authorChao Zhang <chao.b.zhang@intel.com>2015-12-07 06:20:02 +0000
committerczhang46 <czhang46@Edk2>2015-12-07 06:20:02 +0000
commit4fc08e8d683522f255727626197d919a40d4836c (patch)
tree6358202293021f6508e1417ebf68d3530037b185 /SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
parentaf9af05bec5b1880f8e4f9142ecc0044fd0acb33 (diff)
SecurityPkg: AuthVariableLib: Customized SecureBoot Mode transition.
Implement Customized SecureBoot Mode transition logic according to Mantis 1263, including AuditMode/DeployedMode/PK update management. Also implement image verification logic in AuditMode. Image Certificate & Hash are recorded to EFI Image Execution Table. https://mantis.uefi.org/mantis/view.php?id=1263 Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Zeng Star <star.zeng@intel.com> Reviewed-by: Long Qin <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19133 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c')
-rw-r--r--SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c109
1 files changed, 20 insertions, 89 deletions
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index a54eaaa066..dee5e1dd9d 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -33,7 +33,6 @@ UINT32 mMaxKeyNumber;
UINT32 mMaxKeyDbSize;
UINT8 *mCertDbStore;
UINT32 mMaxCertDbSize;
-UINT32 mPlatformMode;
UINT8 mVendorKeyState;
EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
@@ -99,6 +98,17 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
MAX_UINTN
}
},
+ {
+ &gEdkiiSecureBootModeGuid,
+ L"SecureBootMode",
+ {
+ VAR_CHECK_VARIABLE_PROPERTY_REVISION,
+ VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,
+ VARIABLE_ATTRIBUTE_NV_BS_RT,
+ sizeof (UINT8),
+ sizeof (UINT8)
+ }
+ }
};
VOID **mAuthVarAddressPointer[10];
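Review bot: The new `SecureBootMode` entry has no comment saying who owns the variable, although it is persisted and visible at runtime (`VARIABLE_ATTRIBUTE_NV_BS_RT`) and guarded only by `VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY`. I would add above the entry something like `// Internal Secure Boot mode state under gEdkiiSecureBootModeGuid; read-only to SetVariable() callers, updated only through the library's internal path.` (the internal-writer part is inferred and should be confirmed). Because the value is read back from non-volatile storage, the code that consumes it, which is not in this hunk, should range-check the single byte and reconcile it with PK presence rather than trust it as stored.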
@@ -132,8 +142,6 @@ AuthVariableLibInitialize (
UINT8 *Data;
UINTN DataSize;
UINTN CtxSize;
- UINT8 SecureBootMode;
- UINT8 SecureBootEnable;
UINT8 CustomMode;
UINT32 ListSize;
@@ -208,31 +216,11 @@ AuthVariableLibInitialize (
mPubKeyNumber = (UINT32) (DataSize / sizeof (AUTHVAR_KEY_DB_DATA));
}
- Status = AuthServiceInternalFindVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_INFO, "Variable %s does not exist.\n", EFI_PLATFORM_KEY_NAME));
- } else {
- DEBUG ((EFI_D_INFO, "Variable %s exists.\n", EFI_PLATFORM_KEY_NAME));
- }
-
//
- // Create "SetupMode" variable with BS+RT attribute set.
+ // Init Secure Boot variables
//
- if (EFI_ERROR (Status)) {
- mPlatformMode = SETUP_MODE;
- } else {
- mPlatformMode = USER_MODE;
- }
- Status = AuthServiceInternalUpdateVariable (
- EFI_SETUP_MODE_NAME,
- &gEfiGlobalVariableGuid,
- &mPlatformMode,
- sizeof(UINT8),
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
+ Status = InitSecureBootVariables ();
+
//
// Create "SignatureSupport" variable with BS+RT attribute set.
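Review bot: The status returned by `InitSecureBootVariables ()` is assigned but never tested in this hunk, whereas the removed code returned on every failed variable update. The statement that follows the "SignatureSupport" comment is outside the hunk, but if it assigns `Status` again, a failure to establish the Secure Boot mode variables is silently dropped and initialization carries on. Add `if (EFI_ERROR (Status)) { return Status; }` directly after the call so the library fails closed. The body of AuthVariableLibInitialize starts and ends outside the hunk.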
@@ -249,69 +237,6 @@ AuthVariableLibInitialize (
}
//
- // If "SecureBootEnable" variable exists, then update "SecureBoot" variable.
- // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
- // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
- //
- SecureBootEnable = SECURE_BOOT_DISABLE;
- Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **) &Data, &DataSize);
- if (!EFI_ERROR (Status)) {
- if (mPlatformMode == SETUP_MODE){
- //
- // PK is cleared in runtime. "SecureBootMode" is not updated before reboot
- // Delete "SecureBootMode" in SetupMode
- //
- Status = AuthServiceInternalUpdateVariable (
- EFI_SECURE_BOOT_ENABLE_NAME,
- &gEfiSecureBootEnableDisableGuid,
- &SecureBootEnable,
- 0,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
- );
- } else {
- SecureBootEnable = *(UINT8 *) Data;
- }
- } else if (mPlatformMode == USER_MODE) {
- //
- // "SecureBootEnable" not exist, initialize it in USER_MODE.
- //
- SecureBootEnable = SECURE_BOOT_ENABLE;
- Status = AuthServiceInternalUpdateVariable (
- EFI_SECURE_BOOT_ENABLE_NAME,
- &gEfiSecureBootEnableDisableGuid,
- &SecureBootEnable,
- sizeof (UINT8),
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
- }
-
- //
- // Create "SecureBoot" variable with BS+RT attribute set.
- //
- if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
- SecureBootMode = SECURE_BOOT_MODE_ENABLE;
- } else {
- SecureBootMode = SECURE_BOOT_MODE_DISABLE;
- }
- Status = AuthServiceInternalUpdateVariable (
- EFI_SECURE_BOOT_MODE_NAME,
- &gEfiGlobalVariableGuid,
- &SecureBootMode,
- sizeof (UINT8),
- EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SETUP_MODE_NAME, mPlatformMode));
- DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_MODE_NAME, SecureBootMode));
- DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_ENABLE_NAME, SecureBootEnable));
-
- //
// Initialize "CustomMode" in STANDARD_SECURE_BOOT_MODE state.
//
CustomMode = STANDARD_SECURE_BOOT_MODE;
@@ -455,10 +380,16 @@ AuthVariableLibProcessVariable (
{
EFI_STATUS Status;
+ //
+ // Process PK, KEK, Sigdb, AuditMode, DeployedMode separately.
+ //
if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){
Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, TRUE);
} else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) {
Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, FALSE);
+ } else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)
+ && (StrCmp (VariableName, EFI_AUDIT_MODE_NAME) == 0 || StrCmp (VariableName, EFI_DEPLOYED_MODE_NAME) == 0)) {
+ Status = ProcessSecureBootModeVar(VariableName, VendorGuid, Data, DataSize, Attributes);
} else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) ||
(StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||
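Review bot: The added branch routes writes to `EFI_AUDIT_MODE_NAME` and `EFI_DEPLOYED_MODE_NAME` to `ProcessSecureBootModeVar`, which is not shown here and, judging by its name, does not share the PK-based path of the two branches above. Since these variables change how Secure Boot is enforced, the handler should be confirmed to reject any `DataSize` other than `sizeof (UINT8)`, unexpected `Attributes`, and transitions not allowed from the current mode, and the added comment could say so: `// AuditMode/DeployedMode are validated against the current mode in ProcessSecureBootModeVar ().` As a style point, the call is written `ProcessSecureBootModeVar(VariableName, ...` without the space before the parenthesis, and the `&&` leads its line where the neighbouring conditions end theirs with it. The if/else chain and the function body continue outside the hunk.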