1. Remove “Force clear PK” feature in AuthVarialbe driver.

2. Update API ForceClearPK() to UserPhysicalPresent() in PlatformSecureLib. 2. Update SecureBootConfigDxe driver and AuthVariable driver to support Custom Secure Boot Mode feature. 3. Fix some bugs in AuthVariable driver. Signed-off-by: sfu5 Reviewed-by: tye Reviewed-by: gdong1 git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13144 6f19259b-4bc3-4df7-8a09-765794883524
author: sfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524> 2012-03-27 08:17:23 +0000
committer: sfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524> 2012-03-27 08:17:23 +0000
commit: ecc722ad418a926af4e383f8977444717786fe20 (patch)
tree: 3289cf72cd9714daea187a8f1a785b17d70e68e0 /SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
parent: f95f107c8e8bb8d3f35609f4555faa132e162bdd (diff)
download: edk2-platforms-ecc722ad418a926af4e383f8977444717786fe20.tar.xz
1 files changed, 429 insertions, 5 deletions
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
index 603044d26e..7891503631 100644
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
@@ -2,7 +2,7 @@
   The header file of HII Config Access protocol implementation of SecureBoot
   configuration module.
 
-Copyright (c) 2011, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -20,6 +20,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 
 #include <Protocol/HiiConfigAccess.h>
 #include <Protocol/HiiConfigRouting.h>
+#include <Protocol/SimpleFileSystem.h>
+#include <Protocol/BlockIo.h>
+#include <Protocol/DevicePath.h>
+#include <Protocol/DevicePathToText.h>
+#include <Protocol/DebugPort.h>
+#include <Protocol/LoadFile.h>
 
 #include <Library/BaseLib.h>
 #include <Library/BaseMemoryLib.h>
@@ -32,17 +38,158 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <Library/HiiLib.h>
 #include <Library/DevicePathLib.h>
 #include <Library/PrintLib.h>
-
+#include <Library/PlatformSecureLib.h>
+#include <Library/BaseCryptLib.h>
 #include <Guid/MdeModuleHii.h>
 #include <Guid/AuthenticatedVariableFormat.h>
+#include <Guid/FileSystemVolumeLabelInfo.h>
+#include <Guid/ImageAuthentication.h>
+#include <Guid/FileInfo.h>
 
 #include "SecureBootConfigNvData.h"
 
 //
 // Tool generated IFR binary data and String package data
 //
-extern UINT8                        SecureBootConfigBin[];
-extern UINT8                        SecureBootConfigDxeStrings[];
+extern  UINT8                      SecureBootConfigBin[];
+extern  UINT8                      SecureBootConfigDxeStrings[];
+
+//
+// Shared IFR form update data
+//
+extern  VOID                       *mStartOpCodeHandle;
+extern  VOID                       *mEndOpCodeHandle;
+extern  EFI_IFR_GUID_LABEL         *mStartLabel;
+extern  EFI_IFR_GUID_LABEL         *mEndLabel;
+
+#define MAX_CHAR              480
+#define TWO_BYTE_ENCODE       0x82
+
+//
+// SHA-1 digest size in bytes.
+//
+#define SHA1_DIGEST_SIZE    20
+//
+// SHA-256 digest size in bytes
+//
+#define SHA256_DIGEST_SIZE  32
+//
+// Set max digest size as SHA256 Output (32 bytes) by far
+//
+#define MAX_DIGEST_SIZE    SHA256_DIGEST_SIZE
+
+#define WIN_CERT_UEFI_RSA2048_SIZE               256
+
+//
+// Support hash types
+//
+#define HASHALG_SHA1                           0x00000000
+#define HASHALG_SHA224                         0x00000001
+#define HASHALG_SHA256                         0x00000002
+#define HASHALG_SHA384                         0x00000003
+#define HASHALG_SHA512                         0x00000004
+#define HASHALG_MAX                            0x00000005
+
+
+#define SECUREBOOT_MENU_OPTION_SIGNATURE   SIGNATURE_32 ('S', 'b', 'M', 'u')
+#define SECUREBOOT_MENU_ENTRY_SIGNATURE    SIGNATURE_32 ('S', 'b', 'M', 'r')
+
+typedef struct {
+  EFI_DEVICE_PATH_PROTOCOL  Header;
+  EFI_GUID                  Guid;
+  UINT8                     VendorDefinedData[1];
+} VENDOR_DEVICE_PATH_WITH_DATA;
+
+typedef struct {
+  EFI_DEVICE_PATH_PROTOCOL  Header;
+  UINT16                    NetworkProtocol;
+  UINT16                    LoginOption;
+  UINT64                    Lun;
+  UINT16                    TargetPortalGroupTag;
+  CHAR16                    TargetName[1];
+} ISCSI_DEVICE_PATH_WITH_NAME;
+
+typedef enum _FILE_EXPLORER_DISPLAY_CONTEXT {
+  FileExplorerDisplayFileSystem,
+  FileExplorerDisplayDirectory,
+  FileExplorerDisplayUnknown
+} FILE_EXPLORER_DISPLAY_CONTEXT;
+
+typedef enum _FILE_EXPLORER_STATE {
+  FileExplorerStateInActive                      = 0,
+  FileExplorerStateEnrollPkFile,
+  FileExplorerStateEnrollKekFile,
+  FileExplorerStateEnrollSignatureFileToDb,
+  FileExplorerStateEnrollSignatureFileToDbx,
+  FileExplorerStateUnknown
+} FILE_EXPLORER_STATE;
+
+typedef struct {
+  CHAR16  *Str;
+  UINTN   Len;
+  UINTN   Maxlen;
+} POOL_PRINT;
+
+typedef
+VOID
+(*DEV_PATH_FUNCTION) (
+  IN OUT POOL_PRINT       *Str,
+  IN VOID                 *DevPath
+  );
+
+typedef struct {
+  UINT8             Type;
+  UINT8             SubType;
+  DEV_PATH_FUNCTION Function;
+} DEVICE_PATH_STRING_TABLE;
+
+typedef struct {
+  UINTN             Signature;
+  LIST_ENTRY        Head;
+  UINTN             MenuNumber;
+} SECUREBOOT_MENU_OPTION;
+
+extern  SECUREBOOT_MENU_OPTION     FsOptionMenu;
+extern  SECUREBOOT_MENU_OPTION     DirectoryMenu;
+
+typedef struct {
+  UINTN             Signature;
+  LIST_ENTRY        Link;
+  UINTN             OptionNumber;
+  UINT16            *DisplayString;
+  UINT16            *HelpString;
+  EFI_STRING_ID     DisplayStringToken;
+  EFI_STRING_ID     HelpStringToken;
+  VOID              *FileContext;
+} SECUREBOOT_MENU_ENTRY;
+
+typedef struct {
+  EFI_HANDLE                        Handle;
+  EFI_DEVICE_PATH_PROTOCOL          *DevicePath;
+  EFI_FILE_HANDLE                   FHandle;
+  UINT16                            *FileName;
+  EFI_FILE_SYSTEM_VOLUME_LABEL      *Info;
+
+  BOOLEAN                           IsRoot;
+  BOOLEAN                           IsDir;
+  BOOLEAN                           IsRemovableMedia;
+  BOOLEAN                           IsLoadFile;
+  BOOLEAN                           IsBootLegacy;
+} SECUREBOOT_FILE_CONTEXT;
+
+
+//
+// We define another format of 5th directory entry: security directory
+//
+typedef struct {
+  UINT32               Offset;      // Offset of certificate
+  UINT32               SizeOfCert;  // size of certificate appended
+} EFI_IMAGE_SECURITY_DATA_DIRECTORY;
+
+typedef enum{
+  ImageType_IA32,
+  ImageType_X64
+} IMAGE_TYPE;
 
 ///
 /// HII specific Vendor Device Path definition.
@@ -59,6 +206,13 @@ typedef struct {
   EFI_HII_HANDLE                    HiiHandle;
   EFI_HANDLE                        DriverHandle;
 
+  FILE_EXPLORER_STATE               FeCurrentState;
+  FILE_EXPLORER_DISPLAY_CONTEXT     FeDisplayContext;
+
+  SECUREBOOT_MENU_ENTRY             *MenuEntry;
+  SECUREBOOT_FILE_CONTEXT           *FileContext;
+
+  EFI_GUID                          *SignatureGUID;
 } SECUREBOOT_CONFIG_PRIVATE_DATA;
 
 extern SECUREBOOT_CONFIG_PRIVATE_DATA      mSecureBootConfigPrivateDateTemplate;
@@ -66,13 +220,123 @@ extern SECUREBOOT_CONFIG_PRIVATE_DATA      mSecureBootConfigPrivateDateTemplate;
 #define SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE     SIGNATURE_32 ('S', 'E', 'C', 'B')
 #define SECUREBOOT_CONFIG_PRIVATE_FROM_THIS(a)  CR (a, SECUREBOOT_CONFIG_PRIVATE_DATA, ConfigAccess, SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE)
 
+//
+// Cryptograhpic Key Information
+//
+#pragma pack (push, 1)
+typedef struct _CPL_KEY_INFO {
+  UINT32        KeyLengthInBits;    // Key Length In Bits
+  UINT32        BlockSize;          // Operation Block Size in Bytes
+  UINT32        CipherBlockSize;    // Output Cipher Block Size in Bytes
+  UINT32        KeyType;            // Key Type
+  UINT32        CipherMode;         // Cipher Mode for Symmetric Algorithm
+  UINT32        Flags;              // Additional Key Property Flags
+} CPL_KEY_INFO;
+#pragma pack (pop)
+
+
+/**
+  Retrieves the size, in bytes, of the context buffer required for hash operations.
+
+  @return  The size, in bytes, of the context buffer required for hash operations.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *HASH_GET_CONTEXT_SIZE)(
+  VOID
+  );
+
+/**
+  Initializes user-supplied memory pointed by HashContext as hash context for
+  subsequent use.
+
+  If HashContext is NULL, then ASSERT().
+
+  @param[in, out]  HashContext  Pointer to  Context being initialized.
+
+  @retval TRUE   HASH context initialization succeeded.
+  @retval FALSE  HASH context initialization failed.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *HASH_INIT)(
+  IN OUT  VOID  *HashContext
+  );
+
+
+/**
+  Performs digest on a data buffer of the specified length. This function can
+  be called multiple times to compute the digest of long or discontinuous data streams.
+
+  If HashContext is NULL, then ASSERT().
+
+  @param[in, out]  HashContext  Pointer to the MD5 context.
+  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
+  @param[in]       DataLength  Length of Data buffer in bytes.
+
+  @retval TRUE   HASH data digest succeeded.
+  @retval FALSE  Invalid HASH context. After HashFinal function has been called, the
+                 HASH context cannot be reused.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *HASH_UPDATE)(
+  IN OUT  VOID        *HashContext,
+  IN      CONST VOID  *Data,
+  IN      UINTN       DataLength
+  );
+
+/**
+  Completes hash computation and retrieves the digest value into the specified
+  memory. After this function has been called, the context cannot be used again.
+
+  If HashContext is NULL, then ASSERT().
+  If HashValue is NULL, then ASSERT().
+
+  @param[in, out]  HashContext  Pointer to the MD5 context
+  @param[out]      HashValue   Pointer to a buffer that receives the HASH digest
+                               value (16 bytes).
+
+  @retval TRUE   HASH digest computation succeeded.
+  @retval FALSE  HASH digest computation failed.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *HASH_FINAL)(
+  IN OUT  VOID   *HashContext,
+  OUT     UINT8  *HashValue
+  );
+
+//
+// Hash Algorithm Table
+//
+typedef struct {
+  CHAR16                   *Name;           ///< Name for Hash Algorithm
+  UINTN                    DigestLength;    ///< Digest Length
+  UINT8                    *OidValue;       ///< Hash Algorithm OID ASN.1 Value 
+  UINTN                    OidLength;       ///< Length of Hash OID Value
+  HASH_GET_CONTEXT_SIZE    GetContextSize;  ///< Pointer to Hash GetContentSize function
+  HASH_INIT                HashInit;        ///< Pointer to Hash Init function
+  HASH_UPDATE              HashUpdate;      ///< Pointer to Hash Update function
+  HASH_FINAL               HashFinal;       ///< Pointer to Hash Final function
+} HASH_TABLE;
+
+typedef struct {
+  WIN_CERTIFICATE Hdr;
+  UINT8           CertData[1];
+} WIN_CERTIFICATE_EFI_PKCS;
+
 
 /**
   This function publish the SecureBoot configuration Form.
 
   @param[in, out]  PrivateData   Points to SecureBoot configuration private data.
 
-  @retval EFI_SUCCESS            HII Form is installed for this network device.
+  @retval EFI_SUCCESS            HII Form is installed successfully.
   @retval EFI_OUT_OF_RESOURCES   Not enough resource for HII Form installation.
   @retval Others                 Other errors as indicated.
 
@@ -82,6 +346,7 @@ InstallSecureBootConfigForm (
   IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA  *PrivateData
   );
 
+
 /**
   This function removes SecureBoot configuration Form.
 
@@ -93,6 +358,7 @@ UninstallSecureBootConfigForm (
   IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA    *PrivateData
   );
 
+
 /**
   This function allows a caller to extract the current configuration for one
   or more named elements from the target driver.
@@ -128,6 +394,7 @@ SecureBootExtractConfig (
        OUT EFI_STRING                            *Results
   );
 
+
 /**
   This function processes the results of changes in configuration.
 
@@ -154,6 +421,7 @@ SecureBootRouteConfig (
        OUT EFI_STRING                          *Progress
   );
 
+
 /**
   This function processes the results of changes in configuration.
 
@@ -187,4 +455,160 @@ SecureBootCallback (
      OUT EFI_BROWSER_ACTION_REQUEST            *ActionRequest
   );
 
+
+/**
+  This function converts an input device structure to a Unicode string.
+
+  @param[in] DevPath                  A pointer to the device path structure.
+
+  @return A new allocated Unicode string that represents the device path.
+
+**/
+CHAR16 *
+EFIAPI
+DevicePathToStr (
+  IN EFI_DEVICE_PATH_PROTOCOL     *DevPath
+  );
+
+
+/**
+  Clean up the dynamic opcode at label and form specified by both LabelId. 
+
+  @param[in] LabelId         It is both the Form ID and Label ID for opcode deletion.
+  @param[in] PrivateData     Module private data.
+
+**/
+VOID
+CleanUpPage (
+  IN UINT16                           LabelId,
+  IN SECUREBOOT_CONFIG_PRIVATE_DATA   *PrivateData
+  );
+
+
+/**
+  Update the file explorer page with the refreshed file system.
+
+  @param[in] PrivateData     Module private data.
+  @param[in] KeyValue        Key value to identify the type of data to expect.
+
+  @retval  TRUE           Inform the caller to create a callback packet to exit file explorer.
+  @retval  FALSE          Indicate that there is no need to exit file explorer.
+
+**/
+BOOLEAN
+UpdateFileExplorer (
+  IN SECUREBOOT_CONFIG_PRIVATE_DATA   *PrivateData,
+  IN UINT16                           KeyValue
+  );
+
+
+/**
+  Free resources allocated in Allocate Rountine.
+
+  @param[in, out]  MenuOption        Menu to be freed
+  
+**/
+VOID
+FreeMenu (
+  IN OUT SECUREBOOT_MENU_OPTION        *MenuOption
+  );
+
+
+/**
+  Read file content into BufferPtr, the size of the allocate buffer 
+  is *FileSize plus AddtionAllocateSize.
+
+  @param[in]       FileHandle            The file to be read.
+  @param[in, out]  BufferPtr             Pointers to the pointer of allocated buffer.
+  @param[out]      FileSize              Size of input file
+  @param[in]       AddtionAllocateSize   Addtion size the buffer need to be allocated. 
+                                         In case the buffer need to contain others besides the file content.
+  
+  @retval   EFI_SUCCESS                  The file was read into the buffer.
+  @retval   EFI_INVALID_PARAMETER        A parameter was invalid.
+  @retval   EFI_OUT_OF_RESOURCES         A memory allocation failed.
+  @retval   others                       Unexpected error.
+
+**/
+EFI_STATUS
+ReadFileContent (
+  IN      EFI_FILE_HANDLE           FileHandle,
+  IN OUT  VOID                      **BufferPtr,
+     OUT  UINTN                     *FileSize,
+  IN      UINTN                     AddtionAllocateSize
+  );
+
+
+/**
+  Close an open file handle.
+
+  @param[in] FileHandle           The file handle to close.
+  
+**/
+VOID
+CloseFile (
+  IN EFI_FILE_HANDLE   FileHandle
+  );
+
+
+/**
+  Converts a nonnegative integer to an octet string of a specified length.
+
+  @param[in]   Integer          Pointer to the nonnegative integer to be converted
+  @param[in]   IntSizeInWords   Length of integer buffer in words
+  @param[out]  OctetString      Converted octet string of the specified length 
+  @param[in]   OSSizeInBytes    Intended length of resulting octet string in bytes
+
+Returns:
+
+  @retval   EFI_SUCCESS            Data conversion successfully
+  @retval   EFI_BUFFER_TOOL_SMALL  Buffer is too small for output string
+
+**/
+EFI_STATUS
+EFIAPI
+Int2OctStr (
+  IN     CONST UINTN       *Integer,
+  IN     UINTN             IntSizeInWords,
+     OUT UINT8             *OctetString,
+  IN     UINTN             OSSizeInBytes
+  );
+
+
+/**
+  Convert a String to Guid Value.
+
+  @param[in]   Str        Specifies the String to be converted.
+  @param[in]   StrLen     Number of Unicode Characters of String (exclusive \0)
+  @param[out]  Guid       Return the result Guid value.
+
+  @retval    EFI_SUCCESS           The operation is finished successfully.
+  @retval    EFI_NOT_FOUND         Invalid string.
+
+**/
+EFI_STATUS
+StringToGuid (
+  IN   CHAR16           *Str, 
+  IN   UINTN            StrLen, 
+  OUT  EFI_GUID         *Guid
+  );
+
+
+/**
+  Worker function that prints an EFI_GUID into specified Buffer.
+
+  @param[in]     Guid          Pointer to GUID to print.
+  @param[in]     Buffer        Buffer to print Guid into.
+  @param[in]     BufferSize    Size of Buffer.
+  
+  @retval    Number of characters printed.
+
+**/
+UINTN
+GuidToString (
+  IN  EFI_GUID  *Guid,
+  IN  CHAR16    *Buffer,
+  IN  UINTN     BufferSize
+  );
+
 #endif
author	sfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524>	2012-03-27 08:17:23 +0000
committer	sfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524>	2012-03-27 08:17:23 +0000
commit	ecc722ad418a926af4e383f8977444717786fe20 (patch)
tree	3289cf72cd9714daea187a8f1a785b17d70e68e0 /SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
parent	f95f107c8e8bb8d3f35609f4555faa132e162bdd (diff)
download	edk2-platforms-ecc722ad418a926af4e383f8977444717786fe20.tar.xz