENTRY_SIZE;
- for (Index = 0; Index < AsciiStrLen (SupportedLang); Index += CompareLength) {
- if (AsciiStrnCmp (Lang, SupportedLang + Index, CompareLength) == 0) {
- //
- // Successfully find the index of Lang string in SupportedLang string.
- //
- Index = Index / CompareLength;
- return Index;
- }
- }
- ASSERT (FALSE);
- return 0;
- } else {
- //
- // Compare RFC4646 language code
- //
- Index = 0;
- for (LanguageLength = 0; Lang[LanguageLength] != '\0'; LanguageLength++);
-
- for (Index = 0; *SupportedLang != '\0'; Index++, SupportedLang += CompareLength) {
- //
- // Skip ';' characters in SupportedLang
- //
- for (; *SupportedLang != '\0' && *SupportedLang == ';'; SupportedLang++);
- //
- // Determine the length of the next language code in SupportedLang
- //
- for (CompareLength = 0; SupportedLang[CompareLength] != '\0' && SupportedLang[CompareLength] != ';'; CompareLength++);
-
- if ((CompareLength == LanguageLength) &&
- (AsciiStrnCmp (Lang, SupportedLang, CompareLength) == 0)) {
- //
- // Successfully find the index of Lang string in SupportedLang string.
- //
- return Index;
- }
- }
- ASSERT (FALSE);
- return 0;
- }
-}
-
-/**
- Get language string from supported language codes according to index.
-
- This code is used to get corresponding language string in supported language codes. It can handle
- RFC4646 and ISO639 language tags.
- In ISO639 language tags, take 3-characters as a delimitation. Find language string according to the index.
- In RFC4646 language tags, take semicolon as a delimitation. Find language string according to the index.
-
- For example:
- SupportedLang = "engfraengfra"
- Index = "1"
- Iso639Language = TRUE
- The return value is "fra".
- Another example:
- SupportedLang = "en;fr;en-US;fr-FR"
- Index = "1"
- Iso639Language = FALSE
- The return value is "fr".
-
- @param[in] SupportedLang Platform supported language codes.
- @param[in] Index the index in supported language codes.
- @param[in] Iso639Language A bool value to signify if the handler is operated on ISO639 or RFC4646.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
-
- @return The language string in the language codes.
-
-**/
-CHAR8 *
-GetLangFromSupportedLangCodes (
- IN CHAR8 *SupportedLang,
- IN UINTN Index,
- IN BOOLEAN Iso639Language,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- )
-{
- UINTN SubIndex;
- UINTN CompareLength;
- CHAR8 *Supported;
-
- SubIndex = 0;
- Supported = SupportedLang;
- if (Iso639Language) {
- //
- // according to the index of Lang string in SupportedLang string to get the language.
- // As this code will be invoked in RUNTIME, therefore there is not memory allocate/free operation.
- // In driver entry, it pre-allocates a runtime attribute memory to accommodate this string.
- //
- CompareLength = ISO_639_2_ENTRY_SIZE;
- Global->Lang[CompareLength] = '\0';
- return CopyMem (Global->Lang, SupportedLang + Index * CompareLength, CompareLength);
-
- } else {
- while (TRUE) {
- //
- // take semicolon as delimitation, sequentially traverse supported language codes.
- //
- for (CompareLength = 0; *Supported != ';' && *Supported != '\0'; CompareLength++) {
- Supported++;
- }
- if ((*Supported == '\0') && (SubIndex != Index)) {
- //
- // Have completed the traverse, but not find corrsponding string.
- // This case is not allowed to happen.
- //
- ASSERT(FALSE);
- return NULL;
- }
- if (SubIndex == Index) {
- //
- // according to the index of Lang string in SupportedLang string to get the language.
- // As this code will be invoked in RUNTIME, therefore there is not memory allocate/free operation.
- // In driver entry, it pre-allocates a runtime attribute memory to accommodate this string.
- //
- Global->PlatformLang[VirtualMode][CompareLength] = '\0';
- return CopyMem (Global->PlatformLang[VirtualMode], Supported - CompareLength, CompareLength);
- }
- SubIndex++;
-
- //
- // Skip ';' characters in Supported
- //
- for (; *Supported != '\0' && *Supported == ';'; Supported++);
- }
- }
-}
-
-/**
- Returns a pointer to an allocated buffer that contains the best matching language
- from a set of supported languages.
-
- This function supports both ISO 639-2 and RFC 4646 language codes, but language
- code types may not be mixed in a single call to this function. This function
- supports a variable argument list that allows the caller to pass in a prioritized
- list of language codes to test against all the language codes in SupportedLanguages.
-
- If SupportedLanguages is NULL, then ASSERT().
-
- @param[in] SupportedLanguages A pointer to a Null-terminated ASCII string that
- contains a set of language codes in the format
- specified by Iso639Language.
- @param[in] Iso639Language If TRUE, then all language codes are assumed to be
- in ISO 639-2 format. If FALSE, then all language
- codes are assumed to be in RFC 4646 language format.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] ... A variable argument list that contains pointers to
- Null-terminated ASCII strings that contain one or more
- language codes in the format specified by Iso639Language.
- The first language code from each of these language
- code lists is used to determine if it is an exact or
- close match to any of the language codes in
- SupportedLanguages. Close matches only apply to RFC 4646
- language codes, and the matching algorithm from RFC 4647
- is used to determine if a close match is present. If
- an exact or close match is found, then the matching
- language code from SupportedLanguages is returned. If
- no matches are found, then the next variable argument
- parameter is evaluated. The variable argument list
- is terminated by a NULL.
-
- @retval NULL The best matching language could not be found in SupportedLanguages.
- @retval NULL There are not enough resources available to return the best matching
- language.
- @retval Other A pointer to a Null-terminated ASCII string that is the best matching
- language in SupportedLanguages.
-
-**/
-CHAR8 *
-VariableGetBestLanguage (
- IN CONST CHAR8 *SupportedLanguages,
- IN BOOLEAN Iso639Language,
- IN BOOLEAN VirtualMode,
- ...
- )
-{
- VA_LIST Args;
- CHAR8 *Language;
- UINTN CompareLength;
- UINTN LanguageLength;
- CONST CHAR8 *Supported;
- CHAR8 *Buffer;
-
- ASSERT (SupportedLanguages != NULL);
-
- VA_START (Args, VirtualMode);
- while ((Language = VA_ARG (Args, CHAR8 *)) != NULL) {
- //
- // Default to ISO 639-2 mode
- //
- CompareLength = 3;
- LanguageLength = MIN (3, AsciiStrLen (Language));
-
- //
- // If in RFC 4646 mode, then determine the length of the first RFC 4646 language code in Language
- //
- if (!Iso639Language) {
- for (LanguageLength = 0; Language[LanguageLength] != 0 && Language[LanguageLength] != ';'; LanguageLength++);
- }
-
- //
- // Trim back the length of Language used until it is empty
- //
- while (LanguageLength > 0) {
- //
- // Loop through all language codes in SupportedLanguages
- //
- for (Supported = SupportedLanguages; *Supported != '\0'; Supported += CompareLength) {
- //
- // In RFC 4646 mode, then Loop through all language codes in SupportedLanguages
- //
- if (!Iso639Language) {
- //
- // Skip ';' characters in Supported
- //
- for (; *Supported != '\0' && *Supported == ';'; Supported++);
- //
- // Determine the length of the next language code in Supported
- //
- for (CompareLength = 0; Supported[CompareLength] != 0 && Supported[CompareLength] != ';'; CompareLength++);
- //
- // If Language is longer than the Supported, then skip to the next language
- //
- if (LanguageLength > CompareLength) {
- continue;
- }
- }
- //
- // See if the first LanguageLength characters in Supported match Language
- //
- if (AsciiStrnCmp (Supported, Language, LanguageLength) == 0) {
- VA_END (Args);
-
- Buffer = Iso639Language ? mVariableModuleGlobal->Lang : mVariableModuleGlobal->PlatformLang[VirtualMode];
- Buffer[CompareLength] = '\0';
- return CopyMem (Buffer, Supported, CompareLength);
- }
- }
-
- if (Iso639Language) {
- //
- // If ISO 639 mode, then each language can only be tested once
- //
- LanguageLength = 0;
- } else {
- //
- // If RFC 4646 mode, then trim Language from the right to the next '-' character
- //
- for (LanguageLength--; LanguageLength > 0 && Language[LanguageLength] != '-'; LanguageLength--);
- }
- }
- }
- VA_END (Args);
-
- //
- // No matches were found
- //
- return NULL;
-}
-
-/**
- Hook the operations in PlatformLangCodes, LangCodes, PlatformLang and Lang.
-
- When setting Lang/LangCodes, simultaneously update PlatformLang/PlatformLangCodes.
- According to UEFI spec, PlatformLangCodes/LangCodes are only set once in firmware initialization,
- and are read-only. Therefore, in variable driver, only store the original value for other use.
-
- @param[in] VariableName Name of variable.
- @param[in] Data Variable data.
- @param[in] DataSize Size of data. 0 means delete.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
-
-**/
-VOID
-AutoUpdateLangVariable(
- IN CHAR16 *VariableName,
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- )
-{
- EFI_STATUS Status;
- CHAR8 *BestPlatformLang;
- CHAR8 *BestLang;
- UINTN Index;
- UINT32 Attributes;
- VARIABLE_POINTER_TRACK Variable;
- BOOLEAN SetLanguageCodes;
- CHAR16 **PredefinedVariableName;
- VARIABLE_GLOBAL *VariableGlobal;
- UINT32 Instance;
-
- //
- // Don't do updates for delete operation
- //
- if (DataSize == 0) {
- return;
- }
-
- SetLanguageCodes = FALSE;
- VariableGlobal = &Global->VariableGlobal[VirtualMode];
- Instance = Global->FvbInstance;
-
-
- PredefinedVariableName = &Global->VariableName[VirtualMode][0];
- if (StrCmp (VariableName, PredefinedVariableName[VAR_PLATFORM_LANG_CODES]) == 0) {
- //
- // PlatformLangCodes is a volatile variable, so it can not be updated at runtime.
- //
- if (EfiAtRuntime ()) {
- return;
- }
-
- SetLanguageCodes = TRUE;
-
- //
- // According to UEFI spec, PlatformLangCodes is only set once in firmware initialization, and is read-only
- // Therefore, in variable driver, only store the original value for other use.
- //
- if (Global->PlatformLangCodes[VirtualMode] != NULL) {
- FreePool (Global->PlatformLangCodes[VirtualMode]);
- }
- Global->PlatformLangCodes[VirtualMode] = AllocateRuntimeCopyPool (DataSize, Data);
- ASSERT (Global->PlatformLangCodes[VirtualMode] != NULL);
-
- //
- // PlatformLang holds a single language from PlatformLangCodes,
- // so the size of PlatformLangCodes is enough for the PlatformLang.
- //
- if (Global->PlatformLang[VirtualMode] != NULL) {
- FreePool (Global->PlatformLang[VirtualMode]);
- }
- Global->PlatformLang[VirtualMode] = AllocateRuntimePool (DataSize);
- ASSERT (Global->PlatformLang[VirtualMode] != NULL);
-
- } else if (StrCmp (VariableName, PredefinedVariableName[VAR_LANG_CODES]) == 0) {
- //
- // LangCodes is a volatile variable, so it can not be updated at runtime.
- //
- if (EfiAtRuntime ()) {
- return;
- }
-
- SetLanguageCodes = TRUE;
-
- //
- // According to UEFI spec, LangCodes is only set once in firmware initialization, and is read-only
- // Therefore, in variable driver, only store the original value for other use.
- //
- if (Global->LangCodes[VirtualMode] != NULL) {
- FreePool (Global->LangCodes[VirtualMode]);
- }
- Global->LangCodes[VirtualMode] = AllocateRuntimeCopyPool (DataSize, Data);
- ASSERT (Global->LangCodes[VirtualMode] != NULL);
- }
-
- if (SetLanguageCodes
- && (Global->PlatformLangCodes[VirtualMode] != NULL)
- && (Global->LangCodes[VirtualMode] != NULL)) {
- //
- // Update Lang if PlatformLang is already set
- // Update PlatformLang if Lang is already set
- //
- Status = FindVariable (PredefinedVariableName[VAR_PLATFORM_LANG], Global->GlobalVariableGuid[VirtualMode], &Variable, VariableGlobal, Instance);
- if (!EFI_ERROR (Status)) {
- //
- // Update Lang
- //
- VariableName = PredefinedVariableName[VAR_PLATFORM_LANG];
- } else {
- Status = FindVariable (PredefinedVariableName[VAR_LANG], Global->GlobalVariableGuid[VirtualMode], &Variable, VariableGlobal, Instance);
- if (!EFI_ERROR (Status)) {
- //
- // Update PlatformLang
- //
- VariableName = PredefinedVariableName[VAR_LANG];
- } else {
- //
- // Neither PlatformLang nor Lang is set, directly return
- //
- return;
- }
- }
- Data = (VOID *) GetEndPointer (VariableGlobal->VolatileVariableBase, TRUE, VariableGlobal, Instance);
- GetVariableDataPtr ((EFI_PHYSICAL_ADDRESS) Variable.CurrPtr, Variable.Volatile, VariableGlobal, Instance, (CHAR16 *) Data);
-
- Status = AccessVariableStore (
- FALSE,
- VariableGlobal,
- Variable.Volatile,
- Instance,
- (UINTN) &(((AUTHENTICATED_VARIABLE_HEADER *)Variable.CurrPtr)->DataSize),
- sizeof (DataSize),
- &DataSize
- );
- ASSERT_EFI_ERROR (Status);
- }
-
- //
- // According to UEFI spec, "Lang" and "PlatformLang" is NV|BS|RT attributions.
- //
- Attributes = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS;
-
- if (StrCmp (VariableName, PredefinedVariableName[VAR_PLATFORM_LANG]) == 0) {
- //
- // Update Lang when PlatformLangCodes/LangCodes were set.
- //
- if ((Global->PlatformLangCodes[VirtualMode] != NULL) && (Global->LangCodes[VirtualMode] != NULL)) {
- //
- // When setting PlatformLang, firstly get most matched language string from supported language codes.
- //
- BestPlatformLang = VariableGetBestLanguage (Global->PlatformLangCodes[VirtualMode], FALSE, VirtualMode, Data, NULL);
- if (BestPlatformLang != NULL) {
- //
- // Get the corresponding index in language codes.
- //
- Index = GetIndexFromSupportedLangCodes (Global->PlatformLangCodes[VirtualMode], BestPlatformLang, FALSE);
-
- //
- // Get the corresponding ISO639 language tag according to RFC4646 language tag.
- //
- BestLang = GetLangFromSupportedLangCodes (Global->LangCodes[VirtualMode], Index, TRUE, VirtualMode, Global);
-
- //
- // Successfully convert PlatformLang to Lang, and set the BestLang value into Lang variable simultaneously.
- //
- FindVariable (PredefinedVariableName[VAR_LANG], Global->GlobalVariableGuid[VirtualMode], &Variable, VariableGlobal, Instance);
-
- Status = UpdateVariable (
- PredefinedVariableName[VAR_LANG],
- Global->GlobalVariableGuid[VirtualMode],
- BestLang,
- ISO_639_2_ENTRY_SIZE + 1,
- Attributes,
- 0,
- 0,
- VirtualMode,
- Global,
- &Variable
- );
-
- DEBUG ((EFI_D_INFO, "Variable Driver Auto Update PlatformLang, PlatformLang:%a, Lang:%a\n", BestPlatformLang, BestLang));
-
- ASSERT_EFI_ERROR (Status);
- }
- }
-
- } else if (StrCmp (VariableName, PredefinedVariableName[VAR_LANG]) == 0) {
- //
- // Update PlatformLang when PlatformLangCodes/LangCodes were set.
- //
- if ((Global->PlatformLangCodes[VirtualMode] != NULL) && (Global->LangCodes[VirtualMode] != NULL)) {
- //
- // When setting Lang, firstly get most matched language string from supported language codes.
- //
- BestLang = VariableGetBestLanguage (Global->LangCodes[VirtualMode], TRUE, VirtualMode, Data, NULL);
- if (BestLang != NULL) {
- //
- // Get the corresponding index in language codes.
- //
- Index = GetIndexFromSupportedLangCodes (Global->LangCodes[VirtualMode], BestLang, TRUE);
-
- //
- // Get the corresponding RFC4646 language tag according to ISO639 language tag.
- //
- BestPlatformLang = GetLangFromSupportedLangCodes (Global->PlatformLangCodes[VirtualMode], Index, FALSE, VirtualMode, Global);
-
- //
- // Successfully convert Lang to PlatformLang, and set the BestPlatformLang value into PlatformLang variable simultaneously.
- //
- FindVariable (PredefinedVariableName[VAR_PLATFORM_LANG], Global->GlobalVariableGuid[VirtualMode], &Variable, VariableGlobal, Instance);
-
- Status = UpdateVariable (
- PredefinedVariableName[VAR_PLATFORM_LANG],
- Global->GlobalVariableGuid[VirtualMode],
- BestPlatformLang,
- AsciiStrSize (BestPlatformLang),
- Attributes,
- 0,
- 0,
- VirtualMode,
- Global,
- &Variable
- );
-
- DEBUG ((EFI_D_INFO, "Variable Driver Auto Update Lang, Lang:%a, PlatformLang:%a\n", BestLang, BestPlatformLang));
- ASSERT_EFI_ERROR (Status);
- }
- }
- }
-}
-
-/**
- Update the variable region with Variable information. These are the same
- arguments as the EFI Variable services.
-
- @param[in] VariableName Name of variable.
- @param[in] VendorGuid Guid of variable.
- @param[in] Data Variable data.
- @param[in] DataSize Size of data. 0 means delete.
- @param[in] Attributes Attributes of the variable.
- @param[in] KeyIndex Index of associated public key.
- @param[in] MonotonicCount Value of associated monotonic count.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
-
- @retval EFI_SUCCESS The update operation is success.
- @retval EFI_OUT_OF_RESOURCES Variable region is full, can not write other data into this region.
-
-**/
-EFI_STATUS
-EFIAPI
-UpdateVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN UINT32 Attributes OPTIONAL,
- IN UINT32 KeyIndex OPTIONAL,
- IN UINT64 MonotonicCount OPTIONAL,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable
- )
-{
- EFI_STATUS Status;
- AUTHENTICATED_VARIABLE_HEADER *NextVariable;
- UINTN VarNameOffset;
- UINTN VarDataOffset;
- UINTN VarNameSize;
- UINTN VarSize;
- BOOLEAN Volatile;
- UINT8 State;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- AUTHENTICATED_VARIABLE_HEADER *NextVariableHeader;
- BOOLEAN Valid;
- BOOLEAN Reclaimed;
- VARIABLE_STORE_HEADER VariableStoreHeader;
- UINTN ScratchSize;
- VARIABLE_GLOBAL *VariableGlobal;
- UINT32 Instance;
-
- VariableGlobal = &Global->VariableGlobal[VirtualMode];
- Instance = Global->FvbInstance;
-
- Reclaimed = FALSE;
-
- if (Variable->CurrPtr != 0) {
-
- Valid = IsValidVariableHeader (Variable->CurrPtr, Variable->Volatile, VariableGlobal, Instance, &VariableHeader);
- if (!Valid) {
- Status = EFI_NOT_FOUND;
- goto Done;
- }
-
- //
- // Update/Delete existing variable
- //
- Volatile = Variable->Volatile;
-
- if (EfiAtRuntime ()) {
- //
- // If EfiAtRuntime and the variable is Volatile and Runtime Access,
- // the volatile is ReadOnly, and SetVariable should be aborted and
- // return EFI_WRITE_PROTECTED.
- //
- if (Variable->Volatile) {
- Status = EFI_WRITE_PROTECTED;
- goto Done;
- }
- //
- // Only variable have NV attribute can be updated/deleted in Runtime
- //
- if ((VariableHeader.Attributes & EFI_VARIABLE_NON_VOLATILE) == 0) {
- Status = EFI_INVALID_PARAMETER;
- goto Done;
- }
- }
- //
- // Setting a data variable with no access, or zero DataSize attributes
- // specified causes it to be deleted.
- //
- if (DataSize == 0 || (Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == 0) {
- State = VariableHeader.State;
- State &= VAR_DELETED;
-
- Status = AccessVariableStore (
- TRUE,
- VariableGlobal,
- Variable->Volatile,
- Instance,
- (UINTN) &(((AUTHENTICATED_VARIABLE_HEADER *)Variable->CurrPtr)->State),
- sizeof (UINT8),
- &State
- );
- if (!EFI_ERROR (Status)) {
- UpdateVariableInfo (VariableName, VendorGuid, Volatile, FALSE, FALSE, TRUE, FALSE);
- UpdateVariableCache (VariableName, VendorGuid, Attributes, DataSize, Data);
- }
- goto Done;
- }
- //
- // Logic comes here to update variable.
- // If the variable is marked valid and the same data has been passed in
- // then return to the caller immediately.
- //
- if (DataSizeOfVariable (&VariableHeader) == DataSize) {
- NextVariable = (AUTHENTICATED_VARIABLE_HEADER *)GetEndPointer (VariableGlobal->VolatileVariableBase, TRUE, VariableGlobal, Instance);
- GetVariableDataPtr (Variable->CurrPtr, Variable->Volatile, VariableGlobal, Instance, (CHAR16 *) NextVariable);
- if (CompareMem (Data, (VOID *) NextVariable, DataSize) == 0) {
- UpdateVariableInfo (VariableName, VendorGuid, Volatile, FALSE, TRUE, FALSE, FALSE);
- Status = EFI_SUCCESS;
- goto Done;
- }
- }
- if ((VariableHeader.State == VAR_ADDED) ||
- (VariableHeader.State == (VAR_ADDED & VAR_IN_DELETED_TRANSITION))) {
- //
- // If new data is different from the old one, mark the old one as VAR_IN_DELETED_TRANSITION.
- // It will be deleted if new variable is successfully written.
- //
- State = VariableHeader.State;
- State &= VAR_IN_DELETED_TRANSITION;
-
- Status = AccessVariableStore (
- TRUE,
- VariableGlobal,
- Variable->Volatile,
- Instance,
- (UINTN) &(((AUTHENTICATED_VARIABLE_HEADER *)Variable->CurrPtr)->State),
- sizeof (UINT8),
- &State
- );
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- }
- } else {
- //
- // Create a new variable
- //
-
- //
- // Make sure we are trying to create a new variable.
- // Setting a data variable with no access, or zero DataSize attributes means to delete it.
- //
- if (DataSize == 0 || (Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == 0) {
- Status = EFI_NOT_FOUND;
- goto Done;
- }
-
- //
- // Only variable have NV|RT attribute can be created in Runtime
- //
- if (EfiAtRuntime () &&
- (((Attributes & EFI_VARIABLE_RUNTIME_ACCESS) == 0) || ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0))) {
- Status = EFI_INVALID_PARAMETER;
- goto Done;
- }
- }
-
- //
- // Function part - create a new variable and copy the data.
- // Both update a variable and create a variable will come here.
- //
- // Tricky part: Use scratch data area at the end of volatile variable store
- // as a temporary storage.
- //
- NextVariable = (AUTHENTICATED_VARIABLE_HEADER *)GetEndPointer (VariableGlobal->VolatileVariableBase, TRUE, VariableGlobal, Instance);
- ScratchSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize));
- NextVariableHeader = (AUTHENTICATED_VARIABLE_HEADER *) NextVariable;
-
- SetMem (NextVariableHeader, ScratchSize, 0xff);
-
- NextVariableHeader->StartId = VARIABLE_DATA;
- NextVariableHeader->Attributes = Attributes;
- NextVariableHeader->PubKeyIndex = KeyIndex;
- NextVariableHeader->MonotonicCount = MonotonicCount;
- NextVariableHeader->Reserved = 0;
- VarNameOffset = sizeof (AUTHENTICATED_VARIABLE_HEADER);
- VarNameSize = StrSize (VariableName);
- CopyMem (
- (UINT8 *) ((UINTN)NextVariable + VarNameOffset),
- VariableName,
- VarNameSize
- );
- VarDataOffset = VarNameOffset + VarNameSize + GET_PAD_SIZE (VarNameSize);
- CopyMem (
- (UINT8 *) ((UINTN)NextVariable + VarDataOffset),
- Data,
- DataSize
- );
- CopyMem (&NextVariableHeader->VendorGuid, VendorGuid, sizeof (EFI_GUID));
- //
- // There will be pad bytes after Data, the NextVariable->NameSize and
- // NextVariable->DataSize should not include pad size so that variable
- // service can get actual size in GetVariable.
- //
- NextVariableHeader->NameSize = (UINT32)VarNameSize;
- NextVariableHeader->DataSize = (UINT32)DataSize;
-
- //
- // The actual size of the variable that stores in storage should
- // include pad size.
- //
- VarSize = VarDataOffset + DataSize + GET_PAD_SIZE (DataSize);
- if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
- //
- // Create a nonvolatile variable
- //
- Volatile = FALSE;
-
- GetVarStoreHeader (VariableGlobal->NonVolatileVariableBase, FALSE, VariableGlobal, Instance, &VariableStoreHeader);
- if ((((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != 0)
- && ((HEADER_ALIGN (VarSize) + Global->HwErrVariableTotalSize) > PcdGet32(PcdHwErrStorageSize)))
- || (((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == 0)
- && ((HEADER_ALIGN (VarSize) + Global->CommonVariableTotalSize) > VariableStoreHeader.Size - sizeof (VARIABLE_STORE_HEADER) - PcdGet32(PcdHwErrStorageSize)))) {
- if (EfiAtRuntime ()) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Done;
- }
- //
- // Perform garbage collection & reclaim operation
- //
- Status = Reclaim (VariableGlobal->NonVolatileVariableBase, &(Global->NonVolatileLastVariableOffset), FALSE, VirtualMode, Global, Variable->CurrPtr);
- if (EFI_ERROR (Status)) {
- goto Done;
- }
-
- Reclaimed = TRUE;
- //
- // If still no enough space, return out of resources
- //
- if ((((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != 0)
- && ((HEADER_ALIGN (VarSize) + Global->HwErrVariableTotalSize) > PcdGet32(PcdHwErrStorageSize)))
- || (((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == 0)
- && ((HEADER_ALIGN (VarSize) + Global->CommonVariableTotalSize) > VariableStoreHeader.Size - sizeof (VARIABLE_STORE_HEADER) - PcdGet32(PcdHwErrStorageSize)))) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Done;
- }
- }
- //
- // Four steps
- // 1. Write variable header
- // 2. Set variable state to header valid
- // 3. Write variable data
- // 4. Set variable state to valid
- //
- //
- // Step 1:
- //
- Status = AccessVariableStore (
- TRUE,
- VariableGlobal,
- FALSE,
- Instance,
- VariableGlobal->NonVolatileVariableBase + Global->NonVolatileLastVariableOffset,
- sizeof (AUTHENTICATED_VARIABLE_HEADER),
- (UINT8 *) NextVariable
- );
-
- if (EFI_ERROR (Status)) {
- goto Done;
- }
-
- //
- // Step 2:
- //
- NextVariableHeader->State = VAR_HEADER_VALID_ONLY;
- Status = AccessVariableStore (
- TRUE,
- VariableGlobal,
- FALSE,
- Instance,
- VariableGlobal->NonVolatileVariableBase + Global->NonVolatileLastVariableOffset,
- sizeof (AUTHENTICATED_VARIABLE_HEADER),
- (UINT8 *) NextVariable
- );
-
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- //
- // Step 3:
- //
- Status = AccessVariableStore (
- TRUE,
- VariableGlobal,
- FALSE,
- Instance,
- VariableGlobal->NonVolatileVariableBase + Global->NonVolatileLastVariableOffset + sizeof (AUTHENTICATED_VARIABLE_HEADER),
- (UINT32) VarSize - sizeof (AUTHENTICATED_VARIABLE_HEADER),
- (UINT8 *) NextVariable + sizeof (AUTHENTICATED_VARIABLE_HEADER)
- );
-
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- //
- // Step 4:
- //
- NextVariableHeader->State = VAR_ADDED;
- Status = AccessVariableStore (
- TRUE,
- VariableGlobal,
- FALSE,
- Instance,
- VariableGlobal->NonVolatileVariableBase + Global->NonVolatileLastVariableOffset,
- sizeof (AUTHENTICATED_VARIABLE_HEADER),
- (UINT8 *) NextVariable
- );
-
- if (EFI_ERROR (Status)) {
- goto Done;
- }
-
- Global->NonVolatileLastVariableOffset += HEADER_ALIGN (VarSize);
-
- if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != 0) {
- Global->HwErrVariableTotalSize += HEADER_ALIGN (VarSize);
- } else {
- Global->CommonVariableTotalSize += HEADER_ALIGN (VarSize);
- }
- } else {
- //
- // Create a volatile variable
- //
- Volatile = TRUE;
-
- if ((UINT32) (HEADER_ALIGN(VarSize) + Global->VolatileLastVariableOffset) >
- ((VARIABLE_STORE_HEADER *) ((UINTN) (VariableGlobal->VolatileVariableBase)))->Size) {
- //
- // Perform garbage collection & reclaim operation
- //
- Status = Reclaim (VariableGlobal->VolatileVariableBase, &Global->VolatileLastVariableOffset, TRUE, VirtualMode, Global, Variable->CurrPtr);
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- //
- // If still no enough space, return out of resources
- //
- if ((UINT32) (HEADER_ALIGN (VarSize) + Global->VolatileLastVariableOffset) >
- ((VARIABLE_STORE_HEADER *) ((UINTN) (VariableGlobal->VolatileVariableBase)))->Size
- ) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Done;
- }
- Reclaimed = TRUE;
- }
-
- NextVariableHeader->State = VAR_ADDED;
- Status = AccessVariableStore (
- TRUE,
- VariableGlobal,
- TRUE,
- Instance,
- VariableGlobal->VolatileVariableBase + Global->VolatileLastVariableOffset,
- (UINT32) VarSize,
- (UINT8 *) NextVariable
- );
-
- if (EFI_ERROR (Status)) {
- goto Done;
- }
-
- Global->VolatileLastVariableOffset += HEADER_ALIGN (VarSize);
- }
- //
- // Mark the old variable as deleted
- // If storage has just been reclaimed, the old variable marked as VAR_IN_DELETED_TRANSITION
- // has already been eliminated, so no need to delete it.
- //
- if (!Reclaimed && !EFI_ERROR (Status) && Variable->CurrPtr != 0) {
- State = ((AUTHENTICATED_VARIABLE_HEADER *)Variable->CurrPtr)->State;
- State &= VAR_DELETED;
-
- Status = AccessVariableStore (
- TRUE,
- VariableGlobal,
- Variable->Volatile,
- Instance,
- (UINTN) &(((AUTHENTICATED_VARIABLE_HEADER *)Variable->CurrPtr)->State),
- sizeof (UINT8),
- &State
- );
- }
-
- if (!EFI_ERROR (Status)) {
- UpdateVariableInfo (VariableName, VendorGuid, Volatile, FALSE, TRUE, FALSE, FALSE);
- UpdateVariableCache (VariableName, VendorGuid, Attributes, DataSize, Data);
- }
-
-Done:
- return Status;
-}
-
-/**
- Implements EsalGetVariable function of Extended SAL Variable Services Class.
-
- This function implements EsalGetVariable function of Extended SAL Variable Services Class.
- It is equivalent in functionality to the EFI Runtime Service GetVariable().
-
- @param[in] VariableName A Null-terminated Unicode string that is the name of
- the vendor's variable.
- @param[in] VendorGuid A unique identifier for the vendor.
- @param[out] Attributes If not NULL, a pointer to the memory location to return the
- attributes bitmask for the variable.
- @param[in, out] DataSize Size of Data found. If size is less than the
- data, this value contains the required size.
- @param[out] Data On input, the size in bytes of the return Data buffer.
- On output, the size of data returned in Data.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
-
- @retval EFI_SUCCESS The function completed successfully.
- @retval EFI_NOT_FOUND The variable was not found.
- @retval EFI_BUFFER_TOO_SMALL DataSize is too small for the result. DataSize has
- been updated with the size needed to complete the request.
- @retval EFI_INVALID_PARAMETER VariableName is NULL.
- @retval EFI_INVALID_PARAMETER VendorGuid is NULL.
- @retval EFI_INVALID_PARAMETER DataSize is NULL.
- @retval EFI_INVALID_PARAMETER DataSize is not too small and Data is NULL.
- @retval EFI_DEVICE_ERROR The variable could not be retrieved due to a hardware error.
- @retval EFI_SECURITY_VIOLATION The variable could not be retrieved due to an authentication failure.
-
-**/
-EFI_STATUS
-EFIAPI
-EsalGetVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- OUT UINT32 *Attributes OPTIONAL,
- IN OUT UINTN *DataSize,
- OUT VOID *Data,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- )
-{
- VARIABLE_POINTER_TRACK Variable;
- UINTN VarDataSize;
- EFI_STATUS Status;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN Valid;
- VARIABLE_GLOBAL *VariableGlobal;
- UINT32 Instance;
-
- if (VariableName == NULL || VendorGuid == NULL || DataSize == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- VariableGlobal = &Global->VariableGlobal[VirtualMode];
- Instance = Global->FvbInstance;
-
- AcquireLockOnlyAtBootTime(&VariableGlobal->VariableServicesLock);
-
- //
- // Check if this variable exists in cache.
- //
- Status = FindVariableInCache (VariableName, VendorGuid, Attributes, DataSize, Data);
- if ((Status == EFI_BUFFER_TOO_SMALL) || (Status == EFI_SUCCESS)){
- //
- // If variable exists in cache, just update statistical information for it and finish.
- // Here UpdateVariableInfo() has already retrieved data & attributes for output.
- //
- UpdateVariableInfo (VariableName, VendorGuid, FALSE, TRUE, FALSE, FALSE, TRUE);
- goto Done;
- }
- //
- // If variable does not exist in cache, search for it in variable storage area.
- //
- Status = FindVariable (VariableName, VendorGuid, &Variable, VariableGlobal, Instance);
- if (Variable.CurrPtr == 0x0 || EFI_ERROR (Status)) {
- //
- // If it cannot be found in variable storage area, goto Done.
- //
- goto Done;
- }
-
- Valid = IsValidVariableHeader (Variable.CurrPtr, Variable.Volatile, VariableGlobal, Instance, &VariableHeader);
- if (!Valid) {
- Status = EFI_NOT_FOUND;
- goto Done;
- }
- //
- // If variable exists, but not in cache, get its data and attributes, update
- // statistical information, and update cache.
- //
- VarDataSize = DataSizeOfVariable (&VariableHeader);
- ASSERT (VarDataSize != 0);
-
- if (*DataSize >= VarDataSize) {
- if (Data == NULL) {
- Status = EFI_INVALID_PARAMETER;
- goto Done;
- }
-
- GetVariableDataPtr (
- Variable.CurrPtr,
- Variable.Volatile,
- VariableGlobal,
- Instance,
- Data
- );
- if (Attributes != NULL) {
- *Attributes = VariableHeader.Attributes;
- }
-
- *DataSize = VarDataSize;
- UpdateVariableInfo (VariableName, VendorGuid, Variable.Volatile, TRUE, FALSE, FALSE, FALSE);
- UpdateVariableCache (VariableName, VendorGuid, VariableHeader.Attributes, VarDataSize, Data);
-
- Status = EFI_SUCCESS;
- goto Done;
- } else {
- //
- // If DataSize is too small for the result, return EFI_BUFFER_TOO_SMALL.
- //
- *DataSize = VarDataSize;
- Status = EFI_BUFFER_TOO_SMALL;
- goto Done;
- }
-
-Done:
- ReleaseLockOnlyAtBootTime (&VariableGlobal->VariableServicesLock);
- return Status;
-}
-
-/**
- Implements EsalGetNextVariableName function of Extended SAL Variable Services Class.
-
- This function implements EsalGetNextVariableName function of Extended SAL Variable Services Class.
- It is equivalent in functionality to the EFI Runtime Service GetNextVariableName().
-
- @param[in, out] VariableNameSize Size of the variable
- @param[in, out] VariableName On input, supplies the last VariableName that was returned by GetNextVariableName().
- On output, returns the Null-terminated Unicode string of the current variable.
- @param[in, out] VendorGuid On input, supplies the last VendorGuid that was returned by GetNextVariableName().
- On output, returns the VendorGuid of the current variable.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
-
- @retval EFI_SUCCESS The function completed successfully.
- @retval EFI_NOT_FOUND The next variable was not found.
- @retval EFI_BUFFER_TOO_SMALL VariableNameSize is too small for the result.
- VariableNameSize has been updated with the size needed to complete the request.
- @retval EFI_INVALID_PARAMETER VariableNameSize is NULL.
- @retval EFI_INVALID_PARAMETER VariableName is NULL.
- @retval EFI_INVALID_PARAMETER VendorGuid is NULL.
- @retval EFI_DEVICE_ERROR The variable name could not be retrieved due to a hardware error.
-
-**/
-EFI_STATUS
-EFIAPI
-EsalGetNextVariableName (
- IN OUT UINTN *VariableNameSize,
- IN OUT CHAR16 *VariableName,
- IN OUT EFI_GUID *VendorGuid,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- )
-{
- VARIABLE_POINTER_TRACK Variable;
- UINTN VarNameSize;
- EFI_STATUS Status;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- VARIABLE_GLOBAL *VariableGlobal;
- UINT32 Instance;
-
- if (VariableNameSize == NULL || VariableName == NULL || VendorGuid == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- VariableGlobal = &Global->VariableGlobal[VirtualMode];
- Instance = Global->FvbInstance;
-
- AcquireLockOnlyAtBootTime(&VariableGlobal->VariableServicesLock);
-
- Status = FindVariable (VariableName, VendorGuid, &Variable, VariableGlobal, Instance);
- //
- // If the variable does not exist, goto Done and return.
- //
- if (Variable.CurrPtr == 0x0 || EFI_ERROR (Status)) {
- goto Done;
- }
-
- if (VariableName[0] != 0) {
- //
- // If variable name is not NULL, get next variable
- //
- Variable.CurrPtr = GetNextVariablePtr (
- Variable.CurrPtr,
- Variable.Volatile,
- VariableGlobal,
- Instance
- );
- }
-
- while (TRUE) {
- if (Variable.CurrPtr >= Variable.EndPtr || Variable.CurrPtr == 0x0) {
- //
- // If fail to find a variable in current area, reverse the volatile attribute of area to search.
- //
- Variable.Volatile = (BOOLEAN) (Variable.Volatile ^ ((BOOLEAN) 0x1));
- //
- // Here we depend on the searching sequence of FindVariable().
- // It first searches volatile area, then NV area.
- // So if the volatile attribute after switching is non-volatile, it means that we have finished searching volatile area,
- // and EFI_NOT_FOUND is returnd.
- // Otherwise, it means that we have finished searchig non-volatile area, and we will continue to search volatile area.
- //
- if (!Variable.Volatile) {
- Variable.StartPtr = GetStartPointer (VariableGlobal->NonVolatileVariableBase);
- Variable.EndPtr = GetEndPointer (VariableGlobal->NonVolatileVariableBase, FALSE, VariableGlobal, Instance);
- } else {
- Status = EFI_NOT_FOUND;
- goto Done;
- }
-
- Variable.CurrPtr = Variable.StartPtr;
- if (!IsValidVariableHeader (Variable.CurrPtr, Variable.Volatile, VariableGlobal, Instance, NULL)) {
- continue;
- }
- }
- //
- // Variable is found
- //
- if (IsValidVariableHeader (Variable.CurrPtr, Variable.Volatile, VariableGlobal, Instance, &VariableHeader)) {
- if ((VariableHeader.State == VAR_ADDED) &&
- (!(EfiAtRuntime () && ((VariableHeader.Attributes & EFI_VARIABLE_RUNTIME_ACCESS) == 0)))) {
- VarNameSize = NameSizeOfVariable (&VariableHeader);
- ASSERT (VarNameSize != 0);
-
- if (VarNameSize <= *VariableNameSize) {
- GetVariableNamePtr (
- Variable.CurrPtr,
- Variable.Volatile,
- VariableGlobal,
- Instance,
- VariableName
- );
- CopyMem (
- VendorGuid,
- &VariableHeader.VendorGuid,
- sizeof (EFI_GUID)
- );
- Status = EFI_SUCCESS;
- } else {
- Status = EFI_BUFFER_TOO_SMALL;
- }
-
- *VariableNameSize = VarNameSize;
- goto Done;
- }
- }
-
- Variable.CurrPtr = GetNextVariablePtr (
- Variable.CurrPtr,
- Variable.Volatile,
- VariableGlobal,
- Instance
- );
- }
-
-Done:
- ReleaseLockOnlyAtBootTime (&VariableGlobal->VariableServicesLock);
- return Status;
-}
-
-/**
- Implements EsalSetVariable function of Extended SAL Variable Services Class.
-
- This function implements EsalSetVariable function of Extended SAL Variable Services Class.
- It is equivalent in functionality to the EFI Runtime Service SetVariable().
-
- @param[in] VariableName A Null-terminated Unicode string that is the name of the vendor's
- variable. Each VariableName is unique for each
- VendorGuid. VariableName must contain 1 or more
- Unicode characters. If VariableName is an empty Unicode
- string, then EFI_INVALID_PARAMETER is returned.
- @param[in] VendorGuid A unique identifier for the vendor.
- @param[in] Attributes Attributes bitmask to set for the variable.
- @param[in] DataSize The size in bytes of the Data buffer. A size of zero causes the
- variable to be deleted.
- @param[in] Data The contents for the variable.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
-
- @retval EFI_SUCCESS The firmware has successfully stored the variable and its data as
- defined by the Attributes.
- @retval EFI_INVALID_PARAMETER An invalid combination of attribute bits was supplied, or the
- DataSize exceeds the maximum allowed.
- @retval EFI_INVALID_PARAMETER VariableName is an empty Unicode string.
- @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the variable and its data.
- @retval EFI_DEVICE_ERROR The variable could not be saved due to a hardware failure.
- @retval EFI_WRITE_PROTECTED The variable in question is read-only.
- @retval EFI_WRITE_PROTECTED The variable in question cannot be deleted.
- @retval EFI_SECURITY_VIOLATION The variable could not be retrieved due to an authentication failure.
- @retval EFI_NOT_FOUND The variable trying to be updated or deleted was not found.
-
-**/
-EFI_STATUS
-EFIAPI
-EsalSetVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT32 Attributes,
- IN UINTN DataSize,
- IN VOID *Data,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- )
-{
- VARIABLE_POINTER_TRACK Variable;
- EFI_STATUS Status;
- EFI_PHYSICAL_ADDRESS NextVariable;
- EFI_PHYSICAL_ADDRESS Point;
- VARIABLE_GLOBAL *VariableGlobal;
- UINT32 Instance;
- UINT32 KeyIndex;
- UINT64 MonotonicCount;
- UINTN PayloadSize;
-
- //
- // Check input parameters
- //
- if (VariableName == NULL || VariableName[0] == 0 || VendorGuid == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (DataSize != 0 && Data == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // EFI_VARIABLE_RUNTIME_ACCESS bit cannot be set without EFI_VARIABLE_BOOTSERVICE_ACCESS bit.
- //
- if ((Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == EFI_VARIABLE_RUNTIME_ACCESS) {
- return EFI_INVALID_PARAMETER;
- }
-
- if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) == EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) {
- if (DataSize < AUTHINFO_SIZE) {
- //
- // Try to write Authencated Variable without AuthInfo
- //
- return EFI_SECURITY_VIOLATION;
- }
- PayloadSize = DataSize - AUTHINFO_SIZE;
- } else {
- PayloadSize = DataSize;
- }
-
-
- if ((UINTN)(~0) - PayloadSize < StrSize(VariableName)){
- //
- // Prevent whole variable size overflow
- //
- return EFI_INVALID_PARAMETER;
- }
-
- VariableGlobal = &Global->VariableGlobal[VirtualMode];
- Instance = Global->FvbInstance;
-
- if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
- //
- // For variable for hardware error record, the size of the VariableName, including the Unicode Null
- // in bytes plus the DataSize is limited to maximum size of PcdGet32(PcdMaxHardwareErrorVariableSize) bytes.
- //
- if (StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxHardwareErrorVariableSize) - sizeof (AUTHENTICATED_VARIABLE_HEADER)) {
- return EFI_INVALID_PARAMETER;
- }
- //
- // According to UEFI spec, HARDWARE_ERROR_RECORD variable name convention should be L"HwErrRecXXXX"
- //
- if (StrnCmp (VariableName, \
- Global->VariableName[VirtualMode][VAR_HW_ERR_REC], \
- StrLen(Global->VariableName[VirtualMode][VAR_HW_ERR_REC])) != 0) {
- return EFI_INVALID_PARAMETER;
- }
- } else {
- //
- // For variable not for hardware error record, the size of the VariableName, including the
- // Unicode Null in bytes plus the DataSize is limited to maximum size of PcdGet32(PcdMaxVariableSize) bytes.
- //
- if (StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxVariableSize) - sizeof (AUTHENTICATED_VARIABLE_HEADER)) {
- return EFI_INVALID_PARAMETER;
- }
- }
-
- AcquireLockOnlyAtBootTime(&VariableGlobal->VariableServicesLock);
-
- //
- // Consider reentrant in MCA/INIT/NMI. It needs be reupdated;
- //
- if (InterlockedIncrement (&Global->ReentrantState) > 1) {
- Point = VariableGlobal->NonVolatileVariableBase;;
- //
- // Parse non-volatile variable data and get last variable offset
- //
- NextVariable = GetStartPointer (Point);
- while (IsValidVariableHeader (NextVariable, FALSE, VariableGlobal, Instance, NULL)) {
- NextVariable = GetNextVariablePtr (NextVariable, FALSE, VariableGlobal, Instance);
- }
- Global->NonVolatileLastVariableOffset = NextVariable - Point;
- }
-
- //
- // Check whether the input variable exists
- //
-
- Status = FindVariable (VariableName, VendorGuid, &Variable, VariableGlobal, Instance);
-
- //
- // Hook the operation of setting PlatformLangCodes/PlatformLang and LangCodes/Lang
- //
- AutoUpdateLangVariable (VariableName, Data, PayloadSize, VirtualMode, Global);
-
- //
- // Process PK, KEK, Sigdb seperately
- //
- if (CompareGuid (VendorGuid, Global->GlobalVariableGuid[VirtualMode]) && (StrCmp (VariableName, Global->VariableName[VirtualMode][VAR_PLATFORM_KEY]) == 0)) {
- Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, VirtualMode, Global, &Variable, Attributes, TRUE);
- } else if (CompareGuid (VendorGuid, Global->GlobalVariableGuid[VirtualMode]) && (StrCmp (VariableName, Global->VariableName[VirtualMode][VAR_KEY_EXCHANGE_KEY]) == 0)) {
- Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, VirtualMode, Global, &Variable, Attributes, FALSE);
- } else if (CompareGuid (VendorGuid, Global->ImageSecurityDatabaseGuid[VirtualMode])) {
- Status = ProcessVarWithKek (VariableName, VendorGuid, Data, DataSize, VirtualMode, Global, &Variable, Attributes);
- } else {
- Status = VerifyVariable (Data, DataSize, VirtualMode, Global, &Variable, Attributes, &KeyIndex, &MonotonicCount);
- if (!EFI_ERROR(Status)) {
- //
- // Verification pass
- //
- if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {
- //
- // Cut the certificate size before set
- //
- Status = UpdateVariable (
- VariableName,
- VendorGuid,
- (UINT8*)Data + AUTHINFO_SIZE,
- DataSize - AUTHINFO_SIZE,
- Attributes,
- KeyIndex,
- MonotonicCount,
- VirtualMode,
- Global,
- &Variable
- );
- } else {
- //
- // Update variable as usual
- //
- Status = UpdateVariable (
- VariableName,
- VendorGuid,
- Data,
- DataSize,
- Attributes,
- 0,
- 0,
- VirtualMode,
- Global,
- &Variable
- );
- }
- }
- }
-
- InterlockedDecrement (&Global->ReentrantState);
- ReleaseLockOnlyAtBootTime (&VariableGlobal->VariableServicesLock);
- return Status;
-}
-
-/**
- Implements EsalQueryVariableInfo function of Extended SAL Variable Services Class.
-
- This function implements EsalQueryVariableInfo function of Extended SAL Variable Services Class.
- It is equivalent in functionality to the EFI Runtime Service QueryVariableInfo().
-
- @param[in] Attributes Attributes bitmask to specify the type of variables
- on which to return information.
- @param[out] MaximumVariableStorageSize On output the maximum size of the storage space available for
- the EFI variables associated with the attributes specified.
- @param[out] RemainingVariableStorageSize Returns the remaining size of the storage space available for EFI
- variables associated with the attributes specified.
- @param[out] MaximumVariableSize Returns the maximum size of an individual EFI variable
- associated with the attributes specified.
- @param[in] VirtualMode Current calling mode for this function
- @param[in] Global Context of this Extended SAL Variable Services Class call
-
- @retval EFI_SUCCESS Valid answer returned.
- @retval EFI_INVALID_PARAMETER An invalid combination of attribute bits was supplied.
- @retval EFI_UNSUPPORTED The attribute is not supported on this platform, and the
- MaximumVariableStorageSize, RemainingVariableStorageSize,
- MaximumVariableSize are undefined.
-**/
-EFI_STATUS
-EFIAPI
-EsalQueryVariableInfo (
- IN UINT32 Attributes,
- OUT UINT64 *MaximumVariableStorageSize,
- OUT UINT64 *RemainingVariableStorageSize,
- OUT UINT64 *MaximumVariableSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- )
-{
- EFI_PHYSICAL_ADDRESS Variable;
- EFI_PHYSICAL_ADDRESS NextVariable;
- UINT64 VariableSize;
- EFI_PHYSICAL_ADDRESS VariableStoreHeaderAddress;
- BOOLEAN Volatile;
- VARIABLE_STORE_HEADER VarStoreHeader;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- UINT64 CommonVariableTotalSize;
- UINT64 HwErrVariableTotalSize;
- VARIABLE_GLOBAL *VariableGlobal;
- UINT32 Instance;
-
- CommonVariableTotalSize = 0;
- HwErrVariableTotalSize = 0;
-
- if(MaximumVariableStorageSize == NULL || RemainingVariableStorageSize == NULL || MaximumVariableSize == NULL || Attributes == 0) {
- return EFI_INVALID_PARAMETER;
- }
-
- if((Attributes & (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_HARDWARE_ERROR_RECORD)) == 0) {
- //
- // Make sure the Attributes combination is supported by the platform.
- //
- return EFI_UNSUPPORTED;
- } else if ((Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == EFI_VARIABLE_RUNTIME_ACCESS) {
- //
- // Make sure if runtime bit is set, boot service bit is set also.
- //
- return EFI_INVALID_PARAMETER;
- } else if (EfiAtRuntime () && ((Attributes & EFI_VARIABLE_RUNTIME_ACCESS) == 0)) {
- //
- // Make sure RT Attribute is set if we are in Runtime phase.
- //
- return EFI_INVALID_PARAMETER;
- } else if ((Attributes & (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_HARDWARE_ERROR_RECORD)) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
- //
- // Make sure Hw Attribute is set with NV.
- //
- return EFI_INVALID_PARAMETER;
- }
-
- VariableGlobal = &Global->VariableGlobal[VirtualMode];
- Instance = Global->FvbInstance;
-
- AcquireLockOnlyAtBootTime(&VariableGlobal->VariableServicesLock);
-
- if((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0) {
- //
- // Query is Volatile related.
- //
- Volatile = TRUE;
- VariableStoreHeaderAddress = VariableGlobal->VolatileVariableBase;
- } else {
- //
- // Query is Non-Volatile related.
- //
- Volatile = FALSE;
- VariableStoreHeaderAddress = VariableGlobal->NonVolatileVariableBase;
- }
-
- //
- // Now let's fill *MaximumVariableStorageSize *RemainingVariableStorageSize
- // with the storage size (excluding the storage header size).
- //
- GetVarStoreHeader (VariableStoreHeaderAddress, Volatile, VariableGlobal, Instance, &VarStoreHeader);
-
- *MaximumVariableStorageSize = VarStoreHeader.Size - sizeof (VARIABLE_STORE_HEADER);
-
- // Harware error record variable needs larger size.
- //
- if ((Attributes & (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_HARDWARE_ERROR_RECORD)) == (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_HARDWARE_ERROR_RECORD)) {
- *MaximumVariableStorageSize = PcdGet32(PcdHwErrStorageSize);
- *MaximumVariableSize = PcdGet32(PcdMaxHardwareErrorVariableSize) - sizeof (AUTHENTICATED_VARIABLE_HEADER);
- } else {
- if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
- ASSERT (PcdGet32(PcdHwErrStorageSize) < VarStoreHeader.Size);
- *MaximumVariableStorageSize = VarStoreHeader.Size - sizeof (VARIABLE_STORE_HEADER) - PcdGet32(PcdHwErrStorageSize);
- }
-
- //
- // Let *MaximumVariableSize be PcdGet32(PcdMaxVariableSize) with the exception of the variable header size.
- //
- *MaximumVariableSize = PcdGet32(PcdMaxVariableSize) - sizeof (AUTHENTICATED_VARIABLE_HEADER);
- }
-
- //
- // Point to the starting address of the variables.
- //
- Variable = GetStartPointer (VariableStoreHeaderAddress);
-
- //
- // Now walk through the related variable store.
- //
- while (IsValidVariableHeader (Variable, Volatile, VariableGlobal, Instance, &VariableHeader) &&
- (Variable < GetEndPointer (VariableStoreHeaderAddress, Volatile, VariableGlobal, Instance))) {
- NextVariable = GetNextVariablePtr (Variable, Volatile, VariableGlobal, Instance);
- VariableSize = NextVariable - Variable;
-
- if (EfiAtRuntime ()) {
- //
- // we don't take the state of the variables in mind
- // when calculating RemainingVariableStorageSize,
- // since the space occupied by variables not marked with
- // VAR_ADDED is not allowed to be reclaimed in Runtime.
- //
- if ((VariableHeader.Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
- HwErrVariableTotalSize += VariableSize;
- } else {
- CommonVariableTotalSize += VariableSize;
- }
- } else {
- //
- // Only care about Variables with State VAR_ADDED,because
- // the space not marked as VAR_ADDED is reclaimable now.
- //
- if (VariableHeader.State == VAR_ADDED) {
- if ((VariableHeader.Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
- HwErrVariableTotalSize += VariableSize;
- } else {
- CommonVariableTotalSize += VariableSize;
- }
- }
- }
-
- //
- // Go to the next one
- //
- Variable = NextVariable;
- }
-
- if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD){
- *RemainingVariableStorageSize = *MaximumVariableStorageSize - HwErrVariableTotalSize;
- }else {
- *RemainingVariableStorageSize = *MaximumVariableStorageSize - CommonVariableTotalSize;
- }
-
- if (*RemainingVariableStorageSize < sizeof (AUTHENTICATED_VARIABLE_HEADER)) {
- *MaximumVariableSize = 0;
- } else if ((*RemainingVariableStorageSize - sizeof (AUTHENTICATED_VARIABLE_HEADER)) < *MaximumVariableSize) {
- *MaximumVariableSize = *RemainingVariableStorageSize - sizeof (AUTHENTICATED_VARIABLE_HEADER);
- }
-
- ReleaseLockOnlyAtBootTime (&VariableGlobal->VariableServicesLock);
- return EFI_SUCCESS;
-}
-
-/**
- Notification function of EVT_GROUP_READY_TO_BOOT event group.
-
- This is a notification function registered on EVT_GROUP_READY_TO_BOOT event group.
- When the Boot Manager is about to load and execute a boot option, it reclaims variable
- storage if free size is below the threshold.
-
- @param[in] Event Event whose notification function is being invoked.
- @param[in] Context Pointer to the notification function's context.
-
-**/
-VOID
-EFIAPI
-ReclaimForOS(
- IN EFI_EVENT Event,
- IN VOID *Context
- )
-{
- UINT32 VarSize;
- EFI_STATUS Status;
- UINTN CommonVariableSpace;
- UINTN RemainingCommonVariableSpace;
- UINTN RemainingHwErrVariableSpace;
-
- VarSize = ((VARIABLE_STORE_HEADER *) ((UINTN) mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase))->Size;
- Status = EFI_SUCCESS;
- //
- //Allowable max size of common variable storage space
- //
- CommonVariableSpace = VarSize - sizeof (VARIABLE_STORE_HEADER) - PcdGet32(PcdHwErrStorageSize);
-
- RemainingCommonVariableSpace = CommonVariableSpace - mVariableModuleGlobal->CommonVariableTotalSize;
-
- RemainingHwErrVariableSpace = PcdGet32 (PcdHwErrStorageSize) - mVariableModuleGlobal->HwErrVariableTotalSize;
- //
- // If the free area is below a threshold, then performs reclaim operation.
- //
- if ((RemainingCommonVariableSpace < PcdGet32 (PcdMaxVariableSize))
- || ((PcdGet32 (PcdHwErrStorageSize) != 0) &&
- (RemainingHwErrVariableSpace < PcdGet32 (PcdMaxHardwareErrorVariableSize)))){
- Status = Reclaim (
- mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase,
- &mVariableModuleGlobal->NonVolatileLastVariableOffset,
- FALSE,
- Physical,
- mVariableModuleGlobal,
- 0x0
- );
- ASSERT_EFI_ERROR (Status);
- }
-}
-
-/**
- Flush the HOB variable to NV variable storage.
-**/
-VOID
-FlushHob2Nv (
- VOID
- )
-{
- EFI_STATUS Status;
- VOID *GuidHob;
- VARIABLE_STORE_HEADER *VariableStoreHeader;
- AUTHENTICATED_VARIABLE_HEADER *VariableHeader;
- //
- // Get HOB variable store.
- //
- GuidHob = GetFirstGuidHob (&gEfiAuthenticatedVariableGuid);
- if (GuidHob != NULL) {
- VariableStoreHeader = (VARIABLE_STORE_HEADER *) GET_GUID_HOB_DATA (GuidHob);
- if (CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid) &&
- (VariableStoreHeader->Format == VARIABLE_STORE_FORMATTED) &&
- (VariableStoreHeader->State == VARIABLE_STORE_HEALTHY)
- ) {
- DEBUG ((EFI_D_INFO, "HOB Variable Store appears to be valid.\n"));
- //
- // Flush the HOB variable to NV Variable storage.
- //
- for ( VariableHeader = (AUTHENTICATED_VARIABLE_HEADER *) HEADER_ALIGN (VariableStoreHeader + 1)
- ; (VariableHeader < (AUTHENTICATED_VARIABLE_HEADER *) HEADER_ALIGN ((UINTN) VariableStoreHeader + VariableStoreHeader->Size)
- &&
- (VariableHeader->StartId == VARIABLE_DATA))
- ; VariableHeader = (AUTHENTICATED_VARIABLE_HEADER *) HEADER_ALIGN ((UINTN) (VariableHeader + 1)
- + VariableHeader->NameSize + GET_PAD_SIZE (VariableHeader->NameSize)
- + VariableHeader->DataSize + GET_PAD_SIZE (VariableHeader->DataSize)
- )
- ) {
- ASSERT (VariableHeader->State == VAR_ADDED);
- ASSERT ((VariableHeader->Attributes & EFI_VARIABLE_NON_VOLATILE) != 0);
- Status = EsalSetVariable (
- (CHAR16 *) (VariableHeader + 1),
- &VariableHeader->VendorGuid,
- VariableHeader->Attributes,
- VariableHeader->DataSize,
- (UINT8 *) (VariableHeader + 1) + VariableHeader->NameSize + GET_PAD_SIZE (VariableHeader->NameSize),
- Physical,
- mVariableModuleGlobal
- );
- ASSERT_EFI_ERROR (Status);
- }
- }
- }
-}
-
-/**
- Initializes variable store area for non-volatile and volatile variable.
-
- This function allocates and initializes memory space for global context of ESAL
- variable service and variable store area for non-volatile and volatile variable.
-
- @param[in] ImageHandle The Image handle of this driver.
- @param[in] SystemTable The pointer of EFI_SYSTEM_TABLE.
-
- @retval EFI_SUCCESS Function successfully executed.
- @retval EFI_OUT_OF_RESOURCES Fail to allocate enough memory resource.
-
-**/
-EFI_STATUS
-VariableCommonInitialize (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- )
-{
- EFI_STATUS Status;
- EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader;
- EFI_PHYSICAL_ADDRESS CurrPtr;
- VARIABLE_STORE_HEADER *VolatileVariableStore;
- VARIABLE_STORE_HEADER *VariableStoreHeader;
- EFI_PHYSICAL_ADDRESS Variable;
- EFI_PHYSICAL_ADDRESS NextVariable;
- UINTN VariableSize;
- UINT32 Instance;
- EFI_PHYSICAL_ADDRESS FvVolHdr;
- EFI_PHYSICAL_ADDRESS TempVariableStoreHeader;
- EFI_GCD_MEMORY_SPACE_DESCRIPTOR GcdDescriptor;
- UINT64 BaseAddress;
- UINT64 Length;
- UINTN Index;
- UINT8 Data;
- EFI_PHYSICAL_ADDRESS VariableStoreBase;
- UINT64 VariableStoreLength;
- EFI_EVENT ReadyToBootEvent;
- UINTN ScratchSize;
-
- //
- // Allocate memory for mVariableModuleGlobal
- //
- mVariableModuleGlobal = AllocateRuntimeZeroPool (sizeof (ESAL_VARIABLE_GLOBAL));
- if (mVariableModuleGlobal == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- mVariableModuleGlobal->GlobalVariableGuid[Physical] = &gEfiGlobalVariableGuid;
- CopyMem (
- mVariableModuleGlobal->VariableName[Physical],
- mVariableName,
- sizeof (mVariableName)
- );
-
- EfiInitializeLock(&mVariableModuleGlobal->VariableGlobal[Physical].VariableServicesLock, TPL_NOTIFY);
-
- //
- // Note that in EdkII variable driver implementation, Hardware Error Record type variable
- // is stored with common variable in the same NV region. So the platform integrator should
- // ensure that the value of PcdHwErrStorageSize is less than or equal to the value of
- // PcdFlashNvStorageVariableSize.
- //
- ASSERT (PcdGet32(PcdHwErrStorageSize) <= PcdGet32 (PcdFlashNvStorageVariableSize));
-
- //
- // Allocate memory for volatile variable store
- //
- ScratchSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize));
- VolatileVariableStore = AllocateRuntimePool (PcdGet32 (PcdVariableStoreSize) + ScratchSize);
- if (VolatileVariableStore == NULL) {
- FreePool (mVariableModuleGlobal);
- return EFI_OUT_OF_RESOURCES;
- }
-
- SetMem (VolatileVariableStore, PcdGet32 (PcdVariableStoreSize) + ScratchSize, 0xff);
-
- //
- // Variable Specific Data
- //
- mVariableModuleGlobal->VariableGlobal[Physical].VolatileVariableBase = (EFI_PHYSICAL_ADDRESS) (UINTN) VolatileVariableStore;
- mVariableModuleGlobal->VolatileLastVariableOffset = (UINTN) GetStartPointer ((EFI_PHYSICAL_ADDRESS) VolatileVariableStore) - (UINTN) VolatileVariableStore;
-
- CopyGuid (&VolatileVariableStore->Signature, &gEfiAuthenticatedVariableGuid);
- VolatileVariableStore->Size = PcdGet32 (PcdVariableStoreSize);
- VolatileVariableStore->Format = VARIABLE_STORE_FORMATTED;
- VolatileVariableStore->State = VARIABLE_STORE_HEALTHY;
- VolatileVariableStore->Reserved = 0;
- VolatileVariableStore->Reserved1 = 0;
-
- //
- // Get non volatile varaible store
- //
- TempVariableStoreHeader = (UINT64) PcdGet32 (PcdFlashNvStorageVariableBase);
- VariableStoreBase = TempVariableStoreHeader + \
- (((EFI_FIRMWARE_VOLUME_HEADER *) (UINTN) (TempVariableStoreHeader)) -> HeaderLength);
- VariableStoreLength = (UINT64) PcdGet32 (PcdFlashNvStorageVariableSize) - \
- (((EFI_FIRMWARE_VOLUME_HEADER *) (UINTN) (TempVariableStoreHeader)) -> HeaderLength);
- //
- // Mark the variable storage region of the FLASH as RUNTIME
- //
- BaseAddress = VariableStoreBase & (~EFI_PAGE_MASK);
- Length = VariableStoreLength + (VariableStoreBase - BaseAddress);
- Length = (Length + EFI_PAGE_SIZE - 1) & (~EFI_PAGE_MASK);
-
- Status = gDS->GetMemorySpaceDescriptor (BaseAddress, &GcdDescriptor);
- if (EFI_ERROR (Status)) {
- goto Done;
- }
-
- Status = gDS->SetMemorySpaceAttributes (
- BaseAddress,
- Length,
- GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME
- );
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- //
- // Get address of non volatile variable store base.
- //
- mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase = VariableStoreBase;
-
- //
- // Check Integrity
- //
- //
- // Find the Correct Instance of the FV Block Service.
- //
- Instance = 0;
- CurrPtr = mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase;
-
- do {
- FvVolHdr = 0;
- Status = (EFI_STATUS) EsalCall (
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_LO,
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_HI,
- GetPhysicalAddressFunctionId,
- Instance,
- (UINT64) &FvVolHdr,
- 0,
- 0,
- 0,
- 0,
- 0
- ).Status;
- if (EFI_ERROR (Status)) {
- break;
- }
- FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER *) ((UINTN) FvVolHdr);
- ASSERT (FwVolHeader != NULL);
- if (CurrPtr >= (EFI_PHYSICAL_ADDRESS) FwVolHeader &&
- CurrPtr < ((EFI_PHYSICAL_ADDRESS) FwVolHeader + FwVolHeader->FvLength)) {
- mVariableModuleGlobal->FvbInstance = Instance;
- break;
- }
-
- Instance++;
- } while (Status == EFI_SUCCESS);
-
- VariableStoreHeader = (VARIABLE_STORE_HEADER *) CurrPtr;
- if (GetVariableStoreStatus (VariableStoreHeader) == EfiValid) {
- if (~VariableStoreHeader->Size == 0) {
- Status = AccessVariableStore (
- TRUE,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- FALSE,
- mVariableModuleGlobal->FvbInstance,
- (UINTN) &VariableStoreHeader->Size,
- sizeof (UINT32),
- (UINT8 *) &VariableStoreLength
- );
- //
- // As Variables are stored in NV storage, which are slow devices,such as flash.
- // Variable operation may skip checking variable program result to improve performance,
- // We can assume Variable program is OK through some check point.
- // Variable Store Size Setting should be the first Variable write operation,
- // We can assume all Read/Write is OK if we can set Variable store size successfully.
- // If write fail, we will assert here.
- //
- ASSERT(VariableStoreHeader->Size == VariableStoreLength);
-
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- }
-
- mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase = (EFI_PHYSICAL_ADDRESS) ((UINTN) CurrPtr);
- //
- // Parse non-volatile variable data and get last variable offset.
- //
- Variable = GetStartPointer (CurrPtr);
- Status = EFI_SUCCESS;
-
- while (IsValidVariableHeader (Variable, FALSE, &(mVariableModuleGlobal->VariableGlobal[Physical]), Instance, NULL)) {
- NextVariable = GetNextVariablePtr (
- Variable,
- FALSE,
- &(mVariableModuleGlobal->VariableGlobal[Physical]),
- Instance
- );
- VariableSize = NextVariable - Variable;
- if ((((AUTHENTICATED_VARIABLE_HEADER *)Variable)->Attributes & (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_HARDWARE_ERROR_RECORD)) == (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_HARDWARE_ERROR_RECORD)) {
- mVariableModuleGlobal->HwErrVariableTotalSize += VariableSize;
- } else {
- mVariableModuleGlobal->CommonVariableTotalSize += VariableSize;
- }
-
- Variable = NextVariable;
- }
-
- mVariableModuleGlobal->NonVolatileLastVariableOffset = (UINTN) Variable - (UINTN) CurrPtr;
-
- //
- // Check if the free area is really free.
- //
- for (Index = mVariableModuleGlobal->NonVolatileLastVariableOffset; Index < VariableStoreHeader->Size; Index++) {
- Data = ((UINT8 *) (UINTN) mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase)[Index];
- if (Data != 0xff) {
- //
- // There must be something wrong in variable store, do reclaim operation.
- //
- Status = Reclaim (
- mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase,
- &mVariableModuleGlobal->NonVolatileLastVariableOffset,
- FALSE,
- Physical,
- mVariableModuleGlobal,
- 0x0
- );
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- break;
- }
- }
-
- //
- // Register the event handling function to reclaim variable for OS usage.
- //
- Status = EfiCreateEventReadyToBootEx (
- TPL_NOTIFY,
- ReclaimForOS,
- NULL,
- &ReadyToBootEvent
- );
- } else {
- Status = EFI_VOLUME_CORRUPTED;
- DEBUG((EFI_D_ERROR, "Variable Store header is corrupted\n"));
- }
-
-Done:
- if (EFI_ERROR (Status)) {
- FreePool (mVariableModuleGlobal);
- FreePool (VolatileVariableStore);
- }
-
- return Status;
-}
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.h b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.h
deleted file mode 100644
index b32ef741bf..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.h
+++ /dev/null
@@ -1,505 +0,0 @@
-/** @file
- Internal header file for Extended SAL variable service module.
-
-Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef _VARIABLE_H_
-#define _VARIABLE_H_
-
-#include <PiDxe.h>
-
-#include <Protocol/VariableWrite.h>
-#include <Protocol/FaultTolerantWrite.h>
-#include <Protocol/FirmwareVolumeBlock.h>
-#include <Protocol/Variable.h>
-#include <Protocol/ExtendedSalBootService.h>
-#include <Protocol/ExtendedSalServiceClasses.h>
-
-#include <Guid/GlobalVariable.h>
-#include <Guid/AuthenticatedVariableFormat.h>
-#include <Guid/ImageAuthentication.h>
-#include <Guid/EventGroup.h>
-
-#include <Library/PcdLib.h>
-#include <Library/HobLib.h>
-#include <Library/UefiDriverEntryPoint.h>
-#include <Library/DxeServicesTableLib.h>
-#include <Library/UefiRuntimeLib.h>
-#include <Library/DebugLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/UefiBootServicesTableLib.h>
-#include <Library/UefiLib.h>
-#include <Library/BaseLib.h>
-#include <Library/SynchronizationLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/ExtendedSalLib.h>
-#include <Library/BaseCryptLib.h>
-
-#define MAX_NAME_SIZE 0x100
-#define NUM_VAR_NAME 9 // Number of pre-defined variable name to be referenced
-#define VAR_PLATFORM_LANG_CODES 0 // Index of "PlatformLangCodes" variable
-#define VAR_LANG_CODES 1 // Index of "LangCodes" variable
-#define VAR_PLATFORM_LANG 2 // Index of "PlatformLang" variable
-#define VAR_LANG 3 // Index of "Lang" variable
-#define VAR_HW_ERR_REC 4 // Index of "HwErrRecXXXX" variable
-#define VAR_AUTH_KEY_DB 5 // Index of "AuthVarKeyDatabase" variable
-#define VAR_SETUP_MODE 6 // Index of "SetupMode" variable
-#define VAR_PLATFORM_KEY 7 // Index of "PK" variable
-#define VAR_KEY_EXCHANGE_KEY 8 // Index of "KEK" variable
-
-///
-/// "AuthVarKeyDatabase" variable for the Public Key store.
-///
-#define AUTHVAR_KEYDB_NAME L"AuthVarKeyDatabase"
-#define AUTHVAR_KEYDB_NAME_SIZE 38
-
-///
-/// The maximum size of the public key database, restricted by maximum individal EFI
-/// varible size, and excluding the variable header and name size.
-///
-#define MAX_KEYDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (AUTHENTICATED_VARIABLE_HEADER) - AUTHVAR_KEYDB_NAME_SIZE)
-#define MAX_KEY_NUM (MAX_KEYDB_SIZE / EFI_CERT_TYPE_RSA2048_SIZE)
-
-///
-/// The size of a 3 character ISO639 language code.
-///
-#define ISO_639_2_ENTRY_SIZE 3
-
-typedef enum {
- Physical,
- Virtual
-} VARIABLE_POINTER_TYPE;
-
-typedef struct {
- EFI_PHYSICAL_ADDRESS CurrPtr;
- EFI_PHYSICAL_ADDRESS EndPtr;
- EFI_PHYSICAL_ADDRESS StartPtr;
- BOOLEAN Volatile;
-} VARIABLE_POINTER_TRACK;
-
-typedef struct {
- EFI_PHYSICAL_ADDRESS VolatileVariableBase;
- EFI_PHYSICAL_ADDRESS NonVolatileVariableBase;
- EFI_LOCK VariableServicesLock;
-} VARIABLE_GLOBAL;
-
-typedef struct {
- VARIABLE_GLOBAL VariableGlobal[2];
- CHAR16 *VariableName[2][NUM_VAR_NAME];
- EFI_GUID *GlobalVariableGuid[2];
- UINTN VolatileLastVariableOffset;
- UINTN NonVolatileLastVariableOffset;
- UINTN CommonVariableTotalSize;
- UINTN HwErrVariableTotalSize;
- CHAR8 *PlatformLangCodes[2];
- CHAR8 *LangCodes[2];
- CHAR8 *PlatformLang[2];
- CHAR8 Lang[ISO_639_2_ENTRY_SIZE + 1];
- UINT32 FvbInstance;
- UINT32 ReentrantState;
- EFI_GUID *AuthenticatedVariableGuid[2];
- EFI_GUID *CertRsa2048Sha256Guid[2];
- EFI_GUID *ImageSecurityDatabaseGuid[2];
- VOID *HashContext[2]; // Hash context pointer
- UINT8 KeyList[MAX_KEYDB_SIZE]; // Cached Platform Key list
- UINT8 PubKeyStore[MAX_KEYDB_SIZE]; // Cached Public Key list
-} ESAL_VARIABLE_GLOBAL;
-
-typedef struct {
- EFI_GUID *Guid;
- CHAR16 *Name;
- UINT32 Attributes;
- UINTN DataSize;
- VOID *Data;
-} VARIABLE_CACHE_ENTRY;
-
-
-extern ESAL_VARIABLE_GLOBAL *mVariableModuleGlobal;
-
-//
-// Functions
-//
-
-/**
- Initializes variable store area for non-volatile and volatile variable.
-
- This function allocates and initializes memory space for global context of ESAL
- variable service and variable store area for non-volatile and volatile variable.
-
- @param[in] ImageHandle The Image handle of this driver.
- @param[in] SystemTable The pointer of EFI_SYSTEM_TABLE.
-
- @retval EFI_SUCCESS Function successfully executed.
- @retval EFI_OUT_OF_RESOURCES Failed to allocate enough memory resource.
-
-**/
-EFI_STATUS
-VariableCommonInitialize (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- );
-
-/**
- Entry point of Extended SAL Variable service module.
-
- This function is the entry point of Extended SAL Variable service module.
- It registers all functions of Extended SAL Variable class, initializes
- variable store for non-volatile and volatile variables, and registers
- notification function for EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event.
-
- @param[in] ImageHandle The Image handle of this driver.
- @param[in] SystemTable The pointer of EFI_SYSTEM_TABLE.
-
- @retval EFI_SUCCESS Extended SAL Variable Services Class successfully registered.
-
-**/
-EFI_STATUS
-EFIAPI
-VariableServiceInitialize (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- );
-
-/**
- Notification function of EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE.
-
- This is a notification function registered on EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event.
- It convers pointer to new virtual address.
-
- @param[in] Event The event whose notification function is being invoked.
- @param[in] Context The pointer to the notification function's context.
-
-**/
-VOID
-EFIAPI
-VariableClassAddressChangeEvent (
- IN EFI_EVENT Event,
- IN VOID *Context
- );
-
-/**
- Implements EsalGetVariable function of Extended SAL Variable Services Class.
-
- This function implements EsalGetVariable function of Extended SAL Variable Services Class.
- It is equivalent in functionality to the EFI Runtime Service GetVariable().
-
- @param[in] VariableName A Null-terminated Unicode string that is the name of
- the vendor's variable.
- @param[in] VendorGuid A unique identifier for the vendor.
- @param[out] Attributes If not NULL, a pointer to the memory location to return the
- attributes bitmask for the variable.
- @param[in, out] DataSize Size of Data found. If size is less than the
- data, this value contains the required size.
- @param[out] Data On input, the size in bytes of the return Data buffer.
- On output, the size of data returned in Data.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
-
- @retval EFI_SUCCESS The function completed successfully.
- @retval EFI_NOT_FOUND The variable was not found.
- @retval EFI_BUFFER_TOO_SMALL DataSize is too small for the result. DataSize has
- been updated with the size needed to complete the request.
- @retval EFI_INVALID_PARAMETER VariableName is NULL.
- @retval EFI_INVALID_PARAMETER VendorGuid is NULL.
- @retval EFI_INVALID_PARAMETER DataSize is NULL.
- @retval EFI_INVALID_PARAMETER DataSize is not too small and Data is NULL.
- @retval EFI_DEVICE_ERROR The variable could not be retrieved due to a hardware error.
- @retval EFI_SECURITY_VIOLATION The variable could not be retrieved due to an authentication failure.
-
-**/
-EFI_STATUS
-EFIAPI
-EsalGetVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- OUT UINT32 *Attributes OPTIONAL,
- IN OUT UINTN *DataSize,
- OUT VOID *Data,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- );
-
-/**
- Implements EsalGetNextVariableName function of Extended SAL Variable Services Class.
-
- This function implements EsalGetNextVariableName function of Extended SAL Variable Services Class.
- It is equivalent in functionality to the EFI Runtime Service GetNextVariableName().
-
- @param[in, out] VariableNameSize Size of the variable
- @param[in, out] VariableName On input, supplies the last VariableName that was returned by GetNextVariableName().
- On output, returns the Null-terminated Unicode string of the current variable.
- @param[in, out] VendorGuid On input, supplies the last VendorGuid that was returned by GetNextVariableName().
- On output, returns the VendorGuid of the current variable.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
-
- @retval EFI_SUCCESS The function completed successfully.
- @retval EFI_NOT_FOUND The next variable was not found.
- @retval EFI_BUFFER_TOO_SMALL VariableNameSize is too small for the result.
- VariableNameSize has been updated with the size needed to complete the request.
- @retval EFI_INVALID_PARAMETER VariableNameSize is NULL.
- @retval EFI_INVALID_PARAMETER VariableName is NULL.
- @retval EFI_INVALID_PARAMETER VendorGuid is NULL.
- @retval EFI_DEVICE_ERROR The variable name could not be retrieved due to a hardware error.
-
-**/
-EFI_STATUS
-EFIAPI
-EsalGetNextVariableName (
- IN OUT UINTN *VariableNameSize,
- IN OUT CHAR16 *VariableName,
- IN OUT EFI_GUID *VendorGuid,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- );
-
-/**
- Implements EsalSetVariable function of Extended SAL Variable Services Class.
-
- This function implements EsalSetVariable function of Extended SAL Variable Services Class.
- It is equivalent in functionality to the EFI Runtime Service SetVariable().
-
- @param[in] VariableName A Null-terminated Unicode string that is the name of the vendor's
- variable. Each VariableName is unique for each
- VendorGuid. VariableName must contain 1 or more
- Unicode characters. If VariableName is an empty Unicode
- string, then EFI_INVALID_PARAMETER is returned.
- @param[in] VendorGuid A unique identifier for the vendor.
- @param[in] Attributes Attributes bitmask to set for the variable.
- @param[in] DataSize The size in bytes of the Data buffer. A size of zero causes the
- variable to be deleted.
- @param[in] Data The contents for the variable.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
-
- @retval EFI_SUCCESS The firmware has successfully stored the variable and its data as
- defined by the Attributes.
- @retval EFI_INVALID_PARAMETER An invalid combination of attribute bits was supplied, or the
- DataSize exceeds the maximum allowed.
- @retval EFI_INVALID_PARAMETER VariableName is an empty Unicode string.
- @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the variable and its data.
- @retval EFI_DEVICE_ERROR The variable could not be saved due to a hardware failure.
- @retval EFI_WRITE_PROTECTED The variable in question is read-only.
- @retval EFI_WRITE_PROTECTED The variable in question cannot be deleted.
- @retval EFI_SECURITY_VIOLATION The variable could not be retrieved due to an authentication failure.
- @retval EFI_NOT_FOUND The variable trying to be updated or deleted was not found.
-
-**/
-EFI_STATUS
-EFIAPI
-EsalSetVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT32 Attributes,
- IN UINTN DataSize,
- IN VOID *Data,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- );
-
-/**
- Implements EsalQueryVariableInfo function of Extended SAL Variable Services Class.
-
- This function implements EsalQueryVariableInfo function of Extended SAL Variable Services Class.
- It is equivalent in functionality to the EFI Runtime Service QueryVariableInfo().
-
- @param[in] Attributes Attributes bitmask to specify the type of variables
- on which to return information.
- @param[out] MaximumVariableStorageSize On output the maximum size of the storage space available for
- the EFI variables associated with the attributes specified.
- @param[out] RemainingVariableStorageSize Returns the remaining size of the storage space available for EFI
- variables associated with the attributes specified.
- @param[out] MaximumVariableSize Returns the maximum size of an individual EFI variable
- associated with the attributes specified.
- @param[in] VirtualMode Current calling mode for this function
- @param[in] Global Context of this Extended SAL Variable Services Class call
-
- @retval EFI_SUCCESS Valid answer returned.
- @retval EFI_INVALID_PARAMETER An invalid combination of attribute bits was supplied.
- @retval EFI_UNSUPPORTED The attribute is not supported on this platform, and the
- MaximumVariableStorageSize, RemainingVariableStorageSize,
- MaximumVariableSize are undefined.
-**/
-EFI_STATUS
-EFIAPI
-EsalQueryVariableInfo (
- IN UINT32 Attributes,
- OUT UINT64 *MaximumVariableStorageSize,
- OUT UINT64 *RemainingVariableStorageSize,
- OUT UINT64 *MaximumVariableSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- );
-
-/**
- Writes a buffer to variable storage space.
-
- This function writes a buffer to variable storage space into firmware
- volume block device. The destination is specified by parameter
- VariableBase. Fault Tolerant Write protocol is used for writing.
-
- @param[in] VariableBase The base address of the variable to write.
- @param[in] Buffer Points to the data buffer.
- @param[in] BufferSize The number of bytes of the data Buffer.
-
- @retval EFI_SUCCESS The function completed successfully.
- @retval EFI_NOT_FOUND Fail to locate Fault Tolerant Write protocol.
- @retval Other The function could not complete successfully.
-
-**/
-EFI_STATUS
-FtwVariableSpace (
- IN EFI_PHYSICAL_ADDRESS VariableBase,
- IN UINT8 *Buffer,
- IN UINTN BufferSize
- );
-
-/**
- Finds variable in volatile and non-volatile storage areas.
-
- This code finds variable in volatile and non-volatile storage areas.
- If VariableName is an empty string, then we just return the first
- qualified variable without comparing VariableName and VendorGuid.
- Otherwise, VariableName and VendorGuid are compared.
-
- @param[in] VariableName Name of the variable to be found.
- @param[in] VendorGuid Vendor GUID to be found.
- @param[out] PtrTrack VARIABLE_POINTER_TRACK structure for output,
- including the range searched and the target position.
- @param[in] Global Pointer to VARIABLE_GLOBAL structure, including
- base of volatile variable storage area, base of
- NV variable storage area, and a lock.
- @param[in] Instance Instance of FV Block services.
-
- @retval EFI_INVALID_PARAMETER If VariableName is not an empty string, while
- VendorGuid is NULL.
- @retval EFI_SUCCESS Variable successfully found.
- @retval EFI_INVALID_PARAMETER Variable not found.
-
-**/
-EFI_STATUS
-FindVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- OUT VARIABLE_POINTER_TRACK *PtrTrack,
- IN VARIABLE_GLOBAL *Global,
- IN UINTN Instance
- );
-
-/**
- Gets the pointer to variable data area.
-
- This function gets the pointer to variable data area.
- The variable is specified by its variable header.
-
- @param[in] VariableAddress Start address of variable header.
- @param[in] Volatile TRUE - Variable is volatile.
- FALSE - Variable is non-volatile.
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure.
- @param[in] Instance Instance of FV Block services.
- @param[out] VariableData Buffer to hold variable data for output.
-
-**/
-VOID
-GetVariableDataPtr (
- IN EFI_PHYSICAL_ADDRESS VariableAddress,
- IN BOOLEAN Volatile,
- IN VARIABLE_GLOBAL *Global,
- IN UINTN Instance,
- OUT CHAR16 *VariableData
- );
-
-/**
- Gets the size of variable data area.
-
- This function gets the size of variable data area.
- The variable is specified by its variable header.
- If variable header contains raw data, just return 0.
-
- @param[in] Variable Pointer to the variable header.
-
- @return Size of variable data area in bytes.
-
-**/
-UINTN
-DataSizeOfVariable (
- IN AUTHENTICATED_VARIABLE_HEADER *Variable
- );
-
-/**
- Update the variable region with Variable information. These are the same
- arguments as the EFI Variable services.
-
- @param[in] VariableName Name of variable.
- @param[in] VendorGuid Guid of variable.
- @param[in] Data Variable data.
- @param[in] DataSize Size of data. 0 means delete.
- @param[in] Attributes Attributes of the variable.
- @param[in] KeyIndex Index of associated public key.
- @param[in] MonotonicCount Value of associated monotonic count.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
-
- @retval EFI_SUCCESS The update operation is success.
- @retval EFI_OUT_OF_RESOURCES Variable region is full, can not write other data into this region.
-
-**/
-EFI_STATUS
-EFIAPI
-UpdateVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN UINT32 Attributes OPTIONAL,
- IN UINT32 KeyIndex OPTIONAL,
- IN UINT64 MonotonicCount OPTIONAL,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable
- );
-
-/**
- Checks variable header.
-
- This function checks if variable header is valid or not.
-
- @param[in] VariableAddress Start address of variable header.
- @param[in] Volatile TRUE - Variable is volatile.
- FALSE - Variable is non-volatile.
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure.
- @param[in] Instance Instance of FV Block services.
- @param[out] VariableHeader Pointer to AUTHENTICATED_VARIABLE_HEADER for output.
-
- @retval TRUE Variable header is valid.
- @retval FALSE Variable header is not valid.
-
-**/
-BOOLEAN
-IsValidVariableHeader (
- IN EFI_PHYSICAL_ADDRESS VariableAddress,
- IN BOOLEAN Volatile,
- IN VARIABLE_GLOBAL *Global,
- IN UINTN Instance,
- OUT AUTHENTICATED_VARIABLE_HEADER *VariableHeader OPTIONAL
- );
-
-/**
- Flush the HOB variable to NV variable storage.
-**/
-VOID
-FlushHob2Nv (
- VOID
- );
-
-#endif
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
deleted file mode 100644
index bbecff2b08..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ /dev/null
@@ -1,570 +0,0 @@
-/** @file
- VFR file used by the SecureBoot configuration component.
-
-Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigNvData.h"
-
-formset
- guid = SECUREBOOT_CONFIG_FORM_SET_GUID,
- title = STRING_TOKEN(STR_SECUREBOOT_TITLE),
- help = STRING_TOKEN(STR_SECUREBOOT_HELP),
- classguid = EFI_HII_PLATFORM_SETUP_FORMSET_GUID,
-
- varstore SECUREBOOT_CONFIGURATION,
- varid = SECUREBOOT_CONFIGURATION_VARSTORE_ID,
- name = SECUREBOOT_CONFIGURATION,
- guid = SECUREBOOT_CONFIG_FORM_SET_GUID;
-
- //
- // ##1 Form "Secure Boot Configuration"
- //
- form formid = SECUREBOOT_CONFIGURATION_FORM_ID,
- title = STRING_TOKEN(STR_SECUREBOOT_TITLE);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- text
- help = STRING_TOKEN(STR_SECURE_BOOT_STATE_HELP),
- text = STRING_TOKEN(STR_SECURE_BOOT_STATE_PROMPT),
- text = STRING_TOKEN(STR_SECURE_BOOT_STATE_CONTENT);
-
- //
- // Display of Check Box: Attempt Secure Boot
- //
- grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1 OR NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1;
- checkbox varid = SECUREBOOT_CONFIGURATION.AttemptSecureBoot,
- questionid = KEY_SECURE_BOOT_ENABLE,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT),
- help = STRING_TOKEN(STR_SECURE_BOOT_HELP),
- flags = INTERACTIVE | RESET_REQUIRED,
- endcheckbox;
- endif;
-
- //
- // Display of Oneof: 'Secure Boot Mode'
- //
- oneof name = SecureBootMode,
- questionid = KEY_SECURE_BOOT_MODE,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT),
- help = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP),
- flags = INTERACTIVE | NUMERIC_SIZE_1,
- option text = STRING_TOKEN(STR_STANDARD_MODE), value = SECURE_BOOT_MODE_STANDARD, flags = DEFAULT;
- option text = STRING_TOKEN(STR_CUSTOM_MODE), value = SECURE_BOOT_MODE_CUSTOM, flags = 0;
- endoneof;
-
- //
- // Display of 'Current Secure Boot Mode'
- //
- suppressif questionref(SecureBootMode) == SECURE_BOOT_MODE_STANDARD;
- grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1;
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_OPTION),
- help = STRING_TOKEN(STR_SECURE_BOOT_OPTION_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_OPTION;
- endif;
- endif;
-
- endform;
-
- //
- // ##2 Form: 'Custom Secure Boot Options'
- //
- form formid = FORMID_SECURE_BOOT_OPTION_FORM,
- title = STRING_TOKEN(STR_SECURE_BOOT_OPTION_TITLE);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_PK_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION),
- help = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_PK_OPTION;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_KEK_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION),
- help = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_KEK_OPTION;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_DB_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION),
- help = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_DB_OPTION;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_DBX_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION),
- help = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_DBX_OPTION;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_DBT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_DBT_OPTION),
- help = STRING_TOKEN(STR_SECURE_BOOT_DBT_OPTION_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_DBT_OPTION;
-
- endform;
-
- //
- // ##3 Form: 'PK Options'
- //
- form formid = FORMID_SECURE_BOOT_PK_OPTION_FORM,
- title = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- //
- // Display of 'Enroll PK'
- //
- grayoutif ideqval SECUREBOOT_CONFIGURATION.HasPk == 1;
- goto FORMID_ENROLL_PK_FORM,
- prompt = STRING_TOKEN(STR_ENROLL_PK),
- help = STRING_TOKEN(STR_ENROLL_PK_HELP),
- flags = INTERACTIVE,
- key = KEY_ENROLL_PK;
- endif;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- //
- // Display of Check Box: 'Delete Pk'
- //
- grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1;
- checkbox varid = SECUREBOOT_CONFIGURATION.DeletePk,
- questionid = KEY_SECURE_BOOT_DELETE_PK,
- prompt = STRING_TOKEN(STR_DELETE_PK),
- help = STRING_TOKEN(STR_DELETE_PK_HELP),
- flags = INTERACTIVE | RESET_REQUIRED,
- endcheckbox;
- endif;
- endform;
-
- //
- // ##4 Form: 'Enroll PK'
- //
- form formid = FORMID_ENROLL_PK_FORM,
- title = STRING_TOKEN(STR_ENROLL_PK);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_ENROLL_PK_FORM,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_PK_FILE),
- help = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_PK_FILE),
- flags = INTERACTIVE,
- key = FORMID_ENROLL_PK_FORM;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- label FORMID_ENROLL_PK_FORM;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_SAVE_AND_EXIT),
- flags = INTERACTIVE| RESET_REQUIRED,
- key = KEY_VALUE_SAVE_AND_EXIT_PK;
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_NO_SAVE_AND_EXIT_PK;
-
- endform;
-
- //
- // ##5 Form: 'KEK Options'
- //
- form formid = FORMID_SECURE_BOOT_KEK_OPTION_FORM,
- title = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION);
-
- //
- // Display of 'Enroll KEK'
- //
- goto FORMID_ENROLL_KEK_FORM,
- prompt = STRING_TOKEN(STR_ENROLL_KEK),
- help = STRING_TOKEN(STR_ENROLL_KEK_HELP),
- flags = INTERACTIVE;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- //
- // Display of 'Delete KEK'
- //
- goto FORMID_DELETE_KEK_FORM,
- prompt = STRING_TOKEN(STR_DELETE_KEK),
- help = STRING_TOKEN(STR_DELETE_KEK_HELP),
- flags = INTERACTIVE,
- key = KEY_DELETE_KEK;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- endform;
-
- //
- // ##6 Form: 'Enroll KEK'
- //
- form formid = FORMID_ENROLL_KEK_FORM,
- title = STRING_TOKEN(STR_ENROLL_KEK_TITLE);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_ENROLL_KEK_FORM,
- prompt = STRING_TOKEN(STR_FORM_ENROLL_KEK_FROM_FILE_TITLE),
- help = STRING_TOKEN(STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP),
- flags = INTERACTIVE,
- key = FORMID_ENROLL_KEK_FORM;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- label FORMID_ENROLL_KEK_FORM;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
- help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_KEK_GUID,
- minsize = SECURE_BOOT_GUID_SIZE,
- maxsize = SECURE_BOOT_GUID_SIZE,
- endstring;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_SAVE_AND_EXIT_KEK;
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_NO_SAVE_AND_EXIT_KEK;
-
- endform;
-
- //
- // ##7 Form: 'Delete KEK'
- //
- form formid = FORMID_DELETE_KEK_FORM,
- title = STRING_TOKEN(STR_DELETE_KEK_TITLE);
-
- label LABEL_KEK_DELETE;
- label LABEL_END;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- endform;
-
- //
- // ##8 Form: 'DB Options'
- //
- form formid = FORMID_SECURE_BOOT_DB_OPTION_FORM,
- title = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_ENROLL_SIGNATURE_TO_DB,
- prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
- help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
- flags = 0;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
- prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
- help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
- flags = INTERACTIVE,
- key = SECUREBOOT_DELETE_SIGNATURE_FROM_DB;
-
- endform;
-
- //
- // ##9 Form: 'DBX Options'
- //
- form formid = FORMID_SECURE_BOOT_DBX_OPTION_FORM,
- title = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBX,
- prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
- help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
- flags = 0;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
- prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
- help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
- flags = INTERACTIVE,
- key = SECUREBOOT_DELETE_SIGNATURE_FROM_DBX;
-
- endform;
-
- //
- // ##9 Form: 'DBT Options'
- //
- form formid = FORMID_SECURE_BOOT_DBT_OPTION_FORM,
- title = STRING_TOKEN(STR_SECURE_BOOT_DBT_OPTION);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBT,
- prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
- help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
- flags = 0;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_DELETE_SIGNATURE_FROM_DBT,
- prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
- help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
- flags = INTERACTIVE,
- key = SECUREBOOT_DELETE_SIGNATURE_FROM_DBT;
-
- endform;
-
- //
- // Form: 'Delete Signature' for DB Options.
- //
- form formid = SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
- title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE);
-
- label LABEL_DB_DELETE;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- endform;
-
- //
- // Form: 'Delete Signature' for DBX Options.
- //
- form formid = SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
- title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE);
-
- label LABEL_DBX_DELETE;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- endform;
-
- //
- // Form: 'Delete Signature' for DBT Options.
- //
- form formid = SECUREBOOT_DELETE_SIGNATURE_FROM_DBT,
- title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE);
-
- label LABEL_DBT_DELETE;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- endform;
-
- //
- // Form: 'Enroll Signature' for DB options.
- //
- form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DB,
- title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_ENROLL_SIGNATURE_TO_DB,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
- help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
- flags = INTERACTIVE,
- key = SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- label SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
- help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_SIGNATURE_GUID_DB,
- minsize = SECURE_BOOT_GUID_SIZE,
- maxsize = SECURE_BOOT_GUID_SIZE,
- endstring;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_SAVE_AND_EXIT_DB;
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_NO_SAVE_AND_EXIT_DB;
-
- endform;
-
- //
- // Form: 'Enroll Signature' for DBX options.
- //
- form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX,
- title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBX,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
- help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
- flags = INTERACTIVE,
- key = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
-
- label SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- grayoutif ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 3;
- string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
- help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_SIGNATURE_GUID_DBX,
- minsize = SECURE_BOOT_GUID_SIZE,
- maxsize = SECURE_BOOT_GUID_SIZE,
- endstring;
- endif;
-
- disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 1;
- oneof name = X509SignatureFormatInDbx,
- varid = SECUREBOOT_CONFIGURATION.CertificateFormat,
- prompt = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT),
- help = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP),
- option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x1, flags = DEFAULT;
- option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x2, flags = 0;
- option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x3, flags = 0;
- option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x4, flags = 0;
- endoneof;
- endif;
-
- disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 2;
- text
- help = STRING_TOKEN(STR_DBX_PE_IMAGE_FORMAT_HELP), // Help string
- text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), // Prompt string
- text = STRING_TOKEN(STR_DBX_PE_FORMAT_SHA256); // PE image type
- endif;
-
- disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 3;
- text
- help = STRING_TOKEN(STR_DBX_AUTH_2_FORMAT_HELP), // Help string
- text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), // Prompt string
- text = STRING_TOKEN(STR_DBX_AUTH_2_FORMAT); // AUTH_2 image type
- endif;
-
- suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 4;
- checkbox varid = SECUREBOOT_CONFIGURATION.AlwaysRevocation,
- prompt = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_PROMPT),
- help = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_HELP),
- flags = INTERACTIVE,
- endcheckbox;
-
- suppressif ideqval SECUREBOOT_CONFIGURATION.AlwaysRevocation == 1;
- date varid = SECUREBOOT_CONFIGURATION.RevocationDate,
- prompt = STRING_TOKEN(STR_CERTIFICATE_REVOCATION_DATE_PROMPT),
- help = STRING_TOKEN(STR_CERTIFICATE_REVOCATION_DATE_HELP),
- flags = STORAGE_NORMAL,
- enddate;
-
- time varid = SECUREBOOT_CONFIGURATION.RevocationTime,
- prompt = STRING_TOKEN(STR_CERTIFICATE_REVOCATION_TIME_PROMPT),
- help = STRING_TOKEN(STR_CERTIFICATE_REVOCATION_TIME_HELP),
- flags = STORAGE_NORMAL,
- endtime;
- endif;
- endif;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_SAVE_AND_EXIT_DBX;
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_NO_SAVE_AND_EXIT_DBX;
-
- endform;
-
- //
- // Form: 'Enroll Signature' for DBT options.
- //
- form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DBT,
- title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBT,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
- help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
- flags = INTERACTIVE,
- key = SECUREBOOT_ENROLL_SIGNATURE_TO_DBT;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- label SECUREBOOT_ENROLL_SIGNATURE_TO_DBT;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
- help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_SIGNATURE_GUID_DBT,
- minsize = SECURE_BOOT_GUID_SIZE,
- maxsize = SECURE_BOOT_GUID_SIZE,
- endstring;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_SAVE_AND_EXIT_DBT;
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_NO_SAVE_AND_EXIT_DBT;
-
- endform;
-
-endformset;
\ No newline at end of file
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDevicePath.c b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDevicePath.c
deleted file mode 100644
index 28c4d4f8b6..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDevicePath.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/** @file
- Internal function defines the default device path string for SecureBoot configuration module.
-
-Copyright (c) 2012 - 2013, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-
-/**
- This function converts an input device structure to a Unicode string.
-
- @param[in] DevPath A pointer to the device path structure.
-
- @return A new allocated Unicode string that represents the device path.
-
-**/
-CHAR16 *
-EFIAPI
-DevicePathToStr (
- IN EFI_DEVICE_PATH_PROTOCOL *DevPath
- )
-{
- return ConvertDevicePathToText (
- DevPath,
- FALSE,
- TRUE
- );
-}
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c
deleted file mode 100644
index 1d6c4ac6e8..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c
+++ /dev/null
@@ -1,133 +0,0 @@
-/** @file
- The module entry point for SecureBoot configuration module.
-
-Copyright (c) 2011, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-/**
- The entry point for SecureBoot configuration driver.
-
- @param[in] ImageHandle The image handle of the driver.
- @param[in] SystemTable The system table.
-
- @retval EFI_ALREADY_STARTED The driver already exists in system.
- @retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack of resources.
- @retval EFI_SUCCES All the related protocols are installed on the driver.
- @retval Others Fail to get the SecureBootEnable variable.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootConfigDriverEntryPoint (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- )
-{
- EFI_STATUS Status;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
-
- //
- // If already started, return.
- //
- Status = gBS->OpenProtocol (
- ImageHandle,
- &gEfiCallerIdGuid,
- NULL,
- ImageHandle,
- ImageHandle,
- EFI_OPEN_PROTOCOL_TEST_PROTOCOL
- );
- if (!EFI_ERROR (Status)) {
- return EFI_ALREADY_STARTED;
- }
-
- //
- // Create a private data structure.
- //
- PrivateData = AllocateCopyPool (sizeof (SECUREBOOT_CONFIG_PRIVATE_DATA), &mSecureBootConfigPrivateDateTemplate);
- if (PrivateData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Install SecureBoot configuration form
- //
- Status = InstallSecureBootConfigForm (PrivateData);
- if (EFI_ERROR (Status)) {
- goto ErrorExit;
- }
-
- //
- // Install private GUID.
- //
- Status = gBS->InstallMultipleProtocolInterfaces (
- &ImageHandle,
- &gEfiCallerIdGuid,
- PrivateData,
- NULL
- );
-
- if (EFI_ERROR (Status)) {
- goto ErrorExit;
- }
-
- return EFI_SUCCESS;
-
-ErrorExit:
- if (PrivateData != NULL) {
- UninstallSecureBootConfigForm (PrivateData);
- }
-
- return Status;
-}
-
-/**
- Unload the SecureBoot configuration form.
-
- @param[in] ImageHandle The driver's image handle.
-
- @retval EFI_SUCCESS The SecureBoot configuration form is unloaded.
- @retval Others Failed to unload the form.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootConfigDriverUnload (
- IN EFI_HANDLE ImageHandle
- )
-{
- EFI_STATUS Status;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
-
- Status = gBS->HandleProtocol (
- ImageHandle,
- &gEfiCallerIdGuid,
- (VOID **) &PrivateData
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- ASSERT (PrivateData->Signature == SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE);
-
- gBS->UninstallMultipleProtocolInterfaces (
- &ImageHandle,
- &gEfiCallerIdGuid,
- PrivateData,
- NULL
- );
-
- UninstallSecureBootConfigForm (PrivateData);
-
- return EFI_SUCCESS;
-}
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
deleted file mode 100644
index fa7c39d6e5..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ /dev/null
@@ -1,127 +0,0 @@
-## @file
-# Provides the capbility to configure secure boot in a setup browser
-# By this module, user may change the content of DB, DBX, PK and KEK.
-#
-# Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR>
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-##
-
-[Defines]
- INF_VERSION = 0x00010005
- BASE_NAME = SecureBootConfigDxe
- MODULE_UNI_FILE = SecureBootConfigDxe.uni
- FILE_GUID = F0E6A44F-7195-41c3-AC64-54F202CD0A21
- MODULE_TYPE = DXE_DRIVER
- VERSION_STRING = 1.0
- ENTRY_POINT = SecureBootConfigDriverEntryPoint
- UNLOAD_IMAGE = SecureBootConfigDriverUnload
-
-#
-# VALID_ARCHITECTURES = IA32 X64 IPF EBC
-#
-
-[Sources]
- SecureBootConfigDriver.c
- SecureBootConfigImpl.c
- SecureBootConfigFileExplorer.c
- SecureBootConfigDevicePath.c
- SecureBootConfigMisc.c
- SecureBootConfigImpl.h
- SecureBootConfig.vfr
- SecureBootConfigStrings.uni
- SecureBootConfigNvData.h
-
-[Packages]
- MdePkg/MdePkg.dec
- MdeModulePkg/MdeModulePkg.dec
- SecurityPkg/SecurityPkg.dec
- CryptoPkg/CryptoPkg.dec
-
-[LibraryClasses]
- BaseLib
- BaseMemoryLib
- BaseCryptLib
- MemoryAllocationLib
- UefiLib
- UefiBootServicesTableLib
- UefiRuntimeServicesTableLib
- UefiDriverEntryPoint
- UefiHiiServicesLib
- DebugLib
- HiiLib
- PlatformSecureLib
- DevicePathLib
- FileExplorerLib
- PeCoffLib
-
-[Guids]
- ## SOMETIMES_CONSUMES ## Variable:L"CustomMode"
- ## SOMETIMES_PRODUCES ## Variable:L"CustomMode"
- gEfiCustomModeEnableGuid
-
- ## SOMETIMES_CONSUMES ## Variable:L"SecureBootEnable"
- ## SOMETIMES_PRODUCES ## Variable:L"SecureBootEnable"
- gEfiSecureBootEnableDisableGuid
-
- ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
- ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
- gEfiCertRsa2048Guid
-
- ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
- ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
- gEfiCertX509Guid
-
- ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
- ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
- gEfiCertSha1Guid
-
- ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
- ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
- gEfiCertSha256Guid
-
- ## SOMETIMES_CONSUMES ## Variable:L"db"
- ## SOMETIMES_PRODUCES ## Variable:L"db"
- ## SOMETIMES_CONSUMES ## Variable:L"dbx"
- ## SOMETIMES_PRODUCES ## Variable:L"dbx"
- gEfiImageSecurityDatabaseGuid
-
- ## SOMETIMES_CONSUMES ## Variable:L"SetupMode"
- ## SOMETIMES_PRODUCES ## Variable:L"PK"
- ## SOMETIMES_CONSUMES ## Variable:L"KEK"
- ## SOMETIMES_PRODUCES ## Variable:L"KEK"
- ## SOMETIMES_CONSUMES ## Variable:L"SecureBoot"
- gEfiGlobalVariableGuid
-
- gEfiIfrTianoGuid ## PRODUCES ## GUID # HII opcode
- ## PRODUCES ## HII
- ## CONSUMES ## HII
- gSecureBootConfigFormSetGuid
- gEfiCertPkcs7Guid ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the certificate.
- gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
- gEfiFileSystemVolumeLabelInfoIdGuid ## SOMETIMES_CONSUMES ## GUID # Indicate the information type
- gEfiFileInfoGuid ## SOMETIMES_CONSUMES ## GUID # Indicate the information type
-
- gEfiCertX509Sha256Guid ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the certificate.
- gEfiCertX509Sha384Guid ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the certificate.
- gEfiCertX509Sha512Guid ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the certificate.
-
-[Protocols]
- gEfiHiiConfigAccessProtocolGuid ## PRODUCES
- gEfiDevicePathProtocolGuid ## PRODUCES
- gEfiSimpleFileSystemProtocolGuid ## SOMETIMES_CONSUMES
- gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
-
-[Depex]
- gEfiHiiConfigRoutingProtocolGuid AND
- gEfiHiiDatabaseProtocolGuid AND
- gEfiVariableArchProtocolGuid AND
- gEfiVariableWriteArchProtocolGuid
-
-[UserExtensions.TianoCore."ExtraFiles"]
- SecureBootConfigDxeExtra.uni
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.uni b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.uni
deleted file mode 100644
index d0d2e5ad75..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.uni
+++ /dev/null
@@ -1,21 +0,0 @@
-// /** @file
-// Provides the capbility to configure secure boot in a setup browser
-//
-// By this module, user may change the content of DB, DBX, PK and KEK.
-//
-// Copyright (c) 2011 - 2014, Intel Corporation. All rights reserved.<BR>
-//
-// This program and the accompanying materials
-// are licensed and made available under the terms and conditions of the BSD License
-// which accompanies this distribution. The full text of the license may be found at
-// http://opensource.org/licenses/bsd-license.php
-// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-//
-// **/
-
-
-#string STR_MODULE_ABSTRACT #language en-US "Provides the capability to configure secure boot in a setup browser"
-
-#string STR_MODULE_DESCRIPTION #language en-US "By this module, user may change the content of DB, DBX, PK and KEK."
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxeExtra.uni b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxeExtra.uni
deleted file mode 100644
index 2bc7f3d537..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxeExtra.uni
+++ /dev/null
@@ -1,19 +0,0 @@
-// /** @file
-// SecureBootConfigDxe Localized Strings and Content
-//
-// Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
-//
-// This program and the accompanying materials
-// are licensed and made available under the terms and conditions of the BSD License
-// which accompanies this distribution. The full text of the license may be found at
-// http://opensource.org/licenses/bsd-license.php
-// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-//
-// **/
-
-#string STR_PROPERTIES_MODULE_NAME
-#language en-US
-"Secure Boot Config DXE"
-
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
deleted file mode 100644
index 1b6f888042..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
+++ /dev/null
@@ -1,422 +0,0 @@
-/** @file
- Internal file explorer functions for SecureBoot configuration module.
-
-Copyright (c) 2012 - 2016, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-VOID *mStartOpCodeHandle = NULL;
-VOID *mEndOpCodeHandle = NULL;
-EFI_IFR_GUID_LABEL *mStartLabel = NULL;
-EFI_IFR_GUID_LABEL *mEndLabel = NULL;
-
-/**
- Refresh the global UpdateData structure.
-
-**/
-VOID
-RefreshUpdateData (
- VOID
- )
-{
- //
- // Free current updated date
- //
- if (mStartOpCodeHandle != NULL) {
- HiiFreeOpCodeHandle (mStartOpCodeHandle);
- }
-
- //
- // Create new OpCode Handle
- //
- mStartOpCodeHandle = HiiAllocateOpCodeHandle ();
-
- //
- // Create Hii Extend Label OpCode as the start opcode
- //
- mStartLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- mStartOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- mStartLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
-}
-
-/**
- Clean up the dynamic opcode at label and form specified by both LabelId.
-
- @param[in] LabelId It is both the Form ID and Label ID for opcode deletion.
- @param[in] PrivateData Module private data.
-
-**/
-VOID
-CleanUpPage (
- IN UINT16 LabelId,
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- )
-{
- RefreshUpdateData ();
-
- //
- // Remove all op-codes from dynamic page
- //
- mStartLabel->Number = LabelId;
- HiiUpdateForm (
- PrivateData->HiiHandle,
- &gSecureBootConfigFormSetGuid,
- LabelId,
- mStartOpCodeHandle, // Label LabelId
- mEndOpCodeHandle // LABEL_END
- );
-}
-
-/**
- This function will open a file or directory referenced by DevicePath.
-
- This function opens a file with the open mode according to the file path. The
- Attributes is valid only for EFI_FILE_MODE_CREATE.
-
- @param[in, out] FilePath On input, the device path to the file.
- On output, the remaining device path.
- @param[out] FileHandle Pointer to the file handle.
- @param[in] OpenMode The mode to open the file with.
- @param[in] Attributes The file's file attributes.
-
- @retval EFI_SUCCESS The information was set.
- @retval EFI_INVALID_PARAMETER One of the parameters has an invalid value.
- @retval EFI_UNSUPPORTED Could not open the file path.
- @retval EFI_NOT_FOUND The specified file could not be found on the
- device or the file system could not be found on
- the device.
- @retval EFI_NO_MEDIA The device has no medium.
- @retval EFI_MEDIA_CHANGED The device has a different medium in it or the
- medium is no longer supported.
- @retval EFI_DEVICE_ERROR The device reported an error.
- @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted.
- @retval EFI_WRITE_PROTECTED The file or medium is write protected.
- @retval EFI_ACCESS_DENIED The file was opened read only.
- @retval EFI_OUT_OF_RESOURCES Not enough resources were available to open the
- file.
- @retval EFI_VOLUME_FULL The volume is full.
-**/
-EFI_STATUS
-EFIAPI
-OpenFileByDevicePath(
- IN OUT EFI_DEVICE_PATH_PROTOCOL **FilePath,
- OUT EFI_FILE_HANDLE *FileHandle,
- IN UINT64 OpenMode,
- IN UINT64 Attributes
- )
-{
- EFI_STATUS Status;
- EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *EfiSimpleFileSystemProtocol;
- EFI_FILE_PROTOCOL *Handle1;
- EFI_FILE_PROTOCOL *Handle2;
- EFI_HANDLE DeviceHandle;
-
- if ((FilePath == NULL || FileHandle == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- Status = gBS->LocateDevicePath (
- &gEfiSimpleFileSystemProtocolGuid,
- FilePath,
- &DeviceHandle
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- Status = gBS->OpenProtocol(
- DeviceHandle,
- &gEfiSimpleFileSystemProtocolGuid,
- (VOID**)&EfiSimpleFileSystemProtocol,
- gImageHandle,
- NULL,
- EFI_OPEN_PROTOCOL_GET_PROTOCOL
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- Status = EfiSimpleFileSystemProtocol->OpenVolume(EfiSimpleFileSystemProtocol, &Handle1);
- if (EFI_ERROR (Status)) {
- FileHandle = NULL;
- return Status;
- }
-
- //
- // go down directories one node at a time.
- //
- while (!IsDevicePathEnd (*FilePath)) {
- //
- // For file system access each node should be a file path component
- //
- if (DevicePathType (*FilePath) != MEDIA_DEVICE_PATH ||
- DevicePathSubType (*FilePath) != MEDIA_FILEPATH_DP
- ) {
- FileHandle = NULL;
- return (EFI_INVALID_PARAMETER);
- }
- //
- // Open this file path node
- //
- Handle2 = Handle1;
- Handle1 = NULL;
-
- //
- // Try to test opening an existing file
- //
- Status = Handle2->Open (
- Handle2,
- &Handle1,
- ((FILEPATH_DEVICE_PATH*)*FilePath)->PathName,
- OpenMode &~EFI_FILE_MODE_CREATE,
- 0
- );
-
- //
- // see if the error was that it needs to be created
- //
- if ((EFI_ERROR (Status)) && (OpenMode != (OpenMode &~EFI_FILE_MODE_CREATE))) {
- Status = Handle2->Open (
- Handle2,
- &Handle1,
- ((FILEPATH_DEVICE_PATH*)*FilePath)->PathName,
- OpenMode,
- Attributes
- );
- }
- //
- // Close the last node
- //
- Handle2->Close (Handle2);
-
- if (EFI_ERROR(Status)) {
- return (Status);
- }
-
- //
- // Get the next node
- //
- *FilePath = NextDevicePathNode (*FilePath);
- }
-
- //
- // This is a weak spot since if the undefined SHELL_FILE_HANDLE format changes this must change also!
- //
- *FileHandle = (VOID*)Handle1;
- return EFI_SUCCESS;
-}
-
-
-/**
- Extract filename from device path. The returned buffer is allocated using AllocateCopyPool.
- The caller is responsible for freeing the allocated buffer using FreePool(). If return NULL
- means not enough memory resource.
-
- @param DevicePath Device path.
-
- @retval NULL Not enough memory resourece for AllocateCopyPool.
- @retval Other A new allocated string that represents the file name.
-
-**/
-CHAR16 *
-ExtractFileNameFromDevicePath (
- IN EFI_DEVICE_PATH_PROTOCOL *DevicePath
- )
-{
- CHAR16 *String;
- CHAR16 *MatchString;
- CHAR16 *LastMatch;
- CHAR16 *FileName;
- UINTN Length;
-
- ASSERT(DevicePath != NULL);
-
- String = DevicePathToStr(DevicePath);
- MatchString = String;
- LastMatch = String;
- FileName = NULL;
-
- while(MatchString != NULL){
- LastMatch = MatchString + 1;
- MatchString = StrStr(LastMatch,L"\\");
- }
-
- Length = StrLen(LastMatch);
- FileName = AllocateCopyPool ((Length + 1) * sizeof(CHAR16), LastMatch);
- if (FileName != NULL) {
- *(FileName + Length) = 0;
- }
-
- FreePool(String);
-
- return FileName;
-}
-
-
-/**
- Update the form base on the selected file.
-
- @param FilePath Point to the file path.
- @param FormId The form need to display.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-
-**/
-BOOLEAN
-UpdatePage(
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath,
- IN EFI_FORM_ID FormId
- )
-{
- CHAR16 *FileName;
- EFI_STRING_ID StringToken;
-
- FileName = NULL;
-
- if (FilePath != NULL) {
- FileName = ExtractFileNameFromDevicePath(FilePath);
- }
- if (FileName == NULL) {
- //
- // FileName = NULL has two case:
- // 1. FilePath == NULL, not select file.
- // 2. FilePath != NULL, but ExtractFileNameFromDevicePath return NULL not enough memory resource.
- // In these two case, no need to update the form, and exit the caller function.
- //
- return TRUE;
- }
- StringToken = HiiSetString (gSecureBootPrivateData->HiiHandle, 0, FileName, NULL);
-
- gSecureBootPrivateData->FileContext->FileName = FileName;
-
- OpenFileByDevicePath(
- &FilePath,
- &gSecureBootPrivateData->FileContext->FHandle,
- EFI_FILE_MODE_READ,
- 0
- );
- //
- // Create Subtitle op-code for the display string of the option.
- //
- RefreshUpdateData ();
- mStartLabel->Number = FormId;
-
- HiiCreateSubTitleOpCode (
- mStartOpCodeHandle,
- StringToken,
- 0,
- 0,
- 0
- );
-
- HiiUpdateForm (
- gSecureBootPrivateData->HiiHandle,
- &gSecureBootConfigFormSetGuid,
- FormId,
- mStartOpCodeHandle, // Label FormId
- mEndOpCodeHandle // LABEL_END
- );
-
- return TRUE;
-}
-
-/**
- Update the PK form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdatePKFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- )
-{
- return UpdatePage(FilePath, FORMID_ENROLL_PK_FORM);
-
-}
-
-/**
- Update the KEK form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdateKEKFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- )
-{
- return UpdatePage(FilePath, FORMID_ENROLL_KEK_FORM);
-}
-
-/**
- Update the DB form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdateDBFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- )
-{
- return UpdatePage(FilePath, SECUREBOOT_ENROLL_SIGNATURE_TO_DB);
-}
-
-/**
- Update the DBX form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdateDBXFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- )
-{
- return UpdatePage(FilePath, SECUREBOOT_ENROLL_SIGNATURE_TO_DBX);
-}
-
-/**
- Update the DBT form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdateDBTFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- )
-{
- return UpdatePage(FilePath, SECUREBOOT_ENROLL_SIGNATURE_TO_DBT);
-}
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
deleted file mode 100644
index 2eaf24633d..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+++ /dev/null
@@ -1,4080 +0,0 @@
-/** @file
- HII Config Access protocol implementation of SecureBoot configuration module.
-
-Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION";
-
-SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate = {
- SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE,
- {
- SecureBootExtractConfig,
- SecureBootRouteConfig,
- SecureBootCallback
- }
-};
-
-HII_VENDOR_DEVICE_PATH mSecureBootHiiVendorDevicePath = {
- {
- {
- HARDWARE_DEVICE_PATH,
- HW_VENDOR_DP,
- {
- (UINT8) (sizeof (VENDOR_DEVICE_PATH)),
- (UINT8) ((sizeof (VENDOR_DEVICE_PATH)) >> 8)
- }
- },
- SECUREBOOT_CONFIG_FORM_SET_GUID
- },
- {
- END_DEVICE_PATH_TYPE,
- END_ENTIRE_DEVICE_PATH_SUBTYPE,
- {
- (UINT8) (END_DEVICE_PATH_LENGTH),
- (UINT8) ((END_DEVICE_PATH_LENGTH) >> 8)
- }
- }
-};
-
-
-BOOLEAN mIsEnterSecureBootForm = FALSE;
-
-//
-// OID ASN.1 Value for Hash Algorithms
-//
-UINT8 mHashOidValue[] = {
- 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, // OBJ_md5
- 0x2B, 0x0E, 0x03, 0x02, 0x1A, // OBJ_sha1
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, // OBJ_sha224
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, // OBJ_sha256
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, // OBJ_sha384
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, // OBJ_sha512
- };
-
-HASH_TABLE mHash[] = {
- { L"SHA224", 28, &mHashOidValue[13], 9, NULL, NULL, NULL, NULL },
- { L"SHA256", 32, &mHashOidValue[22], 9, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final},
- { L"SHA384", 48, &mHashOidValue[31], 9, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final},
- { L"SHA512", 64, &mHashOidValue[40], 9, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final}
-};
-
-//
-// Variable Definitions
-//
-UINT32 mPeCoffHeaderOffset = 0;
-WIN_CERTIFICATE *mCertificate = NULL;
-IMAGE_TYPE mImageType;
-UINT8 *mImageBase = NULL;
-UINTN mImageSize = 0;
-UINT8 mImageDigest[MAX_DIGEST_SIZE];
-UINTN mImageDigestSize;
-EFI_GUID mCertType;
-EFI_IMAGE_SECURITY_DATA_DIRECTORY *mSecDataDir = NULL;
-EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION mNtHeader;
-
-//
-// Possible DER-encoded certificate file suffixes, end with NULL pointer.
-//
-CHAR16* mDerEncodedSuffix[] = {
- L".cer",
- L".der",
- L".crt",
- NULL
-};
-CHAR16* mSupportX509Suffix = L"*.cer/der/crt";
-
-SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData = NULL;
-
-/**
- This code cleans up enrolled file by closing file & free related resources attached to
- enrolled file.
-
- @param[in] FileContext FileContext cached in SecureBootConfig driver
-
-**/
-VOID
-CloseEnrolledFile(
- IN SECUREBOOT_FILE_CONTEXT *FileContext
-)
-{
- if (FileContext->FHandle != NULL) {
- CloseFile (FileContext->FHandle);
- FileContext->FHandle = NULL;
- }
-
- if (FileContext->FileName != NULL){
- FreePool(FileContext->FileName);
- FileContext->FileName = NULL;
- }
- FileContext->FileType = UNKNOWN_FILE_TYPE;
-
-}
-
-/**
- This code checks if the FileSuffix is one of the possible DER-encoded certificate suffix.
-
- @param[in] FileSuffix The suffix of the input certificate file
-
- @retval TRUE It's a DER-encoded certificate.
- @retval FALSE It's NOT a DER-encoded certificate.
-
-**/
-BOOLEAN
-IsDerEncodeCertificate (
- IN CONST CHAR16 *FileSuffix
-)
-{
- UINTN Index;
- for (Index = 0; mDerEncodedSuffix[Index] != NULL; Index++) {
- if (StrCmp (FileSuffix, mDerEncodedSuffix[Index]) == 0) {
- return TRUE;
- }
- }
- return FALSE;
-}
-
-/**
- This code checks if the file content complies with EFI_VARIABLE_AUTHENTICATION_2 format
-The function reads file content but won't open/close given FileHandle.
-
- @param[in] FileHandle The FileHandle to be checked
-
- @retval TRUE The content is EFI_VARIABLE_AUTHENTICATION_2 format.
- @retval FALSE The content is NOT a EFI_VARIABLE_AUTHENTICATION_2 format.
-
-**/
-BOOLEAN
-IsAuthentication2Format (
- IN EFI_FILE_HANDLE FileHandle
-)
-{
- EFI_STATUS Status;
- EFI_VARIABLE_AUTHENTICATION_2 *Auth2;
- BOOLEAN IsAuth2Format;
-
- IsAuth2Format = FALSE;
-
- //
- // Read the whole file content
- //
- Status = ReadFileContent(
- FileHandle,
- (VOID **) &mImageBase,
- &mImageSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)mImageBase;
- if (Auth2->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {
- goto ON_EXIT;
- }
-
- if (CompareGuid(&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType)) {
- IsAuth2Format = TRUE;
- }
-
-ON_EXIT:
- //
- // Do not close File. simply check file content
- //
- if (mImageBase != NULL) {
- FreePool (mImageBase);
- mImageBase = NULL;
- }
-
- return IsAuth2Format;
-}
-
-/**
- Set Secure Boot option into variable space.
-
- @param[in] VarValue The option of Secure Boot.
-
- @retval EFI_SUCCESS The operation is finished successfully.
- @retval Others Other errors as indicated.
-
-**/
-EFI_STATUS
-SaveSecureBootVariable (
- IN UINT8 VarValue
- )
-{
- EFI_STATUS Status;
-
- Status = gRT->SetVariable (
- EFI_SECURE_BOOT_ENABLE_NAME,
- &gEfiSecureBootEnableDisableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &VarValue
- );
- return Status;
-}
-
-/**
- Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
- descriptor with the input data. NO authentication is required in this function.
-
- @param[in, out] DataSize On input, the size of Data buffer in bytes.
- On output, the size of data returned in Data
- buffer in bytes.
- @param[in, out] Data On input, Pointer to data buffer to be wrapped or
- pointer to NULL to wrap an empty payload.
- On output, Pointer to the new payload date buffer allocated from pool,
- it's caller's responsibility to free the memory when finish using it.
-
- @retval EFI_SUCCESS Create time based payload successfully.
- @retval EFI_OUT_OF_RESOURCES There are not enough memory resourses to create time based payload.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval Others Unexpected error happens.
-
-**/
-EFI_STATUS
-CreateTimeBasedPayload (
- IN OUT UINTN *DataSize,
- IN OUT UINT8 **Data
- )
-{
- EFI_STATUS Status;
- UINT8 *NewData;
- UINT8 *Payload;
- UINTN PayloadSize;
- EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
- UINTN DescriptorSize;
- EFI_TIME Time;
-
- if (Data == NULL || DataSize == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // In Setup mode or Custom mode, the variable does not need to be signed but the
- // parameters to the SetVariable() call still need to be prepared as authenticated
- // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
- // data in it.
- //
- Payload = *Data;
- PayloadSize = *DataSize;
-
- DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
- if (NewData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- if ((Payload != NULL) && (PayloadSize != 0)) {
- CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
- }
-
- DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
-
- ZeroMem (&Time, sizeof (EFI_TIME));
- Status = gRT->GetTime (&Time, NULL);
- if (EFI_ERROR (Status)) {
- FreePool(NewData);
- return Status;
- }
- Time.Pad1 = 0;
- Time.Nanosecond = 0;
- Time.TimeZone = 0;
- Time.Daylight = 0;
- Time.Pad2 = 0;
- CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
-
- DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
- DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
- CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
-
- if (Payload != NULL) {
- FreePool(Payload);
- }
-
- *DataSize = DescriptorSize + PayloadSize;
- *Data = NewData;
- return EFI_SUCCESS;
-}
-
-/**
- Internal helper function to delete a Variable given its name and GUID, NO authentication
- required.
-
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Variable deleted successfully.
- @retval Others The driver failed to start the device.
-
-**/
-EFI_STATUS
-DeleteVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- VOID* Variable;
- UINT8 *Data;
- UINTN DataSize;
- UINT32 Attr;
-
- GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
- if (Variable == NULL) {
- return EFI_SUCCESS;
- }
- FreePool (Variable);
-
- Data = NULL;
- DataSize = 0;
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
- | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
- Status = CreateTimeBasedPayload (&DataSize, &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- return Status;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- VendorGuid,
- Attr,
- DataSize,
- Data
- );
- if (Data != NULL) {
- FreePool (Data);
- }
- return Status;
-}
-
-/**
-
- Set the platform secure boot mode into "Custom" or "Standard" mode.
-
- @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or
- CUSTOM_SECURE_BOOT_MODE.
-
- @return EFI_SUCCESS The platform has switched to the special mode successfully.
- @return other Fail to operate the secure boot mode.
-
-**/
-EFI_STATUS
-SetSecureBootMode (
- IN UINT8 SecureBootMode
- )
-{
- return gRT->SetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &SecureBootMode
- );
-}
-
-/**
- Generate the PK signature list from the X509 Certificate storing file (.cer)
-
- @param[in] X509File FileHandle of X509 Certificate storing file.
- @param[out] PkCert Point to the data buffer to store the signature list.
-
- @return EFI_UNSUPPORTED Unsupported Key Length.
- @return EFI_OUT_OF_RESOURCES There are not enough memory resourses to form the signature list.
-
-**/
-EFI_STATUS
-CreatePkX509SignatureList (
- IN EFI_FILE_HANDLE X509File,
- OUT EFI_SIGNATURE_LIST **PkCert
- )
-{
- EFI_STATUS Status;
- UINT8 *X509Data;
- UINTN X509DataSize;
- EFI_SIGNATURE_DATA *PkCertData;
-
- X509Data = NULL;
- PkCertData = NULL;
- X509DataSize = 0;
-
- Status = ReadFileContent (X509File, (VOID**) &X509Data, &X509DataSize, 0);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (X509Data != NULL);
-
- //
- // Allocate space for PK certificate list and initialize it.
- // Create PK database entry with SignatureHeaderSize equals 0.
- //
- *PkCert = (EFI_SIGNATURE_LIST*) AllocateZeroPool (
- sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1
- + X509DataSize
- );
- if (*PkCert == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- (*PkCert)->SignatureListSize = (UINT32) (sizeof(EFI_SIGNATURE_LIST)
- + sizeof(EFI_SIGNATURE_DATA) - 1
- + X509DataSize);
- (*PkCert)->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- (*PkCert)->SignatureHeaderSize = 0;
- CopyGuid (&(*PkCert)->SignatureType, &gEfiCertX509Guid);
- PkCertData = (EFI_SIGNATURE_DATA*) ((UINTN)(*PkCert)
- + sizeof(EFI_SIGNATURE_LIST)
- + (*PkCert)->SignatureHeaderSize);
- CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid);
- //
- // Fill the PK database with PKpub data from X509 certificate file.
- //
- CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize);
-
-ON_EXIT:
-
- if (X509Data != NULL) {
- FreePool (X509Data);
- }
-
- if (EFI_ERROR(Status) && *PkCert != NULL) {
- FreePool (*PkCert);
- *PkCert = NULL;
- }
-
- return Status;
-}
-
-/**
- Enroll new PK into the System without original PK's authentication.
-
- The SignatureOwner GUID will be the same with PK's vendorguid.
-
- @param[in] PrivateData The module's private data.
-
- @retval EFI_SUCCESS New PK enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollPlatformKey (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA* Private
- )
-{
- EFI_STATUS Status;
- UINT32 Attr;
- UINTN DataSize;
- EFI_SIGNATURE_LIST *PkCert;
- UINT16* FilePostFix;
- UINTN NameLength;
-
- if (Private->FileContext->FileName == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- PkCert = NULL;
-
- Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // Parse the file's postfix. Only support DER encoded X.509 certificate files.
- //
- NameLength = StrLen (Private->FileContext->FileName);
- if (NameLength <= 4) {
- return EFI_INVALID_PARAMETER;
- }
- FilePostFix = Private->FileContext->FileName + NameLength - 4;
- if (!IsDerEncodeCertificate(FilePostFix)) {
- DEBUG ((EFI_D_ERROR, "Unsupported file type, only DER encoded certificate (%s) is supported.", mSupportX509Suffix));
- return EFI_INVALID_PARAMETER;
- }
- DEBUG ((EFI_D_INFO, "FileName= %s\n", Private->FileContext->FileName));
- DEBUG ((EFI_D_INFO, "FilePostFix = %s\n", FilePostFix));
-
- //
- // Prase the selected PK file and generature PK certificate list.
- //
- Status = CreatePkX509SignatureList (
- Private->FileContext->FHandle,
- &PkCert
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (PkCert != NULL);
-
- //
- // Set Platform Key variable.
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- DataSize = PkCert->SignatureListSize;
- Status = CreateTimeBasedPayload (&DataSize, (UINT8**) &PkCert);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable(
- EFI_PLATFORM_KEY_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- DataSize,
- PkCert
- );
- if (EFI_ERROR (Status)) {
- if (Status == EFI_OUT_OF_RESOURCES) {
- DEBUG ((EFI_D_ERROR, "Enroll PK failed with out of resource.\n"));
- }
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (PkCert != NULL) {
- FreePool(PkCert);
- }
-
- CloseEnrolledFile(Private->FileContext);
-
- return Status;
-}
-
-/**
- Remove the PK variable.
-
- @retval EFI_SUCCESS Delete PK successfully.
- @retval Others Could not allow to delete PK.
-
-**/
-EFI_STATUS
-DeletePlatformKey (
- VOID
-)
-{
- EFI_STATUS Status;
-
- Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- Status = DeleteVariable (
- EFI_PLATFORM_KEY_NAME,
- &gEfiGlobalVariableGuid
- );
- return Status;
-}
-
-/**
- Enroll a new KEK item from public key storing file (*.pbk).
-
- @param[in] PrivateData The module's private data.
-
- @retval EFI_SUCCESS New KEK enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollRsa2048ToKek (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
- )
-{
- EFI_STATUS Status;
- UINT32 Attr;
- UINTN DataSize;
- EFI_SIGNATURE_LIST *KekSigList;
- UINTN KeyBlobSize;
- UINT8 *KeyBlob;
- CPL_KEY_INFO *KeyInfo;
- EFI_SIGNATURE_DATA *KEKSigData;
- UINTN KekSigListSize;
- UINT8 *KeyBuffer;
- UINTN KeyLenInBytes;
-
- Attr = 0;
- DataSize = 0;
- KeyBuffer = NULL;
- KeyBlobSize = 0;
- KeyBlob = NULL;
- KeyInfo = NULL;
- KEKSigData = NULL;
- KekSigList = NULL;
- KekSigListSize = 0;
-
- //
- // Form the KeKpub certificate list into EFI_SIGNATURE_LIST type.
- // First, We have to parse out public key data from the pbk key file.
- //
- Status = ReadFileContent (
- Private->FileContext->FHandle,
- (VOID**) &KeyBlob,
- &KeyBlobSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (KeyBlob != NULL);
- KeyInfo = (CPL_KEY_INFO *) KeyBlob;
- if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) {
- DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is supported.\n"));
- Status = EFI_UNSUPPORTED;
- goto ON_EXIT;
- }
-
- //
- // Convert the Public key to fix octet string format represented in RSA PKCS#1.
- //
- KeyLenInBytes = KeyInfo->KeyLengthInBits / 8;
- KeyBuffer = AllocateZeroPool (KeyLenInBytes);
- if (KeyBuffer == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
- Int2OctStr (
- (UINTN*) (KeyBlob + sizeof (CPL_KEY_INFO)),
- KeyLenInBytes / sizeof (UINTN),
- KeyBuffer,
- KeyLenInBytes
- );
- CopyMem(KeyBlob + sizeof(CPL_KEY_INFO), KeyBuffer, KeyLenInBytes);
-
- //
- // Form an new EFI_SIGNATURE_LIST.
- //
- KekSigListSize = sizeof(EFI_SIGNATURE_LIST)
- + sizeof(EFI_SIGNATURE_DATA) - 1
- + WIN_CERT_UEFI_RSA2048_SIZE;
-
- KekSigList = (EFI_SIGNATURE_LIST*) AllocateZeroPool (KekSigListSize);
- if (KekSigList == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- KekSigList->SignatureListSize = sizeof(EFI_SIGNATURE_LIST)
- + sizeof(EFI_SIGNATURE_DATA) - 1
- + WIN_CERT_UEFI_RSA2048_SIZE;
- KekSigList->SignatureHeaderSize = 0;
- KekSigList->SignatureSize = sizeof(EFI_SIGNATURE_DATA) - 1 + WIN_CERT_UEFI_RSA2048_SIZE;
- CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
-
- KEKSigData = (EFI_SIGNATURE_DATA*)((UINT8*)KekSigList + sizeof(EFI_SIGNATURE_LIST));
- CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID);
- CopyMem (
- KEKSigData->SignatureData,
- KeyBlob + sizeof(CPL_KEY_INFO),
- WIN_CERT_UEFI_RSA2048_SIZE
- );
-
- //
- // Check if KEK entry has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new KEK to original variable.
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8**) &KekSigList);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- //
- // Done. Now we have formed the correct KEKpub database item, just set it into variable storage,
- //
- Status = gRT->SetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- KekSigListSize,
- KekSigList
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- CloseEnrolledFile(Private->FileContext);
-
- if (Private->SignatureGUID != NULL) {
- FreePool (Private->SignatureGUID);
- Private->SignatureGUID = NULL;
- }
-
- if (KeyBlob != NULL) {
- FreePool (KeyBlob);
- }
- if (KeyBuffer != NULL) {
- FreePool (KeyBuffer);
- }
- if (KekSigList != NULL) {
- FreePool (KekSigList);
- }
-
- return Status;
-}
-
-/**
- Enroll a new KEK item from X509 certificate file.
-
- @param[in] PrivateData The module's private data.
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollX509ToKek (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
- )
-{
- EFI_STATUS Status;
- UINTN X509DataSize;
- VOID *X509Data;
- EFI_SIGNATURE_DATA *KEKSigData;
- EFI_SIGNATURE_LIST *KekSigList;
- UINTN DataSize;
- UINTN KekSigListSize;
- UINT32 Attr;
-
- X509Data = NULL;
- X509DataSize = 0;
- KekSigList = NULL;
- KekSigListSize = 0;
- DataSize = 0;
- KEKSigData = NULL;
-
- Status = ReadFileContent (
- Private->FileContext->FHandle,
- &X509Data,
- &X509DataSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (X509Data != NULL);
-
- KekSigListSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize;
- KekSigList = (EFI_SIGNATURE_LIST*) AllocateZeroPool (KekSigListSize);
- if (KekSigList == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Fill Certificate Database parameters.
- //
- KekSigList->SignatureListSize = (UINT32) KekSigListSize;
- KekSigList->SignatureHeaderSize = 0;
- KekSigList->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid);
-
- KEKSigData = (EFI_SIGNATURE_DATA*) ((UINT8*) KekSigList + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID);
- CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize);
-
- //
- // Check if KEK been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new kek to original variable
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8**) &KekSigList);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- KekSigListSize,
- KekSigList
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- CloseEnrolledFile(Private->FileContext);
-
- if (Private->SignatureGUID != NULL) {
- FreePool (Private->SignatureGUID);
- Private->SignatureGUID = NULL;
- }
-
- if (KekSigList != NULL) {
- FreePool (KekSigList);
- }
-
- return Status;
-}
-
-/**
- Enroll new KEK into the System without PK's authentication.
- The SignatureOwner GUID will be Private->SignatureGUID.
-
- @param[in] PrivateData The module's private data.
-
- @retval EFI_SUCCESS New KEK enrolled successful.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval others Fail to enroll KEK data.
-
-**/
-EFI_STATUS
-EnrollKeyExchangeKey (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
- )
-{
- UINT16* FilePostFix;
- EFI_STATUS Status;
- UINTN NameLength;
-
- if ((Private->FileContext->FHandle == NULL) || (Private->FileContext->FileName == NULL) || (Private->SignatureGUID == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // Parse the file's postfix. Supports DER-encoded X509 certificate,
- // and .pbk as RSA public key file.
- //
- NameLength = StrLen (Private->FileContext->FileName);
- if (NameLength <= 4) {
- return EFI_INVALID_PARAMETER;
- }
- FilePostFix = Private->FileContext->FileName + NameLength - 4;
- if (IsDerEncodeCertificate(FilePostFix)) {
- return EnrollX509ToKek (Private);
- } else if (CompareMem (FilePostFix, L".pbk",4) == 0) {
- return EnrollRsa2048ToKek (Private);
- } else {
- //
- // File type is wrong, simply close it
- //
- CloseEnrolledFile(Private->FileContext);
-
- return EFI_INVALID_PARAMETER;
- }
-}
-
-/**
- Enroll a new X509 certificate into Signature Database (DB or DBX or DBT) without
- KEK's authentication.
-
- @param[in] PrivateData The module's private data.
- @param[in] VariableName Variable name of signature database, must be
- EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollX509toSigDB (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN CHAR16 *VariableName
- )
-{
- EFI_STATUS Status;
- UINTN X509DataSize;
- VOID *X509Data;
- EFI_SIGNATURE_LIST *SigDBCert;
- EFI_SIGNATURE_DATA *SigDBCertData;
- VOID *Data;
- UINTN DataSize;
- UINTN SigDBSize;
- UINT32 Attr;
-
- X509DataSize = 0;
- SigDBSize = 0;
- DataSize = 0;
- X509Data = NULL;
- SigDBCert = NULL;
- SigDBCertData = NULL;
- Data = NULL;
-
- Status = ReadFileContent (
- Private->FileContext->FHandle,
- &X509Data,
- &X509DataSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (X509Data != NULL);
-
- SigDBSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize;
-
- Data = AllocateZeroPool (SigDBSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Fill Certificate Database parameters.
- //
- SigDBCert = (EFI_SIGNATURE_LIST*) Data;
- SigDBCert->SignatureListSize = (UINT32) SigDBSize;
- SigDBCert->SignatureHeaderSize = 0;
- SigDBCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid);
-
- SigDBCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigDBCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigDBCertData->SignatureOwner, Private->SignatureGUID);
- CopyMem ((UINT8* ) (SigDBCertData->SignatureData), X509Data, X509DataSize);
-
- //
- // Check if signature database entry has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = CreateTimeBasedPayload (&SigDBSize, (UINT8**) &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- Attr,
- SigDBSize,
- Data
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- CloseEnrolledFile(Private->FileContext);
-
- if (Private->SignatureGUID != NULL) {
- FreePool (Private->SignatureGUID);
- Private->SignatureGUID = NULL;
- }
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- if (X509Data != NULL) {
- FreePool (X509Data);
- }
-
- return Status;
-}
-
-/**
- Check whether signature is in specified database.
-
- @param[in] VariableName Name of database variable that is searched in.
- @param[in] Signature Pointer to signature that is searched for.
- @param[in] SignatureSize Size of Signature.
-
- @return TRUE Found the signature in the variable database.
- @return FALSE Not found the signature in the variable database.
-
-**/
-BOOLEAN
-IsSignatureFoundInDatabase (
- IN CHAR16 *VariableName,
- IN UINT8 *Signature,
- IN UINTN SignatureSize
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_DATA *Cert;
- UINTN DataSize;
- UINT8 *Data;
- UINTN Index;
- UINTN CertCount;
- BOOLEAN IsFound;
-
- //
- // Read signature database variable.
- //
- IsFound = FALSE;
- Data = NULL;
- DataSize = 0;
- Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);
- if (Status != EFI_BUFFER_TOO_SMALL) {
- return FALSE;
- }
-
- Data = (UINT8 *) AllocateZeroPool (DataSize);
- if (Data == NULL) {
- return FALSE;
- }
-
- Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data);
- if (EFI_ERROR (Status)) {
- goto Done;
- }
-
- //
- // Enumerate all signature data in SigDB to check if executable's signature exists.
- //
- CertList = (EFI_SIGNATURE_LIST *) Data;
- while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) {
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- if ((CertList->SignatureSize == sizeof(EFI_SIGNATURE_DATA) - 1 + SignatureSize) && (CompareGuid(&CertList->SignatureType, &gEfiCertX509Guid))) {
- for (Index = 0; Index < CertCount; Index++) {
- if (CompareMem (Cert->SignatureData, Signature, SignatureSize) == 0) {
- //
- // Find the signature in database.
- //
- IsFound = TRUE;
- break;
- }
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
- }
-
- if (IsFound) {
- break;
- }
- }
-
- DataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
- }
-
-Done:
- if (Data != NULL) {
- FreePool (Data);
- }
-
- return IsFound;
-}
-
-/**
- Calculate the hash of a certificate data with the specified hash algorithm.
-
- @param[in] CertData The certificate data to be hashed.
- @param[in] CertSize The certificate size in bytes.
- @param[in] HashAlg The specified hash algorithm.
- @param[out] CertHash The output digest of the certificate
-
- @retval TRUE Successfully got the hash of the CertData.
- @retval FALSE Failed to get the hash of CertData.
-
-**/
-BOOLEAN
-CalculateCertHash (
- IN UINT8 *CertData,
- IN UINTN CertSize,
- IN UINT32 HashAlg,
- OUT UINT8 *CertHash
- )
-{
- BOOLEAN Status;
- VOID *HashCtx;
- UINTN CtxSize;
- UINT8 *TBSCert;
- UINTN TBSCertSize;
-
- HashCtx = NULL;
- Status = FALSE;
-
- if (HashAlg >= HASHALG_MAX) {
- return FALSE;
- }
-
- //
- // Retrieve the TBSCertificate for Hash Calculation.
- //
- if (!X509GetTBSCert (CertData, CertSize, &TBSCert, &TBSCertSize)) {
- return FALSE;
- }
-
- //
- // 1. Initialize context of hash.
- //
- CtxSize = mHash[HashAlg].GetContextSize ();
- HashCtx = AllocatePool (CtxSize);
- ASSERT (HashCtx != NULL);
-
- //
- // 2. Initialize a hash context.
- //
- Status = mHash[HashAlg].HashInit (HashCtx);
- if (!Status) {
- goto Done;
- }
-
- //
- // 3. Calculate the hash.
- //
- Status = mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize);
- if (!Status) {
- goto Done;
- }
-
- //
- // 4. Get the hash result.
- //
- ZeroMem (CertHash, mHash[HashAlg].DigestLength);
- Status = mHash[HashAlg].HashFinal (HashCtx, CertHash);
-
-Done:
- if (HashCtx != NULL) {
- FreePool (HashCtx);
- }
-
- return Status;
-}
-
-/**
- Check whether the hash of an X.509 certificate is in forbidden database (DBX).
-
- @param[in] Certificate Pointer to X.509 Certificate that is searched for.
- @param[in] CertSize Size of X.509 Certificate.
-
- @return TRUE Found the certificate hash in the forbidden database.
- @return FALSE Certificate hash is Not found in the forbidden database.
-
-**/
-BOOLEAN
-IsCertHashFoundInDbx (
- IN UINT8 *Certificate,
- IN UINTN CertSize
- )
-{
- BOOLEAN IsFound;
- EFI_STATUS Status;
- EFI_SIGNATURE_LIST *DbxList;
- EFI_SIGNATURE_DATA *CertHash;
- UINTN CertHashCount;
- UINTN Index;
- UINT32 HashAlg;
- UINT8 CertDigest[MAX_DIGEST_SIZE];
- UINT8 *DbxCertHash;
- UINTN SiglistHeaderSize;
- UINT8 *Data;
- UINTN DataSize;
-
- IsFound = FALSE;
- HashAlg = HASHALG_MAX;
- Data = NULL;
-
- //
- // Read signature database variable.
- //
- DataSize = 0;
- Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);
- if (Status != EFI_BUFFER_TOO_SMALL) {
- return FALSE;
- }
-
- Data = (UINT8 *) AllocateZeroPool (DataSize);
- if (Data == NULL) {
- return FALSE;
- }
-
- Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data);
- if (EFI_ERROR (Status)) {
- goto Done;
- }
-
- //
- // Check whether the certificate hash exists in the forbidden database.
- //
- DbxList = (EFI_SIGNATURE_LIST *) Data;
- while ((DataSize > 0) && (DataSize >= DbxList->SignatureListSize)) {
- //
- // Determine Hash Algorithm of Certificate in the forbidden database.
- //
- if (CompareGuid (&DbxList->SignatureType, &gEfiCertX509Sha256Guid)) {
- HashAlg = HASHALG_SHA256;
- } else if (CompareGuid (&DbxList->SignatureType, &gEfiCertX509Sha384Guid)) {
- HashAlg = HASHALG_SHA384;
- } else if (CompareGuid (&DbxList->SignatureType, &gEfiCertX509Sha512Guid)) {
- HashAlg = HASHALG_SHA512;
- } else {
- DataSize -= DbxList->SignatureListSize;
- DbxList = (EFI_SIGNATURE_LIST *) ((UINT8 *) DbxList + DbxList->SignatureListSize);
- continue;
- }
-
- //
- // Calculate the hash value of current db certificate for comparision.
- //
- if (!CalculateCertHash (Certificate, CertSize, HashAlg, CertDigest)) {
- goto Done;
- }
-
- SiglistHeaderSize = sizeof (EFI_SIGNATURE_LIST) + DbxList->SignatureHeaderSize;
- CertHash = (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + SiglistHeaderSize);
- CertHashCount = (DbxList->SignatureListSize - SiglistHeaderSize) / DbxList->SignatureSize;
- for (Index = 0; Index < CertHashCount; Index++) {
- //
- // Iterate each Signature Data Node within this CertList for verify.
- //
- DbxCertHash = CertHash->SignatureData;
- if (CompareMem (DbxCertHash, CertDigest, mHash[HashAlg].DigestLength) == 0) {
- //
- // Hash of Certificate is found in forbidden database.
- //
- IsFound = TRUE;
- goto Done;
- }
- CertHash = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertHash + DbxList->SignatureSize);
- }
-
- DataSize -= DbxList->SignatureListSize;
- DbxList = (EFI_SIGNATURE_LIST *) ((UINT8 *) DbxList + DbxList->SignatureListSize);
- }
-
-Done:
- if (Data != NULL) {
- FreePool (Data);
- }
-
- return IsFound;
-}
-
-/**
- Check whether the signature list exists in given variable data.
-
- It searches the signature list for the ceritificate hash by CertType.
- If the signature list is found, get the offset of Database for the
- next hash of a certificate.
-
- @param[in] Database Variable data to save signature list.
- @param[in] DatabaseSize Variable size.
- @param[in] SignatureType The type of the signature.
- @param[out] Offset The offset to save a new hash of certificate.
-
- @return TRUE The signature list is found in the forbidden database.
- @return FALSE The signature list is not found in the forbidden database.
-**/
-BOOLEAN
-GetSignaturelistOffset (
- IN EFI_SIGNATURE_LIST *Database,
- IN UINTN DatabaseSize,
- IN EFI_GUID *SignatureType,
- OUT UINTN *Offset
- )
-{
- EFI_SIGNATURE_LIST *SigList;
- UINTN SiglistSize;
-
- if ((Database == NULL) || (DatabaseSize == 0)) {
- *Offset = 0;
- return FALSE;
- }
-
- SigList = Database;
- SiglistSize = DatabaseSize;
- while ((SiglistSize > 0) && (SiglistSize >= SigList->SignatureListSize)) {
- if (CompareGuid (&SigList->SignatureType, SignatureType)) {
- *Offset = DatabaseSize - SiglistSize;
- return TRUE;
- }
- SiglistSize -= SigList->SignatureListSize;
- SigList = (EFI_SIGNATURE_LIST *) ((UINT8 *) SigList + SigList->SignatureListSize);
- }
- *Offset = 0;
- return FALSE;
-}
-
-/**
- Enroll a new X509 certificate hash into Signature Database (dbx) without
- KEK's authentication.
-
- @param[in] PrivateData The module's private data.
- @param[in] HashAlg The hash algorithm to enroll the certificate.
- @param[in] RevocationDate The revocation date of the certificate.
- @param[in] RevocationTime The revocation time of the certificate.
- @param[in] AlwaysRevocation Indicate whether the certificate is always revoked.
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollX509HashtoSigDB (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN UINT32 HashAlg,
- IN EFI_HII_DATE *RevocationDate,
- IN EFI_HII_TIME *RevocationTime,
- IN BOOLEAN AlwaysRevocation
- )
-{
- EFI_STATUS Status;
- UINTN X509DataSize;
- VOID *X509Data;
- EFI_SIGNATURE_LIST *SignatureList;
- UINTN SignatureListSize;
- UINT8 *Data;
- UINT8 *NewData;
- UINTN DataSize;
- UINTN DbSize;
- UINT32 Attr;
- EFI_SIGNATURE_DATA *SignatureData;
- UINTN SignatureSize;
- EFI_GUID SignatureType;
- UINTN Offset;
- UINT8 CertHash[MAX_DIGEST_SIZE];
- UINT16* FilePostFix;
- UINTN NameLength;
- EFI_TIME *Time;
-
- X509DataSize = 0;
- DbSize = 0;
- X509Data = NULL;
- SignatureData = NULL;
- SignatureList = NULL;
- Data = NULL;
- NewData = NULL;
-
- if ((Private->FileContext->FileName == NULL) || (Private->FileContext->FHandle == NULL) || (Private->SignatureGUID == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // Parse the file's postfix.
- //
- NameLength = StrLen (Private->FileContext->FileName);
- if (NameLength <= 4) {
- return EFI_INVALID_PARAMETER;
- }
- FilePostFix = Private->FileContext->FileName + NameLength - 4;
- if (!IsDerEncodeCertificate(FilePostFix)) {
- //
- // Only supports DER-encoded X509 certificate.
- //
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Get the certificate from file and calculate its hash.
- //
- Status = ReadFileContent (
- Private->FileContext->FHandle,
- &X509Data,
- &X509DataSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (X509Data != NULL);
-
- if (!CalculateCertHash (X509Data, X509DataSize, HashAlg, CertHash)) {
- goto ON_EXIT;
- }
-
- //
- // Get the variable for enrollment.
- //
- DataSize = 0;
- Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Data = (UINT8 *) AllocateZeroPool (DataSize);
- if (Data == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- }
-
- //
- // Allocate memory for Signature and fill the Signature
- //
- SignatureSize = sizeof(EFI_SIGNATURE_DATA) - 1 + sizeof (EFI_TIME) + mHash[HashAlg].DigestLength;
- SignatureData = (EFI_SIGNATURE_DATA *) AllocateZeroPool (SignatureSize);
- if (SignatureData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- CopyGuid (&SignatureData->SignatureOwner, Private->SignatureGUID);
- CopyMem (SignatureData->SignatureData, CertHash, mHash[HashAlg].DigestLength);
-
- //
- // Fill the time.
- //
- if (!AlwaysRevocation) {
- Time = (EFI_TIME *)(&SignatureData->SignatureData + mHash[HashAlg].DigestLength);
- Time->Year = RevocationDate->Year;
- Time->Month = RevocationDate->Month;
- Time->Day = RevocationDate->Day;
- Time->Hour = RevocationTime->Hour;
- Time->Minute = RevocationTime->Minute;
- Time->Second = RevocationTime->Second;
- }
-
- //
- // Determine the GUID for certificate hash.
- //
- switch (HashAlg) {
- case HASHALG_SHA256:
- SignatureType = gEfiCertX509Sha256Guid;
- break;
- case HASHALG_SHA384:
- SignatureType = gEfiCertX509Sha384Guid;
- break;
- case HASHALG_SHA512:
- SignatureType = gEfiCertX509Sha512Guid;
- break;
- default:
- return FALSE;
- }
-
- //
- // Add signature into the new variable data buffer
- //
- if (GetSignaturelistOffset((EFI_SIGNATURE_LIST *)Data, DataSize, &SignatureType, &Offset)) {
- //
- // Add the signature to the found signaturelist.
- //
- DbSize = DataSize + SignatureSize;
- NewData = AllocateZeroPool (DbSize);
- if (NewData == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- SignatureList = (EFI_SIGNATURE_LIST *)(Data + Offset);
- SignatureListSize = (UINTN) ReadUnaligned32 ((UINT32 *)&SignatureList->SignatureListSize);
- CopyMem (NewData, Data, Offset + SignatureListSize);
-
- SignatureList = (EFI_SIGNATURE_LIST *)(NewData + Offset);
- WriteUnaligned32 ((UINT32 *) &SignatureList->SignatureListSize, (UINT32)(SignatureListSize + SignatureSize));
-
- Offset += SignatureListSize;
- CopyMem (NewData + Offset, SignatureData, SignatureSize);
- CopyMem (NewData + Offset + SignatureSize, Data + Offset, DataSize - Offset);
-
- FreePool (Data);
- Data = NewData;
- DataSize = DbSize;
- } else {
- //
- // Create a new signaturelist, and add the signature into the signaturelist.
- //
- DbSize = DataSize + sizeof(EFI_SIGNATURE_LIST) + SignatureSize;
- NewData = AllocateZeroPool (DbSize);
- if (NewData == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
- //
- // Fill Certificate Database parameters.
- //
- SignatureList = (EFI_SIGNATURE_LIST*) (NewData + DataSize);
- SignatureListSize = sizeof(EFI_SIGNATURE_LIST) + SignatureSize;
- WriteUnaligned32 ((UINT32 *) &SignatureList->SignatureListSize, (UINT32) SignatureListSize);
- WriteUnaligned32 ((UINT32 *) &SignatureList->SignatureSize, (UINT32) SignatureSize);
- CopyGuid (&SignatureList->SignatureType, &SignatureType);
- CopyMem ((UINT8* ) SignatureList + sizeof (EFI_SIGNATURE_LIST), SignatureData, SignatureSize);
- if ((DataSize != 0) && (Data != NULL)) {
- CopyMem (NewData, Data, DataSize);
- FreePool (Data);
- }
- Data = NewData;
- DataSize = DbSize;
- }
-
- Status = CreateTimeBasedPayload (&DataSize, (UINT8**) &Data);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = gRT->SetVariable(
- EFI_IMAGE_SECURITY_DATABASE1,
- &gEfiImageSecurityDatabaseGuid,
- Attr,
- DataSize,
- Data
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- CloseEnrolledFile(Private->FileContext);
-
- if (Private->SignatureGUID != NULL) {
- FreePool (Private->SignatureGUID);
- Private->SignatureGUID = NULL;
- }
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- if (SignatureData != NULL) {
- FreePool (SignatureData);
- }
-
- if (X509Data != NULL) {
- FreePool (X509Data);
- }
-
- return Status;
-}
-
-/**
- Check whether a certificate from a file exists in dbx.
-
- @param[in] PrivateData The module's private data.
- @param[in] VariableName Variable name of signature database, must be
- EFI_IMAGE_SECURITY_DATABASE1.
-
- @retval TRUE The X509 certificate is found in dbx successfully.
- @retval FALSE The X509 certificate is not found in dbx.
-**/
-BOOLEAN
-IsX509CertInDbx (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN CHAR16 *VariableName
- )
-{
- EFI_STATUS Status;
- UINTN X509DataSize;
- VOID *X509Data;
- BOOLEAN IsFound;
-
- //
- // Read the certificate from file
- //
- X509DataSize = 0;
- X509Data = NULL;
- Status = ReadFileContent (
- Private->FileContext->FHandle,
- &X509Data,
- &X509DataSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- return FALSE;
- }
-
- //
- // Check the raw certificate.
- //
- IsFound = FALSE;
- if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, X509Data, X509DataSize)) {
- IsFound = TRUE;
- goto ON_EXIT;
- }
-
- //
- // Check the hash of certificate.
- //
- if (IsCertHashFoundInDbx (X509Data, X509DataSize)) {
- IsFound = TRUE;
- goto ON_EXIT;
- }
-
-ON_EXIT:
- if (X509Data != NULL) {
- FreePool (X509Data);
- }
-
- return IsFound;
-}
-
-/**
- Reads contents of a PE/COFF image in memory buffer.
-
- Caution: This function may receive untrusted input.
- PE/COFF image is external input, so this function will make sure the PE/COFF image content
- read is within the image buffer.
-
- @param FileHandle Pointer to the file handle to read the PE/COFF image.
- @param FileOffset Offset into the PE/COFF image to begin the read operation.
- @param ReadSize On input, the size in bytes of the requested read operation.
- On output, the number of bytes actually read.
- @param Buffer Output buffer that contains the data read from the PE/COFF image.
-
- @retval EFI_SUCCESS The specified portion of the PE/COFF image was read and the size
-**/
-EFI_STATUS
-EFIAPI
-SecureBootConfigImageRead (
- IN VOID *FileHandle,
- IN UINTN FileOffset,
- IN OUT UINTN *ReadSize,
- OUT VOID *Buffer
- )
-{
- UINTN EndPosition;
-
- if (FileHandle == NULL || ReadSize == NULL || Buffer == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (MAX_ADDRESS - FileOffset < *ReadSize) {
- return EFI_INVALID_PARAMETER;
- }
-
- EndPosition = FileOffset + *ReadSize;
- if (EndPosition > mImageSize) {
- *ReadSize = (UINT32)(mImageSize - FileOffset);
- }
-
- if (FileOffset >= mImageSize) {
- *ReadSize = 0;
- }
-
- CopyMem (Buffer, (UINT8 *)((UINTN) FileHandle + FileOffset), *ReadSize);
-
- return EFI_SUCCESS;
-}
-
-/**
- Load PE/COFF image information into internal buffer and check its validity.
-
- @retval EFI_SUCCESS Successful
- @retval EFI_UNSUPPORTED Invalid PE/COFF file
- @retval EFI_ABORTED Serious error occurs, like file I/O error etc.
-
-**/
-EFI_STATUS
-LoadPeImage (
- VOID
- )
-{
- EFI_IMAGE_DOS_HEADER *DosHdr;
- EFI_IMAGE_NT_HEADERS32 *NtHeader32;
- EFI_IMAGE_NT_HEADERS64 *NtHeader64;
- PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
- EFI_STATUS Status;
-
- NtHeader32 = NULL;
- NtHeader64 = NULL;
-
- ZeroMem (&ImageContext, sizeof (ImageContext));
- ImageContext.Handle = (VOID *) mImageBase;
- ImageContext.ImageRead = (PE_COFF_LOADER_READ_FILE) SecureBootConfigImageRead;
-
- //
- // Get information about the image being loaded
- //
- Status = PeCoffLoaderGetImageInfo (&ImageContext);
- if (EFI_ERROR (Status)) {
- //
- // The information can't be got from the invalid PeImage
- //
- DEBUG ((DEBUG_INFO, "SecureBootConfigDxe: PeImage invalid. \n"));
- return Status;
- }
-
- //
- // Read the Dos header
- //
- DosHdr = (EFI_IMAGE_DOS_HEADER*)(mImageBase);
- if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE)
- {
- //
- // DOS image header is present,
- // So read the PE header after the DOS image header
- //
- mPeCoffHeaderOffset = DosHdr->e_lfanew;
- }
- else
- {
- mPeCoffHeaderOffset = 0;
- }
-
- //
- // Read PE header and check the signature validity and machine compatibility
- //
- NtHeader32 = (EFI_IMAGE_NT_HEADERS32*) (mImageBase + mPeCoffHeaderOffset);
- if (NtHeader32->Signature != EFI_IMAGE_NT_SIGNATURE)
- {
- return EFI_UNSUPPORTED;
- }
-
- mNtHeader.Pe32 = NtHeader32;
-
- //
- // Check the architecture field of PE header and get the Certificate Data Directory data
- // Note the size of FileHeader field is constant for both IA32 and X64 arch
- //
- if ((NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_IA32)
- || (NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_EBC)
- || (NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_ARMTHUMB_MIXED)) {
- //
- // 32-bits Architecture
- //
- mImageType = ImageType_IA32;
- mSecDataDir = (EFI_IMAGE_SECURITY_DATA_DIRECTORY*) &(NtHeader32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]);
- }
- else if ((NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_IA64)
- || (NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_X64)
- || (NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_AARCH64)) {
- //
- // 64-bits Architecture
- //
- mImageType = ImageType_X64;
- NtHeader64 = (EFI_IMAGE_NT_HEADERS64 *) (mImageBase + mPeCoffHeaderOffset);
- mSecDataDir = (EFI_IMAGE_SECURITY_DATA_DIRECTORY*) &(NtHeader64->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]);
- } else {
- return EFI_UNSUPPORTED;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Calculate hash of Pe/Coff image based on the authenticode image hashing in
- PE/COFF Specification 8.0 Appendix A
-
- Notes: PE/COFF image has been checked by BasePeCoffLib PeCoffLoaderGetImageInfo() in
- the function LoadPeImage ().
-
- @param[in] HashAlg Hash algorithm type.
-
- @retval TRUE Successfully hash image.
- @retval FALSE Fail in hash image.
-
-**/
-BOOLEAN
-HashPeImage (
- IN UINT32 HashAlg
- )
-{
- BOOLEAN Status;
- UINT16 Magic;
- EFI_IMAGE_SECTION_HEADER *Section;
- VOID *HashCtx;
- UINTN CtxSize;
- UINT8 *HashBase;
- UINTN HashSize;
- UINTN SumOfBytesHashed;
- EFI_IMAGE_SECTION_HEADER *SectionHeader;
- UINTN Index;
- UINTN Pos;
-
- HashCtx = NULL;
- SectionHeader = NULL;
- Status = FALSE;
-
- if (HashAlg != HASHALG_SHA256) {
- return FALSE;
- }
-
- //
- // Initialize context of hash.
- //
- ZeroMem (mImageDigest, MAX_DIGEST_SIZE);
-
- mImageDigestSize = SHA256_DIGEST_SIZE;
- mCertType = gEfiCertSha256Guid;
-
- CtxSize = mHash[HashAlg].GetContextSize();
-
- HashCtx = AllocatePool (CtxSize);
- ASSERT (HashCtx != NULL);
-
- // 1. Load the image header into memory.
-
- // 2. Initialize a SHA hash context.
- Status = mHash[HashAlg].HashInit(HashCtx);
- if (!Status) {
- goto Done;
- }
- //
- // Measuring PE/COFF Image Header;
- // But CheckSum field and SECURITY data directory (certificate) are excluded
- //
- if (mNtHeader.Pe32->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 && mNtHeader.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // NOTE: Some versions of Linux ELILO for Itanium have an incorrect magic value
- // in the PE/COFF Header. If the MachineType is Itanium(IA64) and the
- // Magic value in the OptionalHeader is EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC
- // then override the magic value to EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC
- //
- Magic = EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC;
- } else {
- //
- // Get the magic value from the PE/COFF Optional Header
- //
- Magic = mNtHeader.Pe32->OptionalHeader.Magic;
- }
-
- //
- // 3. Calculate the distance from the base of the image header to the image checksum address.
- // 4. Hash the image header from its base to beginning of the image checksum.
- //
- HashBase = mImageBase;
- if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // Use PE32 offset.
- //
- HashSize = (UINTN) (&mNtHeader.Pe32->OptionalHeader.CheckSum) - (UINTN) HashBase;
- } else {
- //
- // Use PE32+ offset.
- //
- HashSize = (UINTN) (&mNtHeader.Pe32Plus->OptionalHeader.CheckSum) - (UINTN) HashBase;
- }
-
- Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);
- if (!Status) {
- goto Done;
- }
- //
- // 5. Skip over the image checksum (it occupies a single ULONG).
- // 6. Get the address of the beginning of the Cert Directory.
- // 7. Hash everything from the end of the checksum to the start of the Cert Directory.
- //
- if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // Use PE32 offset.
- //
- HashBase = (UINT8 *) &mNtHeader.Pe32->OptionalHeader.CheckSum + sizeof (UINT32);
- HashSize = (UINTN) (&mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - (UINTN) HashBase;
- } else {
- //
- // Use PE32+ offset.
- //
- HashBase = (UINT8 *) &mNtHeader.Pe32Plus->OptionalHeader.CheckSum + sizeof (UINT32);
- HashSize = (UINTN) (&mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - (UINTN) HashBase;
- }
-
- Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);
- if (!Status) {
- goto Done;
- }
- //
- // 8. Skip over the Cert Directory. (It is sizeof(IMAGE_DATA_DIRECTORY) bytes.)
- // 9. Hash everything from the end of the Cert Directory to the end of image header.
- //
- if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // Use PE32 offset
- //
- HashBase = (UINT8 *) &mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1];
- HashSize = mNtHeader.Pe32->OptionalHeader.SizeOfHeaders - ((UINTN) (&mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]) - (UINTN) mImageBase);
- } else {
- //
- // Use PE32+ offset.
- //
- HashBase = (UINT8 *) &mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1];
- HashSize = mNtHeader.Pe32Plus->OptionalHeader.SizeOfHeaders - ((UINTN) (&mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]) - (UINTN) mImageBase);
- }
-
- Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);
- if (!Status) {
- goto Done;
- }
- //
- // 10. Set the SUM_OF_BYTES_HASHED to the size of the header.
- //
- if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // Use PE32 offset.
- //
- SumOfBytesHashed = mNtHeader.Pe32->OptionalHeader.SizeOfHeaders;
- } else {
- //
- // Use PE32+ offset
- //
- SumOfBytesHashed = mNtHeader.Pe32Plus->OptionalHeader.SizeOfHeaders;
- }
-
- //
- // 11. Build a temporary table of pointers to all the IMAGE_SECTION_HEADER
- // structures in the image. The 'NumberOfSections' field of the image
- // header indicates how big the table should be. Do not include any
- // IMAGE_SECTION_HEADERs in the table whose 'SizeOfRawData' field is zero.
- //
- SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * mNtHeader.Pe32->FileHeader.NumberOfSections);
- ASSERT (SectionHeader != NULL);
- //
- // 12. Using the 'PointerToRawData' in the referenced section headers as
- // a key, arrange the elements in the table in ascending order. In other
- // words, sort the section headers according to the disk-file offset of
- // the section.
- //
- Section = (EFI_IMAGE_SECTION_HEADER *) (
- mImageBase +
- mPeCoffHeaderOffset +
- sizeof (UINT32) +
- sizeof (EFI_IMAGE_FILE_HEADER) +
- mNtHeader.Pe32->FileHeader.SizeOfOptionalHeader
- );
- for (Index = 0; Index < mNtHeader.Pe32->FileHeader.NumberOfSections; Index++) {
- Pos = Index;
- while ((Pos > 0) && (Section->PointerToRawData < SectionHeader[Pos - 1].PointerToRawData)) {
- CopyMem (&SectionHeader[Pos], &SectionHeader[Pos - 1], sizeof (EFI_IMAGE_SECTION_HEADER));
- Pos--;
- }
- CopyMem (&SectionHeader[Pos], Section, sizeof (EFI_IMAGE_SECTION_HEADER));
- Section += 1;
- }
-
- //
- // 13. Walk through the sorted table, bring the corresponding section
- // into memory, and hash the entire section (using the 'SizeOfRawData'
- // field in the section header to determine the amount of data to hash).
- // 14. Add the section's 'SizeOfRawData' to SUM_OF_BYTES_HASHED .
- // 15. Repeat steps 13 and 14 for all the sections in the sorted table.
- //
- for (Index = 0; Index < mNtHeader.Pe32->FileHeader.NumberOfSections; Index++) {
- Section = &SectionHeader[Index];
- if (Section->SizeOfRawData == 0) {
- continue;
- }
- HashBase = mImageBase + Section->PointerToRawData;
- HashSize = (UINTN) Section->SizeOfRawData;
-
- Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);
- if (!Status) {
- goto Done;
- }
-
- SumOfBytesHashed += HashSize;
- }
-
- //
- // 16. If the file size is greater than SUM_OF_BYTES_HASHED, there is extra
- // data in the file that needs to be added to the hash. This data begins
- // at file offset SUM_OF_BYTES_HASHED and its length is:
- // FileSize - (CertDirectory->Size)
- //
- if (mImageSize > SumOfBytesHashed) {
- HashBase = mImageBase + SumOfBytesHashed;
- if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // Use PE32 offset.
- //
- HashSize = (UINTN)(
- mImageSize -
- mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size -
- SumOfBytesHashed);
- } else {
- //
- // Use PE32+ offset.
- //
- HashSize = (UINTN)(
- mImageSize -
- mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size -
- SumOfBytesHashed);
- }
-
- Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);
- if (!Status) {
- goto Done;
- }
- }
-
- Status = mHash[HashAlg].HashFinal(HashCtx, mImageDigest);
-
-Done:
- if (HashCtx != NULL) {
- FreePool (HashCtx);
- }
- if (SectionHeader != NULL) {
- FreePool (SectionHeader);
- }
- return Status;
-}
-
-/**
- Recognize the Hash algorithm in PE/COFF Authenticode and calculate hash of
- Pe/Coff image based on the authenticated image hashing in PE/COFF Specification
- 8.0 Appendix A
-
- @retval EFI_UNSUPPORTED Hash algorithm is not supported.
- @retval EFI_SUCCESS Hash successfully.
-
-**/
-EFI_STATUS
-HashPeImageByType (
- VOID
- )
-{
- UINT8 Index;
- WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;
-
- PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *) (mImageBase + mSecDataDir->Offset);
-
- for (Index = 0; Index < HASHALG_MAX; Index++) {
- //
- // Check the Hash algorithm in PE/COFF Authenticode.
- // According to PKCS#7 Definition:
- // SignedData ::= SEQUENCE {
- // version Version,
- // digestAlgorithms DigestAlgorithmIdentifiers,
- // contentInfo ContentInfo,
- // .... }
- // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
- // This field has the fixed offset (+32) in final Authenticode ASN.1 data.
- // Fixed offset (+32) is calculated based on two bytes of length encoding.
- //
- if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
- //
- // Only support two bytes of Long Form of Length Encoding.
- //
- continue;
- }
-
- //
- if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {
- break;
- }
- }
-
- if (Index == HASHALG_MAX) {
- return EFI_UNSUPPORTED;
- }
-
- //
- // HASH PE Image based on Hash algorithm in PE/COFF Authenticode.
- //
- if (!HashPeImage(Index)) {
- return EFI_UNSUPPORTED;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Enroll a new executable's signature into Signature Database.
-
- @param[in] PrivateData The module's private data.
- @param[in] VariableName Variable name of signature database, must be
- EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURITY_DATABASE1
- or EFI_IMAGE_SECURITY_DATABASE2.
-
- @retval EFI_SUCCESS New signature is enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollAuthentication2Descriptor (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN CHAR16 *VariableName
- )
-{
- EFI_STATUS Status;
- VOID *Data;
- UINTN DataSize;
- UINT32 Attr;
-
- Data = NULL;
-
- //
- // DBT only support DER-X509 Cert Enrollment
- //
- if (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0) {
- return EFI_UNSUPPORTED;
- }
-
- //
- // Read the whole file content
- //
- Status = ReadFileContent(
- Private->FileContext->FHandle,
- (VOID **) &mImageBase,
- &mImageSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (mImageBase != NULL);
-
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
- //
- // Check if SigDB variable has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- DataSize = 0;
- Status = gRT->GetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- //
- // Diretly set AUTHENTICATION_2 data to SetVariable
- //
- Status = gRT->SetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- Attr,
- mImageSize,
- mImageBase
- );
-
- DEBUG((DEBUG_INFO, "Enroll AUTH_2 data to Var:%s Status: %x\n", VariableName, Status));
-
-ON_EXIT:
-
- CloseEnrolledFile(Private->FileContext);
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- if (mImageBase != NULL) {
- FreePool (mImageBase);
- mImageBase = NULL;
- }
-
- return Status;
-
-}
-
-
-/**
- Enroll a new executable's signature into Signature Database.
-
- @param[in] PrivateData The module's private data.
- @param[in] VariableName Variable name of signature database, must be
- EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURITY_DATABASE1
- or EFI_IMAGE_SECURITY_DATABASE2.
-
- @retval EFI_SUCCESS New signature is enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollImageSignatureToSigDB (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN CHAR16 *VariableName
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_LIST *SigDBCert;
- EFI_SIGNATURE_DATA *SigDBCertData;
- VOID *Data;
- UINTN DataSize;
- UINTN SigDBSize;
- UINT32 Attr;
- WIN_CERTIFICATE_UEFI_GUID *GuidCertData;
-
- Data = NULL;
- GuidCertData = NULL;
-
- if (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0) {
- return EFI_UNSUPPORTED;
- }
-
- //
- // Form the SigDB certificate list.
- // Format the data item into EFI_SIGNATURE_LIST type.
- //
- // We need to parse executable's signature data from specified signed executable file.
- // In current implementation, we simply trust the pass-in signed executable file.
- // In reality, it's OS's responsibility to verify the signed executable file.
- //
-
- //
- // Read the whole file content
- //
- Status = ReadFileContent(
- Private->FileContext->FHandle,
- (VOID **) &mImageBase,
- &mImageSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (mImageBase != NULL);
-
- Status = LoadPeImage ();
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- if (mSecDataDir->SizeOfCert == 0) {
- if (!HashPeImage (HASHALG_SHA256)) {
- Status = EFI_SECURITY_VIOLATION;
- goto ON_EXIT;
- }
- } else {
-
- //
- // Read the certificate data
- //
- mCertificate = (WIN_CERTIFICATE *)(mImageBase + mSecDataDir->Offset);
-
- if (mCertificate->wCertificateType == WIN_CERT_TYPE_EFI_GUID) {
- GuidCertData = (WIN_CERTIFICATE_UEFI_GUID*) mCertificate;
- if (CompareMem (&GuidCertData->CertType, &gEfiCertTypeRsa2048Sha256Guid, sizeof(EFI_GUID)) != 0) {
- Status = EFI_ABORTED;
- goto ON_EXIT;
- }
-
- if (!HashPeImage (HASHALG_SHA256)) {
- Status = EFI_ABORTED;
- goto ON_EXIT;;
- }
-
- } else if (mCertificate->wCertificateType == WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
-
- Status = HashPeImageByType ();
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;;
- }
- } else {
- Status = EFI_ABORTED;
- goto ON_EXIT;
- }
- }
-
- //
- // Create a new SigDB entry.
- //
- SigDBSize = sizeof(EFI_SIGNATURE_LIST)
- + sizeof(EFI_SIGNATURE_DATA) - 1
- + (UINT32) mImageDigestSize;
-
- Data = (UINT8*) AllocateZeroPool (SigDBSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Adjust the Certificate Database parameters.
- //
- SigDBCert = (EFI_SIGNATURE_LIST*) Data;
- SigDBCert->SignatureListSize = (UINT32) SigDBSize;
- SigDBCert->SignatureHeaderSize = 0;
- SigDBCert->SignatureSize = sizeof(EFI_SIGNATURE_DATA) - 1 + (UINT32) mImageDigestSize;
- CopyGuid (&SigDBCert->SignatureType, &mCertType);
-
- SigDBCertData = (EFI_SIGNATURE_DATA*)((UINT8*)SigDBCert + sizeof(EFI_SIGNATURE_LIST));
- CopyGuid (&SigDBCertData->SignatureOwner, Private->SignatureGUID);
- CopyMem (SigDBCertData->SignatureData, mImageDigest, mImageDigestSize);
-
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = CreateTimeBasedPayload (&SigDBSize, (UINT8**) &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- //
- // Check if SigDB variable has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- DataSize = 0;
- Status = gRT->GetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- //
- // Enroll the variable.
- //
- Status = gRT->SetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- Attr,
- SigDBSize,
- Data
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- CloseEnrolledFile(Private->FileContext);
-
- if (Private->SignatureGUID != NULL) {
- FreePool (Private->SignatureGUID);
- Private->SignatureGUID = NULL;
- }
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- if (mImageBase != NULL) {
- FreePool (mImageBase);
- mImageBase = NULL;
- }
-
- return Status;
-}
-
-/**
- Enroll signature into DB/DBX/DBT without KEK's authentication.
- The SignatureOwner GUID will be Private->SignatureGUID.
-
- @param[in] PrivateData The module's private data.
- @param[in] VariableName Variable name of signature database, must be
- EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.
-
- @retval EFI_SUCCESS New signature enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval others Fail to enroll signature data.
-
-**/
-EFI_STATUS
-EnrollSignatureDatabase (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN CHAR16 *VariableName
- )
-{
- UINT16* FilePostFix;
- EFI_STATUS Status;
- UINTN NameLength;
-
- if ((Private->FileContext->FileName == NULL) || (Private->FileContext->FHandle == NULL) || (Private->SignatureGUID == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // Parse the file's postfix.
- //
- NameLength = StrLen (Private->FileContext->FileName);
- if (NameLength <= 4) {
- return EFI_INVALID_PARAMETER;
- }
- FilePostFix = Private->FileContext->FileName + NameLength - 4;
- if (IsDerEncodeCertificate (FilePostFix)) {
- //
- // Supports DER-encoded X509 certificate.
- //
- return EnrollX509toSigDB (Private, VariableName);
- } else if (IsAuthentication2Format(Private->FileContext->FHandle)){
- return EnrollAuthentication2Descriptor(Private, VariableName);
- } else {
- return EnrollImageSignatureToSigDB (Private, VariableName);
- }
-}
-
-/**
- List all signatures in specified signature database (e.g. KEK/DB/DBX/DBT)
- by GUID in the page for user to select and delete as needed.
-
- @param[in] PrivateData Module's private data.
- @param[in] VariableName The variable name of the vendor's signature database.
- @param[in] VendorGuid A unique identifier for the vendor.
- @param[in] LabelNumber Label number to insert opcodes.
- @param[in] FormId Form ID of current page.
- @param[in] QuestionIdBase Base question id of the signature list.
-
- @retval EFI_SUCCESS Success to update the signature list page
- @retval EFI_OUT_OF_RESOURCES Unable to allocate required resources.
-
-**/
-EFI_STATUS
-UpdateDeletePage (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT16 LabelNumber,
- IN EFI_FORM_ID FormId,
- IN EFI_QUESTION_ID QuestionIdBase
- )
-{
- EFI_STATUS Status;
- UINT32 Index;
- UINTN CertCount;
- UINTN GuidIndex;
- VOID *StartOpCodeHandle;
- VOID *EndOpCodeHandle;
- EFI_IFR_GUID_LABEL *StartLabel;
- EFI_IFR_GUID_LABEL *EndLabel;
- UINTN DataSize;
- UINT8 *Data;
- EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_DATA *Cert;
- UINT32 ItemDataSize;
- CHAR16 *GuidStr;
- EFI_STRING_ID GuidID;
- EFI_STRING_ID Help;
-
- Data = NULL;
- CertList = NULL;
- Cert = NULL;
- GuidStr = NULL;
- StartOpCodeHandle = NULL;
- EndOpCodeHandle = NULL;
-
- //
- // Initialize the container for dynamic opcodes.
- //
- StartOpCodeHandle = HiiAllocateOpCodeHandle ();
- if (StartOpCodeHandle == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- EndOpCodeHandle = HiiAllocateOpCodeHandle ();
- if (EndOpCodeHandle == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Create Hii Extend Label OpCode.
- //
- StartLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- StartOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- StartLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
- StartLabel->Number = LabelNumber;
-
- EndLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- EndOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- EndLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
- EndLabel->Number = LABEL_END;
-
- //
- // Read Variable.
- //
- DataSize = 0;
- Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &DataSize, Data);
- if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {
- goto ON_EXIT;
- }
-
- Data = (UINT8 *) AllocateZeroPool (DataSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &DataSize, Data);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- GuidStr = AllocateZeroPool (100);
- if (GuidStr == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Enumerate all KEK pub data.
- //
- ItemDataSize = (UINT32) DataSize;
- CertList = (EFI_SIGNATURE_LIST *) Data;
- GuidIndex = 0;
-
- while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
-
- if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_SHA1_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_SHA256_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Sha256Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_X509_SHA256_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Sha384Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_X509_SHA384_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Sha512Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_X509_SHA512_GUID);
- } else {
- //
- // The signature type is not supported in current implementation.
- //
- ItemDataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
- continue;
- }
-
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
- for (Index = 0; Index < CertCount; Index++) {
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList
- + sizeof (EFI_SIGNATURE_LIST)
- + CertList->SignatureHeaderSize
- + Index * CertList->SignatureSize);
- //
- // Display GUID and help
- //
- GuidToString (&Cert->SignatureOwner, GuidStr, 100);
- GuidID = HiiSetString (PrivateData->HiiHandle, 0, GuidStr, NULL);
- HiiCreateCheckBoxOpCode (
- StartOpCodeHandle,
- (EFI_QUESTION_ID) (QuestionIdBase + GuidIndex++),
- 0,
- 0,
- GuidID,
- Help,
- EFI_IFR_FLAG_CALLBACK,
- 0,
- NULL
- );
- }
-
- ItemDataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
- }
-
-ON_EXIT:
- HiiUpdateForm (
- PrivateData->HiiHandle,
- &gSecureBootConfigFormSetGuid,
- FormId,
- StartOpCodeHandle,
- EndOpCodeHandle
- );
-
- if (StartOpCodeHandle != NULL) {
- HiiFreeOpCodeHandle (StartOpCodeHandle);
- }
-
- if (EndOpCodeHandle != NULL) {
- HiiFreeOpCodeHandle (EndOpCodeHandle);
- }
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- if (GuidStr != NULL) {
- FreePool (GuidStr);
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Delete a KEK entry from KEK database.
-
- @param[in] PrivateData Module's private data.
- @param[in] QuestionId Question id of the KEK item to delete.
-
- @retval EFI_SUCCESS Delete kek item successfully.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-DeleteKeyExchangeKey (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
- IN EFI_QUESTION_ID QuestionId
- )
-{
- EFI_STATUS Status;
- UINTN DataSize;
- UINT8 *Data;
- UINT8 *OldData;
- UINT32 Attr;
- UINT32 Index;
- EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_LIST *NewCertList;
- EFI_SIGNATURE_DATA *Cert;
- UINTN CertCount;
- UINT32 Offset;
- BOOLEAN IsKEKItemFound;
- UINT32 KekDataSize;
- UINTN DeleteKekIndex;
- UINTN GuidIndex;
-
- Data = NULL;
- OldData = NULL;
- CertList = NULL;
- Cert = NULL;
- Attr = 0;
- DeleteKekIndex = QuestionId - OPTION_DEL_KEK_QUESTION_ID;
-
- Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // Get original KEK variable.
- //
- DataSize = 0;
- Status = gRT->GetVariable (EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, NULL, &DataSize, NULL);
- if (EFI_ERROR(Status) && Status != EFI_BUFFER_TOO_SMALL) {
- goto ON_EXIT;
- }
-
- OldData = (UINT8*)AllocateZeroPool(DataSize);
- if (OldData == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable (EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, &Attr, &DataSize, OldData);
- if (EFI_ERROR(Status)) {
- goto ON_EXIT;
- }
-
- //
- // Allocate space for new variable.
- //
- Data = (UINT8*) AllocateZeroPool (DataSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Enumerate all KEK pub data and erasing the target item.
- //
- IsKEKItemFound = FALSE;
- KekDataSize = (UINT32) DataSize;
- CertList = (EFI_SIGNATURE_LIST *) OldData;
- Offset = 0;
- GuidIndex = 0;
- while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
- if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
- CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
- CopyMem (Data + Offset, CertList, (sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize));
- NewCertList = (EFI_SIGNATURE_LIST *)(Data + Offset);
- Offset += (sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
- for (Index = 0; Index < CertCount; Index++) {
- if (GuidIndex == DeleteKekIndex ) {
- //
- // Find it! Skip it!
- //
- NewCertList->SignatureListSize -= CertList->SignatureSize;
- IsKEKItemFound = TRUE;
- } else {
- //
- // This item doesn't match. Copy it to the Data buffer.
- //
- CopyMem (Data + Offset, Cert, CertList->SignatureSize);
- Offset += CertList->SignatureSize;
- }
- GuidIndex++;
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8*) Cert + CertList->SignatureSize);
- }
- } else {
- //
- // This List doesn't match. Copy it to the Data buffer.
- //
- CopyMem (Data + Offset, CertList, CertList->SignatureListSize);
- Offset += CertList->SignatureListSize;
- }
-
- KekDataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST*) ((UINT8*) CertList + CertList->SignatureListSize);
- }
-
- if (!IsKEKItemFound) {
- //
- // Doesn't find the Kek Item!
- //
- Status = EFI_NOT_FOUND;
- goto ON_EXIT;
- }
-
- //
- // Delete the Signature header if there is no signature in the list.
- //
- KekDataSize = Offset;
- CertList = (EFI_SIGNATURE_LIST*) Data;
- Offset = 0;
- ZeroMem (OldData, KekDataSize);
- while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
- DEBUG ((DEBUG_INFO, " CertCount = %x\n", CertCount));
- if (CertCount != 0) {
- CopyMem (OldData + Offset, CertList, CertList->SignatureListSize);
- Offset += CertList->SignatureListSize;
- }
- KekDataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
- }
-
- DataSize = Offset;
- if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
- Status = CreateTimeBasedPayload (&DataSize, &OldData);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
- }
-
- Status = gRT->SetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- DataSize,
- OldData
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Failed to set variable, Status = %r\n", Status));
- goto ON_EXIT;
- }
-
-ON_EXIT:
- if (Data != NULL) {
- FreePool(Data);
- }
-
- if (OldData != NULL) {
- FreePool(OldData);
- }
-
- return UpdateDeletePage (
- PrivateData,
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- LABEL_KEK_DELETE,
- FORMID_DELETE_KEK_FORM,
- OPTION_DEL_KEK_QUESTION_ID
- );
-}
-
-/**
- Delete a signature entry from siganture database.
-
- @param[in] PrivateData Module's private data.
- @param[in] VariableName The variable name of the vendor's signature database.
- @param[in] VendorGuid A unique identifier for the vendor.
- @param[in] LabelNumber Label number to insert opcodes.
- @param[in] FormId Form ID of current page.
- @param[in] QuestionIdBase Base question id of the signature list.
- @param[in] DeleteIndex Signature index to delete.
-
- @retval EFI_SUCCESS Delete siganture successfully.
- @retval EFI_NOT_FOUND Can't find the signature item,
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-**/
-EFI_STATUS
-DeleteSignature (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT16 LabelNumber,
- IN EFI_FORM_ID FormId,
- IN EFI_QUESTION_ID QuestionIdBase,
- IN UINTN DeleteIndex
- )
-{
- EFI_STATUS Status;
- UINTN DataSize;
- UINT8 *Data;
- UINT8 *OldData;
- UINT32 Attr;
- UINT32 Index;
- EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_LIST *NewCertList;
- EFI_SIGNATURE_DATA *Cert;
- UINTN CertCount;
- UINT32 Offset;
- BOOLEAN IsItemFound;
- UINT32 ItemDataSize;
- UINTN GuidIndex;
-
- Data = NULL;
- OldData = NULL;
- CertList = NULL;
- Cert = NULL;
- Attr = 0;
-
- Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // Get original signature list data.
- //
- DataSize = 0;
- Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &DataSize, NULL);
- if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {
- goto ON_EXIT;
- }
-
- OldData = (UINT8 *) AllocateZeroPool (DataSize);
- if (OldData == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable (VariableName, VendorGuid, &Attr, &DataSize, OldData);
- if (EFI_ERROR(Status)) {
- goto ON_EXIT;
- }
-
- //
- // Allocate space for new variable.
- //
- Data = (UINT8*) AllocateZeroPool (DataSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Enumerate all signature data and erasing the target item.
- //
- IsItemFound = FALSE;
- ItemDataSize = (UINT32) DataSize;
- CertList = (EFI_SIGNATURE_LIST *) OldData;
- Offset = 0;
- GuidIndex = 0;
- while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
- if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
- CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) ||
- CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) ||
- CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) ||
- CompareGuid (&CertList->SignatureType, &gEfiCertX509Sha256Guid) ||
- CompareGuid (&CertList->SignatureType, &gEfiCertX509Sha384Guid) ||
- CompareGuid (&CertList->SignatureType, &gEfiCertX509Sha512Guid)
- ) {
- //
- // Copy EFI_SIGNATURE_LIST header then calculate the signature count in this list.
- //
- CopyMem (Data + Offset, CertList, (sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize));
- NewCertList = (EFI_SIGNATURE_LIST*) (Data + Offset);
- Offset += (sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
- for (Index = 0; Index < CertCount; Index++) {
- if (GuidIndex == DeleteIndex) {
- //
- // Find it! Skip it!
- //
- NewCertList->SignatureListSize -= CertList->SignatureSize;
- IsItemFound = TRUE;
- } else {
- //
- // This item doesn't match. Copy it to the Data buffer.
- //
- CopyMem (Data + Offset, (UINT8*)(Cert), CertList->SignatureSize);
- Offset += CertList->SignatureSize;
- }
- GuidIndex++;
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
- }
- } else {
- //
- // This List doesn't match. Just copy it to the Data buffer.
- //
- CopyMem (Data + Offset, (UINT8*)(CertList), CertList->SignatureListSize);
- Offset += CertList->SignatureListSize;
- }
-
- ItemDataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
- }
-
- if (!IsItemFound) {
- //
- // Doesn't find the signature Item!
- //
- Status = EFI_NOT_FOUND;
- goto ON_EXIT;
- }
-
- //
- // Delete the EFI_SIGNATURE_LIST header if there is no signature in the list.
- //
- ItemDataSize = Offset;
- CertList = (EFI_SIGNATURE_LIST *) Data;
- Offset = 0;
- ZeroMem (OldData, ItemDataSize);
- while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
- DEBUG ((DEBUG_INFO, " CertCount = %x\n", CertCount));
- if (CertCount != 0) {
- CopyMem (OldData + Offset, (UINT8*)(CertList), CertList->SignatureListSize);
- Offset += CertList->SignatureListSize;
- }
- ItemDataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
- }
-
- DataSize = Offset;
- if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
- Status = CreateTimeBasedPayload (&DataSize, &OldData);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
- }
-
- Status = gRT->SetVariable(
- VariableName,
- VendorGuid,
- Attr,
- DataSize,
- OldData
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Failed to set variable, Status = %r\n", Status));
- goto ON_EXIT;
- }
-
-ON_EXIT:
- if (Data != NULL) {
- FreePool(Data);
- }
-
- if (OldData != NULL) {
- FreePool(OldData);
- }
-
- return UpdateDeletePage (
- PrivateData,
- VariableName,
- VendorGuid,
- LabelNumber,
- FormId,
- QuestionIdBase
- );
-}
-
-/**
-
- Update SecureBoot strings based on new Secure Boot Mode State. String includes STR_SECURE_BOOT_STATE_CONTENT
- and STR_CUR_SECURE_BOOT_MODE_CONTENT.
-
- @param[in] PrivateData Module's private data.
-
- @return EFI_SUCCESS Update secure boot strings successfully.
- @return other Fail to update secure boot strings.
-
-**/
-EFI_STATUS
-UpdateSecureBootString(
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
- )
-{
- UINT8 *SecureBoot;
-
- SecureBoot = NULL;
-
- //
- // Get current secure boot state.
- //
- GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBoot, NULL);
- if (SecureBoot == NULL) {
- return EFI_NOT_FOUND;
- }
-
- if (*SecureBoot == SECURE_BOOT_MODE_ENABLE) {
- HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Enabled", NULL);
- } else {
- HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Disabled", NULL);
- }
-
- FreePool(SecureBoot);
-
- return EFI_SUCCESS;
-}
-
-/**
- This function extracts configuration from variable.
-
- @param[in] Private Point to SecureBoot configuration driver private data.
- @param[in, out] ConfigData Point to SecureBoot configuration private data.
-
-**/
-VOID
-SecureBootExtractConfigFromVariable (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN OUT SECUREBOOT_CONFIGURATION *ConfigData
- )
-{
- UINT8 *SecureBootEnable;
- UINT8 *SetupMode;
- UINT8 *SecureBootMode;
- EFI_TIME CurrTime;
-
- SecureBootEnable = NULL;
- SetupMode = NULL;
- SecureBootMode = NULL;
-
- //
- // Initilize the Date and Time using system time.
- //
- ConfigData->CertificateFormat = HASHALG_RAW;
- ConfigData->AlwaysRevocation = TRUE;
- gRT->GetTime (&CurrTime, NULL);
- ConfigData->RevocationDate.Year = CurrTime.Year;
- ConfigData->RevocationDate.Month = CurrTime.Month;
- ConfigData->RevocationDate.Day = CurrTime.Day;
- ConfigData->RevocationTime.Hour = CurrTime.Hour;
- ConfigData->RevocationTime.Minute = CurrTime.Minute;
- ConfigData->RevocationTime.Second = 0;
- if (Private->FileContext->FHandle != NULL) {
- ConfigData->FileEnrollType = Private->FileContext->FileType;
- } else {
- ConfigData->FileEnrollType = UNKNOWN_FILE_TYPE;
- }
-
- //
- // If it is Physical Presence User, set the PhysicalPresent to true.
- //
- if (UserPhysicalPresent()) {
- ConfigData->PhysicalPresent = TRUE;
- } else {
- ConfigData->PhysicalPresent = FALSE;
- }
-
- //
- // If there is no PK then the Delete Pk button will be gray.
- //
- GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
- if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
- ConfigData->HasPk = FALSE;
- } else {
- ConfigData->HasPk = TRUE;
- }
-
- //
- // Check SecureBootEnable & Pk status, fix the inconsistence.
- // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
- // Checkbox.
- //
- ConfigData->AttemptSecureBoot = FALSE;
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
-
- //
- // Fix Pk, SecureBootEnable inconsistence
- //
- if ((SetupMode != NULL) && (*SetupMode) == USER_MODE) {
- ConfigData->HideSecureBoot = FALSE;
- if ((SecureBootEnable != NULL) && (*SecureBootEnable == SECURE_BOOT_ENABLE)) {
- ConfigData->AttemptSecureBoot = TRUE;
- }
- } else {
- ConfigData->HideSecureBoot = TRUE;
- }
-
- //
- // Get the SecureBootMode from CustomMode variable.
- //
- GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);
- if (SecureBootMode == NULL) {
- ConfigData->SecureBootMode = STANDARD_SECURE_BOOT_MODE;
- } else {
- ConfigData->SecureBootMode = *(SecureBootMode);
- }
-
- if (SecureBootEnable != NULL) {
- FreePool (SecureBootEnable);
- }
- if (SetupMode != NULL) {
- FreePool (SetupMode);
- }
- if (SecureBootMode != NULL) {
- FreePool (SecureBootMode);
- }
-}
-
-/**
- This function allows a caller to extract the current configuration for one
- or more named elements from the target driver.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Request A null-terminated Unicode string in
- <ConfigRequest> format.
- @param[out] Progress On return, points to a character in the Request
- string. Points to the string's null terminator if
- request was successful. Points to the most recent
- '&' before the first failing name/value pair (or
- the beginning of the string if the failure is in
- the first name/value pair) if the request was not
- successful.
- @param[out] Results A null-terminated Unicode string in
- <ConfigAltResp> format which has all values filled
- in for the names in the Request string. String to
- be allocated by the called function.
-
- @retval EFI_SUCCESS The Results is filled with the requested values.
- @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
- @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
- @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
- driver.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootExtractConfig (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN CONST EFI_STRING Request,
- OUT EFI_STRING *Progress,
- OUT EFI_STRING *Results
- )
-{
- EFI_STATUS Status;
- UINTN BufferSize;
- UINTN Size;
- SECUREBOOT_CONFIGURATION Configuration;
- EFI_STRING ConfigRequest;
- EFI_STRING ConfigRequestHdr;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
- BOOLEAN AllocatedRequest;
-
- if (Progress == NULL || Results == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- AllocatedRequest = FALSE;
- ConfigRequestHdr = NULL;
- ConfigRequest = NULL;
- Size = 0;
-
- ZeroMem (&Configuration, sizeof (Configuration));
- PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
- *Progress = Request;
-
- if ((Request != NULL) && !HiiIsConfigHdrMatch (Request, &gSecureBootConfigFormSetGuid, mSecureBootStorageName)) {
- return EFI_NOT_FOUND;
- }
-
- ZeroMem(&Configuration, sizeof(SECUREBOOT_CONFIGURATION));
-
- //
- // Get Configuration from Variable.
- //
- SecureBootExtractConfigFromVariable (PrivateData, &Configuration);
-
- BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
- ConfigRequest = Request;
- if ((Request == NULL) || (StrStr (Request, L"OFFSET") == NULL)) {
- //
- // Request is set to NULL or OFFSET is NULL, construct full request string.
- //
- // Allocate and fill a buffer large enough to hold the <ConfigHdr> template
- // followed by "&OFFSET=0&WIDTH=WWWWWWWWWWWWWWWW" followed by a Null-terminator
- //
- ConfigRequestHdr = HiiConstructConfigHdr (&gSecureBootConfigFormSetGuid, mSecureBootStorageName, PrivateData->DriverHandle);
- Size = (StrLen (ConfigRequestHdr) + 32 + 1) * sizeof (CHAR16);
- ConfigRequest = AllocateZeroPool (Size);
- ASSERT (ConfigRequest != NULL);
- AllocatedRequest = TRUE;
- UnicodeSPrint (ConfigRequest, Size, L"%s&OFFSET=0&WIDTH=%016LX", ConfigRequestHdr, (UINT64)BufferSize);
- FreePool (ConfigRequestHdr);
- ConfigRequestHdr = NULL;
- }
-
- Status = gHiiConfigRouting->BlockToConfig (
- gHiiConfigRouting,
- ConfigRequest,
- (UINT8 *) &Configuration,
- BufferSize,
- Results,
- Progress
- );
-
- //
- // Free the allocated config request string.
- //
- if (AllocatedRequest) {
- FreePool (ConfigRequest);
- }
-
- //
- // Set Progress string to the original request string.
- //
- if (Request == NULL) {
- *Progress = NULL;
- } else if (StrStr (Request, L"OFFSET") == NULL) {
- *Progress = Request + StrLen (Request);
- }
-
- return Status;
-}
-
-/**
- This function processes the results of changes in configuration.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Configuration A null-terminated Unicode string in <ConfigResp>
- format.
- @param[out] Progress A pointer to a string filled in with the offset of
- the most recent '&' before the first failing
- name/value pair (or the beginning of the string if
- the failure is in the first name/value pair) or
- the terminating NULL if all was successful.
-
- @retval EFI_SUCCESS The Results is processed successfully.
- @retval EFI_INVALID_PARAMETER Configuration is NULL.
- @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
- driver.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootRouteConfig (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN CONST EFI_STRING Configuration,
- OUT EFI_STRING *Progress
- )
-{
- SECUREBOOT_CONFIGURATION IfrNvData;
- UINTN BufferSize;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
- EFI_STATUS Status;
-
- if (Configuration == NULL || Progress == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- *Progress = Configuration;
- if (!HiiIsConfigHdrMatch (Configuration, &gSecureBootConfigFormSetGuid, mSecureBootStorageName)) {
- return EFI_NOT_FOUND;
- }
-
- PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
-
- //
- // Get Configuration from Variable.
- //
- SecureBootExtractConfigFromVariable (PrivateData, &IfrNvData);
-
- //
- // Map the Configuration to the configuration block.
- //
- BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
- Status = gHiiConfigRouting->ConfigToBlock (
- gHiiConfigRouting,
- Configuration,
- (UINT8 *)&IfrNvData,
- &BufferSize,
- Progress
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // Store Buffer Storage back to EFI variable if needed
- //
- if (!IfrNvData.HideSecureBoot) {
- Status = SaveSecureBootVariable (IfrNvData.AttemptSecureBoot);
- if (EFI_ERROR (Status)) {
- return Status;
- }
- }
-
- *Progress = Configuration + StrLen (Configuration);
- return EFI_SUCCESS;
-}
-
-/**
- This function is called to provide results data to the driver.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Action Specifies the type of action taken by the browser.
- @param[in] QuestionId A unique value which is sent to the original
- exporting driver so that it can identify the type
- of data to expect.
- @param[in] Type The type of value for the question.
- @param[in] Value A pointer to the data being sent to the original
- exporting driver.
- @param[out] ActionRequest On return, points to the action requested by the
- callback function.
-
- @retval EFI_SUCCESS The callback successfully handled the action.
- @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
- variable and its data.
- @retval EFI_DEVICE_ERROR The variable could not be saved.
- @retval EFI_UNSUPPORTED The specified Action is not supported by the
- callback.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootCallback (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN EFI_BROWSER_ACTION Action,
- IN EFI_QUESTION_ID QuestionId,
- IN UINT8 Type,
- IN EFI_IFR_TYPE_VALUE *Value,
- OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
- )
-{
- EFI_INPUT_KEY Key;
- EFI_STATUS Status;
- RETURN_STATUS RStatus;
- SECUREBOOT_CONFIG_PRIVATE_DATA *Private;
- UINTN BufferSize;
- SECUREBOOT_CONFIGURATION *IfrNvData;
- UINT16 LabelId;
- UINT8 *SecureBootEnable;
- UINT8 *Pk;
- UINT8 *SecureBootMode;
- UINT8 *SetupMode;
- CHAR16 PromptString[100];
- EFI_DEVICE_PATH_PROTOCOL *File;
- UINTN NameLength;
- UINT16 *FilePostFix;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
-
- Status = EFI_SUCCESS;
- SecureBootEnable = NULL;
- SecureBootMode = NULL;
- SetupMode = NULL;
- File = NULL;
-
- if ((This == NULL) || (Value == NULL) || (ActionRequest == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- Private = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
-
- gSecureBootPrivateData = Private;
-
- //
- // Retrieve uncommitted data from Browser
- //
- BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
- IfrNvData = AllocateZeroPool (BufferSize);
- if (IfrNvData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- HiiGetBrowserData (&gSecureBootConfigFormSetGuid, mSecureBootStorageName, BufferSize, (UINT8 *) IfrNvData);
-
- if (Action == EFI_BROWSER_ACTION_FORM_OPEN) {
- if (QuestionId == KEY_SECURE_BOOT_MODE) {
- //
- // Update secure boot strings when opening this form
- //
- Status = UpdateSecureBootString(Private);
- SecureBootExtractConfigFromVariable (Private, IfrNvData);
- mIsEnterSecureBootForm = TRUE;
- } else {
- //
- // When entering SecureBoot OPTION Form
- // always close opened file & free resource
- //
- if ((QuestionId == KEY_SECURE_BOOT_PK_OPTION) ||
- (QuestionId == KEY_SECURE_BOOT_KEK_OPTION) ||
- (QuestionId == KEY_SECURE_BOOT_DB_OPTION) ||
- (QuestionId == KEY_SECURE_BOOT_DBX_OPTION) ||
- (QuestionId == KEY_SECURE_BOOT_DBT_OPTION)) {
- CloseEnrolledFile(Private->FileContext);
- }
- }
- goto EXIT;
- }
-
- if (Action == EFI_BROWSER_ACTION_RETRIEVE) {
- Status = EFI_UNSUPPORTED;
- if (QuestionId == KEY_SECURE_BOOT_MODE) {
- if (mIsEnterSecureBootForm) {
- Value->u8 = SECURE_BOOT_MODE_STANDARD;
- Status = EFI_SUCCESS;
- }
- }
- goto EXIT;
- }
-
- if ((Action != EFI_BROWSER_ACTION_CHANGED) &&
- (Action != EFI_BROWSER_ACTION_CHANGING) &&
- (Action != EFI_BROWSER_ACTION_FORM_CLOSE) &&
- (Action != EFI_BROWSER_ACTION_DEFAULT_STANDARD)) {
- Status = EFI_UNSUPPORTED;
- goto EXIT;
- }
-
- if (Action == EFI_BROWSER_ACTION_CHANGING) {
-
- switch (QuestionId) {
- case KEY_SECURE_BOOT_ENABLE:
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
- if (NULL != SecureBootEnable) {
- FreePool (SecureBootEnable);
- if (EFI_ERROR (SaveSecureBootVariable (Value->u8))) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Only Physical Presence User could disable secure boot!",
- NULL
- );
- Status = EFI_UNSUPPORTED;
- } else {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Configuration changed, please reset the platform to take effect!",
- NULL
- );
- }
- }
- break;
-
- case KEY_SECURE_BOOT_KEK_OPTION:
- case KEY_SECURE_BOOT_DB_OPTION:
- case KEY_SECURE_BOOT_DBX_OPTION:
- case KEY_SECURE_BOOT_DBT_OPTION:
- PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
- //
- // Clear Signature GUID.
- //
- ZeroMem (IfrNvData->SignatureGuid, sizeof (IfrNvData->SignatureGuid));
- if (Private->SignatureGUID == NULL) {
- Private->SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
- if (Private->SignatureGUID == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- }
-
- //
- // Cleanup VFRData once leaving PK/KEK/DB/DBX/DBT enroll/delete page
- //
- SecureBootExtractConfigFromVariable (PrivateData, IfrNvData);
-
- if (QuestionId == KEY_SECURE_BOOT_DB_OPTION) {
- LabelId = SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
- } else if (QuestionId == KEY_SECURE_BOOT_DBX_OPTION) {
- LabelId = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
- } else if (QuestionId == KEY_SECURE_BOOT_DBT_OPTION) {
- LabelId = SECUREBOOT_ENROLL_SIGNATURE_TO_DBT;
- } else {
- LabelId = FORMID_ENROLL_KEK_FORM;
- }
-
- //
- // Refresh selected file.
- //
- CleanUpPage (LabelId, Private);
- break;
- case KEY_SECURE_BOOT_PK_OPTION:
- LabelId = FORMID_ENROLL_PK_FORM;
- //
- // Refresh selected file.
- //
- CleanUpPage (LabelId, Private);
- break;
-
- case FORMID_ENROLL_PK_FORM:
- ChooseFile (NULL, NULL, UpdatePKFromFile, &File);
- break;
-
- case FORMID_ENROLL_KEK_FORM:
- ChooseFile (NULL, NULL, UpdateKEKFromFile, &File);
- break;
-
- case SECUREBOOT_ENROLL_SIGNATURE_TO_DB:
- ChooseFile (NULL, NULL, UpdateDBFromFile, &File);
- break;
-
- case SECUREBOOT_ENROLL_SIGNATURE_TO_DBX:
- ChooseFile (NULL, NULL, UpdateDBXFromFile, &File);
-
- if (Private->FileContext->FHandle != NULL) {
- //
- // Parse the file's postfix.
- //
- NameLength = StrLen (Private->FileContext->FileName);
- if (NameLength <= 4) {
- return FALSE;
- }
- FilePostFix = Private->FileContext->FileName + NameLength - 4;
-
- if (IsDerEncodeCertificate (FilePostFix)) {
- //
- // Supports DER-encoded X509 certificate.
- //
- IfrNvData->FileEnrollType = X509_CERT_FILE_TYPE;
- } else if (IsAuthentication2Format(Private->FileContext->FHandle)){
- IfrNvData->FileEnrollType = AUTHENTICATION_2_FILE_TYPE;
- } else {
- IfrNvData->FileEnrollType = PE_IMAGE_FILE_TYPE;
- }
- Private->FileContext->FileType = IfrNvData->FileEnrollType;
-
- //
- // Clean up Certificate Format if File type is not X509 DER
- //
- if (IfrNvData->FileEnrollType != X509_CERT_FILE_TYPE) {
- IfrNvData->CertificateFormat = HASHALG_RAW;
- }
- DEBUG((DEBUG_ERROR, "IfrNvData->FileEnrollType %d\n", Private->FileContext->FileType));
- }
-
- break;
-
- case SECUREBOOT_ENROLL_SIGNATURE_TO_DBT:
- ChooseFile (NULL, NULL, UpdateDBTFromFile, &File);
- break;
-
- case KEY_SECURE_BOOT_DELETE_PK:
- if (Value->u8) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Are you sure you want to delete PK? Secure boot will be disabled!",
- L"Press 'Y' to delete PK and exit, 'N' to discard change and return",
- NULL
- );
- if (Key.UnicodeChar == 'y' || Key.UnicodeChar == 'Y') {
- Status = DeletePlatformKey ();
- if (EFI_ERROR (Status)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Only Physical Presence User could delete PK in custom mode!",
- NULL
- );
- }
- }
- }
- break;
-
- case KEY_DELETE_KEK:
- UpdateDeletePage (
- Private,
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- LABEL_KEK_DELETE,
- FORMID_DELETE_KEK_FORM,
- OPTION_DEL_KEK_QUESTION_ID
- );
- break;
-
- case SECUREBOOT_DELETE_SIGNATURE_FROM_DB:
- UpdateDeletePage (
- Private,
- EFI_IMAGE_SECURITY_DATABASE,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DB_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
- OPTION_DEL_DB_QUESTION_ID
- );
- break;
-
- case SECUREBOOT_DELETE_SIGNATURE_FROM_DBX:
- UpdateDeletePage (
- Private,
- EFI_IMAGE_SECURITY_DATABASE1,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DBX_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
- OPTION_DEL_DBX_QUESTION_ID
- );
-
- break;
-
- case SECUREBOOT_DELETE_SIGNATURE_FROM_DBT:
- UpdateDeletePage (
- Private,
- EFI_IMAGE_SECURITY_DATABASE2,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DBT_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DBT,
- OPTION_DEL_DBT_QUESTION_ID
- );
-
- break;
-
- case KEY_VALUE_SAVE_AND_EXIT_KEK:
- Status = EnrollKeyExchangeKey (Private);
- if (EFI_ERROR (Status)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"ERROR: Unsupported file type!",
- L"Only supports DER-encoded X509 certificate",
- NULL
- );
- }
- break;
-
- case KEY_VALUE_SAVE_AND_EXIT_DB:
- Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE);
- if (EFI_ERROR (Status)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"ERROR: Unsupported file type!",
- L"Only supports DER-encoded X509 certificate and executable EFI image",
- NULL
- );
- }
- break;
-
- case KEY_VALUE_SAVE_AND_EXIT_DBX:
- if (IsX509CertInDbx (Private, EFI_IMAGE_SECURITY_DATABASE1)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Enrollment failed! Same certificate had already been in the dbx!",
- NULL
- );
-
- //
- // Cert already exists in DBX. Close opened file before exit.
- //
- CloseEnrolledFile(Private->FileContext);
- break;
- }
-
- if ((IfrNvData != NULL) && (IfrNvData->CertificateFormat < HASHALG_MAX)) {
- Status = EnrollX509HashtoSigDB (
- Private,
- IfrNvData->CertificateFormat,
- &IfrNvData->RevocationDate,
- &IfrNvData->RevocationTime,
- IfrNvData->AlwaysRevocation
- );
- IfrNvData->CertificateFormat = HASHALG_RAW;
- } else {
- Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE1);
- }
- if (EFI_ERROR (Status)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"ERROR: Unsupported file type!",
- L"Only supports DER-encoded X509 certificate, AUTH_2 format data & executable EFI image",
- NULL
- );
- }
- break;
-
- case KEY_VALUE_SAVE_AND_EXIT_DBT:
- Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE2);
- if (EFI_ERROR (Status)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"ERROR: Unsupported file type!",
- L"Only supports DER-encoded X509 certificate.",
- NULL
- );
- }
- break;
- case KEY_VALUE_SAVE_AND_EXIT_PK:
- Status = EnrollPlatformKey (Private);
- if (EFI_ERROR (Status)) {
- UnicodeSPrint (
- PromptString,
- sizeof (PromptString),
- L"Only DER encoded certificate file (%s) is supported.",
- mSupportX509Suffix
- );
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"ERROR: Unsupported file type!",
- PromptString,
- NULL
- );
- }
- break;
- default:
- if ((QuestionId >= OPTION_DEL_KEK_QUESTION_ID) &&
- (QuestionId < (OPTION_DEL_KEK_QUESTION_ID + OPTION_CONFIG_RANGE))) {
- DeleteKeyExchangeKey (Private, QuestionId);
- } else if ((QuestionId >= OPTION_DEL_DB_QUESTION_ID) &&
- (QuestionId < (OPTION_DEL_DB_QUESTION_ID + OPTION_CONFIG_RANGE))) {
- DeleteSignature (
- Private,
- EFI_IMAGE_SECURITY_DATABASE,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DB_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
- OPTION_DEL_DB_QUESTION_ID,
- QuestionId - OPTION_DEL_DB_QUESTION_ID
- );
- } else if ((QuestionId >= OPTION_DEL_DBX_QUESTION_ID) &&
- (QuestionId < (OPTION_DEL_DBX_QUESTION_ID + OPTION_CONFIG_RANGE))) {
- DeleteSignature (
- Private,
- EFI_IMAGE_SECURITY_DATABASE1,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DBX_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
- OPTION_DEL_DBX_QUESTION_ID,
- QuestionId - OPTION_DEL_DBX_QUESTION_ID
- );
- } else if ((QuestionId >= OPTION_DEL_DBT_QUESTION_ID) &&
- (QuestionId < (OPTION_DEL_DBT_QUESTION_ID + OPTION_CONFIG_RANGE))) {
- DeleteSignature (
- Private,
- EFI_IMAGE_SECURITY_DATABASE2,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DBT_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DBT,
- OPTION_DEL_DBT_QUESTION_ID,
- QuestionId - OPTION_DEL_DBT_QUESTION_ID
- );
- }
- break;
-
- case KEY_VALUE_NO_SAVE_AND_EXIT_PK:
- case KEY_VALUE_NO_SAVE_AND_EXIT_KEK:
- case KEY_VALUE_NO_SAVE_AND_EXIT_DB:
- case KEY_VALUE_NO_SAVE_AND_EXIT_DBX:
- case KEY_VALUE_NO_SAVE_AND_EXIT_DBT:
- CloseEnrolledFile(Private->FileContext);
-
- if (Private->SignatureGUID != NULL) {
- FreePool (Private->SignatureGUID);
- Private->SignatureGUID = NULL;
- }
- break;
- }
- } else if (Action == EFI_BROWSER_ACTION_CHANGED) {
- switch (QuestionId) {
- case KEY_SECURE_BOOT_ENABLE:
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
- break;
- case KEY_SECURE_BOOT_MODE:
- mIsEnterSecureBootForm = FALSE;
- break;
- case KEY_SECURE_BOOT_KEK_GUID:
- case KEY_SECURE_BOOT_SIGNATURE_GUID_DB:
- case KEY_SECURE_BOOT_SIGNATURE_GUID_DBX:
- case KEY_SECURE_BOOT_SIGNATURE_GUID_DBT:
- ASSERT (Private->SignatureGUID != NULL);
- RStatus = StrToGuid (IfrNvData->SignatureGuid, Private->SignatureGUID);
- if (RETURN_ERROR (RStatus) || (IfrNvData->SignatureGuid[GUID_STRING_LENGTH] != L'\0')) {
- Status = EFI_INVALID_PARAMETER;
- break;
- }
-
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
- break;
- case KEY_SECURE_BOOT_DELETE_PK:
- GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
- if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
- IfrNvData->DeletePk = TRUE;
- IfrNvData->HasPk = FALSE;
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT;
- } else {
- IfrNvData->DeletePk = FALSE;
- IfrNvData->HasPk = TRUE;
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
- }
- if (SetupMode != NULL) {
- FreePool (SetupMode);
- }
- break;
- default:
- break;
- }
- } else if (Action == EFI_BROWSER_ACTION_DEFAULT_STANDARD) {
- if (QuestionId == KEY_HIDE_SECURE_BOOT) {
- GetVariable2 (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID**)&Pk, NULL);
- if (Pk == NULL) {
- IfrNvData->HideSecureBoot = TRUE;
- } else {
- FreePool (Pk);
- IfrNvData->HideSecureBoot = FALSE;
- }
- Value->b = IfrNvData->HideSecureBoot;
- }
- } else if (Action == EFI_BROWSER_ACTION_FORM_CLOSE) {
- //
- // Force the platform back to Standard Mode once user leave the setup screen.
- //
- GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);
- if (NULL != SecureBootMode && *SecureBootMode == CUSTOM_SECURE_BOOT_MODE) {
- IfrNvData->SecureBootMode = STANDARD_SECURE_BOOT_MODE;
- SetSecureBootMode(STANDARD_SECURE_BOOT_MODE);
- }
- if (SecureBootMode != NULL) {
- FreePool (SecureBootMode);
- }
- }
-
-EXIT:
-
- if (!EFI_ERROR (Status)) {
- BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
- HiiSetBrowserData (&gSecureBootConfigFormSetGuid, mSecureBootStorageName, BufferSize, (UINT8*) IfrNvData, NULL);
- }
-
- FreePool (IfrNvData);
-
- if (File != NULL){
- FreePool(File);
- File = NULL;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- This function publish the SecureBoot configuration Form.
-
- @param[in, out] PrivateData Points to SecureBoot configuration private data.
-
- @retval EFI_SUCCESS HII Form is installed successfully.
- @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
- @retval Others Other errors as indicated.
-
-**/
-EFI_STATUS
-InstallSecureBootConfigForm (
- IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- )
-{
- EFI_STATUS Status;
- EFI_HII_HANDLE HiiHandle;
- EFI_HANDLE DriverHandle;
- EFI_HII_CONFIG_ACCESS_PROTOCOL *ConfigAccess;
-
- DriverHandle = NULL;
- ConfigAccess = &PrivateData->ConfigAccess;
- Status = gBS->InstallMultipleProtocolInterfaces (
- &DriverHandle,
- &gEfiDevicePathProtocolGuid,
- &mSecureBootHiiVendorDevicePath,
- &gEfiHiiConfigAccessProtocolGuid,
- ConfigAccess,
- NULL
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- PrivateData->DriverHandle = DriverHandle;
-
- //
- // Publish the HII package list
- //
- HiiHandle = HiiAddPackages (
- &gSecureBootConfigFormSetGuid,
- DriverHandle,
- SecureBootConfigDxeStrings,
- SecureBootConfigBin,
- NULL
- );
- if (HiiHandle == NULL) {
- gBS->UninstallMultipleProtocolInterfaces (
- DriverHandle,
- &gEfiDevicePathProtocolGuid,
- &mSecureBootHiiVendorDevicePath,
- &gEfiHiiConfigAccessProtocolGuid,
- ConfigAccess,
- NULL
- );
- return EFI_OUT_OF_RESOURCES;
- }
-
- PrivateData->HiiHandle = HiiHandle;
-
- PrivateData->FileContext = AllocateZeroPool (sizeof (SECUREBOOT_FILE_CONTEXT));
-
- if (PrivateData->FileContext == NULL) {
- UninstallSecureBootConfigForm (PrivateData);
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Init OpCode Handle and Allocate space for creation of Buffer
- //
- mStartOpCodeHandle = HiiAllocateOpCodeHandle ();
- if (mStartOpCodeHandle == NULL) {
- UninstallSecureBootConfigForm (PrivateData);
- return EFI_OUT_OF_RESOURCES;
- }
-
- mEndOpCodeHandle = HiiAllocateOpCodeHandle ();
- if (mEndOpCodeHandle == NULL) {
- UninstallSecureBootConfigForm (PrivateData);
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Create Hii Extend Label OpCode as the start opcode
- //
- mStartLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- mStartOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- mStartLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
-
- //
- // Create Hii Extend Label OpCode as the end opcode
- //
- mEndLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- mEndOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- mEndLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
- mEndLabel->Number = LABEL_END;
-
- return EFI_SUCCESS;
-}
-
-/**
- This function removes SecureBoot configuration Form.
-
- @param[in, out] PrivateData Points to SecureBoot configuration private data.
-
-**/
-VOID
-UninstallSecureBootConfigForm (
- IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- )
-{
- //
- // Uninstall HII package list
- //
- if (PrivateData->HiiHandle != NULL) {
- HiiRemovePackages (PrivateData->HiiHandle);
- PrivateData->HiiHandle = NULL;
- }
-
- //
- // Uninstall HII Config Access Protocol
- //
- if (PrivateData->DriverHandle != NULL) {
- gBS->UninstallMultipleProtocolInterfaces (
- PrivateData->DriverHandle,
- &gEfiDevicePathProtocolGuid,
- &mSecureBootHiiVendorDevicePath,
- &gEfiHiiConfigAccessProtocolGuid,
- &PrivateData->ConfigAccess,
- NULL
- );
- PrivateData->DriverHandle = NULL;
- }
-
- if (PrivateData->SignatureGUID != NULL) {
- FreePool (PrivateData->SignatureGUID);
- }
-
- if (PrivateData->FileContext != NULL) {
- FreePool (PrivateData->FileContext);
- }
-
- FreePool (PrivateData);
-
- if (mStartOpCodeHandle != NULL) {
- HiiFreeOpCodeHandle (mStartOpCodeHandle);
- }
-
- if (mEndOpCodeHandle != NULL) {
- HiiFreeOpCodeHandle (mEndOpCodeHandle);
- }
-}
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
deleted file mode 100644
index 75b18f121c..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
+++ /dev/null
@@ -1,567 +0,0 @@
-/** @file
- The header file of HII Config Access protocol implementation of SecureBoot
- configuration module.
-
-Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef __SECUREBOOT_CONFIG_IMPL_H__
-#define __SECUREBOOT_CONFIG_IMPL_H__
-
-#include <Uefi.h>
-
-#include <Protocol/HiiConfigAccess.h>
-#include <Protocol/HiiConfigRouting.h>
-#include <Protocol/SimpleFileSystem.h>
-#include <Protocol/BlockIo.h>
-#include <Protocol/DevicePath.h>
-#include <Protocol/DebugPort.h>
-#include <Protocol/LoadFile.h>
-
-#include <Library/BaseLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/DebugLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/UefiBootServicesTableLib.h>
-#include <Library/UefiRuntimeServicesTableLib.h>
-#include <Library/UefiHiiServicesLib.h>
-#include <Library/UefiLib.h>
-#include <Library/HiiLib.h>
-#include <Library/DevicePathLib.h>
-#include <Library/PrintLib.h>
-#include <Library/PlatformSecureLib.h>
-#include <Library/BaseCryptLib.h>
-#include <Library/FileExplorerLib.h>
-#include <Library/PeCoffLib.h>
-
-#include <Guid/MdeModuleHii.h>
-#include <Guid/AuthenticatedVariableFormat.h>
-#include <Guid/FileSystemVolumeLabelInfo.h>
-#include <Guid/ImageAuthentication.h>
-#include <Guid/FileInfo.h>
-#include <Guid/WinCertificate.h>
-
-#include "SecureBootConfigNvData.h"
-
-//
-// Tool generated IFR binary data and String package data
-//
-extern UINT8 SecureBootConfigBin[];
-extern UINT8 SecureBootConfigDxeStrings[];
-
-//
-// Shared IFR form update data
-//
-extern VOID *mStartOpCodeHandle;
-extern VOID *mEndOpCodeHandle;
-extern EFI_IFR_GUID_LABEL *mStartLabel;
-extern EFI_IFR_GUID_LABEL *mEndLabel;
-
-#define MAX_CHAR 480
-#define TWO_BYTE_ENCODE 0x82
-
-
-//
-// SHA-256 digest size in bytes
-//
-#define SHA256_DIGEST_SIZE 32
-//
-// SHA-384 digest size in bytes
-//
-#define SHA384_DIGEST_SIZE 48
-//
-// SHA-512 digest size in bytes
-//
-#define SHA512_DIGEST_SIZE 64
-
-//
-// Set max digest size as SHA512 Output (64 bytes) by far
-//
-#define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
-
-#define WIN_CERT_UEFI_RSA2048_SIZE 256
-
-//
-// Support hash types
-//
-#define HASHALG_SHA224 0x00000000
-#define HASHALG_SHA256 0x00000001
-#define HASHALG_SHA384 0x00000002
-#define HASHALG_SHA512 0x00000003
-#define HASHALG_RAW 0x00000004
-#define HASHALG_MAX 0x00000004
-
-
-typedef struct {
- UINTN Signature;
- LIST_ENTRY Head;
- UINTN MenuNumber;
-} SECUREBOOT_MENU_OPTION;
-
-typedef struct {
- EFI_FILE_HANDLE FHandle;
- UINT16 *FileName;
- UINT8 FileType;
-} SECUREBOOT_FILE_CONTEXT;
-
-
-//
-// We define another format of 5th directory entry: security directory
-//
-typedef struct {
- UINT32 Offset; // Offset of certificate
- UINT32 SizeOfCert; // size of certificate appended
-} EFI_IMAGE_SECURITY_DATA_DIRECTORY;
-
-typedef enum{
- ImageType_IA32,
- ImageType_X64
-} IMAGE_TYPE;
-
-///
-/// HII specific Vendor Device Path definition.
-///
-typedef struct {
- VENDOR_DEVICE_PATH VendorDevicePath;
- EFI_DEVICE_PATH_PROTOCOL End;
-} HII_VENDOR_DEVICE_PATH;
-
-typedef struct {
- UINTN Signature;
-
- EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess;
- EFI_HII_HANDLE HiiHandle;
- EFI_HANDLE DriverHandle;
-
- SECUREBOOT_FILE_CONTEXT *FileContext;
-
- EFI_GUID *SignatureGUID;
-} SECUREBOOT_CONFIG_PRIVATE_DATA;
-
-extern SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate;
-extern SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData;
-
-#define SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('S', 'E', 'C', 'B')
-#define SECUREBOOT_CONFIG_PRIVATE_FROM_THIS(a) CR (a, SECUREBOOT_CONFIG_PRIVATE_DATA, ConfigAccess, SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE)
-
-//
-// Cryptograhpic Key Information
-//
-#pragma pack(1)
-typedef struct _CPL_KEY_INFO {
- UINT32 KeyLengthInBits; // Key Length In Bits
- UINT32 BlockSize; // Operation Block Size in Bytes
- UINT32 CipherBlockSize; // Output Cipher Block Size in Bytes
- UINT32 KeyType; // Key Type
- UINT32 CipherMode; // Cipher Mode for Symmetric Algorithm
- UINT32 Flags; // Additional Key Property Flags
-} CPL_KEY_INFO;
-#pragma pack()
-
-
-/**
- Retrieves the size, in bytes, of the context buffer required for hash operations.
-
- @return The size, in bytes, of the context buffer required for hash operations.
-
-**/
-typedef
-EFI_STATUS
-(EFIAPI *HASH_GET_CONTEXT_SIZE)(
- VOID
- );
-
-/**
- Initializes user-supplied memory pointed by HashContext as hash context for
- subsequent use.
-
- If HashContext is NULL, then ASSERT().
-
- @param[in, out] HashContext Pointer to Context being initialized.
-
- @retval TRUE HASH context initialization succeeded.
- @retval FALSE HASH context initialization failed.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *HASH_INIT)(
- IN OUT VOID *HashContext
- );
-
-
-/**
- Performs digest on a data buffer of the specified length. This function can
- be called multiple times to compute the digest of long or discontinuous data streams.
-
- If HashContext is NULL, then ASSERT().
-
- @param[in, out] HashContext Pointer to the MD5 context.
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataLength Length of Data buffer in bytes.
-
- @retval TRUE HASH data digest succeeded.
- @retval FALSE Invalid HASH context. After HashFinal function has been called, the
- HASH context cannot be reused.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *HASH_UPDATE)(
- IN OUT VOID *HashContext,
- IN CONST VOID *Data,
- IN UINTN DataLength
- );
-
-/**
- Completes hash computation and retrieves the digest value into the specified
- memory. After this function has been called, the context cannot be used again.
-
- If HashContext is NULL, then ASSERT().
- If HashValue is NULL, then ASSERT().
-
- @param[in, out] HashContext Pointer to the MD5 context
- @param[out] HashValue Pointer to a buffer that receives the HASH digest
- value (16 bytes).
-
- @retval TRUE HASH digest computation succeeded.
- @retval FALSE HASH digest computation failed.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *HASH_FINAL)(
- IN OUT VOID *HashContext,
- OUT UINT8 *HashValue
- );
-
-//
-// Hash Algorithm Table
-//
-typedef struct {
- CHAR16 *Name; ///< Name for Hash Algorithm
- UINTN DigestLength; ///< Digest Length
- UINT8 *OidValue; ///< Hash Algorithm OID ASN.1 Value
- UINTN OidLength; ///< Length of Hash OID Value
- HASH_GET_CONTEXT_SIZE GetContextSize; ///< Pointer to Hash GetContentSize function
- HASH_INIT HashInit; ///< Pointer to Hash Init function
- HASH_UPDATE HashUpdate; ///< Pointer to Hash Update function
- HASH_FINAL HashFinal; ///< Pointer to Hash Final function
-} HASH_TABLE;
-
-typedef struct {
- WIN_CERTIFICATE Hdr;
- UINT8 CertData[1];
-} WIN_CERTIFICATE_EFI_PKCS;
-
-
-/**
- This function publish the SecureBoot configuration Form.
-
- @param[in, out] PrivateData Points to SecureBoot configuration private data.
-
- @retval EFI_SUCCESS HII Form is installed successfully.
- @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
- @retval Others Other errors as indicated.
-
-**/
-EFI_STATUS
-InstallSecureBootConfigForm (
- IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- );
-
-
-/**
- This function removes SecureBoot configuration Form.
-
- @param[in, out] PrivateData Points to SecureBoot configuration private data.
-
-**/
-VOID
-UninstallSecureBootConfigForm (
- IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- );
-
-
-/**
- This function allows a caller to extract the current configuration for one
- or more named elements from the target driver.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Request A null-terminated Unicode string in
- <ConfigRequest> format.
- @param[out] Progress On return, points to a character in the Request
- string. Points to the string's null terminator if
- request was successful. Points to the most recent
- '&' before the first failing name/value pair (or
- the beginning of the string if the failure is in
- the first name/value pair) if the request was not
- successful.
- @param[out] Results A null-terminated Unicode string in
- <ConfigAltResp> format which has all values filled
- in for the names in the Request string. String to
- be allocated by the called function.
-
- @retval EFI_SUCCESS The Results is filled with the requested values.
- @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
- @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
- @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
- driver.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootExtractConfig (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN CONST EFI_STRING Request,
- OUT EFI_STRING *Progress,
- OUT EFI_STRING *Results
- );
-
-
-/**
- This function processes the results of changes in configuration.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Configuration A null-terminated Unicode string in <ConfigResp>
- format.
- @param[out] Progress A pointer to a string filled in with the offset of
- the most recent '&' before the first failing
- name/value pair (or the beginning of the string if
- the failure is in the first name/value pair) or
- the terminating NULL if all was successful.
-
- @retval EFI_SUCCESS The Results is processed successfully.
- @retval EFI_INVALID_PARAMETER Configuration is NULL.
- @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
- driver.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootRouteConfig (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN CONST EFI_STRING Configuration,
- OUT EFI_STRING *Progress
- );
-
-
-/**
- This function processes the results of changes in configuration.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Action Specifies the type of action taken by the browser.
- @param[in] QuestionId A unique value which is sent to the original
- exporting driver so that it can identify the type
- of data to expect.
- @param[in] Type The type of value for the question.
- @param[in] Value A pointer to the data being sent to the original
- exporting driver.
- @param[out] ActionRequest On return, points to the action requested by the
- callback function.
-
- @retval EFI_SUCCESS The callback successfully handled the action.
- @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
- variable and its data.
- @retval EFI_DEVICE_ERROR The variable could not be saved.
- @retval EFI_UNSUPPORTED The specified Action is not supported by the
- callback.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootCallback (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN EFI_BROWSER_ACTION Action,
- IN EFI_QUESTION_ID QuestionId,
- IN UINT8 Type,
- IN EFI_IFR_TYPE_VALUE *Value,
- OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
- );
-
-
-/**
- This function converts an input device structure to a Unicode string.
-
- @param[in] DevPath A pointer to the device path structure.
-
- @return A new allocated Unicode string that represents the device path.
-
-**/
-CHAR16 *
-EFIAPI
-DevicePathToStr (
- IN EFI_DEVICE_PATH_PROTOCOL *DevPath
- );
-
-
-/**
- Clean up the dynamic opcode at label and form specified by both LabelId.
-
- @param[in] LabelId It is both the Form ID and Label ID for opcode deletion.
- @param[in] PrivateData Module private data.
-
-**/
-VOID
-CleanUpPage (
- IN UINT16 LabelId,
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- );
-
-
-/**
- Read file content into BufferPtr, the size of the allocate buffer
- is *FileSize plus AddtionAllocateSize.
-
- @param[in] FileHandle The file to be read.
- @param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
- @param[out] FileSize Size of input file
- @param[in] AddtionAllocateSize Addtion size the buffer need to be allocated.
- In case the buffer need to contain others besides the file content.
-
- @retval EFI_SUCCESS The file was read into the buffer.
- @retval EFI_INVALID_PARAMETER A parameter was invalid.
- @retval EFI_OUT_OF_RESOURCES A memory allocation failed.
- @retval others Unexpected error.
-
-**/
-EFI_STATUS
-ReadFileContent (
- IN EFI_FILE_HANDLE FileHandle,
- IN OUT VOID **BufferPtr,
- OUT UINTN *FileSize,
- IN UINTN AddtionAllocateSize
- );
-
-
-/**
- Close an open file handle.
-
- @param[in] FileHandle The file handle to close.
-
-**/
-VOID
-CloseFile (
- IN EFI_FILE_HANDLE FileHandle
- );
-
-
-/**
- Converts a nonnegative integer to an octet string of a specified length.
-
- @param[in] Integer Pointer to the nonnegative integer to be converted
- @param[in] IntSizeInWords Length of integer buffer in words
- @param[out] OctetString Converted octet string of the specified length
- @param[in] OSSizeInBytes Intended length of resulting octet string in bytes
-
-Returns:
-
- @retval EFI_SUCCESS Data conversion successfully
- @retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
-
-**/
-EFI_STATUS
-EFIAPI
-Int2OctStr (
- IN CONST UINTN *Integer,
- IN UINTN IntSizeInWords,
- OUT UINT8 *OctetString,
- IN UINTN OSSizeInBytes
- );
-
-/**
- Worker function that prints an EFI_GUID into specified Buffer.
-
- @param[in] Guid Pointer to GUID to print.
- @param[in] Buffer Buffer to print Guid into.
- @param[in] BufferSize Size of Buffer.
-
- @retval Number of characters printed.
-
-**/
-UINTN
-GuidToString (
- IN EFI_GUID *Guid,
- IN CHAR16 *Buffer,
- IN UINTN BufferSize
- );
-
-/**
- Update the PK form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdatePKFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- );
-
-/**
- Update the KEK form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdateKEKFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- );
-
-/**
- Update the DB form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdateDBFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- );
-
-/**
- Update the DBX form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdateDBXFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- );
-
-/**
- Update the DBT form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdateDBTFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- );
-
-#endif
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigMisc.c b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigMisc.c
deleted file mode 100644
index 038707ca83..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigMisc.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/** @file
- Helper functions for SecureBoot configuration module.
-
-Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-/**
- Read file content into BufferPtr, the size of the allocate buffer
- is *FileSize plus AddtionAllocateSize.
-
- @param[in] FileHandle The file to be read.
- @param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
- @param[out] FileSize Size of input file
- @param[in] AddtionAllocateSize Addtion size the buffer need to be allocated.
- In case the buffer need to contain others besides the file content.
-
- @retval EFI_SUCCESS The file was read into the buffer.
- @retval EFI_INVALID_PARAMETER A parameter was invalid.
- @retval EFI_OUT_OF_RESOURCES A memory allocation failed.
- @retval others Unexpected error.
-
-**/
-EFI_STATUS
-ReadFileContent (
- IN EFI_FILE_HANDLE FileHandle,
- IN OUT VOID **BufferPtr,
- OUT UINTN *FileSize,
- IN UINTN AddtionAllocateSize
- )
-
-{
- UINTN BufferSize;
- UINT64 SourceFileSize;
- VOID *Buffer;
- EFI_STATUS Status;
-
- if ((FileHandle == NULL) || (FileSize == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- Buffer = NULL;
-
- //
- // Get the file size
- //
- Status = FileHandle->SetPosition (FileHandle, (UINT64) -1);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- Status = FileHandle->GetPosition (FileHandle, &SourceFileSize);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- Status = FileHandle->SetPosition (FileHandle, 0);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- BufferSize = (UINTN) SourceFileSize + AddtionAllocateSize;
- Buffer = AllocateZeroPool(BufferSize);
- if (Buffer == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- BufferSize = (UINTN) SourceFileSize;
- *FileSize = BufferSize;
-
- Status = FileHandle->Read (FileHandle, &BufferSize, Buffer);
- if (EFI_ERROR (Status) || BufferSize != *FileSize) {
- FreePool (Buffer);
- Buffer = NULL;
- Status = EFI_BAD_BUFFER_SIZE;
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- *BufferPtr = Buffer;
- return Status;
-}
-
-/**
- Close an open file handle.
-
- @param[in] FileHandle The file handle to close.
-
-**/
-VOID
-CloseFile (
- IN EFI_FILE_HANDLE FileHandle
- )
-{
- if (FileHandle != NULL) {
- FileHandle->Close (FileHandle);
- }
-}
-
-/**
- Convert a nonnegative integer to an octet string of a specified length.
-
- @param[in] Integer Pointer to the nonnegative integer to be converted
- @param[in] IntSizeInWords Length of integer buffer in words
- @param[out] OctetString Converted octet string of the specified length
- @param[in] OSSizeInBytes Intended length of resulting octet string in bytes
-
-Returns:
-
- @retval EFI_SUCCESS Data conversion successfully
- @retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
-
-**/
-EFI_STATUS
-EFIAPI
-Int2OctStr (
- IN CONST UINTN *Integer,
- IN UINTN IntSizeInWords,
- OUT UINT8 *OctetString,
- IN UINTN OSSizeInBytes
- )
-{
- CONST UINT8 *Ptr1;
- UINT8 *Ptr2;
-
- for (Ptr1 = (CONST UINT8 *)Integer, Ptr2 = OctetString + OSSizeInBytes - 1;
- Ptr1 < (UINT8 *)(Integer + IntSizeInWords) && Ptr2 >= OctetString;
- Ptr1++, Ptr2--) {
- *Ptr2 = *Ptr1;
- }
-
- for (; Ptr1 < (CONST UINT8 *)(Integer + IntSizeInWords) && *Ptr1 == 0; Ptr1++);
-
- if (Ptr1 < (CONST UINT8 *)(Integer + IntSizeInWords)) {
- return EFI_BUFFER_TOO_SMALL;
- }
-
- if (Ptr2 >= OctetString) {
- ZeroMem (OctetString, Ptr2 - OctetString + 1);
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Worker function that prints an EFI_GUID into specified Buffer.
-
- @param[in] Guid Pointer to GUID to print.
- @param[in] Buffer Buffer to print Guid into.
- @param[in] BufferSize Size of Buffer.
-
- @retval Number of characters printed.
-
-**/
-UINTN
-GuidToString (
- IN EFI_GUID *Guid,
- IN CHAR16 *Buffer,
- IN UINTN BufferSize
- )
-{
- UINTN Size;
-
- Size = UnicodeSPrint (
- Buffer,
- BufferSize,
- L"%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
- (UINTN)Guid->Data1,
- (UINTN)Guid->Data2,
- (UINTN)Guid->Data3,
- (UINTN)Guid->Data4[0],
- (UINTN)Guid->Data4[1],
- (UINTN)Guid->Data4[2],
- (UINTN)Guid->Data4[3],
- (UINTN)Guid->Data4[4],
- (UINTN)Guid->Data4[5],
- (UINTN)Guid->Data4[6],
- (UINTN)Guid->Data4[7]
- );
-
- //
- // SPrint will null terminate the string. The -1 skips the null
- //
- return Size - 1;
-}
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
deleted file mode 100644
index 6b69f92b26..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/** @file
- Header file for NV data structure definition.
-
-Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef __SECUREBOOT_CONFIG_NV_DATA_H__
-#define __SECUREBOOT_CONFIG_NV_DATA_H__
-
-#include <Guid/HiiPlatformSetupFormset.h>
-#include <Guid/SecureBootConfigHii.h>
-
-//
-// Used by VFR for form or button identification
-//
-#define SECUREBOOT_CONFIGURATION_VARSTORE_ID 0x0001
-#define SECUREBOOT_CONFIGURATION_FORM_ID 0x01
-#define FORMID_SECURE_BOOT_OPTION_FORM 0x02
-#define FORMID_SECURE_BOOT_PK_OPTION_FORM 0x03
-#define FORMID_SECURE_BOOT_KEK_OPTION_FORM 0x04
-#define FORMID_SECURE_BOOT_DB_OPTION_FORM 0x05
-#define FORMID_SECURE_BOOT_DBX_OPTION_FORM 0x06
-#define FORMID_ENROLL_PK_FORM 0x07
-#define SECUREBOOT_ADD_PK_FILE_FORM_ID 0x08
-#define FORMID_ENROLL_KEK_FORM 0x09
-#define FORMID_DELETE_KEK_FORM 0x0a
-#define SECUREBOOT_ENROLL_SIGNATURE_TO_DB 0x0b
-#define SECUREBOOT_DELETE_SIGNATURE_FROM_DB 0x0c
-#define SECUREBOOT_ENROLL_SIGNATURE_TO_DBX 0x0d
-#define SECUREBOOT_DELETE_SIGNATURE_FROM_DBX 0x0e
-#define FORMID_SECURE_BOOT_DBT_OPTION_FORM 0x14
-#define SECUREBOOT_ENROLL_SIGNATURE_TO_DBT 0x15
-#define SECUREBOOT_DELETE_SIGNATURE_FROM_DBT 0x16
-
-#define SECURE_BOOT_MODE_CUSTOM 0x01
-#define SECURE_BOOT_MODE_STANDARD 0x00
-
-#define KEY_SECURE_BOOT_ENABLE 0x1000
-#define KEY_SECURE_BOOT_MODE 0x1001
-#define KEY_VALUE_SAVE_AND_EXIT_DB 0x1002
-#define KEY_VALUE_NO_SAVE_AND_EXIT_DB 0x1003
-#define KEY_VALUE_SAVE_AND_EXIT_PK 0x1004
-#define KEY_VALUE_NO_SAVE_AND_EXIT_PK 0x1005
-#define KEY_VALUE_SAVE_AND_EXIT_KEK 0x1008
-#define KEY_VALUE_NO_SAVE_AND_EXIT_KEK 0x1009
-#define KEY_VALUE_SAVE_AND_EXIT_DBX 0x100a
-#define KEY_VALUE_NO_SAVE_AND_EXIT_DBX 0x100b
-#define KEY_HIDE_SECURE_BOOT 0x100c
-#define KEY_VALUE_SAVE_AND_EXIT_DBT 0x100d
-#define KEY_VALUE_NO_SAVE_AND_EXIT_DBT 0x100e
-
-#define KEY_SECURE_BOOT_OPTION 0x1100
-#define KEY_SECURE_BOOT_PK_OPTION 0x1101
-#define KEY_SECURE_BOOT_KEK_OPTION 0x1102
-#define KEY_SECURE_BOOT_DB_OPTION 0x1103
-#define KEY_SECURE_BOOT_DBX_OPTION 0x1104
-#define KEY_SECURE_BOOT_DELETE_PK 0x1105
-#define KEY_ENROLL_PK 0x1106
-#define KEY_ENROLL_KEK 0x1107
-#define KEY_DELETE_KEK 0x1108
-#define KEY_SECURE_BOOT_KEK_GUID 0x110a
-#define KEY_SECURE_BOOT_SIGNATURE_GUID_DB 0x110b
-#define KEY_SECURE_BOOT_SIGNATURE_GUID_DBX 0x110c
-#define KEY_SECURE_BOOT_DBT_OPTION 0x110d
-#define KEY_SECURE_BOOT_SIGNATURE_GUID_DBT 0x110e
-
-#define LABEL_KEK_DELETE 0x1200
-#define LABEL_DB_DELETE 0x1201
-#define LABEL_DBX_DELETE 0x1202
-#define LABEL_DBT_DELETE 0x1203
-#define LABEL_END 0xffff
-
-
-#define SECURE_BOOT_MAX_ATTEMPTS_NUM 255
-
-#define CONFIG_OPTION_OFFSET 0x2000
-
-#define OPTION_CONFIG_QUESTION_ID 0x2000
-#define OPTION_CONFIG_RANGE 0x1000
-
-//
-// Question ID 0x2000 ~ 0x2FFF is for KEK
-//
-#define OPTION_DEL_KEK_QUESTION_ID 0x2000
-//
-// Question ID 0x3000 ~ 0x3FFF is for DB
-//
-#define OPTION_DEL_DB_QUESTION_ID 0x3000
-//
-// Question ID 0x4000 ~ 0x4FFF is for DBX
-//
-#define OPTION_DEL_DBX_QUESTION_ID 0x4000
-
-//
-// Question ID 0x5000 ~ 0x5FFF is for DBT
-//
-#define OPTION_DEL_DBT_QUESTION_ID 0x5000
-
-#define SECURE_BOOT_GUID_SIZE 36
-#define SECURE_BOOT_GUID_STORAGE_SIZE 37
-
-#define UNKNOWN_FILE_TYPE 0
-#define X509_CERT_FILE_TYPE 1
-#define PE_IMAGE_FILE_TYPE 2
-#define AUTHENTICATION_2_FILE_TYPE 3
-
-//
-// Nv Data structure referenced by IFR
-//
-typedef struct {
- BOOLEAN AttemptSecureBoot; // Attempt to enable/disable Secure Boot
- BOOLEAN HideSecureBoot; // Hiden Attempt Secure Boot
- CHAR16 SignatureGuid[SECURE_BOOT_GUID_STORAGE_SIZE];
- BOOLEAN PhysicalPresent; // If a Physical Present User
- UINT8 SecureBootMode; // Secure Boot Mode: Standard Or Custom
- BOOLEAN DeletePk;
- BOOLEAN HasPk; // If Pk is existed it is true
- BOOLEAN AlwaysRevocation; // If the certificate is always revoked. Revocation time is hidden
- UINT8 CertificateFormat; // The type of the certificate
- EFI_HII_DATE RevocationDate; // The revocation date of the certificate
- EFI_HII_TIME RevocationTime; // The revocation time of the certificate
- UINT8 FileEnrollType; // File type of sigunature enroll
-} SECUREBOOT_CONFIGURATION;
-
-#endif
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
deleted file mode 100644
index 320cc79c47..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
+++ /dev/null
@@ -1,116 +0,0 @@
-/** @file
- String definitions for Secure Boot Configuration form.
-
-Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#langdef en-US "English"
-
-#string STR_SECUREBOOT_TITLE #language en-US "Secure Boot Configuration"
-#string STR_SECUREBOOT_HELP #language en-US "Press <Enter> to select Secure Boot options."
-
-#string STR_NULL #language en-US ""
-#string STR_DBX_SUBTITLE_TEXT #language en-US ""
-
-#string STR_SECURE_BOOT_STATE_PROMPT #language en-US "Current Secure Boot State"
-#string STR_SECURE_BOOT_STATE_HELP #language en-US "Current Secure Boot state: enabled or disabled."
-#string STR_SECURE_BOOT_STATE_CONTENT #language en-US " "
-
-#string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure Boot"
-#string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable the Secure Boot feature after platform reset"
-
-#string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signature"
-#string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signature"
-
-#string STR_SECURE_BOOT_SIGNATURE_GUID #language en-US "Signature GUID"
-#string STR_SECURE_BOOT_SIGNATURE_GUID_HELP #language en-US "Input digit character in 11111111-2222-3333-4444-1234567890ab format."
-#string STR_SECURE_BOOT_ADD_SIGNATURE_FILE #language en-US "Enroll Signature Using File"
-
-#string STR_DBX_CERTIFICATE_FORMAT_PROMPT #language en-US "Signature Format"
-#string STR_DBX_CERTIFICATE_FORMAT_HELP #language en-US "X509 DER-Cert enrolled. Select different option to enroll it into DBX."
-#string STR_DBX_CERTIFICATE_FORMAT_SHA256 #language en-US "X509 CERT SHA256"
-#string STR_DBX_CERTIFICATE_FORMAT_SHA384 #language en-US "X509 CERT SHA384"
-#string STR_DBX_CERTIFICATE_FORMAT_SHA512 #language en-US "X509 CERT SHA512"
-#string STR_DBX_CERTIFICATE_FORMAT_RAW #language en-US "X509 CERT"
-
-#string STR_DBX_PE_IMAGE_FORMAT_HELP #language en-US "PE image enrolled. Use SHA256 hash to enroll it into DBX"
-#string STR_DBX_PE_FORMAT_SHA256 #language en-US "PE Image SHA256"
-
-#string STR_DBX_AUTH_2_FORMAT_HELP #language en-US "VARIABLE_AUTHENICATION_2 binary enrolled. Use raw binary to enroll it into DBX"
-#string STR_DBX_AUTH_2_FORMAT #language en-US "VARIABLE_AUTHENICATION_2"
-
-#string STR_CERTIFICATE_REVOCATION_TIME_PROMPT #language en-US " Revocation Time"
-#string STR_CERTIFICATE_REVOCATION_TIME_HELP #language en-US "Input the revocation time of the certificate"
-#string STR_CERTIFICATE_REVOCATION_DATE_PROMPT #language en-US " Revocation Date"
-#string STR_CERTIFICATE_REVOCATION_DATE_HELP #language en-US "Input the revocation date of the certificate"
-
-#string STR_ALWAYS_CERTIFICATE_REVOCATION_PROMPT #language en-US "Always Revocation"
-#string STR_ALWAYS_CERTIFICATE_REVOCATION_HELP #language en-US "Indicate whether the certificate is always revoked."
-
-
-#string STR_SAVE_SIGNATURE_FILE #language en-US "Save Signature File"
-
-#string STR_SAVE_AND_EXIT #language en-US "Commit Changes and Exit"
-#string STR_NO_SAVE_AND_EXIT #language en-US "Discard Changes and Exit"
-
-#string STR_FILE_EXPLORER_TITLE #language en-US "File Explorer"
-
-#string STR_SECURE_BOOT_MODE_PROMPT #language en-US "Secure Boot Mode"
-#string STR_SECURE_BOOT_MODE_HELP #language en-US "Secure Boot Mode: Custom Mode or Standard Mode"
-
-#string STR_STANDARD_MODE #language en-US "Standard Mode"
-#string STR_CUSTOM_MODE #language en-US "Custom Mode"
-
-#string STR_SECURE_BOOT_OPTION #language en-US "Custom Secure Boot Options"
-#string STR_SECURE_BOOT_OPTION_HELP #language en-US "Enter into Custom Secure Boot Options Form"
-
-#string STR_SECURE_BOOT_OPTION_TITLE #language en-US "Custom Secure Boot Options"
-
-#string STR_SECURE_BOOT_PK_OPTION #language en-US "PK Options"
-#string STR_SECURE_BOOT_PK_OPTION_HELP #language en-US "Enroll/Delete PK"
-#string STR_SECURE_BOOT_KEK_OPTION #language en-US "KEK Options"
-#string STR_SECURE_BOOT_KEK_OPTION_HELP #language en-US "Enroll/Delete KEK"
-#string STR_SECURE_BOOT_DB_OPTION #language en-US "DB Options"
-#string STR_SECURE_BOOT_DB_OPTION_HELP #language en-US "Enroll/Delete Signature"
-#string STR_SECURE_BOOT_DBX_OPTION #language en-US "DBX Options"
-#string STR_SECURE_BOOT_DBX_OPTION_HELP #language en-US "Enroll/Delete DBX"
-#string STR_SECURE_BOOT_DBT_OPTION #language en-US "DBT Options"
-#string STR_SECURE_BOOT_DBT_OPTION_HELP #language en-US "Enroll/Delete DBT"
-
-#string STR_ENROLL_PK #language en-US "Enroll PK"
-#string STR_ENROLL_PK_HELP #language en-US "Enter into Enroll PK Form"
-#string STR_SAVE_PK_FILE #language en-US "Save PK file"
-#string STR_SECURE_BOOT_ENROLL_PK_FILE #language en-US "Enroll PK Using File"
-
-#string STR_DELETE_PK #language en-US "Delete Pk"
-#string STR_DELETE_PK_HELP #language en-US "Choose to Delete PK, Otherwise keep the PK"
-
-#string STR_ENROLL_PK_TITLE #language en-US "Enroll PK"
-
-#string STR_ENROLL_KEK #language en-US "Enroll KEK"
-#string STR_ENROLL_KEK_HELP #language en-US "Enter into Enroll KEK Form"
-
-#string STR_DELETE_KEK #language en-US "Delete KEK"
-#string STR_DELETE_KEK_HELP #language en-US "Enter into Delete KEK Form"
-
-#string STR_ENROLL_KEK_TITLE #language en-US "Enroll KEK"
-#string STR_DELETE_KEK_TITLE #language en-US "Delete KEK"
-
-#string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE #language en-US "Enroll KEK using File"
-#string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en-US "Read the public key of KEK from file"
-#string STR_FILE_EXPLORER_TITLE #language en-US "File Explorer"
-#string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US "RSA2048_SHA256_GUID"
-#string STR_CERT_TYPE_PCKS7_GUID #language en-US "PKCS7_GUID"
-#string STR_CERT_TYPE_SHA1_GUID #language en-US "SHA1_GUID"
-#string STR_CERT_TYPE_SHA256_GUID #language en-US "SHA256_GUID"
-#string STR_CERT_TYPE_X509_SHA256_GUID #language en-US "X509_SHA256_GUID"
-#string STR_CERT_TYPE_X509_SHA384_GUID #language en-US "X509_SHA384_GUID"
-#string STR_CERT_TYPE_X509_SHA512_GUID #language en-US "X509_SHA512_GUID"