From d33896d88d9d32d516129e92e25b80f8fddc6f7b Mon Sep 17 00:00:00 2001 From: Guo Mang Date: Wed, 25 Apr 2018 17:23:25 +0800 Subject: Remove Core Package Remove Core Package since we will use EDK2 code from edk2 repository: https://github.com/tianocore/edk2 Contributed-under: TianoCore Contribution Agreement 1.1 
Signed-off-by: Guo Mang --- .../EsalVariableDxeSal/AuthService.c | 886 ----- .../EsalVariableDxeSal/AuthService.h | 151 - .../EsalVariableDxeSal/EsalVariableDxeSal.inf | 105 - .../EsalVariableDxeSal/EsalVariableDxeSal.uni | 22 - .../EsalVariableDxeSal/EsalVariableDxeSalExtra.uni | 19 - .../EsalVariableDxeSal/InitVariable.c | 247 -- .../EsalVariableDxeSal/Reclaim.c | 262 -- .../EsalVariableDxeSal/Variable.c | 3257 ---------------- .../EsalVariableDxeSal/Variable.h | 505 --- .../SecureBootConfigDxe/SecureBootConfig.vfr | 570 --- .../SecureBootConfigDevicePath.c | 38 - .../SecureBootConfigDxe/SecureBootConfigDriver.c | 133 - .../SecureBootConfigDxe/SecureBootConfigDxe.inf | 127 - .../SecureBootConfigDxe/SecureBootConfigDxe.uni | 21 - .../SecureBootConfigDxeExtra.uni | 19 - .../SecureBootConfigFileExplorer.c | 422 -- .../SecureBootConfigDxe/SecureBootConfigImpl.c | 4080 -------------------- .../SecureBootConfigDxe/SecureBootConfigImpl.h | 567 --- .../SecureBootConfigDxe/SecureBootConfigMisc.c | 195 - .../SecureBootConfigDxe/SecureBootConfigNvData.h | 133 - .../SecureBootConfigStrings.uni | 116 - 21 files changed, 11875 deletions(-) delete mode 100644 Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.c delete mode 100644 Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.h delete mode 100644 Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.inf delete mode 100644 Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.uni delete mode 100644 Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSalExtra.uni delete mode 100644 Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/InitVariable.c delete mode 100644 Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Reclaim.c delete mode 100644 Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.c delete mode 100644 Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.h delete mode 
100644 Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr delete mode 100644 Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDevicePath.c delete mode 100644 Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c delete mode 100644 Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf delete mode 100644 Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.uni delete mode 100644 Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxeExtra.uni delete mode 100644 Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c delete mode 100644 Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c delete mode 100644 Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h delete mode 100644 Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigMisc.c delete mode 100644 Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h delete mode 100644 Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni (limited to 'Core/SecurityPkg/VariableAuthenticated')
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.c b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.c
deleted file mode 100644
index 490a8b3417..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.c
+++ /dev/null
@@ -1,886 +0,0 @@
-/** @file
- Implement authentication services for the authenticated variable
- service in UEFI2.2.
-
-Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "Variable.h"
-#include "AuthService.h"
-
-///
-/// Global database array for scratch
-///
-UINT32 mPubKeyNumber;
-UINT32 mPlatformMode;
-EFI_GUID mSignatureSupport[SIGSUPPORT_NUM] = {EFI_CERT_RSA2048_SHA256_GUID, EFI_CERT_RSA2048_SHA1_GUID};
-//
-// Public Exponent of RSA Key.
-//
-CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
-
-/**
- Initializes for authenticated varibale service.
-
- @retval EFI_SUCCESS The function successfully executed.
- @retval EFI_OUT_OF_RESOURCES Failed to allocate enough memory resources.
-
-**/
-EFI_STATUS
-AutenticatedVariableServiceInitialize (
- VOID
- )
-{
- EFI_STATUS Status;
- VARIABLE_POINTER_TRACK Variable;
- UINT8 VarValue;
- UINT32 VarAttr;
- UINTN DataSize;
- UINTN CtxSize;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN Valid;
-
- ZeroMem (&VariableHeader, sizeof (AUTHENTICATED_VARIABLE_HEADER));
-
- mVariableModuleGlobal->AuthenticatedVariableGuid[Physical] = &gEfiAuthenticatedVariableGuid;
- mVariableModuleGlobal->CertRsa2048Sha256Guid[Physical] = &gEfiCertRsa2048Sha256Guid;
- mVariableModuleGlobal->ImageSecurityDatabaseGuid[Physical] = &gEfiImageSecurityDatabaseGuid;
-
- //
- // Initialize hash context.
- //
- CtxSize = Sha256GetContextSize ();
- mVariableModuleGlobal->HashContext[Physical] = AllocateRuntimePool (CtxSize);
- ASSERT (mVariableModuleGlobal->HashContext[Physical] != NULL);
- //
- // Check "AuthVarKeyDatabase" variable's existence.
- // If it doesn't exist, create a new one with initial value of 0 and EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
- //
- Status = FindVariable (
- mVariableModuleGlobal->VariableName[Physical][VAR_AUTH_KEY_DB],
- &gEfiAuthenticatedVariableGuid,
- &Variable,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance
- );
-
- if (Variable.CurrPtr == 0x0) {
- VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
- VarValue = 0;
- mPubKeyNumber = 0;
- Status = UpdateVariable (
- mVariableModuleGlobal->VariableName[Physical][VAR_AUTH_KEY_DB],
- &gEfiAuthenticatedVariableGuid,
- &VarValue,
- sizeof(UINT8),
- VarAttr,
- 0,
- 0,
- FALSE,
- mVariableModuleGlobal,
- &Variable
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
- } else {
- //
- // Load database in global variable for cache.
- //
- Valid = IsValidVariableHeader (
- Variable.CurrPtr,
- Variable.Volatile,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance,
- &VariableHeader
- );
- ASSERT (Valid);
-
- DataSize = DataSizeOfVariable (&VariableHeader);
- ASSERT (DataSize <= MAX_KEYDB_SIZE);
- GetVariableDataPtr (
- Variable.CurrPtr,
- Variable.Volatile,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance,
- (CHAR16 *) mVariableModuleGlobal->PubKeyStore
- );
-
- mPubKeyNumber = (UINT32) (DataSize / EFI_CERT_TYPE_RSA2048_SIZE);
- }
- //
- // Check "SetupMode" variable's existence.
- // If it doesn't exist, check PK database's existence to determine the value.
- // Then create a new one with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
- //
- Status = FindVariable (
- mVariableModuleGlobal->VariableName[Physical][VAR_SETUP_MODE],
- &gEfiGlobalVariableGuid,
- &Variable,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance
- );
-
- if (Variable.CurrPtr == 0x0) {
- Status = FindVariable (
- mVariableModuleGlobal->VariableName[Physical][VAR_PLATFORM_KEY],
- &gEfiGlobalVariableGuid,
- &Variable,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance
- );
- if (Variable.CurrPtr == 0x0) {
- mPlatformMode = SETUP_MODE;
- } else {
- mPlatformMode = USER_MODE;
- }
-
- VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
- Status = UpdateVariable (
- mVariableModuleGlobal->VariableName[Physical][VAR_SETUP_MODE],
- &gEfiGlobalVariableGuid,
- &mPlatformMode,
- sizeof(UINT8),
- VarAttr,
- 0,
- 0,
- FALSE,
- mVariableModuleGlobal,
- &Variable
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
- } else {
- GetVariableDataPtr (
- Variable.CurrPtr,
- Variable.Volatile,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance,
- (CHAR16 *) &mPlatformMode
- );
- }
- //
- // Check "SignatureSupport" variable's existence.
- // If it doesn't exist, then create a new one with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
- //
- Status = FindVariable (
- EFI_SIGNATURE_SUPPORT_NAME,
- &gEfiGlobalVariableGuid,
- &Variable,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- mVariableModuleGlobal->FvbInstance
- );
-
- if (Variable.CurrPtr == 0x0) {
- VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
- Status = UpdateVariable (
- EFI_SIGNATURE_SUPPORT_NAME,
- &gEfiGlobalVariableGuid,
- mSignatureSupport,
- SIGSUPPORT_NUM * sizeof(EFI_GUID),
- VarAttr,
- 0,
- 0,
- FALSE,
- mVariableModuleGlobal,
- &Variable
- );
- }
-
- return Status;
-}
-
-/**
- Add public key in store and return its index.
-
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] PubKey The input pointer to Public Key data.
-
- @return The index of new added item.
-
-**/
-UINT32
-AddPubKeyInStore (
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN UINT8 *PubKey
- )
-{
- EFI_STATUS Status;
- BOOLEAN IsFound;
- UINT32 Index;
- VARIABLE_POINTER_TRACK Variable;
- UINT8 *Ptr;
-
- if (PubKey == NULL) {
- return 0;
- }
-
- Status = FindVariable (
- Global->VariableName[VirtualMode][VAR_AUTH_KEY_DB],
- Global->AuthenticatedVariableGuid[VirtualMode],
- &Variable,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance
- );
- ASSERT_EFI_ERROR (Status);
- //
- // Check whether the public key entry does exist.
- //
- IsFound = FALSE;
- for (Ptr = Global->PubKeyStore, Index = 1; Index <= mPubKeyNumber; Index++) {
- if (CompareMem (Ptr, PubKey, EFI_CERT_TYPE_RSA2048_SIZE) == 0) {
- IsFound = TRUE;
- break;
- }
- Ptr += EFI_CERT_TYPE_RSA2048_SIZE;
- }
-
- if (!IsFound) {
- //
- // Add public key in database.
- //
- if (mPubKeyNumber == MAX_KEY_NUM) {
- //
- // Notes: Database is full, need enhancement here, currently just return 0.
- //
- return 0;
- }
-
- CopyMem (Global->PubKeyStore + mPubKeyNumber * EFI_CERT_TYPE_RSA2048_SIZE, PubKey, EFI_CERT_TYPE_RSA2048_SIZE);
- Index = ++mPubKeyNumber;
- //
- // Update public key database variable.
- //
- Status = UpdateVariable (
- Global->VariableName[VirtualMode][VAR_AUTH_KEY_DB],
- Global->AuthenticatedVariableGuid[VirtualMode],
- Global->PubKeyStore,
- mPubKeyNumber * EFI_CERT_TYPE_RSA2048_SIZE,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS,
- 0,
- 0,
- VirtualMode,
- Global,
- &Variable
- );
- ASSERT_EFI_ERROR (Status);
- }
-
- return Index;
-}
-
-/**
- Verify data payload with AuthInfo in EFI_CERT_TYPE_RSA2048_SHA256 type.
- Follow the steps in UEFI2.2.
-
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Data The pointer to data with AuthInfo.
- @param[in] DataSize The size of Data.
- @param[in] PubKey The public key used for verification.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_SECURITY_VIOLATION Authentication failed.
- @retval EFI_SUCCESS Authentication successful.
-
-**/
-EFI_STATUS
-VerifyDataPayload (
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN UINT8 *Data,
- IN UINTN DataSize,
- IN UINT8 *PubKey
- )
-{
- BOOLEAN Status;
- EFI_VARIABLE_AUTHENTICATION *CertData;
- EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlock;
- UINT8 Digest[SHA256_DIGEST_SIZE];
- VOID *Rsa;
- VOID *HashContext;
-
- Rsa = NULL;
- CertData = NULL;
- CertBlock = NULL;
-
- if (Data == NULL || PubKey == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- CertData = (EFI_VARIABLE_AUTHENTICATION *) Data;
- CertBlock = (EFI_CERT_BLOCK_RSA_2048_SHA256 *) (CertData->AuthInfo.CertData);
-
- //
- // wCertificateType should be WIN_CERT_TYPE_EFI_GUID.
- // Cert type should be EFI_CERT_TYPE_RSA2048_SHA256.
- //
- if ((CertData->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) ||
- !CompareGuid (&CertData->AuthInfo.CertType, Global->CertRsa2048Sha256Guid[VirtualMode])
- ) {
- //
- // Invalid AuthInfo type, return EFI_SECURITY_VIOLATION.
- //
- return EFI_SECURITY_VIOLATION;
- }
-
- //
- // Hash data payload with SHA256.
- //
- ZeroMem (Digest, SHA256_DIGEST_SIZE);
- HashContext = Global->HashContext[VirtualMode];
- Status = Sha256Init (HashContext);
- if (!Status) {
- goto Done;
- }
- Status = Sha256Update (HashContext, Data + AUTHINFO_SIZE, (UINTN) (DataSize - AUTHINFO_SIZE));
- if (!Status) {
- goto Done;
- }
- //
- // Hash Monotonic Count.
- //
- Status = Sha256Update (HashContext, &CertData->MonotonicCount, sizeof (UINT64));
- if (!Status) {
- goto Done;
- }
- Status = Sha256Final (HashContext, Digest);
- if (!Status) {
- goto Done;
- }
- //
- // Generate & Initialize RSA Context.
- //
- Rsa = RsaNew ();
- ASSERT (Rsa != NULL);
- //
- // Set RSA Key Components.
- // NOTE: Only N and E are needed to be set as RSA public key for signature verification.
- //
- Status = RsaSetKey (Rsa, RsaKeyN, PubKey, EFI_CERT_TYPE_RSA2048_SIZE);
- if (!Status) {
- goto Done;
- }
- Status = RsaSetKey (Rsa, RsaKeyE, mRsaE, sizeof (mRsaE));
- if (!Status) {
- goto Done;
- }
- //
- // Verify the signature.
- //
- Status = RsaPkcs1Verify (
- Rsa,
- Digest,
- SHA256_DIGEST_SIZE,
- CertBlock->Signature,
- EFI_CERT_TYPE_RSA2048_SHA256_SIZE
- );
-
-Done:
- if (Rsa != NULL) {
- RsaFree (Rsa);
- }
- if (Status) {
- return EFI_SUCCESS;
- } else {
- return EFI_SECURITY_VIOLATION;
- }
-}
-
-
-/**
- Update platform mode.
-
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Mode SETUP_MODE or USER_MODE.
-
-**/
-VOID
-UpdatePlatformMode (
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN UINT32 Mode
- )
-{
- EFI_STATUS Status;
- VARIABLE_POINTER_TRACK Variable;
- UINT32 VarAttr;
-
- Status = FindVariable (
- Global->VariableName[VirtualMode][VAR_SETUP_MODE],
- Global->GlobalVariableGuid[VirtualMode],
- &Variable,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance
- );
- ASSERT_EFI_ERROR (Status);
-
- mPlatformMode = Mode;
- VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
- Status = UpdateVariable (
- Global->VariableName[VirtualMode][VAR_SETUP_MODE],
- Global->GlobalVariableGuid[VirtualMode],
- &mPlatformMode,
- sizeof(UINT8),
- VarAttr,
- 0,
- 0,
- VirtualMode,
- Global,
- &Variable
- );
- ASSERT_EFI_ERROR (Status);
-}
-
-/**
- Process variable with platform key for verification.
-
- @param[in] VariableName The name of Variable to be found.
- @param[in] VendorGuid The variable vendor GUID.
- @param[in] Data The data pointer.
- @param[in] DataSize The size of Data found. If size is less than the
- data, this value contains the required size.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
- @param[in] Attributes The attribute value of the variable.
- @param[in] IsPk Indicates whether to process pk.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
- check carried out by the firmware.
- @retval EFI_SUCCESS The variable passed validation successfully.
-
-**/
-EFI_STATUS
-ProcessVarWithPk (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable,
- IN UINT32 Attributes OPTIONAL,
- IN BOOLEAN IsPk
- )
-{
- EFI_STATUS Status;
- VARIABLE_POINTER_TRACK PkVariable;
- EFI_SIGNATURE_LIST *OldPkList;
- EFI_SIGNATURE_DATA *OldPkData;
- EFI_VARIABLE_AUTHENTICATION *CertData;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN Valid;
-
- OldPkList = NULL;
- ZeroMem (&VariableHeader, sizeof (AUTHENTICATED_VARIABLE_HEADER));
-
- if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0) {
- //
- // PK and KEK should set EFI_VARIABLE_NON_VOLATILE attribute.
- //
- return EFI_INVALID_PARAMETER;
- }
-
- if (mPlatformMode == USER_MODE) {
- if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) == 0) {
- //
- // In user mode, PK and KEK should set EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS attribute.
- //
- return EFI_INVALID_PARAMETER;
- }
-
- CertData = (EFI_VARIABLE_AUTHENTICATION *) Data;
-
- if (Variable->CurrPtr != 0x0) {
- Valid = IsValidVariableHeader (
- Variable->CurrPtr,
- Variable->Volatile,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance,
- &VariableHeader
- );
- ASSERT (Valid);
-
- if (CertData->MonotonicCount <= VariableHeader.MonotonicCount) {
- //
- // Monotonic count check fail, suspicious replay attack, return EFI_SECURITY_VIOLATION.
- //
- return EFI_SECURITY_VIOLATION;
- }
- }
- //
- // Get platform key from variable.
- //
- Status = FindVariable (
- Global->VariableName[VirtualMode][VAR_PLATFORM_KEY],
- Global->GlobalVariableGuid[VirtualMode],
- &PkVariable,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance
- );
- ASSERT_EFI_ERROR (Status);
-
- ZeroMem (Global->KeyList, MAX_KEYDB_SIZE);
- GetVariableDataPtr (
- PkVariable.CurrPtr,
- PkVariable.Volatile,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance,
- (CHAR16 *) Global->KeyList
- );
-
- OldPkList = (EFI_SIGNATURE_LIST *) Global->KeyList;
- OldPkData = (EFI_SIGNATURE_DATA *) ((UINT8 *) OldPkList + sizeof (EFI_SIGNATURE_LIST) + OldPkList->SignatureHeaderSize);
- Status = VerifyDataPayload (VirtualMode, Global, Data, DataSize, OldPkData->SignatureData);
- if (!EFI_ERROR (Status)) {
- Status = UpdateVariable (
- VariableName,
- VendorGuid,
- (UINT8*)Data + AUTHINFO_SIZE,
- DataSize - AUTHINFO_SIZE,
- Attributes,
- 0,
- CertData->MonotonicCount,
- VirtualMode,
- Global,
- Variable
- );
-
- if (!EFI_ERROR (Status)) {
- //
- // If delete PK in user mode, need change to setup mode.
- //
- if ((DataSize == AUTHINFO_SIZE) && IsPk) {
- UpdatePlatformMode (VirtualMode, Global, SETUP_MODE);
- }
- }
- }
- } else {
- Status = UpdateVariable (VariableName, VendorGuid, Data, DataSize, Attributes, 0, 0, VirtualMode, Global, Variable);
- //
- // If enroll PK in setup mode, need change to user mode.
- //
- if ((DataSize != 0) && IsPk) {
- UpdatePlatformMode (VirtualMode, Global, USER_MODE);
- }
- }
-
- return Status;
-}
-
-/**
- Process variable with key exchange key for verification.
-
- @param[in] VariableName The name of Variable to be found.
- @param[in] VendorGuid The variable vendor GUID.
- @param[in] Data The data pointer.
- @param[in] DataSize The size of Data found. If size is less than the
- data, this value contains the required size.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
- @param[in] Attributes The attribute value of the variable.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_SECURITY_VIOLATION The variable did NOT pass the validation
- check carried out by the firmware.
- @retval EFI_SUCCESS The variable passed validation successfully.
-
-**/
-EFI_STATUS
-ProcessVarWithKek (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable,
- IN UINT32 Attributes OPTIONAL
- )
-{
- EFI_STATUS Status;
- VARIABLE_POINTER_TRACK KekVariable;
- EFI_SIGNATURE_LIST *KekList;
- EFI_SIGNATURE_DATA *KekItem;
- UINT32 KekCount;
- EFI_VARIABLE_AUTHENTICATION *CertData;
- EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlock;
- BOOLEAN IsFound;
- UINT32 Index;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN Valid;
-
- KekList = NULL;
- ZeroMem (&VariableHeader, sizeof (AUTHENTICATED_VARIABLE_HEADER));
-
- if (mPlatformMode == USER_MODE) {
- if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) == 0) {
- //
- // In user mode, should set EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS attribute.
- //
- return EFI_INVALID_PARAMETER;
- }
-
- CertData = (EFI_VARIABLE_AUTHENTICATION *) Data;
- CertBlock = (EFI_CERT_BLOCK_RSA_2048_SHA256 *) (CertData->AuthInfo.CertData);
- if (Variable->CurrPtr != 0x0) {
- Valid = IsValidVariableHeader (
- Variable->CurrPtr,
- Variable->Volatile,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance,
- &VariableHeader
- );
- ASSERT (Valid);
-
- if (CertData->MonotonicCount <= VariableHeader.MonotonicCount) {
- //
- // Monotonic count check fail, suspicious replay attack, return EFI_SECURITY_VIOLATION.
- //
- return EFI_SECURITY_VIOLATION;
- }
- }
- //
- // Get KEK database from variable.
- //
- Status = FindVariable (
- Global->VariableName[VirtualMode][VAR_KEY_EXCHANGE_KEY],
- Global->GlobalVariableGuid[VirtualMode],
- &KekVariable,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance
- );
- ASSERT_EFI_ERROR (Status);
-
- ZeroMem (Global->KeyList, MAX_KEYDB_SIZE);
- GetVariableDataPtr (
- KekVariable.CurrPtr,
- KekVariable.Volatile,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance,
- (CHAR16 *) Global->KeyList
- );
- //
- // Enumerate all Kek items in this list to verify the variable certificate data.
- // If anyone is authenticated successfully, it means the variable is correct!
- //
- KekList = (EFI_SIGNATURE_LIST *) Global->KeyList;
- IsFound = FALSE;
- KekCount = (KekList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - KekList->SignatureHeaderSize) / KekList->SignatureSize;
- KekItem = (EFI_SIGNATURE_DATA *) ((UINT8 *) KekList + sizeof (EFI_SIGNATURE_LIST) + KekList->SignatureHeaderSize);
- for (Index = 0; Index < KekCount; Index++) {
- if (CompareMem (KekItem->SignatureData, CertBlock->PublicKey, EFI_CERT_TYPE_RSA2048_SIZE) == 0) {
- IsFound = TRUE;
- break;
- }
- KekItem = (EFI_SIGNATURE_DATA *) ((UINT8 *) KekItem + KekList->SignatureSize);
- }
-
- if (!IsFound) {
- return EFI_SECURITY_VIOLATION;
- }
-
- Status = VerifyDataPayload (VirtualMode, Global, Data, DataSize, CertBlock->PublicKey);
- if (!EFI_ERROR (Status)) {
- Status = UpdateVariable (
- VariableName,
- VendorGuid,
- (UINT8*)Data + AUTHINFO_SIZE,
- DataSize - AUTHINFO_SIZE,
- Attributes,
- 0,
- CertData->MonotonicCount,
- VirtualMode,
- Global,
- Variable
- );
- }
- } else {
- //
- // If in setup mode, no authentication needed.
- //
- Status = UpdateVariable (
- VariableName,
- VendorGuid,
- Data,
- DataSize,
- Attributes,
- 0,
- 0,
- VirtualMode,
- Global,
- Variable
- );
- }
-
- return Status;
-}
-
-/**
- Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set, and return the index of associated public key.
-
- @param[in] Data The data pointer.
- @param[in] DataSize The size of Data found. If size is less than the
- data, this value contains the required size.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
- @param[in] Attributes The attribute value of the variable.
- @param[out] KeyIndex The output index of corresponding public key in database.
- @param[out] MonotonicCount The output value of corresponding Monotonic Count.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_WRITE_PROTECTED The variable is write-protected and needs authentication with
- EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
- @retval EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
- set, but the AuthInfo does NOT pass the validation
- check carried out by the firmware.
- @retval EFI_SUCCESS The variable is not write-protected, or passed validation successfully.
-
-**/
-EFI_STATUS
-VerifyVariable (
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable,
- IN UINT32 Attributes OPTIONAL,
- OUT UINT32 *KeyIndex OPTIONAL,
- OUT UINT64 *MonotonicCount OPTIONAL
- )
-{
- EFI_STATUS Status;
- BOOLEAN IsDeletion;
- BOOLEAN IsFirstTime;
- UINT8 *PubKey;
- EFI_VARIABLE_AUTHENTICATION *CertData;
- EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlock;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN Valid;
-
- CertData = NULL;
- CertBlock = NULL;
- PubKey = NULL;
- IsDeletion = FALSE;
- Valid = FALSE;
-
- if (KeyIndex != NULL) {
- *KeyIndex = 0;
- }
- //
- // Determine if first time SetVariable with the EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS.
- //
- ZeroMem (&VariableHeader, sizeof (AUTHENTICATED_VARIABLE_HEADER));
- if (Variable->CurrPtr != 0x0) {
- Valid = IsValidVariableHeader (
- Variable->CurrPtr,
- Variable->Volatile,
- &Global->VariableGlobal[VirtualMode],
- Global->FvbInstance,
- &VariableHeader
- );
- ASSERT (Valid);
- }
-
- if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {
- if (KeyIndex == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Determine current operation type.
- //
- if (DataSize == AUTHINFO_SIZE) {
- IsDeletion = TRUE;
- }
- //
- // Determine whether this is the first time with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
- //
- if (Variable->CurrPtr == 0x0) {
- IsFirstTime = TRUE;
- } else if (Valid &&(VariableHeader.Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) == 0) {
- IsFirstTime = TRUE;
- } else {
- *KeyIndex = VariableHeader.PubKeyIndex;
- IsFirstTime = FALSE;
- }
- } else if (Valid && (VariableHeader.Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {
- //
- // If the variable is already write-protected, it always needs authentication before update.
- //
- return EFI_WRITE_PROTECTED;
- } else {
- //
- // If without EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS, set and attributes collision.
- // That means it is not authenticated variable, just return EFI_SUCCESS.
- //
- return EFI_SUCCESS;
- }
-
- //
- // Get PubKey and check Monotonic Count value corresponding to the variable.
- //
- CertData = (EFI_VARIABLE_AUTHENTICATION *) Data;
- CertBlock = (EFI_CERT_BLOCK_RSA_2048_SHA256 *) (CertData->AuthInfo.CertData);
- PubKey = CertBlock->PublicKey;
-
- if (MonotonicCount != NULL) {
- //
- // Update Monotonic Count value.
- //
- *MonotonicCount = CertData->MonotonicCount;
- }
-
- if (!IsFirstTime) {
- //
- // Check input PubKey.
- //
- if (CompareMem (PubKey, Global->PubKeyStore + (*KeyIndex - 1) * EFI_CERT_TYPE_RSA2048_SIZE, EFI_CERT_TYPE_RSA2048_SIZE) != 0) {
- return EFI_SECURITY_VIOLATION;
- }
- //
- // Compare the current monotonic count and ensure that it is greater than the last SetVariable
- // operation with the EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS attribute set.
- //
- if (CertData->MonotonicCount <= VariableHeader.MonotonicCount) {
- //
- // Monotonic count check fail, suspicious replay attack, return EFI_SECURITY_VIOLATION.
- //
- return EFI_SECURITY_VIOLATION;
- }
- }
- //
- // Verify the certificate in Data payload.
- //
- Status = VerifyDataPayload (VirtualMode, Global, Data, DataSize, PubKey);
- if (!EFI_ERROR (Status)) {
- //
- // Now, the signature has been verified!
- //
- if (IsFirstTime && !IsDeletion) {
- //
- // Update public key database variable if need and return the index.
- //
- *KeyIndex = AddPubKeyInStore (VirtualMode, Global, PubKey);
- }
- }
-
- return Status;
-}
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.h b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.h
deleted file mode 100644
index f3e15f61e2..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/AuthService.h
+++ /dev/null
@@ -1,151 +0,0 @@
-/** @file
- The internal header file includes the common header files, defines
- internal structure and functions used by AuthService module.
-
-Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef _AUTHSERVICE_H_
-#define _AUTHSERVICE_H_
-
-#define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256
-#define EFI_CERT_TYPE_RSA2048_SIZE 256
-
-///
-/// Size of AuthInfo prior to the data payload
-///
-#define AUTHINFO_SIZE (((UINTN)(((EFI_VARIABLE_AUTHENTICATION *) 0)->AuthInfo.CertData)) + sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
-
-///
-/// Item number of support signature types.
-///
-#define SIGSUPPORT_NUM 2
-
-/**
- Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set, and return the index of associated public key.
-
- @param[in] Data The data pointer.
- @param[in] DataSize The size of Data found. If size is less than the
- data, this value contains the required size.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
- @param[in] Attributes The attribute value of the variable.
- @param[out] KeyIndex The output index of corresponding public key in database.
- @param[out] MonotonicCount The output value of corresponding Monotonic Count.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_WRITE_PROTECTED The variable is write-protected and needs authentication with
- EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
- @retval EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
- set, but the AuthInfo does NOT pass the validation
- check carried out by the firmware.
- @retval EFI_SUCCESS The variable is not write-protected, or passed validation successfully.
-
-**/
-EFI_STATUS
-VerifyVariable (
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable,
- IN UINT32 Attributes OPTIONAL,
- OUT UINT32 *KeyIndex OPTIONAL,
- OUT UINT64 *MonotonicCount OPTIONAL
- );
-
-/**
- Initializes for authenticated varibale service.
-
- @retval EFI_SUCCESS The function successfully executed.
- @retval EFI_OUT_OF_RESOURCES Failed to allocate enough memory resources.
-
-**/
-EFI_STATUS
-AutenticatedVariableServiceInitialize (
- VOID
- );
-
-/**
- Initializes for cryptlib service before use, include register algrithm and allocate scratch.
-
-**/
-VOID
-CryptLibraryInitialize (
- VOID
- );
-
-/**
- Process variable with platform key for verification.
-
- @param[in] VariableName The name of Variable to be found.
- @param[in] VendorGuid Variable vendor GUID.
- @param[in] Data The data pointer.
- @param[in] DataSize The size of Data found. If size is less than the
- data, this value contains the required size.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
- @param[in] Attributes The attribute value of the variable.
- @param[in] IsPk Indicates whether to process pk.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
- check carried out by the firmware.
- @retval EFI_SUCCESS The variable passed validation successfully.
-
-**/
-EFI_STATUS
-ProcessVarWithPk (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable,
- IN UINT32 Attributes OPTIONAL,
- IN BOOLEAN IsPk
- );
-
-/**
- Process variable with key exchange key for verification.
-
- @param[in] VariableName The name of Variable to be found.
- @param[in] VendorGuid The variable vendor GUID.
- @param[in] Data The data pointer.
- @param[in] DataSize Size of Data found. If size is less than the
- data, this value contains the required size.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
- @param[in] Variable The variable information which is used to keep track of variable usage.
- @param[in] Attributes The attribute value of the variable.
-
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
- check carried out by the firmware.
- @retval EFI_SUCCESS The variable passed validation successfully.
-
-**/
-EFI_STATUS
-ProcessVarWithKek (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN VOID *Data,
- IN UINTN DataSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN VARIABLE_POINTER_TRACK *Variable,
- IN UINT32 Attributes OPTIONAL
- );
-
-#endif
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.inf b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.inf
deleted file mode 100644
index 16caa30dad..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.inf
+++ /dev/null
@@ -1,105 +0,0 @@
-## @file
-# Provides authenticated variable service for IPF platform
-#
-# This module installs variable arch protocol and variable write arch protocol to provide
-# four EFI_RUNTIME_SERVICES: SetVariable, GetVariable, GetNextVariableName and QueryVariableInfo.
-#
-# Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-##
-
-[Defines]
- INF_VERSION = 0x00010005
- BASE_NAME = EsalVariableDxeSal
- MODULE_UNI_FILE = EsalVariableDxeSal.uni
- FILE_GUID = 14610837-4E97-4427-96E0-21D9B2956996
- MODULE_TYPE = DXE_SAL_DRIVER
- VERSION_STRING = 1.0
-
- ENTRY_POINT = VariableServiceInitialize
-
-#
-# The following information is for reference only and not required by the build tools.
-#
-# VALID_ARCHITECTURES = IPF
-#
-# VIRTUAL_ADDRESS_MAP_CALLBACK = VariableClassAddressChangeEvent
-#
-
-[Sources.common]
- InitVariable.c
- Reclaim.c
- Variable.c
- Variable.h
- AuthService.c
- AuthService.h
-
-[Packages]
- MdePkg/MdePkg.dec
- MdeModulePkg/MdeModulePkg.dec
- CryptoPkg/CryptoPkg.dec
- SecurityPkg/SecurityPkg.dec
-
-[LibraryClasses]
- MemoryAllocationLib
- BaseLib
- SynchronizationLib
- UefiLib
- UefiBootServicesTableLib
- BaseMemoryLib
- DebugLib
- UefiRuntimeLib
- DxeServicesTableLib
- UefiDriverEntryPoint
- PcdLib
- ExtendedSalLib
- BaseCryptLib
- HobLib
-
-[Protocols]
- gEfiFirmwareVolumeBlockProtocolGuid ## SOMETIMES_CONSUMES
- gEfiFaultTolerantWriteProtocolGuid ## SOMETIMES_CONSUMES
-
-[Guids]
- ## SOMETIMES_CONSUMES ## Variable:L"PK"
- ## CONSUMES ## Variable:L"SetupMode"
- ## PRODUCES ## Variable:L"SetupMode"
- ## CONSUMES ## Variable:L"SignatureSupport"
- ## PRODUCES ## Variable:L"SignatureSupport"
- gEfiGlobalVariableGuid
-
- ## PRODUCES ## GUID # Variable store header
- ## CONSUMES ## GUID # Variable store header
- ## SOMETIMES_CONSUMES ## HOB
- ## SOMETIMES_PRODUCES ## SystemTable
- gEfiAuthenticatedVariableGuid
-
- gEfiEventVirtualAddressChangeGuid ## CONSUMES ## 
Event
- gEfiCertRsa2048Sha256Guid ## CONSUMES ## GUID # Unique ID for the format of the CertType.
-
- ## SOMETIMES_CONSUMES ## Variable:L"DB"
- ## SOMETIMES_CONSUMES ## Variable:L"DBX"
- gEfiImageSecurityDatabaseGuid
-
-[Pcd.common]
- gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableSize ## CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase ## SOMETIMES_CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize ## CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdMaxHardwareErrorVariableSize ## CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize ## CONSUMES
- gEfiMdeModulePkgTokenSpaceGuid.PcdHwErrStorageSize ## CONSUMES
-
-[FeaturePcd.common]
- gEfiMdeModulePkgTokenSpaceGuid.PcdVariableCollectStatistics ## CONSUMES # statistic the information of variable.
-
-[Depex]
- gEfiExtendedSalFvBlockServicesProtocolGuid AND gEfiFaultTolerantWriteProtocolGuid
-
-[UserExtensions.TianoCore."ExtraFiles"]
- EsalVariableDxeSalExtra.uni
\ No newline at end of file
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.uni b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.uni
deleted file mode 100644
index 08588fc10d..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSal.uni
+++ /dev/null
@@ -1,22 +0,0 @@
-// /** @file
-// Provides authenticated variable service for IPF platform
-//
-// This module installs variable arch protocol and variable write arch protocol to provide
-// four EFI_RUNTIME_SERVICES: SetVariable, GetVariable, GetNextVariableName and QueryVariableInfo.
-//
-// Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
-//
-// This program and the accompanying materials
-// are licensed and made available under the terms and conditions of the BSD License
-// which accompanies this distribution. The full text of the license may be found at
-// http://opensource.org/licenses/bsd-license.php
-// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-//
-// **/
-
-
-#string STR_MODULE_ABSTRACT #language en-US "Provides authenticated variable service for IPF platform"
-
-#string STR_MODULE_DESCRIPTION #language en-US "This module installs variable arch protocol and variable write arch protocol to provide four EFI_RUNTIME_SERVICES: SetVariable, GetVariable, GetNextVariableName and QueryVariableInfo."
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSalExtra.uni b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSalExtra.uni
deleted file mode 100644
index cb65895210..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/EsalVariableDxeSalExtra.uni
+++ /dev/null
@@ -1,19 +0,0 @@
-// /** @file
-// EsalVariableDxeSal Localized Strings and Content
-//
-// Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
-//
-// This program and the accompanying materials
-// are licensed and made available under the terms and conditions of the BSD License
-// which accompanies this distribution. The full text of the license may be found at
-// http://opensource.org/licenses/bsd-license.php
-// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-//
-// **/
-
-#string STR_PROPERTIES_MODULE_NAME
-#language en-US
-"Esal Authenticated Variable DXE"
-
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/InitVariable.c b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/InitVariable.c
deleted file mode 100644
index 0f1d645622..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/InitVariable.c
+++ /dev/null
@@ -1,247 +0,0 @@
-/** @file
- Entrypoint of Extended SAL variable service module.
-
-Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "Variable.h"
-#include "AuthService.h"
-
-//
-// Don't use module globals after the SetVirtualAddress map is signaled
-//
-EFI_EVENT mEfiVirtualNotifyEvent;
-
-/**
- Common entry for Extended SAL Variable Services Class.
-
- This is the common entry of all functions of Extended SAL Variable Services Class.
-
- @param[in] FunctionId The Function ID of member function in Extended SAL Variable Services Class.
- @param[in] Arg2 The 2nd parameter for SAL procedure call.
- @param[in] Arg3 The 3rd parameter for SAL procedure call.
- @param[in] Arg4 The 4th parameter for SAL procedure call.
- @param[in] Arg5 The 5th parameter for SAL procedure call.
- @param[in] Arg6 The 6th parameter for SAL procedure call.
- @param[in] Arg7 The 7th parameter for SAL procedure call.
- @param[in] Arg8 The 8th parameter for SAL procedure call.
- @param[in] VirtualMode The current calling mode for this function.
- @param[in] Global The context of this Extended SAL Variable Services Class call.
-
- @return The register of SAL.
- -**/ -SAL_RETURN_REGS -EFIAPI -EsalVariableCommonEntry ( - IN UINT64 FunctionId, - IN UINT64 Arg2, - IN UINT64 Arg3, - IN UINT64 Arg4, - IN UINT64 Arg5, - IN UINT64 Arg6, - IN UINT64 Arg7, - IN UINT64 Arg8, - IN BOOLEAN VirtualMode, - IN ESAL_VARIABLE_GLOBAL *Global - ) -{ - SAL_RETURN_REGS ReturnVal; - - ReturnVal.r9 = 0; - ReturnVal.r10 = 0; - ReturnVal.r11 = 0; - - switch (FunctionId) { - case EsalGetVariableFunctionId: - ReturnVal.Status = EsalGetVariable ( - (CHAR16 *) Arg2, - (EFI_GUID *) Arg3, - (UINT32 *) Arg4, - (UINTN *) Arg5, - (VOID *) Arg6, - VirtualMode, - Global - ); - return ReturnVal; - - case EsalGetNextVariableNameFunctionId: - ReturnVal.Status = EsalGetNextVariableName ( - (UINTN *) Arg2, - (CHAR16 *) Arg3, - (EFI_GUID *) Arg4, - VirtualMode, - Global - ); - return ReturnVal; - - case EsalSetVariableFunctionId: - ReturnVal.Status = EsalSetVariable ( - (CHAR16 *) Arg2, - (EFI_GUID *) Arg3, - (UINT32) Arg4, - (UINTN) Arg5, - (VOID *) Arg6, - VirtualMode, - Global - ); - return ReturnVal; - - case EsalQueryVariableInfoFunctionId: - ReturnVal.Status = EsalQueryVariableInfo ( - (UINT32) Arg2, - (UINT64 *) Arg3, - (UINT64 *) Arg4, - (UINT64 *) Arg5, - VirtualMode, - Global - ); - return ReturnVal; - - default: - ReturnVal.Status = EFI_SAL_INVALID_ARGUMENT; - return ReturnVal; - } -} - -/** - Notification function of EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE. - - This is a notification function registered on EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event. - It convers pointer to new virtual address. - - @param[in] Event The event whose notification function is being invoked. - @param[in] Context The pointer to the notification function's context. 
- -**/ -VOID -EFIAPI -VariableClassAddressChangeEvent ( - IN EFI_EVENT Event, - IN VOID *Context - ) -{ - UINTN Index; - - CopyMem ( - &mVariableModuleGlobal->VariableGlobal[Virtual], - &mVariableModuleGlobal->VariableGlobal[Physical], - sizeof (VARIABLE_GLOBAL) - ); - - EfiConvertPointer ( - 0x0, - (VOID **) &mVariableModuleGlobal->VariableGlobal[Virtual].NonVolatileVariableBase - ); - EfiConvertPointer ( - 0x0, - (VOID **) &mVariableModuleGlobal->VariableGlobal[Virtual].VolatileVariableBase - ); - - mVariableModuleGlobal->PlatformLangCodes[Virtual] = mVariableModuleGlobal->PlatformLangCodes[Physical]; - EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->PlatformLangCodes[Virtual]); - - mVariableModuleGlobal->LangCodes[Virtual] = mVariableModuleGlobal->LangCodes[Physical]; - EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->LangCodes[Virtual]); - - mVariableModuleGlobal->PlatformLang[Virtual] = mVariableModuleGlobal->PlatformLang[Physical]; - EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->PlatformLang[Virtual]); - - CopyMem ( - mVariableModuleGlobal->VariableName[Virtual], - mVariableModuleGlobal->VariableName[Physical], - sizeof (mVariableModuleGlobal->VariableName[Physical]) - ); - for (Index = 0; Index < NUM_VAR_NAME; Index++) { - EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->VariableName[Virtual][Index]); - } - - mVariableModuleGlobal->GlobalVariableGuid[Virtual] = &gEfiGlobalVariableGuid; - EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->GlobalVariableGuid[Virtual]); - - mVariableModuleGlobal->AuthenticatedVariableGuid[Virtual] = &gEfiAuthenticatedVariableGuid; - EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->AuthenticatedVariableGuid[Virtual]); - - mVariableModuleGlobal->CertRsa2048Sha256Guid[Virtual] = &gEfiCertRsa2048Sha256Guid; - EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->CertRsa2048Sha256Guid[Virtual]); - - mVariableModuleGlobal->ImageSecurityDatabaseGuid[Virtual] = 
&gEfiImageSecurityDatabaseGuid; - EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->ImageSecurityDatabaseGuid[Virtual]); - - mVariableModuleGlobal->HashContext[Virtual] = mVariableModuleGlobal->HashContext[Physical]; - EfiConvertPointer (0x0, (VOID **) &mVariableModuleGlobal->HashContext[Virtual]); -} - -/** - Entry point of Extended SAL Variable service module. - - This function is the entry point of Extended SAL Variable service module. - It registers all functions of Extended SAL Variable class, initializes - variable store for non-volatile and volatile variables, and registers - notification function for EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event. - - @param[in] ImageHandle The Image handle of this driver. - @param[in] SystemTable The pointer of EFI_SYSTEM_TABLE. - - @retval EFI_SUCCESS Extended SAL Variable Services Class successfully registered. - -**/ -EFI_STATUS -EFIAPI -VariableServiceInitialize ( - IN EFI_HANDLE ImageHandle, - IN EFI_SYSTEM_TABLE *SystemTable - ) -{ - EFI_STATUS Status; - - Status = gBS->CreateEventEx ( - EVT_NOTIFY_SIGNAL, - TPL_NOTIFY, - VariableClassAddressChangeEvent, - NULL, - &gEfiEventVirtualAddressChangeGuid, - &mEfiVirtualNotifyEvent - ); - - ASSERT_EFI_ERROR (Status); - - Status = VariableCommonInitialize (ImageHandle, SystemTable); - ASSERT_EFI_ERROR (Status); - - // - // Authenticated variable initialize - // - Status = AutenticatedVariableServiceInitialize (); - ASSERT_EFI_ERROR (Status); - - FlushHob2Nv (); - - // - // Register All the Functions with Extended SAL Variable Services Class - // - RegisterEsalClass ( - EFI_EXTENDED_SAL_VARIABLE_SERVICES_PROTOCOL_GUID_LO, - EFI_EXTENDED_SAL_VARIABLE_SERVICES_PROTOCOL_GUID_HI, - mVariableModuleGlobal, - EsalVariableCommonEntry, - EsalGetVariableFunctionId, - EsalVariableCommonEntry, - EsalGetNextVariableNameFunctionId, - EsalVariableCommonEntry, - EsalSetVariableFunctionId, - EsalVariableCommonEntry, - EsalQueryVariableInfoFunctionId, - NULL - ); - - return EFI_SUCCESS; -} 
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Reclaim.c b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Reclaim.c deleted file mode 100644 index 1cbf9ac877..0000000000 --- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Reclaim.c +++ /dev/null @@ -1,262 +0,0 @@ -/** @file - Handles non-volatile variable store garbage collection, using FTW - (Fault Tolerant Write) protocol. - -Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "Variable.h" - -/** - Gets firmware volume block handle by given address. - - This function gets firmware volume block handle whose - address range contains the parameter Address. - - @param[in] Address Address which should be contained - by returned FVB handle. - @param[out] FvbHandle Pointer to FVB handle for output. - - @retval EFI_SUCCESS FVB handle successfully returned. - @retval EFI_NOT_FOUND Failed to find FVB handle by address. - -**/ -EFI_STATUS -GetFvbHandleByAddress ( - IN EFI_PHYSICAL_ADDRESS Address, - OUT EFI_HANDLE *FvbHandle - ) -{ - EFI_STATUS Status; - EFI_HANDLE *HandleBuffer; - UINTN HandleCount; - UINTN Index; - EFI_PHYSICAL_ADDRESS FvbBaseAddress; - EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL *Fvb; - EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader; - - *FvbHandle = NULL; - // - // Locate all handles with Firmware Volume Block protocol - // - Status = gBS->LocateHandleBuffer ( - ByProtocol, - &gEfiFirmwareVolumeBlockProtocolGuid, - NULL, - &HandleCount, - &HandleBuffer - ); - if (EFI_ERROR (Status)) { - return EFI_NOT_FOUND; - } - // - // Traverse all the handles, searching for the one containing parameter Address - // - for (Index = 0; Index < HandleCount; Index += 1) { - Status = gBS->HandleProtocol ( - HandleBuffer[Index], - &gEfiFirmwareVolumeBlockProtocolGuid, - (VOID **) &Fvb - ); - if (EFI_ERROR (Status)) { - Status = EFI_NOT_FOUND; - break; - } - // - // Checks if the address range of this handle contains parameter Address - // - Status = Fvb->GetPhysicalAddress (Fvb, &FvbBaseAddress); - if (EFI_ERROR (Status)) { - continue; - } - 
- FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER *) ((UINTN) FvbBaseAddress); - if ((Address >= FvbBaseAddress) && (Address <= (FvbBaseAddress + FwVolHeader->FvLength))) { - *FvbHandle = HandleBuffer[Index]; - Status = EFI_SUCCESS; - break; - } - } - - FreePool (HandleBuffer); - return Status; -} - -/** - Gets LBA of block and offset by given address. - - This function gets the Logical Block Address (LBA) of firmware - volume block containing the given address, and the offset of - address on the block. - - @param[in] Address Address which should be contained - by returned FVB handle. - @param[out] Lba The pointer to LBA for output. - @param[out] Offset The pointer to offset for output. - - @retval EFI_SUCCESS LBA and offset successfully returned. - @retval EFI_NOT_FOUND Failed to find FVB handle by address. - @retval EFI_ABORTED Failed to find valid LBA and offset. - -**/ -EFI_STATUS -GetLbaAndOffsetByAddress ( - IN EFI_PHYSICAL_ADDRESS Address, - OUT EFI_LBA *Lba, - OUT UINTN *Offset - ) -{ - EFI_STATUS Status; - EFI_HANDLE FvbHandle; - EFI_PHYSICAL_ADDRESS FvbBaseAddress; - EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL *Fvb; - EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader; - EFI_FV_BLOCK_MAP_ENTRY *FvbMapEntry; - UINT32 LbaIndex; - - *Lba = (EFI_LBA) (-1); - *Offset = 0; - - // - // Gets firmware volume block handle by given address. 
- // - Status = GetFvbHandleByAddress (Address, &FvbHandle); - if (EFI_ERROR (Status)) { - return Status; - } - - Status = gBS->HandleProtocol ( - FvbHandle, - &gEfiFirmwareVolumeBlockProtocolGuid, - (VOID **) &Fvb - ); - if (EFI_ERROR (Status)) { - return Status; - } - // - // Get the Base Address of FV - // - Status = Fvb->GetPhysicalAddress (Fvb, &FvbBaseAddress); - if (EFI_ERROR (Status)) { - return Status; - } - - FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER *) ((UINTN) FvbBaseAddress); - - // - // Get the (LBA, Offset) of Address - // - if ((Address >= FvbBaseAddress) && (Address <= (FvbBaseAddress + FwVolHeader->FvLength))) { - if ((FwVolHeader->FvLength) > (FwVolHeader->HeaderLength)) { - // - // BUGBUG: Assume one FV has one type of BlockLength - // - FvbMapEntry = &FwVolHeader->BlockMap[0]; - for (LbaIndex = 1; LbaIndex <= FvbMapEntry->NumBlocks; LbaIndex += 1) { - if (Address < (FvbBaseAddress + FvbMapEntry->Length * LbaIndex)) { - // - // Found the (Lba, Offset) - // - *Lba = LbaIndex - 1; - *Offset = (UINTN) (Address - (FvbBaseAddress + FvbMapEntry->Length * (LbaIndex - 1))); - return EFI_SUCCESS; - } - } - } - } - - return EFI_ABORTED; -} - -/** - Writes a buffer to variable storage space. - - This function writes a buffer to variable storage space into firmware - volume block device. The destination is specified by parameter - VariableBase. Fault Tolerant Write protocol is used for writing. - - @param[in] VariableBase The base address of the variable to write. - @param[in] Buffer Points to the data buffer. - @param[in] BufferSize The number of bytes of the data Buffer. - - @retval EFI_SUCCESS The function completed successfully. - @retval EFI_NOT_FOUND Fail to locate Fault Tolerant Write protocol. - @retval Other The function could not complete successfully. 
- -**/ -EFI_STATUS -FtwVariableSpace ( - IN EFI_PHYSICAL_ADDRESS VariableBase, - IN UINT8 *Buffer, - IN UINTN BufferSize - ) -{ - EFI_STATUS Status; - EFI_HANDLE FvbHandle; - EFI_LBA VarLba; - UINTN VarOffset; - UINT8 *FtwBuffer; - UINTN FtwBufferSize; - EFI_FAULT_TOLERANT_WRITE_PROTOCOL *FtwProtocol; - - // - // Locate Fault Tolerant Write protocol - // - Status = gBS->LocateProtocol ( - &gEfiFaultTolerantWriteProtocolGuid, - NULL, - (VOID **) &FtwProtocol - ); - if (EFI_ERROR (Status)) { - return EFI_NOT_FOUND; - } - // - // Gets firmware volume block handle by VariableBase. - // - Status = GetFvbHandleByAddress (VariableBase, &FvbHandle); - if (EFI_ERROR (Status)) { - return Status; - } - // - // Gets LBA of block and offset by VariableBase. - // - Status = GetLbaAndOffsetByAddress (VariableBase, &VarLba, &VarOffset); - if (EFI_ERROR (Status)) { - return EFI_ABORTED; - } - // - // Prepare for the variable data - // - FtwBufferSize = ((VARIABLE_STORE_HEADER *) ((UINTN) VariableBase))->Size; - FtwBuffer = AllocatePool (FtwBufferSize); - if (FtwBuffer == NULL) { - return EFI_OUT_OF_RESOURCES; - } - - SetMem (FtwBuffer, FtwBufferSize, (UINT8) 0xff); - CopyMem (FtwBuffer, Buffer, BufferSize); - - // - // FTW write record - // - Status = FtwProtocol->Write ( - FtwProtocol, - VarLba, // LBA - VarOffset, // Offset - FtwBufferSize, // NumBytes, - NULL, - FvbHandle, - FtwBuffer - ); - - FreePool (FtwBuffer); - return Status; -} diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.c b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.c deleted file mode 100644 index dfa85973f4..0000000000 --- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.c +++ /dev/null @@ -1,3257 +0,0 @@ -/** @file - The implementation of Extended SAL variable services. - -Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "Variable.h" -#include "AuthService.h" - -// -// Don't use module globals after the SetVirtualAddress map is signaled -// -ESAL_VARIABLE_GLOBAL *mVariableModuleGlobal; -CHAR16 *mVariableName[NUM_VAR_NAME] = { - L"PlatformLangCodes", - L"LangCodes", - L"PlatformLang", - L"Lang", - L"HwErrRec", - AUTHVAR_KEYDB_NAME, - EFI_SETUP_MODE_NAME, - EFI_PLATFORM_KEY_NAME, - EFI_KEY_EXCHANGE_KEY_NAME -}; - -GLOBAL_REMOVE_IF_UNREFERENCED VARIABLE_INFO_ENTRY *gVariableInfo = NULL; - -// -// The current Hii implementation accesses this variable a larg # of times on every boot. -// Other common variables are only accessed a single time. This is why this cache algorithm -// only targets a single variable. Probably to get an performance improvement out of -// a Cache you would need a cache that improves the search performance for a variable. -// -VARIABLE_CACHE_ENTRY mVariableCache[] = { - { - &gEfiGlobalVariableGuid, - L"Lang", - 0x00000000, - 0x00, - NULL - }, - { - &gEfiGlobalVariableGuid, - L"PlatformLang", - 0x00000000, - 0x00, - NULL - } -}; - -/** - Acquires lock only at boot time. Simply returns at runtime. - - This is a temperary function which will be removed when - EfiAcquireLock() in UefiLib can handle the call in UEFI - Runtimer driver in RT phase. - It calls EfiAcquireLock() at boot time, and simply returns - at runtime. - - @param[in] Lock A pointer to the lock to acquire. - -**/ -VOID -AcquireLockOnlyAtBootTime ( - IN EFI_LOCK *Lock - ) -{ - if (!EfiAtRuntime ()) { - EfiAcquireLock (Lock); - } -} - -/** - Releases lock only at boot time. 
Simply returns at runtime. - - This is a temperary function which will be removed when - EfiReleaseLock() in UefiLib can handle the call in UEFI - Runtimer driver in RT phase. - It calls EfiReleaseLock() at boot time, and simply returns - at runtime - - @param[in] Lock A pointer to the lock to release. - -**/ -VOID -ReleaseLockOnlyAtBootTime ( - IN EFI_LOCK *Lock - ) -{ - if (!EfiAtRuntime ()) { - EfiReleaseLock (Lock); - } -} - -/** - Reads/Writes variable storage, volatile or non-volatile. - - This function reads or writes volatile or non-volatile variable stroage. - For volatile storage, it performs memory copy. - For non-volatile storage, it accesses data on firmware storage. Data - area to access can span multiple firmware blocks. - - @param[in] Write TRUE - Write variable store. - FALSE - Read variable store. - @param[in] Global Pointer to VARAIBLE_GLOBAL structure. - @param[in] Volatile TRUE - Variable is volatile. - FALSE - Variable is non-volatile. - @param[in] Instance Instance of FV Block services. - @param[in] StartAddress Start address of data to access. - @param[in] DataSize Size of data to access. - @param[in, out] Buffer For write, pointer to the buffer from which data is written. - For read, pointer to the buffer to hold the data read. - - @retval EFI_SUCCESS Variable store successfully accessed. - @retval EFI_INVALID_PARAMETER Data area to access exceeds valid variable storage. 
- -**/ -EFI_STATUS -AccessVariableStore ( - IN BOOLEAN Write, - IN VARIABLE_GLOBAL *Global, - IN BOOLEAN Volatile, - IN UINTN Instance, - IN EFI_PHYSICAL_ADDRESS StartAddress, - IN UINT32 DataSize, - IN OUT VOID *Buffer - ) -{ - EFI_FV_BLOCK_MAP_ENTRY *PtrBlockMapEntry; - UINTN BlockIndex; - UINTN LinearOffset; - UINTN CurrWriteSize; - UINTN CurrWritePtr; - UINT8 *CurrBuffer; - EFI_LBA LbaNumber; - UINTN Size; - EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader; - VARIABLE_STORE_HEADER *VolatileBase; - EFI_PHYSICAL_ADDRESS FvVolHdr; - EFI_STATUS Status; - VARIABLE_STORE_HEADER *VariableStoreHeader; - - FvVolHdr = 0; - FwVolHeader = NULL; - - if (Volatile) { - // - // If data is volatile, simply calculate the data pointer and copy memory. - // Data pointer should point to the actual address where data is to be - // accessed. - // - VolatileBase = (VARIABLE_STORE_HEADER *) ((UINTN) Global->VolatileVariableBase); - - if ((StartAddress + DataSize) > ((UINTN) ((UINT8 *) VolatileBase + VolatileBase->Size))) { - return EFI_INVALID_PARAMETER; - } - - // - // For volatile variable, a simple memory copy is enough. - // - if (Write) { - CopyMem ((VOID *) StartAddress, Buffer, DataSize); - } else { - CopyMem (Buffer, (VOID *) StartAddress, DataSize); - } - - return EFI_SUCCESS; - } - - // - // If data is non-volatile, calculate firmware volume header and data pointer. 
- // - Status = (EFI_STATUS) EsalCall ( - EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_LO, - EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_HI, - GetPhysicalAddressFunctionId, - Instance, - (UINT64) &FvVolHdr, - 0, - 0, - 0, - 0, - 0 - ).Status; - ASSERT_EFI_ERROR (Status); - - FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER *) ((UINTN) FvVolHdr); - ASSERT (FwVolHeader != NULL); - VariableStoreHeader = (VARIABLE_STORE_HEADER *)(FwVolHeader + 1); - - if ((StartAddress + DataSize) > ((EFI_PHYSICAL_ADDRESS) (UINTN) ((CHAR8 *)VariableStoreHeader + VariableStoreHeader->Size))) { - return EFI_INVALID_PARAMETER; - } - - LinearOffset = (UINTN) FwVolHeader; - CurrWritePtr = StartAddress; - CurrWriteSize = DataSize; - CurrBuffer = Buffer; - LbaNumber = 0; - - if (CurrWritePtr < LinearOffset) { - return EFI_INVALID_PARAMETER; - } - - // - // Traverse data blocks of this firmware storage to find the one where CurrWritePtr locates - // - for (PtrBlockMapEntry = FwVolHeader->BlockMap; PtrBlockMapEntry->NumBlocks != 0; PtrBlockMapEntry++) { - for (BlockIndex = 0; BlockIndex < PtrBlockMapEntry->NumBlocks; BlockIndex++) { - if ((CurrWritePtr >= LinearOffset) && (CurrWritePtr < LinearOffset + PtrBlockMapEntry->Length)) { - // - // Check to see if the data area to access spans multiple blocks. - // - if ((CurrWritePtr + CurrWriteSize) <= (LinearOffset + PtrBlockMapEntry->Length)) { - // - // If data area to access is contained in one block, just access and return. 
- // - if (Write) { - Status = (EFI_STATUS) EsalCall ( - EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_LO, - EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_HI, - WriteFunctionId, - Instance, - LbaNumber, - (CurrWritePtr - LinearOffset), - (UINT64) &CurrWriteSize, - (UINT64) CurrBuffer, - 0, - 0 - ).Status; - } else { - Status = (EFI_STATUS) EsalCall ( - EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_LO, - EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_HI, - ReadFunctionId, - Instance, - LbaNumber, - (CurrWritePtr - LinearOffset), - (UINT64) &CurrWriteSize, - (UINT64) CurrBuffer, - 0, - 0 - ).Status; - } - return Status; - } else { - // - // If data area to access spans multiple blocks, access this one and adjust for the next one. - // - Size = (UINT32) (LinearOffset + PtrBlockMapEntry->Length - CurrWritePtr); - if (Write) { - Status = (EFI_STATUS) EsalCall ( - EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_LO, - EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_HI, - WriteFunctionId, - Instance, - LbaNumber, - (CurrWritePtr - LinearOffset), - (UINT64) &Size, - (UINT64) CurrBuffer, - 0, - 0 - ).Status; - } else { - Status = (EFI_STATUS) EsalCall ( - EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_LO, - EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_HI, - ReadFunctionId, - Instance, - LbaNumber, - (CurrWritePtr - LinearOffset), - (UINT64) &Size, - (UINT64) CurrBuffer, - 0, - 0 - ).Status; - } - if (EFI_ERROR (Status)) { - return Status; - } - // - // Adjust for the remaining data. - // - CurrWritePtr = LinearOffset + PtrBlockMapEntry->Length; - CurrBuffer = CurrBuffer + Size; - CurrWriteSize = CurrWriteSize - Size; - } - } - - LinearOffset += PtrBlockMapEntry->Length; - LbaNumber++; - } - } - - return EFI_SUCCESS; -} - -/** - Retrieves header of volatile or non-volatile variable stroage. - - @param[in] VarStoreAddress Start address of variable storage. - @param[in] Volatile TRUE - Variable storage is volatile. - FALSE - Variable storage is non-volatile. 
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure. - @param[in] Instance Instance of FV Block services. - @param[out] VarStoreHeader Pointer to VARIABLE_STORE_HEADER for output. - -**/ -VOID -GetVarStoreHeader ( - IN EFI_PHYSICAL_ADDRESS VarStoreAddress, - IN BOOLEAN Volatile, - IN VARIABLE_GLOBAL *Global, - IN UINTN Instance, - OUT VARIABLE_STORE_HEADER *VarStoreHeader - ) -{ - EFI_STATUS Status; - - Status = AccessVariableStore ( - FALSE, - Global, - Volatile, - Instance, - VarStoreAddress, - sizeof (VARIABLE_STORE_HEADER), - VarStoreHeader - ); - ASSERT_EFI_ERROR (Status); -} - -/** - Checks variable header. - - This function checks if variable header is valid or not. - - @param[in] VariableAddress Start address of variable header. - @param[in] Volatile TRUE - Variable is volatile. - FALSE - Variable is non-volatile. - @param[in] Global Pointer to VARAIBLE_GLOBAL structure. - @param[in] Instance Instance of FV Block services. - @param[out] VariableHeader Pointer to AUTHENTICATED_VARIABLE_HEADER for output. - - @retval TRUE Variable header is valid. - @retval FALSE Variable header is not valid. - -**/ -BOOLEAN -IsValidVariableHeader ( - IN EFI_PHYSICAL_ADDRESS VariableAddress, - IN BOOLEAN Volatile, - IN VARIABLE_GLOBAL *Global, - IN UINTN Instance, - OUT AUTHENTICATED_VARIABLE_HEADER *VariableHeader OPTIONAL - ) -{ - EFI_STATUS Status; - AUTHENTICATED_VARIABLE_HEADER LocalVariableHeader; - - Status = AccessVariableStore ( - FALSE, - Global, - Volatile, - Instance, - VariableAddress, - sizeof (AUTHENTICATED_VARIABLE_HEADER), - &LocalVariableHeader - ); - - if (EFI_ERROR (Status) || LocalVariableHeader.StartId != VARIABLE_DATA) { - return FALSE; - } - - if (VariableHeader != NULL) { - CopyMem (VariableHeader, &LocalVariableHeader, sizeof (AUTHENTICATED_VARIABLE_HEADER)); - } - - return TRUE; -} - -/** - Gets status of variable store. - - This function gets the current status of variable store. 
- - @param[in] VarStoreHeader Pointer to header of variable store. - - @retval EfiRaw Variable store status is raw. - @retval EfiValid Variable store status is valid. - @retval EfiInvalid Variable store status is invalid. - -**/ -VARIABLE_STORE_STATUS -GetVariableStoreStatus ( - IN VARIABLE_STORE_HEADER *VarStoreHeader - ) -{ - - if (CompareGuid (&VarStoreHeader->Signature, &gEfiAuthenticatedVariableGuid) && - VarStoreHeader->Format == VARIABLE_STORE_FORMATTED && - VarStoreHeader->State == VARIABLE_STORE_HEALTHY - ) { - - return EfiValid; - } else if (((UINT32 *)(&VarStoreHeader->Signature))[0] == 0xffffffff && - ((UINT32 *)(&VarStoreHeader->Signature))[1] == 0xffffffff && - ((UINT32 *)(&VarStoreHeader->Signature))[2] == 0xffffffff && - ((UINT32 *)(&VarStoreHeader->Signature))[3] == 0xffffffff && - VarStoreHeader->Size == 0xffffffff && - VarStoreHeader->Format == 0xff && - VarStoreHeader->State == 0xff - ) { - - return EfiRaw; - } else { - return EfiInvalid; - } -} - -/** - Gets the size of variable name. - - This function gets the size of variable name. - The variable is specified by its variable header. - If variable header contains raw data, just return 0. - - @param[in] Variable Pointer to the variable header. - - @return Size of variable name in bytes. - -**/ -UINTN -NameSizeOfVariable ( - IN AUTHENTICATED_VARIABLE_HEADER *Variable - ) -{ - if (Variable->State == (UINT8) (-1) || - Variable->DataSize == (UINT32) -1 || - Variable->NameSize == (UINT32) -1 || - Variable->Attributes == (UINT32) -1) { - return 0; - } - return (UINTN) Variable->NameSize; -} - -/** - Gets the size of variable data area. - - This function gets the size of variable data area. - The variable is specified by its variable header. - If variable header contains raw data, just return 0. - - @param[in] Variable Pointer to the variable header. - - @return Size of variable data area in bytes. 
-
-**/
-UINTN
-DataSizeOfVariable (
- IN AUTHENTICATED_VARIABLE_HEADER *Variable
- )
-{
- if (Variable->State == (UINT8) -1 ||
- Variable->DataSize == (UINT32) -1 ||
- Variable->NameSize == (UINT32) -1 ||
- Variable->Attributes == (UINT32) -1) {
- return 0;
- }
- return (UINTN) Variable->DataSize;
-}
-
-/**
- Gets the pointer to variable name.
-
- This function gets the pointer to variable name.
- The variable is specified by its variable header.
-
- @param[in] VariableAddress Start address of variable header.
- @param[in] Volatile TRUE - Variable is volatile.
- FALSE - Variable is non-volatile.
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure.
- @param[in] Instance Instance of FV Block services.
- @param[out] VariableName Buffer to hold variable name for output.
-
-**/
-VOID
-GetVariableNamePtr (
- IN EFI_PHYSICAL_ADDRESS VariableAddress,
- IN BOOLEAN Volatile,
- IN VARIABLE_GLOBAL *Global,
- IN UINTN Instance,
- OUT CHAR16 *VariableName
- )
-{
- EFI_STATUS Status;
- EFI_PHYSICAL_ADDRESS Address;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN IsValid;
-
- IsValid = IsValidVariableHeader (VariableAddress, Volatile, Global, Instance, &VariableHeader);
- ASSERT (IsValid);
-
- //
- // Name area follows variable header.
- //
- Address = VariableAddress + sizeof (AUTHENTICATED_VARIABLE_HEADER);
-
- Status = AccessVariableStore (
- FALSE,
- Global,
- Volatile,
- Instance,
- Address,
- VariableHeader.NameSize,
- VariableName
- );
- ASSERT_EFI_ERROR (Status);
-}
-
-/**
- Gets the pointer to variable data area.
-
- This function gets the pointer to variable data area.
- The variable is specified by its variable header.
-
- @param[in] VariableAddress Start address of variable header.
- @param[in] Volatile TRUE - Variable is volatile.
- FALSE - Variable is non-volatile.
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure.
- @param[in] Instance Instance of FV Block services.
- @param[out] VariableData Buffer to hold variable data for output.
-
-**/
-VOID
-GetVariableDataPtr (
- IN EFI_PHYSICAL_ADDRESS VariableAddress,
- IN BOOLEAN Volatile,
- IN VARIABLE_GLOBAL *Global,
- IN UINTN Instance,
- OUT CHAR16 *VariableData
- )
-{
- EFI_STATUS Status;
- EFI_PHYSICAL_ADDRESS Address;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- BOOLEAN IsValid;
-
- IsValid = IsValidVariableHeader (VariableAddress, Volatile, Global, Instance, &VariableHeader);
- ASSERT (IsValid);
-
- //
- // Data area follows variable name.
- // Be careful about pad size for alignment
- //
- Address = VariableAddress + sizeof (AUTHENTICATED_VARIABLE_HEADER);
- Address += NameSizeOfVariable (&VariableHeader);
- Address += GET_PAD_SIZE (NameSizeOfVariable (&VariableHeader));
-
- Status = AccessVariableStore (
- FALSE,
- Global,
- Volatile,
- Instance,
- Address,
- VariableHeader.DataSize,
- VariableData
- );
- ASSERT_EFI_ERROR (Status);
-}
-
-
-/**
- Gets the pointer to the next variable header.
-
- This function gets the pointer to the next variable header.
- The variable is specified by its variable header.
-
- @param[in] VariableAddress Start address of variable header.
- @param[in] Volatile TRUE - Variable is volatile.
- FALSE - Variable is non-volatile.
- @param[in] Global Pointer to VARAIBLE_GLOBAL structure.
- @param[in] Instance Instance of FV Block services.
-
- @return Pointer to the next variable header.
- NULL if variable header is invalid.
- -**/ -EFI_PHYSICAL_ADDRESS -GetNextVariablePtr ( - IN EFI_PHYSICAL_ADDRESS VariableAddress, - IN BOOLEAN Volatile, - IN VARIABLE_GLOBAL *Global, - IN UINTN Instance - ) -{ - EFI_PHYSICAL_ADDRESS Address; - AUTHENTICATED_VARIABLE_HEADER VariableHeader; - - if (!IsValidVariableHeader (VariableAddress, Volatile, Global, Instance, &VariableHeader)) { - return 0x0; - } - - // - // Header of next variable follows data area of this variable - // - Address = VariableAddress + sizeof (AUTHENTICATED_VARIABLE_HEADER); - Address += NameSizeOfVariable (&VariableHeader); - Address += GET_PAD_SIZE (NameSizeOfVariable (&VariableHeader)); - Address += DataSizeOfVariable (&VariableHeader); - Address += GET_PAD_SIZE (DataSizeOfVariable (&VariableHeader)); - - // - // Be careful about pad size for alignment - // - return HEADER_ALIGN (Address); -} - -/** - Gets the pointer to the first variable header in given variable store area. - - This function gets the pointer to the first variable header in given variable - store area. The variable store area is given by its start address. - - @param[in] VarStoreHeaderAddress Pointer to the header of variable store area. - - @return Pointer to the first variable header. - -**/ -EFI_PHYSICAL_ADDRESS -GetStartPointer ( - IN EFI_PHYSICAL_ADDRESS VarStoreHeaderAddress - ) -{ - return HEADER_ALIGN (VarStoreHeaderAddress + sizeof (VARIABLE_STORE_HEADER)); -} - -/** - Gets the pointer to the end of given variable store area. - - This function gets the pointer to the end of given variable store area. - The variable store area is given by its start address. - - @param[in] VarStoreHeaderAddress Pointer to the header of variable store area. - @param[in] Volatile TRUE - Variable is volatile. - FALSE - Variable is non-volatile. - @param[in] Global Pointer to VARAIBLE_GLOBAL structure. - @param[in] Instance Instance of FV Block services. - - @return Pointer to the end of given variable store area. 
- -**/ -EFI_PHYSICAL_ADDRESS -GetEndPointer ( - IN EFI_PHYSICAL_ADDRESS VarStoreHeaderAddress, - IN BOOLEAN Volatile, - IN VARIABLE_GLOBAL *Global, - IN UINTN Instance - ) -{ - EFI_STATUS Status; - VARIABLE_STORE_HEADER VariableStoreHeader; - - Status = AccessVariableStore ( - FALSE, - Global, - Volatile, - Instance, - VarStoreHeaderAddress, - sizeof (VARIABLE_STORE_HEADER), - &VariableStoreHeader - ); - - ASSERT_EFI_ERROR (Status); - return HEADER_ALIGN (VarStoreHeaderAddress + VariableStoreHeader.Size); -} - -/** - Updates variable info entry in EFI system table for statistical information. - - Routine used to track statistical information about variable usage. - The data is stored in the EFI system table so it can be accessed later. - VariableInfo.efi can dump out the table. Only Boot Services variable - accesses are tracked by this code. The PcdVariableCollectStatistics - build flag controls if this feature is enabled. - A read that hits in the cache will have Read and Cache true for - the transaction. Data is allocated by this routine, but never - freed. - - @param[in] VariableName Name of the Variable to track. - @param[in] VendorGuid Guid of the Variable to track. - @param[in] Volatile TRUE if volatile FALSE if non-volatile. - @param[in] Read TRUE if GetVariable() was called. - @param[in] Write TRUE if SetVariable() was called. - @param[in] Delete TRUE if deleted via SetVariable(). - @param[in] Cache TRUE for a cache hit. 
-
-**/
-VOID
-UpdateVariableInfo (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN BOOLEAN Volatile,
- IN BOOLEAN Read,
- IN BOOLEAN Write,
- IN BOOLEAN Delete,
- IN BOOLEAN Cache
- )
-{
- VARIABLE_INFO_ENTRY *Entry;
-
- if (FeaturePcdGet (PcdVariableCollectStatistics)) {
-
- if (EfiAtRuntime ()) {
- //
- // Don't collect statistics at runtime
- //
- return;
- }
-
- if (gVariableInfo == NULL) {
- //
- // on the first call allocate a entry and place a pointer to it in
- // the EFI System Table
- //
- gVariableInfo = AllocateZeroPool (sizeof (VARIABLE_INFO_ENTRY));
- ASSERT (gVariableInfo != NULL);
-
- CopyGuid (&gVariableInfo->VendorGuid, VendorGuid);
- gVariableInfo->Name = AllocatePool (StrSize (VariableName));
- ASSERT (gVariableInfo->Name != NULL);
- StrCpyS (gVariableInfo->Name, StrSize (VariableName) / sizeof (CHAR16), VariableName);
- gVariableInfo->Volatile = Volatile;
-
- gBS->InstallConfigurationTable (&gEfiAuthenticatedVariableGuid, gVariableInfo);
- }
-
-
- for (Entry = gVariableInfo; Entry != NULL; Entry = Entry->Next) {
- if (CompareGuid (VendorGuid, &Entry->VendorGuid)) {
- if (StrCmp (VariableName, Entry->Name) == 0) {
- //
- // Find the entry matching both variable name and vender GUID,
- // and update counters for all types.
- //
- if (Read) {
- Entry->ReadCount++;
- }
- if (Write) {
- Entry->WriteCount++;
- }
- if (Delete) {
- Entry->DeleteCount++;
- }
- if (Cache) {
- Entry->CacheCount++;
- }
-
- return;
- }
- }
-
- if (Entry->Next == NULL) {
- //
- // If the entry is not in the table add it.
- // Next iteration of the loop will fill in the data - // - Entry->Next = AllocateZeroPool (sizeof (VARIABLE_INFO_ENTRY)); - ASSERT (Entry->Next != NULL); - - CopyGuid (&Entry->Next->VendorGuid, VendorGuid); - Entry->Next->Name = AllocatePool (StrSize (VariableName)); - ASSERT (Entry->Next->Name != NULL); - StrCpyS (Entry->Next->Name, StrSize (VariableName) / sizeof (CHAR16), VariableName); - Entry->Next->Volatile = Volatile; - } - - } - } -} - -/** - Updates variable in cache. - - This function searches the variable cache. If the variable to set exists in the cache, - it updates the variable in cache. It has the same parameters with UEFI SetVariable() - service. - - @param[in] VariableName A Null-terminated Unicode string that is the name of the vendor's - variable. Each VariableName is unique for each VendorGuid. - @param[in] VendorGuid A unique identifier for the vendor. - @param[in] Attributes Attributes bitmask to set for the variable. - @param[in] DataSize The size in bytes of the Data buffer. A size of zero causes the - variable to be deleted. - @param[in] Data The contents for the variable. - -**/ -VOID -UpdateVariableCache ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - IN UINT32 Attributes, - IN UINTN DataSize, - IN VOID *Data - ) -{ - VARIABLE_CACHE_ENTRY *Entry; - UINTN Index; - - if (EfiAtRuntime ()) { - // - // Don't use the cache at runtime - // - return; - } - - // - // Searches cache for the variable to update. If it exists, update it. - // - for (Index = 0, Entry = mVariableCache; Index < sizeof (mVariableCache)/sizeof (VARIABLE_CACHE_ENTRY); Index++, Entry++) { - if (CompareGuid (VendorGuid, Entry->Guid)) { - if (StrCmp (VariableName, Entry->Name) == 0) { - Entry->Attributes = Attributes; - if (DataSize == 0) { - // - // If DataSize is 0, delete the variable. 
- // - if (Entry->DataSize != 0) { - FreePool (Entry->Data); - } - Entry->DataSize = DataSize; - } else if (DataSize == Entry->DataSize) { - // - // If size of data does not change, simply copy data - // - CopyMem (Entry->Data, Data, DataSize); - } else { - // - // If size of data changes, allocate pool and copy data. - // - Entry->Data = AllocatePool (DataSize); - ASSERT (Entry->Data != NULL); - Entry->DataSize = DataSize; - CopyMem (Entry->Data, Data, DataSize); - } - } - } - } -} - - -/** - Search the cache to check if the variable is in it. - - This function searches the variable cache. If the variable to find exists, return its data - and attributes. - - @param[in] VariableName A Null-terminated Unicode string that is the name of the vendor's - variable. Each VariableName is unique for each VendorGuid. - @param[in] VendorGuid A unique identifier for the vendor - @param[out] Attributes Pointer to the attributes bitmask of the variable for output. - @param[in, out] DataSize On input, size of the buffer of Data. - On output, size of the variable's data. - @param[out] Data Pointer to the data buffer for output. - - @retval EFI_SUCCESS VariableGuid & VariableName data was returned. - @retval EFI_NOT_FOUND No matching variable found in cache. - @retval EFI_BUFFER_TOO_SMALL *DataSize is smaller than size of the variable's data to return. 
- -**/ -EFI_STATUS -FindVariableInCache ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - OUT UINT32 *Attributes OPTIONAL, - IN OUT UINTN *DataSize, - OUT VOID *Data - ) -{ - VARIABLE_CACHE_ENTRY *Entry; - UINTN Index; - - if (EfiAtRuntime ()) { - // - // Don't use the cache at runtime - // - return EFI_NOT_FOUND; - } - - // - // Searches cache for the variable - // - for (Index = 0, Entry = mVariableCache; Index < sizeof (mVariableCache)/sizeof (VARIABLE_CACHE_ENTRY); Index++, Entry++) { - if (CompareGuid (VendorGuid, Entry->Guid)) { - if (StrCmp (VariableName, Entry->Name) == 0) { - if (Entry->DataSize == 0) { - // - // Variable has been deleted so return EFI_NOT_FOUND - // - return EFI_NOT_FOUND; - } else if (Entry->DataSize > *DataSize) { - // - // If buffer is too small, return the size needed and EFI_BUFFER_TOO_SMALL - // - *DataSize = Entry->DataSize; - return EFI_BUFFER_TOO_SMALL; - } else { - // - // If buffer is large enough, return the data - // - *DataSize = Entry->DataSize; - CopyMem (Data, Entry->Data, Entry->DataSize); - // - // If Attributes is not NULL, return the variable's attribute. - // - if (Attributes != NULL) { - *Attributes = Entry->Attributes; - } - return EFI_SUCCESS; - } - } - } - } - - return EFI_NOT_FOUND; -} - -/** - Finds variable in volatile and non-volatile storage areas. - - This code finds variable in volatile and non-volatile storage areas. - If VariableName is an empty string, then we just return the first - qualified variable without comparing VariableName and VendorGuid. - Otherwise, VariableName and VendorGuid are compared. - - @param[in] VariableName Name of the variable to be found. - @param[in] VendorGuid Vendor GUID to be found. - @param[out] PtrTrack VARIABLE_POINTER_TRACK structure for output, - including the range searched and the target position. - @param[in] Global Pointer to VARIABLE_GLOBAL structure, including - base of volatile variable storage area, base of - NV variable storage area, and a lock. 
- @param[in] Instance Instance of FV Block services. - - @retval EFI_INVALID_PARAMETER If VariableName is not an empty string, while - VendorGuid is NULL. - @retval EFI_SUCCESS Variable successfully found. - @retval EFI_INVALID_PARAMETER Variable not found. - -**/ -EFI_STATUS -FindVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - OUT VARIABLE_POINTER_TRACK *PtrTrack, - IN VARIABLE_GLOBAL *Global, - IN UINTN Instance - ) -{ - EFI_PHYSICAL_ADDRESS Variable[2]; - EFI_PHYSICAL_ADDRESS InDeletedVariable; - EFI_PHYSICAL_ADDRESS VariableStoreHeader[2]; - UINTN InDeletedStorageIndex; - UINTN Index; - CHAR16 LocalVariableName[MAX_NAME_SIZE]; - BOOLEAN Volatile; - AUTHENTICATED_VARIABLE_HEADER VariableHeader; - - // - // 0: Volatile, 1: Non-Volatile - // The index and attributes mapping must be kept in this order as RuntimeServiceGetNextVariableName - // make use of this mapping to implement search algorithme. - // - VariableStoreHeader[0] = Global->VolatileVariableBase; - VariableStoreHeader[1] = Global->NonVolatileVariableBase; - - // - // Start Pointers for the variable. - // Actual Data Pointer where data can be written. 
- //
- Variable[0] = GetStartPointer (VariableStoreHeader[0]);
- Variable[1] = GetStartPointer (VariableStoreHeader[1]);
-
- if (VariableName[0] != 0 && VendorGuid == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Find the variable by walk through volatile and then non-volatile variable store
- //
- InDeletedVariable = 0x0;
- InDeletedStorageIndex = 0;
- Volatile = TRUE;
- for (Index = 0; Index < 2; Index++) {
- if (Index == 1) {
- Volatile = FALSE;
- }
- while (IsValidVariableHeader (Variable[Index], Volatile, Global, Instance, &VariableHeader)) {
- if (VariableHeader.State == VAR_ADDED ||
- VariableHeader.State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)
- ) {
- if (!EfiAtRuntime () || ((VariableHeader.Attributes & EFI_VARIABLE_RUNTIME_ACCESS) != 0)) {
- if (VariableName[0] == 0) {
- //
- // If VariableName is an empty string, then we just find the first qualified variable
- // without comparing VariableName and VendorGuid
- //
- if (VariableHeader.State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)) {
- //
- // If variable is in delete transition, record it.
- //
- InDeletedVariable = Variable[Index];
- InDeletedStorageIndex = Index;
- } else {
- //
- // If variable is not in delete transition, return it.
- //
- PtrTrack->StartPtr = GetStartPointer (VariableStoreHeader[Index]);
- PtrTrack->EndPtr = GetEndPointer (VariableStoreHeader[Index], Volatile, Global, Instance);
- PtrTrack->CurrPtr = Variable[Index];
- PtrTrack->Volatile = Volatile;
-
- return EFI_SUCCESS;
- }
- } else {
- //
- // If VariableName is not an empty string, then VariableName and VendorGuid are compared.
- //
- if (CompareGuid (VendorGuid, &VariableHeader.VendorGuid)) {
- GetVariableNamePtr (
- Variable[Index],
- Volatile,
- Global,
- Instance,
- LocalVariableName
- );
-
- ASSERT (NameSizeOfVariable (&VariableHeader) != 0);
- if (CompareMem (VariableName, LocalVariableName, NameSizeOfVariable (&VariableHeader)) == 0) {
- if (VariableHeader.State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)) {
- //
- // If variable is in delete transition, record it.
- // We will use if only no VAR_ADDED variable is found.
- //
- InDeletedVariable = Variable[Index];
- InDeletedStorageIndex = Index;
- } else {
- //
- // If variable is not in delete transition, return it.
- //
- PtrTrack->StartPtr = GetStartPointer (VariableStoreHeader[Index]);
- PtrTrack->EndPtr = GetEndPointer (VariableStoreHeader[Index], Volatile, Global, Instance);
- PtrTrack->CurrPtr = Variable[Index];
- PtrTrack->Volatile = Volatile;
-
- return EFI_SUCCESS;
- }
- }
- }
- }
- }
- }
-
- Variable[Index] = GetNextVariablePtr (
- Variable[Index],
- Volatile,
- Global,
- Instance
- );
- }
- if (InDeletedVariable != 0x0) {
- //
- // If no VAR_ADDED variable is found, and only variable in delete transition, then use this one.
- //
- PtrTrack->StartPtr = GetStartPointer (VariableStoreHeader[InDeletedStorageIndex]);
- PtrTrack->EndPtr = GetEndPointer (
- VariableStoreHeader[InDeletedStorageIndex],
- (BOOLEAN)(InDeletedStorageIndex == 0),
- Global,
- Instance
- );
- PtrTrack->CurrPtr = InDeletedVariable;
- PtrTrack->Volatile = (BOOLEAN)(InDeletedStorageIndex == 0);
- return EFI_SUCCESS;
- }
- }
- PtrTrack->CurrPtr = 0x0;
- return EFI_NOT_FOUND;
-}
-
-/**
- Variable store garbage collection and reclaim operation.
-
- @param[in] VariableBase Base address of variable store area.
- @param[out] LastVariableOffset Offset of last variable.
- @param[in] IsVolatile The variable store is volatile or not,
- if it is non-volatile, need FTW.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
- @param[in] UpdatingVariable Pointer to header of the variable that is being updated.
-
- @retval EFI_SUCCESS Variable store successfully reclaimed.
- @retval EFI_OUT_OF_RESOURCES Fail to allocate memory buffer to hold all valid variables.
-
-**/
-EFI_STATUS
-Reclaim (
- IN EFI_PHYSICAL_ADDRESS VariableBase,
- OUT UINTN *LastVariableOffset,
- IN BOOLEAN IsVolatile,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global,
- IN EFI_PHYSICAL_ADDRESS UpdatingVariable
- )
-{
- EFI_PHYSICAL_ADDRESS Variable;
- EFI_PHYSICAL_ADDRESS AddedVariable;
- EFI_PHYSICAL_ADDRESS NextVariable;
- EFI_PHYSICAL_ADDRESS NextAddedVariable;
- VARIABLE_STORE_HEADER VariableStoreHeader;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- AUTHENTICATED_VARIABLE_HEADER AddedVariableHeader;
- CHAR16 VariableName[MAX_NAME_SIZE];
- CHAR16 AddedVariableName[MAX_NAME_SIZE];
- UINT8 *ValidBuffer;
- UINTN MaximumBufferSize;
- UINTN VariableSize;
- UINTN NameSize;
- UINT8 *CurrPtr;
- BOOLEAN FoundAdded;
- EFI_STATUS Status;
- VARIABLE_GLOBAL *VariableGlobal;
- UINT32 Instance;
-
- VariableGlobal = &Global->VariableGlobal[VirtualMode];
- Instance = Global->FvbInstance;
-
- GetVarStoreHeader (VariableBase, IsVolatile, VariableGlobal, Instance, &VariableStoreHeader);
- //
- // recaluate the total size of Common/HwErr type variables in non-volatile area.
- //
- if (!IsVolatile) {
- Global->CommonVariableTotalSize = 0;
- Global->HwErrVariableTotalSize = 0;
- }
-
- //
- // Calculate the size of buffer needed to gather all valid variables
- //
- Variable = GetStartPointer (VariableBase);
- MaximumBufferSize = sizeof (VARIABLE_STORE_HEADER);
-
- while (IsValidVariableHeader (Variable, IsVolatile, VariableGlobal, Instance, &VariableHeader)) {
- NextVariable = GetNextVariablePtr (Variable, IsVolatile, VariableGlobal, Instance);
- //
- // Collect VAR_ADDED variables, and variables in delete transition status.
- //
- if (VariableHeader.State == VAR_ADDED ||
- VariableHeader.State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)
- ) {
- VariableSize = NextVariable - Variable;
- MaximumBufferSize += VariableSize;
- }
-
- Variable = NextVariable;
- }
-
- //
- // Reserve the 1 Bytes with Oxff to identify the
- // end of the variable buffer.
- //
- MaximumBufferSize += 1;
- ValidBuffer = AllocatePool (MaximumBufferSize);
- if (ValidBuffer == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- SetMem (ValidBuffer, MaximumBufferSize, 0xff);
-
- //
- // Copy variable store header
- //
- CopyMem (ValidBuffer, &VariableStoreHeader, sizeof (VARIABLE_STORE_HEADER));
- CurrPtr = (UINT8 *) GetStartPointer ((EFI_PHYSICAL_ADDRESS) ValidBuffer);
-
- //
- // Reinstall all ADDED variables
- //
- Variable = GetStartPointer (VariableBase);
- while (IsValidVariableHeader (Variable, IsVolatile, VariableGlobal, Instance, &VariableHeader)) {
- NextVariable = GetNextVariablePtr (Variable, IsVolatile, VariableGlobal, Instance);
- if (VariableHeader.State == VAR_ADDED) {
- VariableSize = NextVariable - Variable;
- CopyMem (CurrPtr, (UINT8 *) Variable, VariableSize);
- CurrPtr += VariableSize;
- if ((!IsVolatile) && ((((AUTHENTICATED_VARIABLE_HEADER*)Variable)->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD)) {
- Global->HwErrVariableTotalSize += VariableSize;
- } else if ((!IsVolatile) && ((((AUTHENTICATED_VARIABLE_HEADER*)Variable)->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != EFI_VARIABLE_HARDWARE_ERROR_RECORD)) {
- Global->CommonVariableTotalSize += VariableSize;
- }
- }
- Variable = NextVariable;
- }
- //
- // Reinstall in delete transition variables
- //
- Variable = GetStartPointer (VariableBase);
- while (IsValidVariableHeader (Variable, IsVolatile, VariableGlobal, Instance, &VariableHeader)) {
- NextVariable = GetNextVariablePtr (Variable, IsVolatile, VariableGlobal, Instance);
- if (VariableHeader.State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)) {
-
- //
- // Buffer has cached all ADDED variable.
- // Per IN_DELETED variable, we have to guarantee that
- // no ADDED one in previous buffer.
- //
- FoundAdded = FALSE;
- AddedVariable = GetStartPointer ((EFI_PHYSICAL_ADDRESS) ValidBuffer);
- while (IsValidVariableHeader (AddedVariable, IsVolatile, VariableGlobal, Instance, &AddedVariableHeader)) {
- NextAddedVariable = GetNextVariablePtr (AddedVariable, IsVolatile, VariableGlobal, Instance);
- NameSize = NameSizeOfVariable (&AddedVariableHeader);
- if (CompareGuid (&AddedVariableHeader.VendorGuid, &VariableHeader.VendorGuid) &&
- NameSize == NameSizeOfVariable (&VariableHeader)
- ) {
- GetVariableNamePtr (Variable, IsVolatile, VariableGlobal, Instance, VariableName);
- GetVariableNamePtr (AddedVariable, IsVolatile, VariableGlobal, Instance, AddedVariableName);
- if (CompareMem (VariableName, AddedVariableName, NameSize) == 0) {
- //
- // If ADDED variable with the same name and vender GUID has been reinstalled,
- // then discard this IN_DELETED copy.
- //
- FoundAdded = TRUE;
- break;
- }
- }
- AddedVariable = NextAddedVariable;
- }
- //
- // Add IN_DELETE variables that have not been added to buffer
- //
- if (!FoundAdded) {
- VariableSize = NextVariable - Variable;
- CopyMem (CurrPtr, (UINT8 *) Variable, VariableSize);
- if (Variable != UpdatingVariable) {
- //
- // Make this IN_DELETE instance valid if:
- // 1. No valid instance of this variable exists.
- // 2. It is not the variable that is going to be updated.
- // - ((AUTHENTICATED_VARIABLE_HEADER *) CurrPtr)->State = VAR_ADDED; - } - CurrPtr += VariableSize; - if ((!IsVolatile) && ((((AUTHENTICATED_VARIABLE_HEADER*)Variable)->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD)) { - Global->HwErrVariableTotalSize += VariableSize; - } else if ((!IsVolatile) && ((((AUTHENTICATED_VARIABLE_HEADER*)Variable)->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != EFI_VARIABLE_HARDWARE_ERROR_RECORD)) { - Global->CommonVariableTotalSize += VariableSize; - } - } - } - Variable = NextVariable; - } - - if (IsVolatile) { - // - // If volatile variable store, just copy valid buffer - // - SetMem ((UINT8 *) (UINTN) VariableBase, VariableStoreHeader.Size, 0xff); - CopyMem ((UINT8 *) (UINTN) VariableBase, ValidBuffer, (UINTN) (CurrPtr - (UINT8 *) ValidBuffer)); - Status = EFI_SUCCESS; - } else { - // - // If non-volatile variable store, perform FTW here. - // Write ValidBuffer to destination specified by VariableBase. - // - Status = FtwVariableSpace ( - VariableBase, - ValidBuffer, - (UINTN) (CurrPtr - (UINT8 *) ValidBuffer) - ); - } - if (!EFI_ERROR (Status)) { - *LastVariableOffset = (UINTN) (CurrPtr - (UINT8 *) ValidBuffer); - } else { - *LastVariableOffset = 0; - } - - FreePool (ValidBuffer); - - return Status; -} - -/** - Get index from supported language codes according to language string. - - This code is used to get corresponding index in supported language codes. It can handle - RFC4646 and ISO639 language tags. - In ISO639 language tags, take 3-characters as a delimitation to find matched string and calculate the index. - In RFC4646 language tags, take semicolon as a delimitation to find matched string and calculate the index. - - For example: - SupportedLang = "engfraengfra" - Lang = "eng" - Iso639Language = TRUE - The return value is "0". - Another example: - SupportedLang = "en;fr;en-US;fr-FR" - Lang = "fr-FR" - Iso639Language = FALSE - The return value is "3". 
- - @param[in] SupportedLang Platform supported language codes. - @param[in] Lang Configured language. - @param[in] Iso639Language A bool value to signify if the handler is operated on ISO639 or RFC4646. - - @return The index of language in the language codes. - -**/ -UINTN -GetIndexFromSupportedLangCodes( - IN CHAR8 *SupportedLang, - IN CHAR8 *Lang, - IN BOOLEAN Iso639Language - ) -{ - UINTN Index; - UINTN CompareLength; - UINTN LanguageLength; - - if (Iso639Language) { - CompareLength = ISO_639_2_ENTRY_SIZE; - for (Index = 0; Index < AsciiStrLen (SupportedLang); Index += CompareLength) { - if (AsciiStrnCmp (Lang, SupportedLang + Index, CompareLength) == 0) { - // - // Successfully find the index of Lang string in SupportedLang string. - // - Index = Index / CompareLength; - return Index; - } - } - ASSERT (FALSE); - return 0; - } else { - // - // Compare RFC4646 language code - // - Index = 0; - for (LanguageLength = 0; Lang[LanguageLength] != '\0'; LanguageLength++); - - for (Index = 0; *SupportedLang != '\0'; Index++, SupportedLang += CompareLength) { - // - // Skip ';' characters in SupportedLang - // - for (; *SupportedLang != '\0' && *SupportedLang == ';'; SupportedLang++); - // - // Determine the length of the next language code in SupportedLang - // - for (CompareLength = 0; SupportedLang[CompareLength] != '\0' && SupportedLang[CompareLength] != ';'; CompareLength++); - - if ((CompareLength == LanguageLength) && - (AsciiStrnCmp (Lang, SupportedLang, CompareLength) == 0)) { - // - // Successfully find the index of Lang string in SupportedLang string. - // - return Index; - } - } - ASSERT (FALSE); - return 0; - } -} - -/** - Get language string from supported language codes according to index. - - This code is used to get corresponding language string in supported language codes. It can handle - RFC4646 and ISO639 language tags. - In ISO639 language tags, take 3-characters as a delimitation. Find language string according to the index. 
- In RFC4646 language tags, take semicolon as a delimitation. Find language string according to the index. - - For example: - SupportedLang = "engfraengfra" - Index = "1" - Iso639Language = TRUE - The return value is "fra". - Another example: - SupportedLang = "en;fr;en-US;fr-FR" - Index = "1" - Iso639Language = FALSE - The return value is "fr". - - @param[in] SupportedLang Platform supported language codes. - @param[in] Index the index in supported language codes. - @param[in] Iso639Language A bool value to signify if the handler is operated on ISO639 or RFC4646. - @param[in] VirtualMode Current calling mode for this function. - @param[in] Global Context of this Extended SAL Variable Services Class call. - - @return The language string in the language codes. - -**/ -CHAR8 * -GetLangFromSupportedLangCodes ( - IN CHAR8 *SupportedLang, - IN UINTN Index, - IN BOOLEAN Iso639Language, - IN BOOLEAN VirtualMode, - IN ESAL_VARIABLE_GLOBAL *Global - ) -{ - UINTN SubIndex; - UINTN CompareLength; - CHAR8 *Supported; - - SubIndex = 0; - Supported = SupportedLang; - if (Iso639Language) { - // - // according to the index of Lang string in SupportedLang string to get the language. - // As this code will be invoked in RUNTIME, therefore there is not memory allocate/free operation. - // In driver entry, it pre-allocates a runtime attribute memory to accommodate this string. - // - CompareLength = ISO_639_2_ENTRY_SIZE; - Global->Lang[CompareLength] = '\0'; - return CopyMem (Global->Lang, SupportedLang + Index * CompareLength, CompareLength); - - } else { - while (TRUE) { - // - // take semicolon as delimitation, sequentially traverse supported language codes. - // - for (CompareLength = 0; *Supported != ';' && *Supported != '\0'; CompareLength++) { - Supported++; - } - if ((*Supported == '\0') && (SubIndex != Index)) { - // - // Have completed the traverse, but not find corrsponding string. - // This case is not allowed to happen. 
- // - ASSERT(FALSE); - return NULL; - } - if (SubIndex == Index) { - // - // according to the index of Lang string in SupportedLang string to get the language. - // As this code will be invoked in RUNTIME, therefore there is not memory allocate/free operation. - // In driver entry, it pre-allocates a runtime attribute memory to accommodate this string. - // - Global->PlatformLang[VirtualMode][CompareLength] = '\0'; - return CopyMem (Global->PlatformLang[VirtualMode], Supported - CompareLength, CompareLength); - } - SubIndex++; - - // - // Skip ';' characters in Supported - // - for (; *Supported != '\0' && *Supported == ';'; Supported++); - } - } -} - -/** - Returns a pointer to an allocated buffer that contains the best matching language - from a set of supported languages. - - This function supports both ISO 639-2 and RFC 4646 language codes, but language - code types may not be mixed in a single call to this function. This function - supports a variable argument list that allows the caller to pass in a prioritized - list of language codes to test against all the language codes in SupportedLanguages. - - If SupportedLanguages is NULL, then ASSERT(). - - @param[in] SupportedLanguages A pointer to a Null-terminated ASCII string that - contains a set of language codes in the format - specified by Iso639Language. - @param[in] Iso639Language If TRUE, then all language codes are assumed to be - in ISO 639-2 format. If FALSE, then all language - codes are assumed to be in RFC 4646 language format. - @param[in] VirtualMode Current calling mode for this function. - @param[in] ... A variable argument list that contains pointers to - Null-terminated ASCII strings that contain one or more - language codes in the format specified by Iso639Language. - The first language code from each of these language - code lists is used to determine if it is an exact or - close match to any of the language codes in - SupportedLanguages. 
Close matches only apply to RFC 4646 - language codes, and the matching algorithm from RFC 4647 - is used to determine if a close match is present. If - an exact or close match is found, then the matching - language code from SupportedLanguages is returned. If - no matches are found, then the next variable argument - parameter is evaluated. The variable argument list - is terminated by a NULL. - - @retval NULL The best matching language could not be found in SupportedLanguages. - @retval NULL There are not enough resources available to return the best matching - language. - @retval Other A pointer to a Null-terminated ASCII string that is the best matching - language in SupportedLanguages. - -**/ -CHAR8 * -VariableGetBestLanguage ( - IN CONST CHAR8 *SupportedLanguages, - IN BOOLEAN Iso639Language, - IN BOOLEAN VirtualMode, - ... - ) -{ - VA_LIST Args; - CHAR8 *Language; - UINTN CompareLength; - UINTN LanguageLength; - CONST CHAR8 *Supported; - CHAR8 *Buffer; - - ASSERT (SupportedLanguages != NULL); - - VA_START (Args, VirtualMode); - while ((Language = VA_ARG (Args, CHAR8 *)) != NULL) { - // - // Default to ISO 639-2 mode - // - CompareLength = 3; - LanguageLength = MIN (3, AsciiStrLen (Language)); - - // - // If in RFC 4646 mode, then determine the length of the first RFC 4646 language code in Language - // - if (!Iso639Language) { - for (LanguageLength = 0; Language[LanguageLength] != 0 && Language[LanguageLength] != ';'; LanguageLength++); - } - - // - // Trim back the length of Language used until it is empty - // - while (LanguageLength > 0) { - // - // Loop through all language codes in SupportedLanguages - // - for (Supported = SupportedLanguages; *Supported != '\0'; Supported += CompareLength) { - // - // In RFC 4646 mode, then Loop through all language codes in SupportedLanguages - // - if (!Iso639Language) { - // - // Skip ';' characters in Supported - // - for (; *Supported != '\0' && *Supported == ';'; Supported++); - // - // Determine the length of the 
next language code in Supported - // - for (CompareLength = 0; Supported[CompareLength] != 0 && Supported[CompareLength] != ';'; CompareLength++); - // - // If Language is longer than the Supported, then skip to the next language - // - if (LanguageLength > CompareLength) { - continue; - } - } - // - // See if the first LanguageLength characters in Supported match Language - // - if (AsciiStrnCmp (Supported, Language, LanguageLength) == 0) { - VA_END (Args); - - Buffer = Iso639Language ? mVariableModuleGlobal->Lang : mVariableModuleGlobal->PlatformLang[VirtualMode]; - Buffer[CompareLength] = '\0'; - return CopyMem (Buffer, Supported, CompareLength); - } - } - - if (Iso639Language) { - // - // If ISO 639 mode, then each language can only be tested once - // - LanguageLength = 0; - } else { - // - // If RFC 4646 mode, then trim Language from the right to the next '-' character - // - for (LanguageLength--; LanguageLength > 0 && Language[LanguageLength] != '-'; LanguageLength--); - } - } - } - VA_END (Args); - - // - // No matches were found - // - return NULL; -} - -/** - Hook the operations in PlatformLangCodes, LangCodes, PlatformLang and Lang. - - When setting Lang/LangCodes, simultaneously update PlatformLang/PlatformLangCodes. - According to UEFI spec, PlatformLangCodes/LangCodes are only set once in firmware initialization, - and are read-only. Therefore, in variable driver, only store the original value for other use. - - @param[in] VariableName Name of variable. - @param[in] Data Variable data. - @param[in] DataSize Size of data. 0 means delete. - @param[in] VirtualMode Current calling mode for this function. - @param[in] Global Context of this Extended SAL Variable Services Class call. 
- -**/ -VOID -AutoUpdateLangVariable( - IN CHAR16 *VariableName, - IN VOID *Data, - IN UINTN DataSize, - IN BOOLEAN VirtualMode, - IN ESAL_VARIABLE_GLOBAL *Global - ) -{ - EFI_STATUS Status; - CHAR8 *BestPlatformLang; - CHAR8 *BestLang; - UINTN Index; - UINT32 Attributes; - VARIABLE_POINTER_TRACK Variable; - BOOLEAN SetLanguageCodes; - CHAR16 **PredefinedVariableName; - VARIABLE_GLOBAL *VariableGlobal; - UINT32 Instance; - - // - // Don't do updates for delete operation - // - if (DataSize == 0) { - return; - } - - SetLanguageCodes = FALSE; - VariableGlobal = &Global->VariableGlobal[VirtualMode]; - Instance = Global->FvbInstance; - - - PredefinedVariableName = &Global->VariableName[VirtualMode][0]; - if (StrCmp (VariableName, PredefinedVariableName[VAR_PLATFORM_LANG_CODES]) == 0) { - // - // PlatformLangCodes is a volatile variable, so it can not be updated at runtime. - // - if (EfiAtRuntime ()) { - return; - } - - SetLanguageCodes = TRUE; - - // - // According to UEFI spec, PlatformLangCodes is only set once in firmware initialization, and is read-only - // Therefore, in variable driver, only store the original value for other use. - // - if (Global->PlatformLangCodes[VirtualMode] != NULL) { - FreePool (Global->PlatformLangCodes[VirtualMode]); - } - Global->PlatformLangCodes[VirtualMode] = AllocateRuntimeCopyPool (DataSize, Data); - ASSERT (Global->PlatformLangCodes[VirtualMode] != NULL); - - // - // PlatformLang holds a single language from PlatformLangCodes, - // so the size of PlatformLangCodes is enough for the PlatformLang. - // - if (Global->PlatformLang[VirtualMode] != NULL) { - FreePool (Global->PlatformLang[VirtualMode]); - } - Global->PlatformLang[VirtualMode] = AllocateRuntimePool (DataSize); - ASSERT (Global->PlatformLang[VirtualMode] != NULL); - - } else if (StrCmp (VariableName, PredefinedVariableName[VAR_LANG_CODES]) == 0) { - // - // LangCodes is a volatile variable, so it can not be updated at runtime. 
- // - if (EfiAtRuntime ()) { - return; - } - - SetLanguageCodes = TRUE; - - // - // According to UEFI spec, LangCodes is only set once in firmware initialization, and is read-only - // Therefore, in variable driver, only store the original value for other use. - // - if (Global->LangCodes[VirtualMode] != NULL) { - FreePool (Global->LangCodes[VirtualMode]); - } - Global->LangCodes[VirtualMode] = AllocateRuntimeCopyPool (DataSize, Data); - ASSERT (Global->LangCodes[VirtualMode] != NULL); - } - - if (SetLanguageCodes - && (Global->PlatformLangCodes[VirtualMode] != NULL) - && (Global->LangCodes[VirtualMode] != NULL)) { - // - // Update Lang if PlatformLang is already set - // Update PlatformLang if Lang is already set - // - Status = FindVariable (PredefinedVariableName[VAR_PLATFORM_LANG], Global->GlobalVariableGuid[VirtualMode], &Variable, VariableGlobal, Instance); - if (!EFI_ERROR (Status)) { - // - // Update Lang - // - VariableName = PredefinedVariableName[VAR_PLATFORM_LANG]; - } else { - Status = FindVariable (PredefinedVariableName[VAR_LANG], Global->GlobalVariableGuid[VirtualMode], &Variable, VariableGlobal, Instance); - if (!EFI_ERROR (Status)) { - // - // Update PlatformLang - // - VariableName = PredefinedVariableName[VAR_LANG]; - } else { - // - // Neither PlatformLang nor Lang is set, directly return - // - return; - } - } - Data = (VOID *) GetEndPointer (VariableGlobal->VolatileVariableBase, TRUE, VariableGlobal, Instance); - GetVariableDataPtr ((EFI_PHYSICAL_ADDRESS) Variable.CurrPtr, Variable.Volatile, VariableGlobal, Instance, (CHAR16 *) Data); - - Status = AccessVariableStore ( - FALSE, - VariableGlobal, - Variable.Volatile, - Instance, - (UINTN) &(((AUTHENTICATED_VARIABLE_HEADER *)Variable.CurrPtr)->DataSize), - sizeof (DataSize), - &DataSize - ); - ASSERT_EFI_ERROR (Status); - } - - // - // According to UEFI spec, "Lang" and "PlatformLang" is NV|BS|RT attributions. 
- // - Attributes = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS; - - if (StrCmp (VariableName, PredefinedVariableName[VAR_PLATFORM_LANG]) == 0) { - // - // Update Lang when PlatformLangCodes/LangCodes were set. - // - if ((Global->PlatformLangCodes[VirtualMode] != NULL) && (Global->LangCodes[VirtualMode] != NULL)) { - // - // When setting PlatformLang, firstly get most matched language string from supported language codes. - // - BestPlatformLang = VariableGetBestLanguage (Global->PlatformLangCodes[VirtualMode], FALSE, VirtualMode, Data, NULL); - if (BestPlatformLang != NULL) { - // - // Get the corresponding index in language codes. - // - Index = GetIndexFromSupportedLangCodes (Global->PlatformLangCodes[VirtualMode], BestPlatformLang, FALSE); - - // - // Get the corresponding ISO639 language tag according to RFC4646 language tag. - // - BestLang = GetLangFromSupportedLangCodes (Global->LangCodes[VirtualMode], Index, TRUE, VirtualMode, Global); - - // - // Successfully convert PlatformLang to Lang, and set the BestLang value into Lang variable simultaneously. - // - FindVariable (PredefinedVariableName[VAR_LANG], Global->GlobalVariableGuid[VirtualMode], &Variable, VariableGlobal, Instance); - - Status = UpdateVariable ( - PredefinedVariableName[VAR_LANG], - Global->GlobalVariableGuid[VirtualMode], - BestLang, - ISO_639_2_ENTRY_SIZE + 1, - Attributes, - 0, - 0, - VirtualMode, - Global, - &Variable - ); - - DEBUG ((EFI_D_INFO, "Variable Driver Auto Update PlatformLang, PlatformLang:%a, Lang:%a\n", BestPlatformLang, BestLang)); - - ASSERT_EFI_ERROR (Status); - } - } - - } else if (StrCmp (VariableName, PredefinedVariableName[VAR_LANG]) == 0) { - // - // Update PlatformLang when PlatformLangCodes/LangCodes were set. - // - if ((Global->PlatformLangCodes[VirtualMode] != NULL) && (Global->LangCodes[VirtualMode] != NULL)) { - // - // When setting Lang, firstly get most matched language string from supported language codes. 
- // - BestLang = VariableGetBestLanguage (Global->LangCodes[VirtualMode], TRUE, VirtualMode, Data, NULL); - if (BestLang != NULL) { - // - // Get the corresponding index in language codes. - // - Index = GetIndexFromSupportedLangCodes (Global->LangCodes[VirtualMode], BestLang, TRUE); - - // - // Get the corresponding RFC4646 language tag according to ISO639 language tag. - // - BestPlatformLang = GetLangFromSupportedLangCodes (Global->PlatformLangCodes[VirtualMode], Index, FALSE, VirtualMode, Global); - - // - // Successfully convert Lang to PlatformLang, and set the BestPlatformLang value into PlatformLang variable simultaneously. - // - FindVariable (PredefinedVariableName[VAR_PLATFORM_LANG], Global->GlobalVariableGuid[VirtualMode], &Variable, VariableGlobal, Instance); - - Status = UpdateVariable ( - PredefinedVariableName[VAR_PLATFORM_LANG], - Global->GlobalVariableGuid[VirtualMode], - BestPlatformLang, - AsciiStrSize (BestPlatformLang), - Attributes, - 0, - 0, - VirtualMode, - Global, - &Variable - ); - - DEBUG ((EFI_D_INFO, "Variable Driver Auto Update Lang, Lang:%a, PlatformLang:%a\n", BestLang, BestPlatformLang)); - ASSERT_EFI_ERROR (Status); - } - } - } -} - -/** - Update the variable region with Variable information. These are the same - arguments as the EFI Variable services. - - @param[in] VariableName Name of variable. - @param[in] VendorGuid Guid of variable. - @param[in] Data Variable data. - @param[in] DataSize Size of data. 0 means delete. - @param[in] Attributes Attributes of the variable. - @param[in] KeyIndex Index of associated public key. - @param[in] MonotonicCount Value of associated monotonic count. - @param[in] VirtualMode Current calling mode for this function. - @param[in] Global Context of this Extended SAL Variable Services Class call. - @param[in] Variable The variable information which is used to keep track of variable usage. - - @retval EFI_SUCCESS The update operation is success. 
- @retval EFI_OUT_OF_RESOURCES Variable region is full, can not write other data into this region. - -**/ -EFI_STATUS -EFIAPI -UpdateVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - IN VOID *Data, - IN UINTN DataSize, - IN UINT32 Attributes OPTIONAL, - IN UINT32 KeyIndex OPTIONAL, - IN UINT64 MonotonicCount OPTIONAL, - IN BOOLEAN VirtualMode, - IN ESAL_VARIABLE_GLOBAL *Global, - IN VARIABLE_POINTER_TRACK *Variable - ) -{ - EFI_STATUS Status; - AUTHENTICATED_VARIABLE_HEADER *NextVariable; - UINTN VarNameOffset; - UINTN VarDataOffset; - UINTN VarNameSize; - UINTN VarSize; - BOOLEAN Volatile; - UINT8 State; - AUTHENTICATED_VARIABLE_HEADER VariableHeader; - AUTHENTICATED_VARIABLE_HEADER *NextVariableHeader; - BOOLEAN Valid; - BOOLEAN Reclaimed; - VARIABLE_STORE_HEADER VariableStoreHeader; - UINTN ScratchSize; - VARIABLE_GLOBAL *VariableGlobal; - UINT32 Instance; - - VariableGlobal = &Global->VariableGlobal[VirtualMode]; - Instance = Global->FvbInstance; - - Reclaimed = FALSE; - - if (Variable->CurrPtr != 0) { - - Valid = IsValidVariableHeader (Variable->CurrPtr, Variable->Volatile, VariableGlobal, Instance, &VariableHeader); - if (!Valid) { - Status = EFI_NOT_FOUND; - goto Done; - } - - // - // Update/Delete existing variable - // - Volatile = Variable->Volatile; - - if (EfiAtRuntime ()) { - // - // If EfiAtRuntime and the variable is Volatile and Runtime Access, - // the volatile is ReadOnly, and SetVariable should be aborted and - // return EFI_WRITE_PROTECTED. - // - if (Variable->Volatile) { - Status = EFI_WRITE_PROTECTED; - goto Done; - } - // - // Only variable have NV attribute can be updated/deleted in Runtime - // - if ((VariableHeader.Attributes & EFI_VARIABLE_NON_VOLATILE) == 0) { - Status = EFI_INVALID_PARAMETER; - goto Done; - } - } - // - // Setting a data variable with no access, or zero DataSize attributes - // specified causes it to be deleted. 
- // - if (DataSize == 0 || (Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == 0) { - State = VariableHeader.State; - State &= VAR_DELETED; - - Status = AccessVariableStore ( - TRUE, - VariableGlobal, - Variable->Volatile, - Instance, - (UINTN) &(((AUTHENTICATED_VARIABLE_HEADER *)Variable->CurrPtr)->State), - sizeof (UINT8), - &State - ); - if (!EFI_ERROR (Status)) { - UpdateVariableInfo (VariableName, VendorGuid, Volatile, FALSE, FALSE, TRUE, FALSE); - UpdateVariableCache (VariableName, VendorGuid, Attributes, DataSize, Data); - } - goto Done; - } - // - // Logic comes here to update variable. - // If the variable is marked valid and the same data has been passed in - // then return to the caller immediately. - // - if (DataSizeOfVariable (&VariableHeader) == DataSize) { - NextVariable = (AUTHENTICATED_VARIABLE_HEADER *)GetEndPointer (VariableGlobal->VolatileVariableBase, TRUE, VariableGlobal, Instance); - GetVariableDataPtr (Variable->CurrPtr, Variable->Volatile, VariableGlobal, Instance, (CHAR16 *) NextVariable); - if (CompareMem (Data, (VOID *) NextVariable, DataSize) == 0) { - UpdateVariableInfo (VariableName, VendorGuid, Volatile, FALSE, TRUE, FALSE, FALSE); - Status = EFI_SUCCESS; - goto Done; - } - } - if ((VariableHeader.State == VAR_ADDED) || - (VariableHeader.State == (VAR_ADDED & VAR_IN_DELETED_TRANSITION))) { - // - // If new data is different from the old one, mark the old one as VAR_IN_DELETED_TRANSITION. - // It will be deleted if new variable is successfully written. - // - State = VariableHeader.State; - State &= VAR_IN_DELETED_TRANSITION; - - Status = AccessVariableStore ( - TRUE, - VariableGlobal, - Variable->Volatile, - Instance, - (UINTN) &(((AUTHENTICATED_VARIABLE_HEADER *)Variable->CurrPtr)->State), - sizeof (UINT8), - &State - ); - if (EFI_ERROR (Status)) { - goto Done; - } - } - } else { - // - // Create a new variable - // - - // - // Make sure we are trying to create a new variable. 
- // Setting a data variable with no access, or zero DataSize attributes means to delete it. - // - if (DataSize == 0 || (Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == 0) { - Status = EFI_NOT_FOUND; - goto Done; - } - - // - // Only variable have NV|RT attribute can be created in Runtime - // - if (EfiAtRuntime () && - (((Attributes & EFI_VARIABLE_RUNTIME_ACCESS) == 0) || ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0))) { - Status = EFI_INVALID_PARAMETER; - goto Done; - } - } - - // - // Function part - create a new variable and copy the data. - // Both update a variable and create a variable will come here. - // - // Tricky part: Use scratch data area at the end of volatile variable store - // as a temporary storage. - // - NextVariable = (AUTHENTICATED_VARIABLE_HEADER *)GetEndPointer (VariableGlobal->VolatileVariableBase, TRUE, VariableGlobal, Instance); - ScratchSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)); - NextVariableHeader = (AUTHENTICATED_VARIABLE_HEADER *) NextVariable; - - SetMem (NextVariableHeader, ScratchSize, 0xff); - - NextVariableHeader->StartId = VARIABLE_DATA; - NextVariableHeader->Attributes = Attributes; - NextVariableHeader->PubKeyIndex = KeyIndex; - NextVariableHeader->MonotonicCount = MonotonicCount; - NextVariableHeader->Reserved = 0; - VarNameOffset = sizeof (AUTHENTICATED_VARIABLE_HEADER); - VarNameSize = StrSize (VariableName); - CopyMem ( - (UINT8 *) ((UINTN)NextVariable + VarNameOffset), - VariableName, - VarNameSize - ); - VarDataOffset = VarNameOffset + VarNameSize + GET_PAD_SIZE (VarNameSize); - CopyMem ( - (UINT8 *) ((UINTN)NextVariable + VarDataOffset), - Data, - DataSize - ); - CopyMem (&NextVariableHeader->VendorGuid, VendorGuid, sizeof (EFI_GUID)); - // - // There will be pad bytes after Data, the NextVariable->NameSize and - // NextVariable->DataSize should not include pad size so that variable - // service can get actual size in GetVariable. 
- // - NextVariableHeader->NameSize = (UINT32)VarNameSize; - NextVariableHeader->DataSize = (UINT32)DataSize; - - // - // The actual size of the variable that stores in storage should - // include pad size. - // - VarSize = VarDataOffset + DataSize + GET_PAD_SIZE (DataSize); - if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) { - // - // Create a nonvolatile variable - // - Volatile = FALSE; - - GetVarStoreHeader (VariableGlobal->NonVolatileVariableBase, FALSE, VariableGlobal, Instance, &VariableStoreHeader); - if ((((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != 0) - && ((HEADER_ALIGN (VarSize) + Global->HwErrVariableTotalSize) > PcdGet32(PcdHwErrStorageSize))) - || (((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == 0) - && ((HEADER_ALIGN (VarSize) + Global->CommonVariableTotalSize) > VariableStoreHeader.Size - sizeof (VARIABLE_STORE_HEADER) - PcdGet32(PcdHwErrStorageSize)))) { - if (EfiAtRuntime ()) { - Status = EFI_OUT_OF_RESOURCES; - goto Done; - } - // - // Perform garbage collection & reclaim operation - // - Status = Reclaim (VariableGlobal->NonVolatileVariableBase, &(Global->NonVolatileLastVariableOffset), FALSE, VirtualMode, Global, Variable->CurrPtr); - if (EFI_ERROR (Status)) { - goto Done; - } - - Reclaimed = TRUE; - // - // If still no enough space, return out of resources - // - if ((((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != 0) - && ((HEADER_ALIGN (VarSize) + Global->HwErrVariableTotalSize) > PcdGet32(PcdHwErrStorageSize))) - || (((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == 0) - && ((HEADER_ALIGN (VarSize) + Global->CommonVariableTotalSize) > VariableStoreHeader.Size - sizeof (VARIABLE_STORE_HEADER) - PcdGet32(PcdHwErrStorageSize)))) { - Status = EFI_OUT_OF_RESOURCES; - goto Done; - } - } - // - // Four steps - // 1. Write variable header - // 2. Set variable state to header valid - // 3. Write variable data - // 4. 
Set variable state to valid - // - // - // Step 1: - // - Status = AccessVariableStore ( - TRUE, - VariableGlobal, - FALSE, - Instance, - VariableGlobal->NonVolatileVariableBase + Global->NonVolatileLastVariableOffset, - sizeof (AUTHENTICATED_VARIABLE_HEADER), - (UINT8 *) NextVariable - ); - - if (EFI_ERROR (Status)) { - goto Done; - } - - // - // Step 2: - // - NextVariableHeader->State = VAR_HEADER_VALID_ONLY; - Status = AccessVariableStore ( - TRUE, - VariableGlobal, - FALSE, - Instance, - VariableGlobal->NonVolatileVariableBase + Global->NonVolatileLastVariableOffset, - sizeof (AUTHENTICATED_VARIABLE_HEADER), - (UINT8 *) NextVariable - ); - - if (EFI_ERROR (Status)) { - goto Done; - } - // - // Step 3: - // - Status = AccessVariableStore ( - TRUE, - VariableGlobal, - FALSE, - Instance, - VariableGlobal->NonVolatileVariableBase + Global->NonVolatileLastVariableOffset + sizeof (AUTHENTICATED_VARIABLE_HEADER), - (UINT32) VarSize - sizeof (AUTHENTICATED_VARIABLE_HEADER), - (UINT8 *) NextVariable + sizeof (AUTHENTICATED_VARIABLE_HEADER) - ); - - if (EFI_ERROR (Status)) { - goto Done; - } - // - // Step 4: - // - NextVariableHeader->State = VAR_ADDED; - Status = AccessVariableStore ( - TRUE, - VariableGlobal, - FALSE, - Instance, - VariableGlobal->NonVolatileVariableBase + Global->NonVolatileLastVariableOffset, - sizeof (AUTHENTICATED_VARIABLE_HEADER), - (UINT8 *) NextVariable - ); - - if (EFI_ERROR (Status)) { - goto Done; - } - - Global->NonVolatileLastVariableOffset += HEADER_ALIGN (VarSize); - - if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != 0) { - Global->HwErrVariableTotalSize += HEADER_ALIGN (VarSize); - } else { - Global->CommonVariableTotalSize += HEADER_ALIGN (VarSize); - } - } else { - // - // Create a volatile variable - // - Volatile = TRUE; - - if ((UINT32) (HEADER_ALIGN(VarSize) + Global->VolatileLastVariableOffset) > - ((VARIABLE_STORE_HEADER *) ((UINTN) (VariableGlobal->VolatileVariableBase)))->Size) { - // - // Perform garbage collection & 
reclaim operation - // - Status = Reclaim (VariableGlobal->VolatileVariableBase, &Global->VolatileLastVariableOffset, TRUE, VirtualMode, Global, Variable->CurrPtr); - if (EFI_ERROR (Status)) { - goto Done; - } - // - // If still no enough space, return out of resources - // - if ((UINT32) (HEADER_ALIGN (VarSize) + Global->VolatileLastVariableOffset) > - ((VARIABLE_STORE_HEADER *) ((UINTN) (VariableGlobal->VolatileVariableBase)))->Size - ) { - Status = EFI_OUT_OF_RESOURCES; - goto Done; - } - Reclaimed = TRUE; - } - - NextVariableHeader->State = VAR_ADDED; - Status = AccessVariableStore ( - TRUE, - VariableGlobal, - TRUE, - Instance, - VariableGlobal->VolatileVariableBase + Global->VolatileLastVariableOffset, - (UINT32) VarSize, - (UINT8 *) NextVariable - ); - - if (EFI_ERROR (Status)) { - goto Done; - } - - Global->VolatileLastVariableOffset += HEADER_ALIGN (VarSize); - } - // - // Mark the old variable as deleted - // If storage has just been reclaimed, the old variable marked as VAR_IN_DELETED_TRANSITION - // has already been eliminated, so no need to delete it. - // - if (!Reclaimed && !EFI_ERROR (Status) && Variable->CurrPtr != 0) { - State = ((AUTHENTICATED_VARIABLE_HEADER *)Variable->CurrPtr)->State; - State &= VAR_DELETED; - - Status = AccessVariableStore ( - TRUE, - VariableGlobal, - Variable->Volatile, - Instance, - (UINTN) &(((AUTHENTICATED_VARIABLE_HEADER *)Variable->CurrPtr)->State), - sizeof (UINT8), - &State - ); - } - - if (!EFI_ERROR (Status)) { - UpdateVariableInfo (VariableName, VendorGuid, Volatile, FALSE, TRUE, FALSE, FALSE); - UpdateVariableCache (VariableName, VendorGuid, Attributes, DataSize, Data); - } - -Done: - return Status; -} - -/** - Implements EsalGetVariable function of Extended SAL Variable Services Class. - - This function implements EsalGetVariable function of Extended SAL Variable Services Class. - It is equivalent in functionality to the EFI Runtime Service GetVariable(). 
- - @param[in] VariableName A Null-terminated Unicode string that is the name of - the vendor's variable. - @param[in] VendorGuid A unique identifier for the vendor. - @param[out] Attributes If not NULL, a pointer to the memory location to return the - attributes bitmask for the variable. - @param[in, out] DataSize Size of Data found. If size is less than the - data, this value contains the required size. - @param[out] Data On input, the size in bytes of the return Data buffer. - On output, the size of data returned in Data. - @param[in] VirtualMode Current calling mode for this function. - @param[in] Global Context of this Extended SAL Variable Services Class call. - - @retval EFI_SUCCESS The function completed successfully. - @retval EFI_NOT_FOUND The variable was not found. - @retval EFI_BUFFER_TOO_SMALL DataSize is too small for the result. DataSize has - been updated with the size needed to complete the request. - @retval EFI_INVALID_PARAMETER VariableName is NULL. - @retval EFI_INVALID_PARAMETER VendorGuid is NULL. - @retval EFI_INVALID_PARAMETER DataSize is NULL. - @retval EFI_INVALID_PARAMETER DataSize is not too small and Data is NULL. - @retval EFI_DEVICE_ERROR The variable could not be retrieved due to a hardware error. - @retval EFI_SECURITY_VIOLATION The variable could not be retrieved due to an authentication failure. 
- -**/ -EFI_STATUS -EFIAPI -EsalGetVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - OUT UINT32 *Attributes OPTIONAL, - IN OUT UINTN *DataSize, - OUT VOID *Data, - IN BOOLEAN VirtualMode, - IN ESAL_VARIABLE_GLOBAL *Global - ) -{ - VARIABLE_POINTER_TRACK Variable; - UINTN VarDataSize; - EFI_STATUS Status; - AUTHENTICATED_VARIABLE_HEADER VariableHeader; - BOOLEAN Valid; - VARIABLE_GLOBAL *VariableGlobal; - UINT32 Instance; - - if (VariableName == NULL || VendorGuid == NULL || DataSize == NULL) { - return EFI_INVALID_PARAMETER; - } - - VariableGlobal = &Global->VariableGlobal[VirtualMode]; - Instance = Global->FvbInstance; - - AcquireLockOnlyAtBootTime(&VariableGlobal->VariableServicesLock); - - // - // Check if this variable exists in cache. - // - Status = FindVariableInCache (VariableName, VendorGuid, Attributes, DataSize, Data); - if ((Status == EFI_BUFFER_TOO_SMALL) || (Status == EFI_SUCCESS)){ - // - // If variable exists in cache, just update statistical information for it and finish. - // Here UpdateVariableInfo() has already retrieved data & attributes for output. - // - UpdateVariableInfo (VariableName, VendorGuid, FALSE, TRUE, FALSE, FALSE, TRUE); - goto Done; - } - // - // If variable does not exist in cache, search for it in variable storage area. - // - Status = FindVariable (VariableName, VendorGuid, &Variable, VariableGlobal, Instance); - if (Variable.CurrPtr == 0x0 || EFI_ERROR (Status)) { - // - // If it cannot be found in variable storage area, goto Done. - // - goto Done; - } - - Valid = IsValidVariableHeader (Variable.CurrPtr, Variable.Volatile, VariableGlobal, Instance, &VariableHeader); - if (!Valid) { - Status = EFI_NOT_FOUND; - goto Done; - } - // - // If variable exists, but not in cache, get its data and attributes, update - // statistical information, and update cache. 
- // - VarDataSize = DataSizeOfVariable (&VariableHeader); - ASSERT (VarDataSize != 0); - - if (*DataSize >= VarDataSize) { - if (Data == NULL) { - Status = EFI_INVALID_PARAMETER; - goto Done; - } - - GetVariableDataPtr ( - Variable.CurrPtr, - Variable.Volatile, - VariableGlobal, - Instance, - Data - ); - if (Attributes != NULL) { - *Attributes = VariableHeader.Attributes; - } - - *DataSize = VarDataSize; - UpdateVariableInfo (VariableName, VendorGuid, Variable.Volatile, TRUE, FALSE, FALSE, FALSE); - UpdateVariableCache (VariableName, VendorGuid, VariableHeader.Attributes, VarDataSize, Data); - - Status = EFI_SUCCESS; - goto Done; - } else { - // - // If DataSize is too small for the result, return EFI_BUFFER_TOO_SMALL. - // - *DataSize = VarDataSize; - Status = EFI_BUFFER_TOO_SMALL; - goto Done; - } - -Done: - ReleaseLockOnlyAtBootTime (&VariableGlobal->VariableServicesLock); - return Status; -} - -/** - Implements EsalGetNextVariableName function of Extended SAL Variable Services Class. - - This function implements EsalGetNextVariableName function of Extended SAL Variable Services Class. - It is equivalent in functionality to the EFI Runtime Service GetNextVariableName(). - - @param[in, out] VariableNameSize Size of the variable - @param[in, out] VariableName On input, supplies the last VariableName that was returned by GetNextVariableName(). - On output, returns the Null-terminated Unicode string of the current variable. - @param[in, out] VendorGuid On input, supplies the last VendorGuid that was returned by GetNextVariableName(). - On output, returns the VendorGuid of the current variable. - @param[in] VirtualMode Current calling mode for this function. - @param[in] Global Context of this Extended SAL Variable Services Class call. - - @retval EFI_SUCCESS The function completed successfully. - @retval EFI_NOT_FOUND The next variable was not found. - @retval EFI_BUFFER_TOO_SMALL VariableNameSize is too small for the result. 
- VariableNameSize has been updated with the size needed to complete the request. - @retval EFI_INVALID_PARAMETER VariableNameSize is NULL. - @retval EFI_INVALID_PARAMETER VariableName is NULL. - @retval EFI_INVALID_PARAMETER VendorGuid is NULL. - @retval EFI_DEVICE_ERROR The variable name could not be retrieved due to a hardware error. - -**/ -EFI_STATUS -EFIAPI -EsalGetNextVariableName ( - IN OUT UINTN *VariableNameSize, - IN OUT CHAR16 *VariableName, - IN OUT EFI_GUID *VendorGuid, - IN BOOLEAN VirtualMode, - IN ESAL_VARIABLE_GLOBAL *Global - ) -{ - VARIABLE_POINTER_TRACK Variable; - UINTN VarNameSize; - EFI_STATUS Status; - AUTHENTICATED_VARIABLE_HEADER VariableHeader; - VARIABLE_GLOBAL *VariableGlobal; - UINT32 Instance; - - if (VariableNameSize == NULL || VariableName == NULL || VendorGuid == NULL) { - return EFI_INVALID_PARAMETER; - } - - VariableGlobal = &Global->VariableGlobal[VirtualMode]; - Instance = Global->FvbInstance; - - AcquireLockOnlyAtBootTime(&VariableGlobal->VariableServicesLock); - - Status = FindVariable (VariableName, VendorGuid, &Variable, VariableGlobal, Instance); - // - // If the variable does not exist, goto Done and return. - // - if (Variable.CurrPtr == 0x0 || EFI_ERROR (Status)) { - goto Done; - } - - if (VariableName[0] != 0) { - // - // If variable name is not NULL, get next variable - // - Variable.CurrPtr = GetNextVariablePtr ( - Variable.CurrPtr, - Variable.Volatile, - VariableGlobal, - Instance - ); - } - - while (TRUE) { - if (Variable.CurrPtr >= Variable.EndPtr || Variable.CurrPtr == 0x0) { - // - // If fail to find a variable in current area, reverse the volatile attribute of area to search. - // - Variable.Volatile = (BOOLEAN) (Variable.Volatile ^ ((BOOLEAN) 0x1)); - // - // Here we depend on the searching sequence of FindVariable(). - // It first searches volatile area, then NV area. 
- // So if the volatile attribute after switching is non-volatile, it means that we have finished searching volatile area, - // and EFI_NOT_FOUND is returnd. - // Otherwise, it means that we have finished searchig non-volatile area, and we will continue to search volatile area. - // - if (!Variable.Volatile) { - Variable.StartPtr = GetStartPointer (VariableGlobal->NonVolatileVariableBase); - Variable.EndPtr = GetEndPointer (VariableGlobal->NonVolatileVariableBase, FALSE, VariableGlobal, Instance); - } else { - Status = EFI_NOT_FOUND; - goto Done; - } - - Variable.CurrPtr = Variable.StartPtr; - if (!IsValidVariableHeader (Variable.CurrPtr, Variable.Volatile, VariableGlobal, Instance, NULL)) { - continue; - } - } - // - // Variable is found - // - if (IsValidVariableHeader (Variable.CurrPtr, Variable.Volatile, VariableGlobal, Instance, &VariableHeader)) { - if ((VariableHeader.State == VAR_ADDED) && - (!(EfiAtRuntime () && ((VariableHeader.Attributes & EFI_VARIABLE_RUNTIME_ACCESS) == 0)))) { - VarNameSize = NameSizeOfVariable (&VariableHeader); - ASSERT (VarNameSize != 0); - - if (VarNameSize <= *VariableNameSize) { - GetVariableNamePtr ( - Variable.CurrPtr, - Variable.Volatile, - VariableGlobal, - Instance, - VariableName - ); - CopyMem ( - VendorGuid, - &VariableHeader.VendorGuid, - sizeof (EFI_GUID) - ); - Status = EFI_SUCCESS; - } else { - Status = EFI_BUFFER_TOO_SMALL; - } - - *VariableNameSize = VarNameSize; - goto Done; - } - } - - Variable.CurrPtr = GetNextVariablePtr ( - Variable.CurrPtr, - Variable.Volatile, - VariableGlobal, - Instance - ); - } - -Done: - ReleaseLockOnlyAtBootTime (&VariableGlobal->VariableServicesLock); - return Status; -} - -/** - Implements EsalSetVariable function of Extended SAL Variable Services Class. - - This function implements EsalSetVariable function of Extended SAL Variable Services Class. - It is equivalent in functionality to the EFI Runtime Service SetVariable(). 
- - @param[in] VariableName A Null-terminated Unicode string that is the name of the vendor's - variable. Each VariableName is unique for each - VendorGuid. VariableName must contain 1 or more - Unicode characters. If VariableName is an empty Unicode - string, then EFI_INVALID_PARAMETER is returned. - @param[in] VendorGuid A unique identifier for the vendor. - @param[in] Attributes Attributes bitmask to set for the variable. - @param[in] DataSize The size in bytes of the Data buffer. A size of zero causes the - variable to be deleted. - @param[in] Data The contents for the variable. - @param[in] VirtualMode Current calling mode for this function. - @param[in] Global Context of this Extended SAL Variable Services Class call. - - @retval EFI_SUCCESS The firmware has successfully stored the variable and its data as - defined by the Attributes. - @retval EFI_INVALID_PARAMETER An invalid combination of attribute bits was supplied, or the - DataSize exceeds the maximum allowed. - @retval EFI_INVALID_PARAMETER VariableName is an empty Unicode string. - @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the variable and its data. - @retval EFI_DEVICE_ERROR The variable could not be saved due to a hardware failure. - @retval EFI_WRITE_PROTECTED The variable in question is read-only. - @retval EFI_WRITE_PROTECTED The variable in question cannot be deleted. - @retval EFI_SECURITY_VIOLATION The variable could not be retrieved due to an authentication failure. - @retval EFI_NOT_FOUND The variable trying to be updated or deleted was not found. 
- -**/ -EFI_STATUS -EFIAPI -EsalSetVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - IN UINT32 Attributes, - IN UINTN DataSize, - IN VOID *Data, - IN BOOLEAN VirtualMode, - IN ESAL_VARIABLE_GLOBAL *Global - ) -{ - VARIABLE_POINTER_TRACK Variable; - EFI_STATUS Status; - EFI_PHYSICAL_ADDRESS NextVariable; - EFI_PHYSICAL_ADDRESS Point; - VARIABLE_GLOBAL *VariableGlobal; - UINT32 Instance; - UINT32 KeyIndex; - UINT64 MonotonicCount; - UINTN PayloadSize; - - // - // Check input parameters - // - if (VariableName == NULL || VariableName[0] == 0 || VendorGuid == NULL) { - return EFI_INVALID_PARAMETER; - } - - if (DataSize != 0 && Data == NULL) { - return EFI_INVALID_PARAMETER; - } - - // - // EFI_VARIABLE_RUNTIME_ACCESS bit cannot be set without EFI_VARIABLE_BOOTSERVICE_ACCESS bit. - // - if ((Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == EFI_VARIABLE_RUNTIME_ACCESS) { - return EFI_INVALID_PARAMETER; - } - - if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) == EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) { - if (DataSize < AUTHINFO_SIZE) { - // - // Try to write Authencated Variable without AuthInfo - // - return EFI_SECURITY_VIOLATION; - } - PayloadSize = DataSize - AUTHINFO_SIZE; - } else { - PayloadSize = DataSize; - } - - - if ((UINTN)(~0) - PayloadSize < StrSize(VariableName)){ - // - // Prevent whole variable size overflow - // - return EFI_INVALID_PARAMETER; - } - - VariableGlobal = &Global->VariableGlobal[VirtualMode]; - Instance = Global->FvbInstance; - - if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) { - // - // For variable for hardware error record, the size of the VariableName, including the Unicode Null - // in bytes plus the DataSize is limited to maximum size of PcdGet32(PcdMaxHardwareErrorVariableSize) bytes. 
- //
- if (StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxHardwareErrorVariableSize) - sizeof (AUTHENTICATED_VARIABLE_HEADER)) {
- return EFI_INVALID_PARAMETER;
- }
- //
- // According to UEFI spec, HARDWARE_ERROR_RECORD variable name convention should be L"HwErrRecXXXX"
- //
- if (StrnCmp (VariableName, \
- Global->VariableName[VirtualMode][VAR_HW_ERR_REC], \
- StrLen(Global->VariableName[VirtualMode][VAR_HW_ERR_REC])) != 0) {
- return EFI_INVALID_PARAMETER;
- }
- } else {
- //
- // For variable not for hardware error record, the size of the VariableName, including the
- // Unicode Null in bytes plus the DataSize is limited to maximum size of PcdGet32(PcdMaxVariableSize) bytes.
- //
- if (StrSize (VariableName) + PayloadSize > PcdGet32(PcdMaxVariableSize) - sizeof (AUTHENTICATED_VARIABLE_HEADER)) {
- return EFI_INVALID_PARAMETER;
- }
- }
-
- AcquireLockOnlyAtBootTime(&VariableGlobal->VariableServicesLock);
-
- //
- // Consider reentrant in MCA/INIT/NMI. It needs be reupdated;
- //
- if (InterlockedIncrement (&Global->ReentrantState) > 1) {
- Point = VariableGlobal->NonVolatileVariableBase;;
- //
- // Parse non-volatile variable data and get last variable offset
- //
- NextVariable = GetStartPointer (Point);
- while (IsValidVariableHeader (NextVariable, FALSE, VariableGlobal, Instance, NULL)) {
- NextVariable = GetNextVariablePtr (NextVariable, FALSE, VariableGlobal, Instance);
- }
- Global->NonVolatileLastVariableOffset = NextVariable - Point;
- }
-
- //
- // Check whether the input variable exists
- //
-
- Status = FindVariable (VariableName, VendorGuid, &Variable, VariableGlobal, Instance);
-
- //
- // Hook the operation of setting PlatformLangCodes/PlatformLang and LangCodes/Lang
- //
- AutoUpdateLangVariable (VariableName, Data, PayloadSize, VirtualMode, Global);
-
- //
- // Process PK, KEK, Sigdb seperately
- //
- if (CompareGuid (VendorGuid, Global->GlobalVariableGuid[VirtualMode]) && (StrCmp (VariableName,
 Global->VariableName[VirtualMode][VAR_PLATFORM_KEY]) == 0)) {
- Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, VirtualMode, Global, &Variable, Attributes, TRUE);
- } else if (CompareGuid (VendorGuid, Global->GlobalVariableGuid[VirtualMode]) && (StrCmp (VariableName, Global->VariableName[VirtualMode][VAR_KEY_EXCHANGE_KEY]) == 0)) {
- Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, VirtualMode, Global, &Variable, Attributes, FALSE);
- } else if (CompareGuid (VendorGuid, Global->ImageSecurityDatabaseGuid[VirtualMode])) {
- Status = ProcessVarWithKek (VariableName, VendorGuid, Data, DataSize, VirtualMode, Global, &Variable, Attributes);
- } else {
- Status = VerifyVariable (Data, DataSize, VirtualMode, Global, &Variable, Attributes, &KeyIndex, &MonotonicCount);
- if (!EFI_ERROR(Status)) {
- //
- // Verification pass
- //
- if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {
- //
- // Cut the certificate size before set
- //
- Status = UpdateVariable (
- VariableName,
- VendorGuid,
- (UINT8*)Data + AUTHINFO_SIZE,
- DataSize - AUTHINFO_SIZE,
- Attributes,
- KeyIndex,
- MonotonicCount,
- VirtualMode,
- Global,
- &Variable
- );
- } else {
- //
- // Update variable as usual
- //
- Status = UpdateVariable (
- VariableName,
- VendorGuid,
- Data,
- DataSize,
- Attributes,
- 0,
- 0,
- VirtualMode,
- Global,
- &Variable
- );
- }
- }
- }
-
- InterlockedDecrement (&Global->ReentrantState);
- ReleaseLockOnlyAtBootTime (&VariableGlobal->VariableServicesLock);
- return Status;
-}
-
-/**
- Implements EsalQueryVariableInfo function of Extended SAL Variable Services Class.
-
- This function implements EsalQueryVariableInfo function of Extended SAL Variable Services Class.
- It is equivalent in functionality to the EFI Runtime Service QueryVariableInfo().
-
- @param[in] Attributes Attributes bitmask to specify the type of variables
- on which to return information.
- @param[out] MaximumVariableStorageSize On output the maximum size of the storage space available for
- the EFI variables associated with the attributes specified.
- @param[out] RemainingVariableStorageSize Returns the remaining size of the storage space available for EFI
- variables associated with the attributes specified.
- @param[out] MaximumVariableSize Returns the maximum size of an individual EFI variable
- associated with the attributes specified.
- @param[in] VirtualMode Current calling mode for this function
- @param[in] Global Context of this Extended SAL Variable Services Class call
-
- @retval EFI_SUCCESS Valid answer returned.
- @retval EFI_INVALID_PARAMETER An invalid combination of attribute bits was supplied.
- @retval EFI_UNSUPPORTED The attribute is not supported on this platform, and the
- MaximumVariableStorageSize, RemainingVariableStorageSize,
- MaximumVariableSize are undefined.
-**/
-EFI_STATUS
-EFIAPI
-EsalQueryVariableInfo (
- IN UINT32 Attributes,
- OUT UINT64 *MaximumVariableStorageSize,
- OUT UINT64 *RemainingVariableStorageSize,
- OUT UINT64 *MaximumVariableSize,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- )
-{
- EFI_PHYSICAL_ADDRESS Variable;
- EFI_PHYSICAL_ADDRESS NextVariable;
- UINT64 VariableSize;
- EFI_PHYSICAL_ADDRESS VariableStoreHeaderAddress;
- BOOLEAN Volatile;
- VARIABLE_STORE_HEADER VarStoreHeader;
- AUTHENTICATED_VARIABLE_HEADER VariableHeader;
- UINT64 CommonVariableTotalSize;
- UINT64 HwErrVariableTotalSize;
- VARIABLE_GLOBAL *VariableGlobal;
- UINT32 Instance;
-
- CommonVariableTotalSize = 0;
- HwErrVariableTotalSize = 0;
-
- if(MaximumVariableStorageSize == NULL || RemainingVariableStorageSize == NULL || MaximumVariableSize == NULL || Attributes == 0) {
- return EFI_INVALID_PARAMETER;
- }
-
- if((Attributes & (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_HARDWARE_ERROR_RECORD)) == 0) {
- //
- // Make sure the Attributes combination is
supported by the platform.
- //
- return EFI_UNSUPPORTED;
- } else if ((Attributes & (EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS)) == EFI_VARIABLE_RUNTIME_ACCESS) {
- //
- // Make sure if runtime bit is set, boot service bit is set also.
- //
- return EFI_INVALID_PARAMETER;
- } else if (EfiAtRuntime () && ((Attributes & EFI_VARIABLE_RUNTIME_ACCESS) == 0)) {
- //
- // Make sure RT Attribute is set if we are in Runtime phase.
- //
- return EFI_INVALID_PARAMETER;
- } else if ((Attributes & (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_HARDWARE_ERROR_RECORD)) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
- //
- // Make sure Hw Attribute is set with NV.
- //
- return EFI_INVALID_PARAMETER;
- }
-
- VariableGlobal = &Global->VariableGlobal[VirtualMode];
- Instance = Global->FvbInstance;
-
- AcquireLockOnlyAtBootTime(&VariableGlobal->VariableServicesLock);
-
- if((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0) {
- //
- // Query is Volatile related.
- //
- Volatile = TRUE;
- VariableStoreHeaderAddress = VariableGlobal->VolatileVariableBase;
- } else {
- //
- // Query is Non-Volatile related.
- //
- Volatile = FALSE;
- VariableStoreHeaderAddress = VariableGlobal->NonVolatileVariableBase;
- }
-
- //
- // Now let's fill *MaximumVariableStorageSize *RemainingVariableStorageSize
- // with the storage size (excluding the storage header size).
- //
- GetVarStoreHeader (VariableStoreHeaderAddress, Volatile, VariableGlobal, Instance, &VarStoreHeader);
-
- *MaximumVariableStorageSize = VarStoreHeader.Size - sizeof (VARIABLE_STORE_HEADER);
-
- // Harware error record variable needs larger size.
- //
- if ((Attributes & (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_HARDWARE_ERROR_RECORD)) == (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_HARDWARE_ERROR_RECORD)) {
- *MaximumVariableStorageSize = PcdGet32(PcdHwErrStorageSize);
- *MaximumVariableSize = PcdGet32(PcdMaxHardwareErrorVariableSize) - sizeof (AUTHENTICATED_VARIABLE_HEADER);
- } else {
- if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
- ASSERT (PcdGet32(PcdHwErrStorageSize) < VarStoreHeader.Size);
- *MaximumVariableStorageSize = VarStoreHeader.Size - sizeof (VARIABLE_STORE_HEADER) - PcdGet32(PcdHwErrStorageSize);
- }
-
- //
- // Let *MaximumVariableSize be PcdGet32(PcdMaxVariableSize) with the exception of the variable header size.
- //
- *MaximumVariableSize = PcdGet32(PcdMaxVariableSize) - sizeof (AUTHENTICATED_VARIABLE_HEADER);
- }
-
- //
- // Point to the starting address of the variables.
- //
- Variable = GetStartPointer (VariableStoreHeaderAddress);
-
- //
- // Now walk through the related variable store.
- //
- while (IsValidVariableHeader (Variable, Volatile, VariableGlobal, Instance, &VariableHeader) &&
- (Variable < GetEndPointer (VariableStoreHeaderAddress, Volatile, VariableGlobal, Instance))) {
- NextVariable = GetNextVariablePtr (Variable, Volatile, VariableGlobal, Instance);
- VariableSize = NextVariable - Variable;
-
- if (EfiAtRuntime ()) {
- //
- // we don't take the state of the variables in mind
- // when calculating RemainingVariableStorageSize,
- // since the space occupied by variables not marked with
- // VAR_ADDED is not allowed to be reclaimed in Runtime.
- //
- if ((VariableHeader.Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
- HwErrVariableTotalSize += VariableSize;
- } else {
- CommonVariableTotalSize += VariableSize;
- }
- } else {
- //
- // Only care about Variables with State VAR_ADDED,because
- // the space not marked as VAR_ADDED is reclaimable now.
- //
- if (VariableHeader.State == VAR_ADDED) {
- if ((VariableHeader.Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {
- HwErrVariableTotalSize += VariableSize;
- } else {
- CommonVariableTotalSize += VariableSize;
- }
- }
- }
-
- //
- // Go to the next one
- //
- Variable = NextVariable;
- }
-
- if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD){
- *RemainingVariableStorageSize = *MaximumVariableStorageSize - HwErrVariableTotalSize;
- }else {
- *RemainingVariableStorageSize = *MaximumVariableStorageSize - CommonVariableTotalSize;
- }
-
- if (*RemainingVariableStorageSize < sizeof (AUTHENTICATED_VARIABLE_HEADER)) {
- *MaximumVariableSize = 0;
- } else if ((*RemainingVariableStorageSize - sizeof (AUTHENTICATED_VARIABLE_HEADER)) < *MaximumVariableSize) {
- *MaximumVariableSize = *RemainingVariableStorageSize - sizeof (AUTHENTICATED_VARIABLE_HEADER);
- }
-
- ReleaseLockOnlyAtBootTime (&VariableGlobal->VariableServicesLock);
- return EFI_SUCCESS;
-}
-
-/**
- Notification function of EVT_GROUP_READY_TO_BOOT event group.
-
- This is a notification function registered on EVT_GROUP_READY_TO_BOOT event group.
- When the Boot Manager is about to load and execute a boot option, it reclaims variable
- storage if free size is below the threshold.
-
- @param[in] Event Event whose notification function is being invoked.
- @param[in] Context Pointer to the notification function's context.
-
-**/
-VOID
-EFIAPI
-ReclaimForOS(
- IN EFI_EVENT Event,
- IN VOID *Context
- )
-{
- UINT32 VarSize;
- EFI_STATUS Status;
- UINTN CommonVariableSpace;
- UINTN RemainingCommonVariableSpace;
- UINTN RemainingHwErrVariableSpace;
-
- VarSize = ((VARIABLE_STORE_HEADER *) ((UINTN) mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase))->Size;
- Status = EFI_SUCCESS;
- //
- //Allowable max size of common variable storage space
- //
- CommonVariableSpace = VarSize - sizeof (VARIABLE_STORE_HEADER) - PcdGet32(PcdHwErrStorageSize);
-
- RemainingCommonVariableSpace = CommonVariableSpace - mVariableModuleGlobal->CommonVariableTotalSize;
-
- RemainingHwErrVariableSpace = PcdGet32 (PcdHwErrStorageSize) - mVariableModuleGlobal->HwErrVariableTotalSize;
- //
- // If the free area is below a threshold, then performs reclaim operation.
- //
- if ((RemainingCommonVariableSpace < PcdGet32 (PcdMaxVariableSize))
- || ((PcdGet32 (PcdHwErrStorageSize) != 0) &&
- (RemainingHwErrVariableSpace < PcdGet32 (PcdMaxHardwareErrorVariableSize)))){
- Status = Reclaim (
- mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase,
- &mVariableModuleGlobal->NonVolatileLastVariableOffset,
- FALSE,
- Physical,
- mVariableModuleGlobal,
- 0x0
- );
- ASSERT_EFI_ERROR (Status);
- }
-}
-
-/**
- Flush the HOB variable to NV variable storage.
-**/
-VOID
-FlushHob2Nv (
- VOID
- )
-{
- EFI_STATUS Status;
- VOID *GuidHob;
- VARIABLE_STORE_HEADER *VariableStoreHeader;
- AUTHENTICATED_VARIABLE_HEADER *VariableHeader;
- //
- // Get HOB variable store.
- //
- GuidHob = GetFirstGuidHob (&gEfiAuthenticatedVariableGuid);
- if (GuidHob != NULL) {
- VariableStoreHeader = (VARIABLE_STORE_HEADER *) GET_GUID_HOB_DATA (GuidHob);
- if (CompareGuid (&VariableStoreHeader->Signature, &gEfiAuthenticatedVariableGuid) &&
- (VariableStoreHeader->Format == VARIABLE_STORE_FORMATTED) &&
- (VariableStoreHeader->State == VARIABLE_STORE_HEALTHY)
- ) {
- DEBUG ((EFI_D_INFO, "HOB Variable Store appears to be valid.\n"));
- //
- // Flush the HOB variable to NV Variable storage.
- //
- for ( VariableHeader = (AUTHENTICATED_VARIABLE_HEADER *) HEADER_ALIGN (VariableStoreHeader + 1)
- ; (VariableHeader < (AUTHENTICATED_VARIABLE_HEADER *) HEADER_ALIGN ((UINTN) VariableStoreHeader + VariableStoreHeader->Size)
- &&
- (VariableHeader->StartId == VARIABLE_DATA))
- ; VariableHeader = (AUTHENTICATED_VARIABLE_HEADER *) HEADER_ALIGN ((UINTN) (VariableHeader + 1)
- + VariableHeader->NameSize + GET_PAD_SIZE (VariableHeader->NameSize)
- + VariableHeader->DataSize + GET_PAD_SIZE (VariableHeader->DataSize)
- )
- ) {
- ASSERT (VariableHeader->State == VAR_ADDED);
- ASSERT ((VariableHeader->Attributes & EFI_VARIABLE_NON_VOLATILE) != 0);
- Status = EsalSetVariable (
- (CHAR16 *) (VariableHeader + 1),
- &VariableHeader->VendorGuid,
- VariableHeader->Attributes,
- VariableHeader->DataSize,
- (UINT8 *) (VariableHeader + 1) + VariableHeader->NameSize + GET_PAD_SIZE (VariableHeader->NameSize),
- Physical,
- mVariableModuleGlobal
- );
- ASSERT_EFI_ERROR (Status);
- }
- }
- }
-}
-
-/**
- Initializes variable store area for non-volatile and volatile variable.
-
- This function allocates and initializes memory space for global context of ESAL
- variable service and variable store area for non-volatile and volatile variable.
-
- @param[in] ImageHandle The Image handle of this driver.
- @param[in] SystemTable The pointer of EFI_SYSTEM_TABLE.
-
- @retval EFI_SUCCESS Function successfully executed.
- @retval EFI_OUT_OF_RESOURCES Fail to allocate enough memory resource.
-
-**/
-EFI_STATUS
-VariableCommonInitialize (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- )
-{
- EFI_STATUS Status;
- EFI_FIRMWARE_VOLUME_HEADER *FwVolHeader;
- EFI_PHYSICAL_ADDRESS CurrPtr;
- VARIABLE_STORE_HEADER *VolatileVariableStore;
- VARIABLE_STORE_HEADER *VariableStoreHeader;
- EFI_PHYSICAL_ADDRESS Variable;
- EFI_PHYSICAL_ADDRESS NextVariable;
- UINTN VariableSize;
- UINT32 Instance;
- EFI_PHYSICAL_ADDRESS FvVolHdr;
- EFI_PHYSICAL_ADDRESS TempVariableStoreHeader;
- EFI_GCD_MEMORY_SPACE_DESCRIPTOR GcdDescriptor;
- UINT64 BaseAddress;
- UINT64 Length;
- UINTN Index;
- UINT8 Data;
- EFI_PHYSICAL_ADDRESS VariableStoreBase;
- UINT64 VariableStoreLength;
- EFI_EVENT ReadyToBootEvent;
- UINTN ScratchSize;
-
- //
- // Allocate memory for mVariableModuleGlobal
- //
- mVariableModuleGlobal = AllocateRuntimeZeroPool (sizeof (ESAL_VARIABLE_GLOBAL));
- if (mVariableModuleGlobal == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- mVariableModuleGlobal->GlobalVariableGuid[Physical] = &gEfiGlobalVariableGuid;
- CopyMem (
- mVariableModuleGlobal->VariableName[Physical],
- mVariableName,
- sizeof (mVariableName)
- );
-
- EfiInitializeLock(&mVariableModuleGlobal->VariableGlobal[Physical].VariableServicesLock, TPL_NOTIFY);
-
- //
- // Note that in EdkII variable driver implementation, Hardware Error Record type variable
- // is stored with common variable in the same NV region. So the platform integrator should
- // ensure that the value of PcdHwErrStorageSize is less than or equal to the value of
- // PcdFlashNvStorageVariableSize.
- //
- ASSERT (PcdGet32(PcdHwErrStorageSize) <= PcdGet32 (PcdFlashNvStorageVariableSize));
-
- //
- // Allocate memory for volatile variable store
- //
- ScratchSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize));
- VolatileVariableStore = AllocateRuntimePool (PcdGet32 (PcdVariableStoreSize) + ScratchSize);
- if (VolatileVariableStore == NULL) {
- FreePool (mVariableModuleGlobal);
- return EFI_OUT_OF_RESOURCES;
- }
-
- SetMem (VolatileVariableStore, PcdGet32 (PcdVariableStoreSize) + ScratchSize, 0xff);
-
- //
- // Variable Specific Data
- //
- mVariableModuleGlobal->VariableGlobal[Physical].VolatileVariableBase = (EFI_PHYSICAL_ADDRESS) (UINTN) VolatileVariableStore;
- mVariableModuleGlobal->VolatileLastVariableOffset = (UINTN) GetStartPointer ((EFI_PHYSICAL_ADDRESS) VolatileVariableStore) - (UINTN) VolatileVariableStore;
-
- CopyGuid (&VolatileVariableStore->Signature, &gEfiAuthenticatedVariableGuid);
- VolatileVariableStore->Size = PcdGet32 (PcdVariableStoreSize);
- VolatileVariableStore->Format = VARIABLE_STORE_FORMATTED;
- VolatileVariableStore->State = VARIABLE_STORE_HEALTHY;
- VolatileVariableStore->Reserved = 0;
- VolatileVariableStore->Reserved1 = 0;
-
- //
- // Get non volatile varaible store
- //
- TempVariableStoreHeader = (UINT64) PcdGet32 (PcdFlashNvStorageVariableBase);
- VariableStoreBase = TempVariableStoreHeader + \
- (((EFI_FIRMWARE_VOLUME_HEADER *) (UINTN) (TempVariableStoreHeader)) -> HeaderLength);
- VariableStoreLength = (UINT64) PcdGet32 (PcdFlashNvStorageVariableSize) - \
- (((EFI_FIRMWARE_VOLUME_HEADER *) (UINTN) (TempVariableStoreHeader)) -> HeaderLength);
- //
- // Mark the variable storage region of the FLASH as RUNTIME
- //
- BaseAddress = VariableStoreBase & (~EFI_PAGE_MASK);
- Length = VariableStoreLength + (VariableStoreBase - BaseAddress);
- Length = (Length + EFI_PAGE_SIZE - 1) & (~EFI_PAGE_MASK);
-
- Status = gDS->GetMemorySpaceDescriptor (BaseAddress, &GcdDescriptor);
- if (EFI_ERROR (Status)) {
- goto Done;
- }
-
- Status = gDS->SetMemorySpaceAttributes (
- BaseAddress,
- Length,
- GcdDescriptor.Attributes | EFI_MEMORY_RUNTIME
- );
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- //
- // Get address of non volatile variable store base.
- //
- mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase = VariableStoreBase;
-
- //
- // Check Integrity
- //
- //
- // Find the Correct Instance of the FV Block Service.
- //
- Instance = 0;
- CurrPtr = mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase;
-
- do {
- FvVolHdr = 0;
- Status = (EFI_STATUS) EsalCall (
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_LO,
- EFI_EXTENDED_SAL_FV_BLOCK_SERVICES_PROTOCOL_GUID_HI,
- GetPhysicalAddressFunctionId,
- Instance,
- (UINT64) &FvVolHdr,
- 0,
- 0,
- 0,
- 0,
- 0
- ).Status;
- if (EFI_ERROR (Status)) {
- break;
- }
- FwVolHeader = (EFI_FIRMWARE_VOLUME_HEADER *) ((UINTN) FvVolHdr);
- ASSERT (FwVolHeader != NULL);
- if (CurrPtr >= (EFI_PHYSICAL_ADDRESS) FwVolHeader &&
- CurrPtr < ((EFI_PHYSICAL_ADDRESS) FwVolHeader + FwVolHeader->FvLength)) {
- mVariableModuleGlobal->FvbInstance = Instance;
- break;
- }
-
- Instance++;
- } while (Status == EFI_SUCCESS);
-
- VariableStoreHeader = (VARIABLE_STORE_HEADER *) CurrPtr;
- if (GetVariableStoreStatus (VariableStoreHeader) == EfiValid) {
- if (~VariableStoreHeader->Size == 0) {
- Status = AccessVariableStore (
- TRUE,
- &mVariableModuleGlobal->VariableGlobal[Physical],
- FALSE,
- mVariableModuleGlobal->FvbInstance,
- (UINTN) &VariableStoreHeader->Size,
- sizeof (UINT32),
- (UINT8 *) &VariableStoreLength
- );
- //
- // As Variables are stored in NV storage, which are slow devices,such as flash.
- // Variable operation may skip checking variable program result to improve performance,
- // We can assume Variable program is OK through some check point.
- // Variable Store Size Setting should be the first Variable write operation,
- // We can assume all Read/Write is OK if we can set Variable store size successfully.
- // If write fail, we will assert here.
- //
- ASSERT(VariableStoreHeader->Size == VariableStoreLength);
-
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- }
-
- mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase = (EFI_PHYSICAL_ADDRESS) ((UINTN) CurrPtr);
- //
- // Parse non-volatile variable data and get last variable offset.
- //
- Variable = GetStartPointer (CurrPtr);
- Status = EFI_SUCCESS;
-
- while (IsValidVariableHeader (Variable, FALSE, &(mVariableModuleGlobal->VariableGlobal[Physical]), Instance, NULL)) {
- NextVariable = GetNextVariablePtr (
- Variable,
- FALSE,
- &(mVariableModuleGlobal->VariableGlobal[Physical]),
- Instance
- );
- VariableSize = NextVariable - Variable;
- if ((((AUTHENTICATED_VARIABLE_HEADER *)Variable)->Attributes & (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_HARDWARE_ERROR_RECORD)) == (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_HARDWARE_ERROR_RECORD)) {
- mVariableModuleGlobal->HwErrVariableTotalSize += VariableSize;
- } else {
- mVariableModuleGlobal->CommonVariableTotalSize += VariableSize;
- }
-
- Variable = NextVariable;
- }
-
- mVariableModuleGlobal->NonVolatileLastVariableOffset = (UINTN) Variable - (UINTN) CurrPtr;
-
- //
- // Check if the free area is really free.
- //
- for (Index = mVariableModuleGlobal->NonVolatileLastVariableOffset; Index < VariableStoreHeader->Size; Index++) {
- Data = ((UINT8 *) (UINTN) mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase)[Index];
- if (Data != 0xff) {
- //
- // There must be something wrong in variable store, do reclaim operation.
- //
- Status = Reclaim (
- mVariableModuleGlobal->VariableGlobal[Physical].NonVolatileVariableBase,
- &mVariableModuleGlobal->NonVolatileLastVariableOffset,
- FALSE,
- Physical,
- mVariableModuleGlobal,
- 0x0
- );
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- break;
- }
- }
-
- //
- // Register the event handling function to reclaim variable for OS usage.
- //
- Status = EfiCreateEventReadyToBootEx (
- TPL_NOTIFY,
- ReclaimForOS,
- NULL,
- &ReadyToBootEvent
- );
- } else {
- Status = EFI_VOLUME_CORRUPTED;
- DEBUG((EFI_D_ERROR, "Variable Store header is corrupted\n"));
- }
-
-Done:
- if (EFI_ERROR (Status)) {
- FreePool (mVariableModuleGlobal);
- FreePool (VolatileVariableStore);
- }
-
- return Status;
-}
diff --git a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.h b/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.h
deleted file mode 100644
index b32ef741bf..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/EsalVariableDxeSal/Variable.h
+++ /dev/null
@@ -1,505 +0,0 @@
-/** @file
- Internal header file for Extended SAL variable service module.
-
-Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef _VARIABLE_H_
-#define _VARIABLE_H_
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define MAX_NAME_SIZE 0x100
-#define NUM_VAR_NAME 9 // Number of pre-defined variable name to be referenced
-#define VAR_PLATFORM_LANG_CODES 0 // Index of "PlatformLangCodes" variable
-#define VAR_LANG_CODES 1 // Index of "LangCodes" variable
-#define VAR_PLATFORM_LANG 2 // Index of "PlatformLang" variable
-#define VAR_LANG 3 // Index of "Lang" variable
-#define VAR_HW_ERR_REC 4 // Index of "HwErrRecXXXX" variable
-#define VAR_AUTH_KEY_DB 5 // Index of "AuthVarKeyDatabase" variable
-#define VAR_SETUP_MODE 6 // Index of "SetupMode" variable
-#define VAR_PLATFORM_KEY 7 // Index of "PK" variable
-#define VAR_KEY_EXCHANGE_KEY 8 // Index of "KEK" variable
-
-///
-/// "AuthVarKeyDatabase" variable for the Public Key store.
-///
-#define AUTHVAR_KEYDB_NAME L"AuthVarKeyDatabase"
-#define AUTHVAR_KEYDB_NAME_SIZE 38
-
-///
-/// The maximum size of the public key database, restricted by maximum individal EFI
-/// varible size, and excluding the variable header and name size.
-///
-#define MAX_KEYDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (AUTHENTICATED_VARIABLE_HEADER) - AUTHVAR_KEYDB_NAME_SIZE)
-#define MAX_KEY_NUM (MAX_KEYDB_SIZE / EFI_CERT_TYPE_RSA2048_SIZE)
-
-///
-/// The size of a 3 character ISO639 language code.
-///
-#define ISO_639_2_ENTRY_SIZE 3
-
-typedef enum {
- Physical,
- Virtual
-} VARIABLE_POINTER_TYPE;
-
-typedef struct {
- EFI_PHYSICAL_ADDRESS CurrPtr;
- EFI_PHYSICAL_ADDRESS EndPtr;
- EFI_PHYSICAL_ADDRESS StartPtr;
- BOOLEAN Volatile;
-} VARIABLE_POINTER_TRACK;
-
-typedef struct {
- EFI_PHYSICAL_ADDRESS VolatileVariableBase;
- EFI_PHYSICAL_ADDRESS NonVolatileVariableBase;
- EFI_LOCK VariableServicesLock;
-} VARIABLE_GLOBAL;
-
-typedef struct {
- VARIABLE_GLOBAL VariableGlobal[2];
- CHAR16 *VariableName[2][NUM_VAR_NAME];
- EFI_GUID *GlobalVariableGuid[2];
- UINTN VolatileLastVariableOffset;
- UINTN NonVolatileLastVariableOffset;
- UINTN CommonVariableTotalSize;
- UINTN HwErrVariableTotalSize;
- CHAR8 *PlatformLangCodes[2];
- CHAR8 *LangCodes[2];
- CHAR8 *PlatformLang[2];
- CHAR8 Lang[ISO_639_2_ENTRY_SIZE + 1];
- UINT32 FvbInstance;
- UINT32 ReentrantState;
- EFI_GUID *AuthenticatedVariableGuid[2];
- EFI_GUID *CertRsa2048Sha256Guid[2];
- EFI_GUID *ImageSecurityDatabaseGuid[2];
- VOID *HashContext[2]; // Hash context pointer
- UINT8 KeyList[MAX_KEYDB_SIZE]; // Cached Platform Key list
- UINT8 PubKeyStore[MAX_KEYDB_SIZE]; // Cached Public Key list
-} ESAL_VARIABLE_GLOBAL;
-
-typedef struct {
- EFI_GUID *Guid;
- CHAR16 *Name;
- UINT32 Attributes;
- UINTN DataSize;
- VOID *Data;
-} VARIABLE_CACHE_ENTRY;
-
-
-extern ESAL_VARIABLE_GLOBAL *mVariableModuleGlobal;
-
-//
-// Functions
-//
-
-/**
- Initializes variable store area for non-volatile and volatile variable.
-
- This function allocates and initializes memory space for global context of ESAL
- variable service and variable store area for non-volatile and volatile variable.
-
- @param[in] ImageHandle The Image handle of this driver.
- @param[in] SystemTable The pointer of EFI_SYSTEM_TABLE.
-
- @retval EFI_SUCCESS Function successfully executed.
- @retval EFI_OUT_OF_RESOURCES Failed to allocate enough memory resource.
-
-**/
-EFI_STATUS
-VariableCommonInitialize (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- );
-
-/**
- Entry point of Extended SAL Variable service module.
-
- This function is the entry point of Extended SAL Variable service module.
- It registers all functions of Extended SAL Variable class, initializes
- variable store for non-volatile and volatile variables, and registers
- notification function for EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event.
-
- @param[in] ImageHandle The Image handle of this driver.
- @param[in] SystemTable The pointer of EFI_SYSTEM_TABLE.
-
- @retval EFI_SUCCESS Extended SAL Variable Services Class successfully registered.
-
-**/
-EFI_STATUS
-EFIAPI
-VariableServiceInitialize (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- );
-
-/**
- Notification function of EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE.
-
- This is a notification function registered on EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event.
- It convers pointer to new virtual address.
-
- @param[in] Event The event whose notification function is being invoked.
- @param[in] Context The pointer to the notification function's context.
-
-**/
-VOID
-EFIAPI
-VariableClassAddressChangeEvent (
- IN EFI_EVENT Event,
- IN VOID *Context
- );
-
-/**
- Implements EsalGetVariable function of Extended SAL Variable Services Class.
-
- This function implements EsalGetVariable function of Extended SAL Variable Services Class.
- It is equivalent in functionality to the EFI Runtime Service GetVariable().
-
- @param[in] VariableName A Null-terminated Unicode string that is the name of
- the vendor's variable.
- @param[in] VendorGuid A unique identifier for the vendor.
- @param[out] Attributes If not NULL, a pointer to the memory location to return the
- attributes bitmask for the variable.
- @param[in, out] DataSize Size of Data found. If size is less than the
- data, this value contains the required size.
- @param[out] Data On input, the size in bytes of the return Data buffer.
- On output, the size of data returned in Data.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
-
- @retval EFI_SUCCESS The function completed successfully.
- @retval EFI_NOT_FOUND The variable was not found.
- @retval EFI_BUFFER_TOO_SMALL DataSize is too small for the result. DataSize has
- been updated with the size needed to complete the request.
- @retval EFI_INVALID_PARAMETER VariableName is NULL.
- @retval EFI_INVALID_PARAMETER VendorGuid is NULL.
- @retval EFI_INVALID_PARAMETER DataSize is NULL.
- @retval EFI_INVALID_PARAMETER DataSize is not too small and Data is NULL.
- @retval EFI_DEVICE_ERROR The variable could not be retrieved due to a hardware error.
- @retval EFI_SECURITY_VIOLATION The variable could not be retrieved due to an authentication failure.
-
-**/
-EFI_STATUS
-EFIAPI
-EsalGetVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- OUT UINT32 *Attributes OPTIONAL,
- IN OUT UINTN *DataSize,
- OUT VOID *Data,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- );
-
-/**
- Implements EsalGetNextVariableName function of Extended SAL Variable Services Class.
-
- This function implements EsalGetNextVariableName function of Extended SAL Variable Services Class.
- It is equivalent in functionality to the EFI Runtime Service GetNextVariableName().
-
- @param[in, out] VariableNameSize Size of the variable
- @param[in, out] VariableName On input, supplies the last VariableName that was returned by GetNextVariableName().
- On output, returns the Null-terminated Unicode string of the current variable.
- @param[in, out] VendorGuid On input, supplies the last VendorGuid that was returned by GetNextVariableName().
- On output, returns the VendorGuid of the current variable.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
-
- @retval EFI_SUCCESS The function completed successfully.
- @retval EFI_NOT_FOUND The next variable was not found.
- @retval EFI_BUFFER_TOO_SMALL VariableNameSize is too small for the result.
- VariableNameSize has been updated with the size needed to complete the request.
- @retval EFI_INVALID_PARAMETER VariableNameSize is NULL.
- @retval EFI_INVALID_PARAMETER VariableName is NULL.
- @retval EFI_INVALID_PARAMETER VendorGuid is NULL.
- @retval EFI_DEVICE_ERROR The variable name could not be retrieved due to a hardware error.
-
-**/
-EFI_STATUS
-EFIAPI
-EsalGetNextVariableName (
- IN OUT UINTN *VariableNameSize,
- IN OUT CHAR16 *VariableName,
- IN OUT EFI_GUID *VendorGuid,
- IN BOOLEAN VirtualMode,
- IN ESAL_VARIABLE_GLOBAL *Global
- );
-
-/**
- Implements EsalSetVariable function of Extended SAL Variable Services Class.
-
- This function implements EsalSetVariable function of Extended SAL Variable Services Class.
- It is equivalent in functionality to the EFI Runtime Service SetVariable().
-
- @param[in] VariableName A Null-terminated Unicode string that is the name of the vendor's
- variable. Each VariableName is unique for each
- VendorGuid. VariableName must contain 1 or more
- Unicode characters. If VariableName is an empty Unicode
- string, then EFI_INVALID_PARAMETER is returned.
- @param[in] VendorGuid A unique identifier for the vendor.
- @param[in] Attributes Attributes bitmask to set for the variable.
- @param[in] DataSize The size in bytes of the Data buffer. A size of zero causes the
- variable to be deleted.
- @param[in] Data The contents for the variable.
- @param[in] VirtualMode Current calling mode for this function.
- @param[in] Global Context of this Extended SAL Variable Services Class call.
-
- @retval EFI_SUCCESS The firmware has successfully stored the variable and its data as
- defined by the Attributes.
- @retval EFI_INVALID_PARAMETER An invalid combination of attribute bits was supplied, or the
- DataSize exceeds the maximum allowed.
- @retval EFI_INVALID_PARAMETER VariableName is an empty Unicode string. - @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the variable and its data. - @retval EFI_DEVICE_ERROR The variable could not be saved due to a hardware failure. - @retval EFI_WRITE_PROTECTED The variable in question is read-only. - @retval EFI_WRITE_PROTECTED The variable in question cannot be deleted. - @retval EFI_SECURITY_VIOLATION The variable could not be retrieved due to an authentication failure. - @retval EFI_NOT_FOUND The variable trying to be updated or deleted was not found. - -**/ -EFI_STATUS -EFIAPI -EsalSetVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - IN UINT32 Attributes, - IN UINTN DataSize, - IN VOID *Data, - IN BOOLEAN VirtualMode, - IN ESAL_VARIABLE_GLOBAL *Global - ); - -/** - Implements EsalQueryVariableInfo function of Extended SAL Variable Services Class. - - This function implements EsalQueryVariableInfo function of Extended SAL Variable Services Class. - It is equivalent in functionality to the EFI Runtime Service QueryVariableInfo(). - - @param[in] Attributes Attributes bitmask to specify the type of variables - on which to return information. - @param[out] MaximumVariableStorageSize On output the maximum size of the storage space available for - the EFI variables associated with the attributes specified. - @param[out] RemainingVariableStorageSize Returns the remaining size of the storage space available for EFI - variables associated with the attributes specified. - @param[out] MaximumVariableSize Returns the maximum size of an individual EFI variable - associated with the attributes specified. - @param[in] VirtualMode Current calling mode for this function - @param[in] Global Context of this Extended SAL Variable Services Class call - - @retval EFI_SUCCESS Valid answer returned. - @retval EFI_INVALID_PARAMETER An invalid combination of attribute bits was supplied. 
- @retval EFI_UNSUPPORTED The attribute is not supported on this platform, and the - MaximumVariableStorageSize, RemainingVariableStorageSize, - MaximumVariableSize are undefined. -**/ -EFI_STATUS -EFIAPI -EsalQueryVariableInfo ( - IN UINT32 Attributes, - OUT UINT64 *MaximumVariableStorageSize, - OUT UINT64 *RemainingVariableStorageSize, - OUT UINT64 *MaximumVariableSize, - IN BOOLEAN VirtualMode, - IN ESAL_VARIABLE_GLOBAL *Global - ); - -/** - Writes a buffer to variable storage space. - - This function writes a buffer to variable storage space into firmware - volume block device. The destination is specified by parameter - VariableBase. Fault Tolerant Write protocol is used for writing. - - @param[in] VariableBase The base address of the variable to write. - @param[in] Buffer Points to the data buffer. - @param[in] BufferSize The number of bytes of the data Buffer. - - @retval EFI_SUCCESS The function completed successfully. - @retval EFI_NOT_FOUND Fail to locate Fault Tolerant Write protocol. - @retval Other The function could not complete successfully. - -**/ -EFI_STATUS -FtwVariableSpace ( - IN EFI_PHYSICAL_ADDRESS VariableBase, - IN UINT8 *Buffer, - IN UINTN BufferSize - ); - -/** - Finds variable in volatile and non-volatile storage areas. - - This code finds variable in volatile and non-volatile storage areas. - If VariableName is an empty string, then we just return the first - qualified variable without comparing VariableName and VendorGuid. - Otherwise, VariableName and VendorGuid are compared. - - @param[in] VariableName Name of the variable to be found. - @param[in] VendorGuid Vendor GUID to be found. - @param[out] PtrTrack VARIABLE_POINTER_TRACK structure for output, - including the range searched and the target position. - @param[in] Global Pointer to VARIABLE_GLOBAL structure, including - base of volatile variable storage area, base of - NV variable storage area, and a lock. - @param[in] Instance Instance of FV Block services. 
- - @retval EFI_INVALID_PARAMETER If VariableName is not an empty string, while - VendorGuid is NULL. - @retval EFI_SUCCESS Variable successfully found. - @retval EFI_INVALID_PARAMETER Variable not found. - -**/ -EFI_STATUS -FindVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - OUT VARIABLE_POINTER_TRACK *PtrTrack, - IN VARIABLE_GLOBAL *Global, - IN UINTN Instance - ); - -/** - Gets the pointer to variable data area. - - This function gets the pointer to variable data area. - The variable is specified by its variable header. - - @param[in] VariableAddress Start address of variable header. - @param[in] Volatile TRUE - Variable is volatile. - FALSE - Variable is non-volatile. - @param[in] Global Pointer to VARAIBLE_GLOBAL structure. - @param[in] Instance Instance of FV Block services. - @param[out] VariableData Buffer to hold variable data for output. - -**/ -VOID -GetVariableDataPtr ( - IN EFI_PHYSICAL_ADDRESS VariableAddress, - IN BOOLEAN Volatile, - IN VARIABLE_GLOBAL *Global, - IN UINTN Instance, - OUT CHAR16 *VariableData - ); - -/** - Gets the size of variable data area. - - This function gets the size of variable data area. - The variable is specified by its variable header. - If variable header contains raw data, just return 0. - - @param[in] Variable Pointer to the variable header. - - @return Size of variable data area in bytes. - -**/ -UINTN -DataSizeOfVariable ( - IN AUTHENTICATED_VARIABLE_HEADER *Variable - ); - -/** - Update the variable region with Variable information. These are the same - arguments as the EFI Variable services. - - @param[in] VariableName Name of variable. - @param[in] VendorGuid Guid of variable. - @param[in] Data Variable data. - @param[in] DataSize Size of data. 0 means delete. - @param[in] Attributes Attributes of the variable. - @param[in] KeyIndex Index of associated public key. - @param[in] MonotonicCount Value of associated monotonic count. - @param[in] VirtualMode Current calling mode for this function. 
- @param[in] Global Context of this Extended SAL Variable Services Class call. - @param[in] Variable The variable information which is used to keep track of variable usage. - - @retval EFI_SUCCESS The update operation is success. - @retval EFI_OUT_OF_RESOURCES Variable region is full, can not write other data into this region. - -**/ -EFI_STATUS -EFIAPI -UpdateVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - IN VOID *Data, - IN UINTN DataSize, - IN UINT32 Attributes OPTIONAL, - IN UINT32 KeyIndex OPTIONAL, - IN UINT64 MonotonicCount OPTIONAL, - IN BOOLEAN VirtualMode, - IN ESAL_VARIABLE_GLOBAL *Global, - IN VARIABLE_POINTER_TRACK *Variable - ); - -/** - Checks variable header. - - This function checks if variable header is valid or not. - - @param[in] VariableAddress Start address of variable header. - @param[in] Volatile TRUE - Variable is volatile. - FALSE - Variable is non-volatile. - @param[in] Global Pointer to VARAIBLE_GLOBAL structure. - @param[in] Instance Instance of FV Block services. - @param[out] VariableHeader Pointer to AUTHENTICATED_VARIABLE_HEADER for output. - - @retval TRUE Variable header is valid. - @retval FALSE Variable header is not valid. - -**/ -BOOLEAN -IsValidVariableHeader ( - IN EFI_PHYSICAL_ADDRESS VariableAddress, - IN BOOLEAN Volatile, - IN VARIABLE_GLOBAL *Global, - IN UINTN Instance, - OUT AUTHENTICATED_VARIABLE_HEADER *VariableHeader OPTIONAL - ); - -/** - Flush the HOB variable to NV variable storage. -**/ -VOID -FlushHob2Nv ( - VOID - ); - -#endif diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr deleted file mode 100644 index bbecff2b08..0000000000 --- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr +++ /dev/null 
@@ -1,570 +0,0 @@
-/** @file
- VFR file used by the SecureBoot configuration component.
-
-Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "SecureBootConfigNvData.h" - -formset - guid = SECUREBOOT_CONFIG_FORM_SET_GUID, - title = STRING_TOKEN(STR_SECUREBOOT_TITLE), - help = STRING_TOKEN(STR_SECUREBOOT_HELP), - classguid = EFI_HII_PLATFORM_SETUP_FORMSET_GUID, - - varstore SECUREBOOT_CONFIGURATION, - varid = SECUREBOOT_CONFIGURATION_VARSTORE_ID, - name = SECUREBOOT_CONFIGURATION, - guid = SECUREBOOT_CONFIG_FORM_SET_GUID; - - // - // ##1 Form "Secure Boot Configuration" - // - form formid = SECUREBOOT_CONFIGURATION_FORM_ID, - title = STRING_TOKEN(STR_SECUREBOOT_TITLE); - - subtitle text = STRING_TOKEN(STR_NULL); - - text - help = STRING_TOKEN(STR_SECURE_BOOT_STATE_HELP), - text = STRING_TOKEN(STR_SECURE_BOOT_STATE_PROMPT), - text = STRING_TOKEN(STR_SECURE_BOOT_STATE_CONTENT); - - // - // Display of Check Box: Attempt Secure Boot - // - grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1 OR NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1; - checkbox varid = SECUREBOOT_CONFIGURATION.AttemptSecureBoot, - questionid = KEY_SECURE_BOOT_ENABLE, - prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT), - help = STRING_TOKEN(STR_SECURE_BOOT_HELP), - flags = INTERACTIVE | RESET_REQUIRED, - endcheckbox; - endif; - - // - // Display of Oneof: 'Secure Boot Mode' - // - oneof name = SecureBootMode, - questionid = KEY_SECURE_BOOT_MODE, - prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT), - help = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP), - flags = INTERACTIVE | NUMERIC_SIZE_1, - option text = STRING_TOKEN(STR_STANDARD_MODE), value = SECURE_BOOT_MODE_STANDARD, flags = DEFAULT; - option 
text = STRING_TOKEN(STR_CUSTOM_MODE), value = SECURE_BOOT_MODE_CUSTOM, flags = 0; - endoneof; - - // - // Display of 'Current Secure Boot Mode' - // - suppressif questionref(SecureBootMode) == SECURE_BOOT_MODE_STANDARD; - grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1; - goto FORMID_SECURE_BOOT_OPTION_FORM, - prompt = STRING_TOKEN(STR_SECURE_BOOT_OPTION), - help = STRING_TOKEN(STR_SECURE_BOOT_OPTION_HELP), - flags = INTERACTIVE, - key = KEY_SECURE_BOOT_OPTION; - endif; - endif; - - endform; - - // - // ##2 Form: 'Custom Secure Boot Options' - // - form formid = FORMID_SECURE_BOOT_OPTION_FORM, - title = STRING_TOKEN(STR_SECURE_BOOT_OPTION_TITLE); - - subtitle text = STRING_TOKEN(STR_NULL); - - goto FORMID_SECURE_BOOT_PK_OPTION_FORM, - prompt = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION), - help = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION_HELP), - flags = INTERACTIVE, - key = KEY_SECURE_BOOT_PK_OPTION; - - subtitle text = STRING_TOKEN(STR_NULL); - - goto FORMID_SECURE_BOOT_KEK_OPTION_FORM, - prompt = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION), - help = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION_HELP), - flags = INTERACTIVE, - key = KEY_SECURE_BOOT_KEK_OPTION; - - subtitle text = STRING_TOKEN(STR_NULL); - - goto FORMID_SECURE_BOOT_DB_OPTION_FORM, - prompt = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION), - help = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION_HELP), - flags = INTERACTIVE, - key = KEY_SECURE_BOOT_DB_OPTION; - - subtitle text = STRING_TOKEN(STR_NULL); - - goto FORMID_SECURE_BOOT_DBX_OPTION_FORM, - prompt = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION), - help = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION_HELP), - flags = INTERACTIVE, - key = KEY_SECURE_BOOT_DBX_OPTION; - - subtitle text = STRING_TOKEN(STR_NULL); - - goto FORMID_SECURE_BOOT_DBT_OPTION_FORM, - prompt = STRING_TOKEN(STR_SECURE_BOOT_DBT_OPTION), - help = STRING_TOKEN(STR_SECURE_BOOT_DBT_OPTION_HELP), - flags = INTERACTIVE, - key = KEY_SECURE_BOOT_DBT_OPTION; - - endform; - - // - // ##3 Form: 'PK Options' 
- // - form formid = FORMID_SECURE_BOOT_PK_OPTION_FORM, - title = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION); - - subtitle text = STRING_TOKEN(STR_NULL); - - // - // Display of 'Enroll PK' - // - grayoutif ideqval SECUREBOOT_CONFIGURATION.HasPk == 1; - goto FORMID_ENROLL_PK_FORM, - prompt = STRING_TOKEN(STR_ENROLL_PK), - help = STRING_TOKEN(STR_ENROLL_PK_HELP), - flags = INTERACTIVE, - key = KEY_ENROLL_PK; - endif; - - subtitle text = STRING_TOKEN(STR_NULL); - - // - // Display of Check Box: 'Delete Pk' - // - grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1; - checkbox varid = SECUREBOOT_CONFIGURATION.DeletePk, - questionid = KEY_SECURE_BOOT_DELETE_PK, - prompt = STRING_TOKEN(STR_DELETE_PK), - help = STRING_TOKEN(STR_DELETE_PK_HELP), - flags = INTERACTIVE | RESET_REQUIRED, - endcheckbox; - endif; - endform; - - // - // ##4 Form: 'Enroll PK' - // - form formid = FORMID_ENROLL_PK_FORM, - title = STRING_TOKEN(STR_ENROLL_PK); - - subtitle text = STRING_TOKEN(STR_NULL); - - goto FORMID_ENROLL_PK_FORM, - prompt = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_PK_FILE), - help = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_PK_FILE), - flags = INTERACTIVE, - key = FORMID_ENROLL_PK_FORM; - - subtitle text = STRING_TOKEN(STR_NULL); - label FORMID_ENROLL_PK_FORM; - label LABEL_END; - subtitle text = STRING_TOKEN(STR_NULL); - - goto FORMID_SECURE_BOOT_OPTION_FORM, - prompt = STRING_TOKEN(STR_SAVE_AND_EXIT), - help = STRING_TOKEN(STR_SAVE_AND_EXIT), - flags = INTERACTIVE| RESET_REQUIRED, - key = KEY_VALUE_SAVE_AND_EXIT_PK; - - goto FORMID_SECURE_BOOT_OPTION_FORM, - prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT), - help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT), - flags = INTERACTIVE, - key = KEY_VALUE_NO_SAVE_AND_EXIT_PK; - - endform; - - // - // ##5 Form: 'KEK Options' - // - form formid = FORMID_SECURE_BOOT_KEK_OPTION_FORM, - title = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION); - - // - // Display of 'Enroll KEK' - // - goto FORMID_ENROLL_KEK_FORM, - prompt = STRING_TOKEN(STR_ENROLL_KEK), - 
help = STRING_TOKEN(STR_ENROLL_KEK_HELP), - flags = INTERACTIVE; - - subtitle text = STRING_TOKEN(STR_NULL); - - // - // Display of 'Delete KEK' - // - goto FORMID_DELETE_KEK_FORM, - prompt = STRING_TOKEN(STR_DELETE_KEK), - help = STRING_TOKEN(STR_DELETE_KEK_HELP), - flags = INTERACTIVE, - key = KEY_DELETE_KEK; - - subtitle text = STRING_TOKEN(STR_NULL); - endform; - - // - // ##6 Form: 'Enroll KEK' - // - form formid = FORMID_ENROLL_KEK_FORM, - title = STRING_TOKEN(STR_ENROLL_KEK_TITLE); - - subtitle text = STRING_TOKEN(STR_NULL); - - goto FORMID_ENROLL_KEK_FORM, - prompt = STRING_TOKEN(STR_FORM_ENROLL_KEK_FROM_FILE_TITLE), - help = STRING_TOKEN(STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP), - flags = INTERACTIVE, - key = FORMID_ENROLL_KEK_FORM; - - subtitle text = STRING_TOKEN(STR_NULL); - label FORMID_ENROLL_KEK_FORM; - label LABEL_END; - subtitle text = STRING_TOKEN(STR_NULL); - - string varid = SECUREBOOT_CONFIGURATION.SignatureGuid, - prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID), - help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP), - flags = INTERACTIVE, - key = KEY_SECURE_BOOT_KEK_GUID, - minsize = SECURE_BOOT_GUID_SIZE, - maxsize = SECURE_BOOT_GUID_SIZE, - endstring; - - subtitle text = STRING_TOKEN(STR_NULL); - subtitle text = STRING_TOKEN(STR_NULL); - - goto FORMID_SECURE_BOOT_OPTION_FORM, - prompt = STRING_TOKEN(STR_SAVE_AND_EXIT), - help = STRING_TOKEN(STR_SAVE_AND_EXIT), - flags = INTERACTIVE, - key = KEY_VALUE_SAVE_AND_EXIT_KEK; - - goto FORMID_SECURE_BOOT_OPTION_FORM, - prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT), - help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT), - flags = INTERACTIVE, - key = KEY_VALUE_NO_SAVE_AND_EXIT_KEK; - - endform; - - // - // ##7 Form: 'Delete KEK' - // - form formid = FORMID_DELETE_KEK_FORM, - title = STRING_TOKEN(STR_DELETE_KEK_TITLE); - - label LABEL_KEK_DELETE; - label LABEL_END; - - subtitle text = STRING_TOKEN(STR_NULL); - - endform; - - // - // ##8 Form: 'DB Options' - // - form formid = 
FORMID_SECURE_BOOT_DB_OPTION_FORM, - title = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION); - - subtitle text = STRING_TOKEN(STR_NULL); - - goto SECUREBOOT_ENROLL_SIGNATURE_TO_DB, - prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE), - help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE), - flags = 0; - - subtitle text = STRING_TOKEN(STR_NULL); - - goto SECUREBOOT_DELETE_SIGNATURE_FROM_DB, - prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE), - help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE), - flags = INTERACTIVE, - key = SECUREBOOT_DELETE_SIGNATURE_FROM_DB; - - endform; - - // - // ##9 Form: 'DBX Options' - // - form formid = FORMID_SECURE_BOOT_DBX_OPTION_FORM, - title = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION); - - subtitle text = STRING_TOKEN(STR_NULL); - - goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBX, - prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE), - help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE), - flags = 0; - - subtitle text = STRING_TOKEN(STR_NULL); - - goto SECUREBOOT_DELETE_SIGNATURE_FROM_DBX, - prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE), - help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE), - flags = INTERACTIVE, - key = SECUREBOOT_DELETE_SIGNATURE_FROM_DBX; - - endform; - - // - // ##9 Form: 'DBT Options' - // - form formid = FORMID_SECURE_BOOT_DBT_OPTION_FORM, - title = STRING_TOKEN(STR_SECURE_BOOT_DBT_OPTION); - - subtitle text = STRING_TOKEN(STR_NULL); - - goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBT, - prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE), - help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE), - flags = 0; - - subtitle text = STRING_TOKEN(STR_NULL); - - goto SECUREBOOT_DELETE_SIGNATURE_FROM_DBT, - prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE), - help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE), - flags = INTERACTIVE, - key = SECUREBOOT_DELETE_SIGNATURE_FROM_DBT; - - endform; - - // - // Form: 'Delete Signature' for DB Options. 
- // - form formid = SECUREBOOT_DELETE_SIGNATURE_FROM_DB, - title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE); - - label LABEL_DB_DELETE; - label LABEL_END; - subtitle text = STRING_TOKEN(STR_NULL); - - endform; - - // - // Form: 'Delete Signature' for DBX Options. - // - form formid = SECUREBOOT_DELETE_SIGNATURE_FROM_DBX, - title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE); - - label LABEL_DBX_DELETE; - label LABEL_END; - subtitle text = STRING_TOKEN(STR_NULL); - - endform; - - // - // Form: 'Delete Signature' for DBT Options. - // - form formid = SECUREBOOT_DELETE_SIGNATURE_FROM_DBT, - title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE); - - label LABEL_DBT_DELETE; - label LABEL_END; - subtitle text = STRING_TOKEN(STR_NULL); - - endform; - - // - // Form: 'Enroll Signature' for DB options. - // - form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DB, - title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE); - - subtitle text = STRING_TOKEN(STR_NULL); - - goto SECUREBOOT_ENROLL_SIGNATURE_TO_DB, - prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE), - help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE), - flags = INTERACTIVE, - key = SECUREBOOT_ENROLL_SIGNATURE_TO_DB; - - subtitle text = STRING_TOKEN(STR_NULL); - label SECUREBOOT_ENROLL_SIGNATURE_TO_DB; - label LABEL_END; - subtitle text = STRING_TOKEN(STR_NULL); - - string varid = SECUREBOOT_CONFIGURATION.SignatureGuid, - prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID), - help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP), - flags = INTERACTIVE, - key = KEY_SECURE_BOOT_SIGNATURE_GUID_DB, - minsize = SECURE_BOOT_GUID_SIZE, - maxsize = SECURE_BOOT_GUID_SIZE, - endstring; - - subtitle text = STRING_TOKEN(STR_NULL); - subtitle text = STRING_TOKEN(STR_NULL); - - goto FORMID_SECURE_BOOT_OPTION_FORM, - prompt = STRING_TOKEN(STR_SAVE_AND_EXIT), - help = STRING_TOKEN(STR_SAVE_AND_EXIT), - flags = INTERACTIVE, - key = KEY_VALUE_SAVE_AND_EXIT_DB; - - goto FORMID_SECURE_BOOT_OPTION_FORM, - prompt 
= STRING_TOKEN(STR_NO_SAVE_AND_EXIT), - help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT), - flags = INTERACTIVE, - key = KEY_VALUE_NO_SAVE_AND_EXIT_DB; - - endform; - - // - // Form: 'Enroll Signature' for DBX options. - // - form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX, - title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE); - - subtitle text = STRING_TOKEN(STR_NULL); - - goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBX, - prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE), - help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE), - flags = INTERACTIVE, - key = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX; - - label SECUREBOOT_ENROLL_SIGNATURE_TO_DBX; - label LABEL_END; - subtitle text = STRING_TOKEN(STR_NULL); - - grayoutif ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 3; - string varid = SECUREBOOT_CONFIGURATION.SignatureGuid, - prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID), - help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP), - flags = INTERACTIVE, - key = KEY_SECURE_BOOT_SIGNATURE_GUID_DBX, - minsize = SECURE_BOOT_GUID_SIZE, - maxsize = SECURE_BOOT_GUID_SIZE, - endstring; - endif; - - disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 1; - oneof name = X509SignatureFormatInDbx, - varid = SECUREBOOT_CONFIGURATION.CertificateFormat, - prompt = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), - help = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP), - option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x1, flags = DEFAULT; - option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x2, flags = 0; - option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x3, flags = 0; - option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x4, flags = 0; - endoneof; - endif; - - disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 2; - text - help = STRING_TOKEN(STR_DBX_PE_IMAGE_FORMAT_HELP), // Help string - text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), // Prompt string - 
text = STRING_TOKEN(STR_DBX_PE_FORMAT_SHA256); // PE image type - endif; - - disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 3; - text - help = STRING_TOKEN(STR_DBX_AUTH_2_FORMAT_HELP), // Help string - text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), // Prompt string - text = STRING_TOKEN(STR_DBX_AUTH_2_FORMAT); // AUTH_2 image type - endif; - - suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 4; - checkbox varid = SECUREBOOT_CONFIGURATION.AlwaysRevocation, - prompt = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_PROMPT), - help = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_HELP), - flags = INTERACTIVE, - endcheckbox; - - suppressif ideqval SECUREBOOT_CONFIGURATION.AlwaysRevocation == 1; - date varid = SECUREBOOT_CONFIGURATION.RevocationDate, - prompt = STRING_TOKEN(STR_CERTIFICATE_REVOCATION_DATE_PROMPT), - help = STRING_TOKEN(STR_CERTIFICATE_REVOCATION_DATE_HELP), - flags = STORAGE_NORMAL, - enddate; - - time varid = SECUREBOOT_CONFIGURATION.RevocationTime, - prompt = STRING_TOKEN(STR_CERTIFICATE_REVOCATION_TIME_PROMPT), - help = STRING_TOKEN(STR_CERTIFICATE_REVOCATION_TIME_HELP), - flags = STORAGE_NORMAL, - endtime; - endif; - endif; - - subtitle text = STRING_TOKEN(STR_NULL); - subtitle text = STRING_TOKEN(STR_NULL); - - goto FORMID_SECURE_BOOT_OPTION_FORM, - prompt = STRING_TOKEN(STR_SAVE_AND_EXIT), - help = STRING_TOKEN(STR_SAVE_AND_EXIT), - flags = INTERACTIVE, - key = KEY_VALUE_SAVE_AND_EXIT_DBX; - - goto FORMID_SECURE_BOOT_OPTION_FORM, - prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT), - help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT), - flags = INTERACTIVE, - key = KEY_VALUE_NO_SAVE_AND_EXIT_DBX; - - endform; - - // - // Form: 'Enroll Signature' for DBT options. 
- // - form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DBT, - title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE); - - subtitle text = STRING_TOKEN(STR_NULL); - - goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBT, - prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE), - help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE), - flags = INTERACTIVE, - key = SECUREBOOT_ENROLL_SIGNATURE_TO_DBT; - - subtitle text = STRING_TOKEN(STR_NULL); - label SECUREBOOT_ENROLL_SIGNATURE_TO_DBT; - label LABEL_END; - subtitle text = STRING_TOKEN(STR_NULL); - - string varid = SECUREBOOT_CONFIGURATION.SignatureGuid, - prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID), - help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP), - flags = INTERACTIVE, - key = KEY_SECURE_BOOT_SIGNATURE_GUID_DBT, - minsize = SECURE_BOOT_GUID_SIZE, - maxsize = SECURE_BOOT_GUID_SIZE, - endstring; - - subtitle text = STRING_TOKEN(STR_NULL); - subtitle text = STRING_TOKEN(STR_NULL); - - goto FORMID_SECURE_BOOT_OPTION_FORM, - prompt = STRING_TOKEN(STR_SAVE_AND_EXIT), - help = STRING_TOKEN(STR_SAVE_AND_EXIT), - flags = INTERACTIVE, - key = KEY_VALUE_SAVE_AND_EXIT_DBT; - - goto FORMID_SECURE_BOOT_OPTION_FORM, - prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT), - help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT), - flags = INTERACTIVE, - key = KEY_VALUE_NO_SAVE_AND_EXIT_DBT; - - endform; - -endformset; \ No newline at end of file diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDevicePath.c b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDevicePath.c deleted file mode 100644 index 28c4d4f8b6..0000000000 --- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDevicePath.c +++ /dev/null @@ -1,38 +0,0 @@ -/** @file - Internal function defines the default device path string for SecureBoot configuration module. - -Copyright (c) 2012 - 2013, Intel Corporation. All rights reserved.
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-
-/**
- This function converts an input device structure to a Unicode string.
-
- @param[in] DevPath A pointer to the device path structure.
-
- @return A new allocated Unicode string that represents the device path.
-
-**/
-CHAR16 *
-EFIAPI
-DevicePathToStr (
- IN EFI_DEVICE_PATH_PROTOCOL *DevPath
- )
-{
- return ConvertDevicePathToText (
- DevPath,
- FALSE,
- TRUE
- );
-}
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c
deleted file mode 100644
index 1d6c4ac6e8..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDriver.c
+++ /dev/null
@@ -1,133 +0,0 @@
-/** @file
- The module entry point for SecureBoot configuration module.
-
-Copyright (c) 2011, Intel Corporation. All rights reserved.
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-/**
- The entry point for SecureBoot configuration driver.
-
- @param[in] ImageHandle The image handle of the driver.
- @param[in] SystemTable The system table.
-
- @retval EFI_ALREADY_STARTED The driver already exists in system.
- @retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack of resources.
- @retval EFI_SUCCES All the related protocols are installed on the driver.
- @retval Others Fail to get the SecureBootEnable variable.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootConfigDriverEntryPoint (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- )
-{
- EFI_STATUS Status;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
-
- //
- // If already started, return.
- //
- Status = gBS->OpenProtocol (
- ImageHandle,
- &gEfiCallerIdGuid,
- NULL,
- ImageHandle,
- ImageHandle,
- EFI_OPEN_PROTOCOL_TEST_PROTOCOL
- );
- if (!EFI_ERROR (Status)) {
- return EFI_ALREADY_STARTED;
- }
-
- //
- // Create a private data structure.
- //
- PrivateData = AllocateCopyPool (sizeof (SECUREBOOT_CONFIG_PRIVATE_DATA), &mSecureBootConfigPrivateDateTemplate);
- if (PrivateData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Install SecureBoot configuration form
- //
- Status = InstallSecureBootConfigForm (PrivateData);
- if (EFI_ERROR (Status)) {
- goto ErrorExit;
- }
-
- //
- // Install private GUID.
- //
- Status = gBS->InstallMultipleProtocolInterfaces (
- &ImageHandle,
- &gEfiCallerIdGuid,
- PrivateData,
- NULL
- );
-
- if (EFI_ERROR (Status)) {
- goto ErrorExit;
- }
-
- return EFI_SUCCESS;
-
-ErrorExit:
- if (PrivateData != NULL) {
- UninstallSecureBootConfigForm (PrivateData);
- }
-
- return Status;
-}
-
-/**
- Unload the SecureBoot configuration form.
-
- @param[in] ImageHandle The driver's image handle.
-
- @retval EFI_SUCCESS The SecureBoot configuration form is unloaded.
- @retval Others Failed to unload the form.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootConfigDriverUnload (
- IN EFI_HANDLE ImageHandle
- )
-{
- EFI_STATUS Status;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
-
- Status = gBS->HandleProtocol (
- ImageHandle,
- &gEfiCallerIdGuid,
- (VOID **) &PrivateData
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- ASSERT (PrivateData->Signature == SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE);
-
- gBS->UninstallMultipleProtocolInterfaces (
- &ImageHandle,
- &gEfiCallerIdGuid,
- PrivateData,
- NULL
- );
-
- UninstallSecureBootConfigForm (PrivateData);
-
- return EFI_SUCCESS;
-}
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
deleted file mode 100644
index fa7c39d6e5..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+++ /dev/null
@@ -1,127 +0,0 @@
-## @file
-# Provides the capbility to configure secure boot in a setup browser
-# By this module, user may change the content of DB, DBX, PK and KEK.
-#
-# Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-##
-
-[Defines]
- INF_VERSION = 0x00010005
- BASE_NAME = SecureBootConfigDxe
- MODULE_UNI_FILE = SecureBootConfigDxe.uni
- FILE_GUID = F0E6A44F-7195-41c3-AC64-54F202CD0A21
- MODULE_TYPE = DXE_DRIVER
- VERSION_STRING = 1.0
- ENTRY_POINT = SecureBootConfigDriverEntryPoint
- UNLOAD_IMAGE = SecureBootConfigDriverUnload
-
-#
-# VALID_ARCHITECTURES = IA32 X64 IPF EBC
-#
-
-[Sources]
- SecureBootConfigDriver.c
- SecureBootConfigImpl.c
- SecureBootConfigFileExplorer.c
- SecureBootConfigDevicePath.c
- SecureBootConfigMisc.c
- SecureBootConfigImpl.h
- SecureBootConfig.vfr
- SecureBootConfigStrings.uni
- SecureBootConfigNvData.h
-
-[Packages]
- MdePkg/MdePkg.dec
- MdeModulePkg/MdeModulePkg.dec
- SecurityPkg/SecurityPkg.dec
- CryptoPkg/CryptoPkg.dec
-
-[LibraryClasses]
- BaseLib
- BaseMemoryLib
- BaseCryptLib
- MemoryAllocationLib
- UefiLib
- UefiBootServicesTableLib
- UefiRuntimeServicesTableLib
- UefiDriverEntryPoint
- UefiHiiServicesLib
- DebugLib
- HiiLib
- PlatformSecureLib
- DevicePathLib
- FileExplorerLib
- PeCoffLib
-
-[Guids]
- ## SOMETIMES_CONSUMES ## Variable:L"CustomMode"
- ## SOMETIMES_PRODUCES ## Variable:L"CustomMode"
- gEfiCustomModeEnableGuid
-
- ## SOMETIMES_CONSUMES ## Variable:L"SecureBootEnable"
- ## SOMETIMES_PRODUCES ## Variable:L"SecureBootEnable"
- gEfiSecureBootEnableDisableGuid
-
- ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
- ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
- gEfiCertRsa2048Guid
-
- ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
- ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
- gEfiCertX509Guid
-
- ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
- ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
- gEfiCertSha1Guid
-
- ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
- ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the signature.
- gEfiCertSha256Guid
-
- ## SOMETIMES_CONSUMES ## Variable:L"db"
- ## SOMETIMES_PRODUCES ## Variable:L"db"
- ## SOMETIMES_CONSUMES ## Variable:L"dbx"
- ## SOMETIMES_PRODUCES ## Variable:L"dbx"
- gEfiImageSecurityDatabaseGuid
-
- ## SOMETIMES_CONSUMES ## Variable:L"SetupMode"
- ## SOMETIMES_PRODUCES ## Variable:L"PK"
- ## SOMETIMES_CONSUMES ## Variable:L"KEK"
- ## SOMETIMES_PRODUCES ## Variable:L"KEK"
- ## SOMETIMES_CONSUMES ## Variable:L"SecureBoot"
- gEfiGlobalVariableGuid
-
- gEfiIfrTianoGuid ## PRODUCES ## GUID # HII opcode
- ## PRODUCES ## HII
- ## CONSUMES ## HII
- gSecureBootConfigFormSetGuid
- gEfiCertPkcs7Guid ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the certificate.
- gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
- gEfiFileSystemVolumeLabelInfoIdGuid ## SOMETIMES_CONSUMES ## GUID # Indicate the information type
- gEfiFileInfoGuid ## SOMETIMES_CONSUMES ## GUID # Indicate the information type
-
- gEfiCertX509Sha256Guid ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the certificate.
- gEfiCertX509Sha384Guid ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the certificate.
- gEfiCertX509Sha512Guid ## SOMETIMES_PRODUCES ## GUID # Unique ID for the type of the certificate.
-
-[Protocols]
- gEfiHiiConfigAccessProtocolGuid ## PRODUCES
- gEfiDevicePathProtocolGuid ## PRODUCES
- gEfiSimpleFileSystemProtocolGuid ## SOMETIMES_CONSUMES
- gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
-
-[Depex]
- gEfiHiiConfigRoutingProtocolGuid AND
- gEfiHiiDatabaseProtocolGuid AND
- gEfiVariableArchProtocolGuid AND
- gEfiVariableWriteArchProtocolGuid
-
-[UserExtensions.TianoCore."ExtraFiles"]
- SecureBootConfigDxeExtra.uni
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.uni b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.uni
deleted file mode 100644
index d0d2e5ad75..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.uni
+++ /dev/null
@@ -1,21 +0,0 @@
-// /** @file
-// Provides the capbility to configure secure boot in a setup browser
-//
-// By this module, user may change the content of DB, DBX, PK and KEK.
-//
-// Copyright (c) 2011 - 2014, Intel Corporation. All rights reserved.
-//
-// This program and the accompanying materials
-// are licensed and made available under the terms and conditions of the BSD License
-// which accompanies this distribution. The full text of the license may be found at
-// http://opensource.org/licenses/bsd-license.php
-// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-//
-// **/
-
-
-#string STR_MODULE_ABSTRACT #language en-US "Provides the capability to configure secure boot in a setup browser"
-
-#string STR_MODULE_DESCRIPTION #language en-US "By this module, user may change the content of DB, DBX, PK and KEK."
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxeExtra.uni b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxeExtra.uni
deleted file mode 100644
index 2bc7f3d537..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxeExtra.uni
+++ /dev/null
@@ -1,19 +0,0 @@
-// /** @file
-// SecureBootConfigDxe Localized Strings and Content
-//
-// Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.
-//
-// This program and the accompanying materials
-// are licensed and made available under the terms and conditions of the BSD License
-// which accompanies this distribution. The full text of the license may be found at
-// http://opensource.org/licenses/bsd-license.php
-// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-//
-// **/
-
-#string STR_PROPERTIES_MODULE_NAME
-#language en-US
-"Secure Boot Config DXE"
-
-
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
deleted file mode 100644
index 1b6f888042..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigFileExplorer.c
+++ /dev/null
@@ -1,422 +0,0 @@
-/** @file
- Internal file explorer functions for SecureBoot configuration module.
-
-Copyright (c) 2012 - 2016, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "SecureBootConfigImpl.h" - -VOID *mStartOpCodeHandle = NULL; -VOID *mEndOpCodeHandle = NULL; -EFI_IFR_GUID_LABEL *mStartLabel = NULL; -EFI_IFR_GUID_LABEL *mEndLabel = NULL; - -/** - Refresh the global UpdateData structure. - -**/ -VOID -RefreshUpdateData ( - VOID - ) -{ - // - // Free current updated date - // - if (mStartOpCodeHandle != NULL) { - HiiFreeOpCodeHandle (mStartOpCodeHandle); - } - - // - // Create new OpCode Handle - // - mStartOpCodeHandle = HiiAllocateOpCodeHandle (); - - // - // Create Hii Extend Label OpCode as the start opcode - // - mStartLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode ( - mStartOpCodeHandle, - &gEfiIfrTianoGuid, - NULL, - sizeof (EFI_IFR_GUID_LABEL) - ); - mStartLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL; -} - -/** - Clean up the dynamic opcode at label and form specified by both LabelId. - - @param[in] LabelId It is both the Form ID and Label ID for opcode deletion. - @param[in] PrivateData Module private data. - -**/ -VOID -CleanUpPage ( - IN UINT16 LabelId, - IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData - ) -{ - RefreshUpdateData (); - - // - // Remove all op-codes from dynamic page - // - mStartLabel->Number = LabelId; - HiiUpdateForm ( - PrivateData->HiiHandle, - &gSecureBootConfigFormSetGuid, - LabelId, - mStartOpCodeHandle, // Label LabelId - mEndOpCodeHandle // LABEL_END - ); -} - -/** - This function will open a file or directory referenced by DevicePath. - - This function opens a file with the open mode according to the file path. The - Attributes is valid only for EFI_FILE_MODE_CREATE. 
- - @param[in, out] FilePath On input, the device path to the file. - On output, the remaining device path. - @param[out] FileHandle Pointer to the file handle. - @param[in] OpenMode The mode to open the file with. - @param[in] Attributes The file's file attributes. - - @retval EFI_SUCCESS The information was set. - @retval EFI_INVALID_PARAMETER One of the parameters has an invalid value. - @retval EFI_UNSUPPORTED Could not open the file path. - @retval EFI_NOT_FOUND The specified file could not be found on the - device or the file system could not be found on - the device. - @retval EFI_NO_MEDIA The device has no medium. - @retval EFI_MEDIA_CHANGED The device has a different medium in it or the - medium is no longer supported. - @retval EFI_DEVICE_ERROR The device reported an error. - @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted. - @retval EFI_WRITE_PROTECTED The file or medium is write protected. - @retval EFI_ACCESS_DENIED The file was opened read only. - @retval EFI_OUT_OF_RESOURCES Not enough resources were available to open the - file. - @retval EFI_VOLUME_FULL The volume is full. 
-**/ -EFI_STATUS -EFIAPI -OpenFileByDevicePath( - IN OUT EFI_DEVICE_PATH_PROTOCOL **FilePath, - OUT EFI_FILE_HANDLE *FileHandle, - IN UINT64 OpenMode, - IN UINT64 Attributes - ) -{ - EFI_STATUS Status; - EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *EfiSimpleFileSystemProtocol; - EFI_FILE_PROTOCOL *Handle1; - EFI_FILE_PROTOCOL *Handle2; - EFI_HANDLE DeviceHandle; - - if ((FilePath == NULL || FileHandle == NULL)) { - return EFI_INVALID_PARAMETER; - } - - Status = gBS->LocateDevicePath ( - &gEfiSimpleFileSystemProtocolGuid, - FilePath, - &DeviceHandle - ); - if (EFI_ERROR (Status)) { - return Status; - } - - Status = gBS->OpenProtocol( - DeviceHandle, - &gEfiSimpleFileSystemProtocolGuid, - (VOID**)&EfiSimpleFileSystemProtocol, - gImageHandle, - NULL, - EFI_OPEN_PROTOCOL_GET_PROTOCOL - ); - if (EFI_ERROR (Status)) { - return Status; - } - - Status = EfiSimpleFileSystemProtocol->OpenVolume(EfiSimpleFileSystemProtocol, &Handle1); - if (EFI_ERROR (Status)) { - FileHandle = NULL; - return Status; - } - - // - // go down directories one node at a time. 
- // - while (!IsDevicePathEnd (*FilePath)) { - // - // For file system access each node should be a file path component - // - if (DevicePathType (*FilePath) != MEDIA_DEVICE_PATH || - DevicePathSubType (*FilePath) != MEDIA_FILEPATH_DP - ) { - FileHandle = NULL; - return (EFI_INVALID_PARAMETER); - } - // - // Open this file path node - // - Handle2 = Handle1; - Handle1 = NULL; - - // - // Try to test opening an existing file - // - Status = Handle2->Open ( - Handle2, - &Handle1, - ((FILEPATH_DEVICE_PATH*)*FilePath)->PathName, - OpenMode &~EFI_FILE_MODE_CREATE, - 0 - ); - - // - // see if the error was that it needs to be created - // - if ((EFI_ERROR (Status)) && (OpenMode != (OpenMode &~EFI_FILE_MODE_CREATE))) { - Status = Handle2->Open ( - Handle2, - &Handle1, - ((FILEPATH_DEVICE_PATH*)*FilePath)->PathName, - OpenMode, - Attributes - ); - } - // - // Close the last node - // - Handle2->Close (Handle2); - - if (EFI_ERROR(Status)) { - return (Status); - } - - // - // Get the next node - // - *FilePath = NextDevicePathNode (*FilePath); - } - - // - // This is a weak spot since if the undefined SHELL_FILE_HANDLE format changes this must change also! - // - *FileHandle = (VOID*)Handle1; - return EFI_SUCCESS; -} - - -/** - Extract filename from device path. The returned buffer is allocated using AllocateCopyPool. - The caller is responsible for freeing the allocated buffer using FreePool(). If return NULL - means not enough memory resource. - - @param DevicePath Device path. - - @retval NULL Not enough memory resourece for AllocateCopyPool. - @retval Other A new allocated string that represents the file name. 
- -**/ -CHAR16 * -ExtractFileNameFromDevicePath ( - IN EFI_DEVICE_PATH_PROTOCOL *DevicePath - ) -{ - CHAR16 *String; - CHAR16 *MatchString; - CHAR16 *LastMatch; - CHAR16 *FileName; - UINTN Length; - - ASSERT(DevicePath != NULL); - - String = DevicePathToStr(DevicePath); - MatchString = String; - LastMatch = String; - FileName = NULL; - - while(MatchString != NULL){ - LastMatch = MatchString + 1; - MatchString = StrStr(LastMatch,L"\\"); - } - - Length = StrLen(LastMatch); - FileName = AllocateCopyPool ((Length + 1) * sizeof(CHAR16), LastMatch); - if (FileName != NULL) { - *(FileName + Length) = 0; - } - - FreePool(String); - - return FileName; -} - - -/** - Update the form base on the selected file. - - @param FilePath Point to the file path. - @param FormId The form need to display. - - @retval TRUE Exit caller function. - @retval FALSE Not exit caller function. - -**/ -BOOLEAN -UpdatePage( - IN EFI_DEVICE_PATH_PROTOCOL *FilePath, - IN EFI_FORM_ID FormId - ) -{ - CHAR16 *FileName; - EFI_STRING_ID StringToken; - - FileName = NULL; - - if (FilePath != NULL) { - FileName = ExtractFileNameFromDevicePath(FilePath); - } - if (FileName == NULL) { - // - // FileName = NULL has two case: - // 1. FilePath == NULL, not select file. - // 2. FilePath != NULL, but ExtractFileNameFromDevicePath return NULL not enough memory resource. - // In these two case, no need to update the form, and exit the caller function. - // - return TRUE; - } - StringToken = HiiSetString (gSecureBootPrivateData->HiiHandle, 0, FileName, NULL); - - gSecureBootPrivateData->FileContext->FileName = FileName; - - OpenFileByDevicePath( - &FilePath, - &gSecureBootPrivateData->FileContext->FHandle, - EFI_FILE_MODE_READ, - 0 - ); - // - // Create Subtitle op-code for the display string of the option. 
- // - RefreshUpdateData (); - mStartLabel->Number = FormId; - - HiiCreateSubTitleOpCode ( - mStartOpCodeHandle, - StringToken, - 0, - 0, - 0 - ); - - HiiUpdateForm ( - gSecureBootPrivateData->HiiHandle, - &gSecureBootConfigFormSetGuid, - FormId, - mStartOpCodeHandle, // Label FormId - mEndOpCodeHandle // LABEL_END - ); - - return TRUE; -} - -/** - Update the PK form base on the input file path info. - - @param FilePath Point to the file path. - - @retval TRUE Exit caller function. - @retval FALSE Not exit caller function. -**/ -BOOLEAN -EFIAPI -UpdatePKFromFile ( - IN EFI_DEVICE_PATH_PROTOCOL *FilePath - ) -{ - return UpdatePage(FilePath, FORMID_ENROLL_PK_FORM); - -} - -/** - Update the KEK form base on the input file path info. - - @param FilePath Point to the file path. - - @retval TRUE Exit caller function. - @retval FALSE Not exit caller function. -**/ -BOOLEAN -EFIAPI -UpdateKEKFromFile ( - IN EFI_DEVICE_PATH_PROTOCOL *FilePath - ) -{ - return UpdatePage(FilePath, FORMID_ENROLL_KEK_FORM); -} - -/** - Update the DB form base on the input file path info. - - @param FilePath Point to the file path. - - @retval TRUE Exit caller function. - @retval FALSE Not exit caller function. -**/ -BOOLEAN -EFIAPI -UpdateDBFromFile ( - IN EFI_DEVICE_PATH_PROTOCOL *FilePath - ) -{ - return UpdatePage(FilePath, SECUREBOOT_ENROLL_SIGNATURE_TO_DB); -} - -/** - Update the DBX form base on the input file path info. - - @param FilePath Point to the file path. - - @retval TRUE Exit caller function. - @retval FALSE Not exit caller function. -**/ -BOOLEAN -EFIAPI -UpdateDBXFromFile ( - IN EFI_DEVICE_PATH_PROTOCOL *FilePath - ) -{ - return UpdatePage(FilePath, SECUREBOOT_ENROLL_SIGNATURE_TO_DBX); -} - -/** - Update the DBT form base on the input file path info. - - @param FilePath Point to the file path. - - @retval TRUE Exit caller function. - @retval FALSE Not exit caller function. 
-**/ -BOOLEAN -EFIAPI -UpdateDBTFromFile ( - IN EFI_DEVICE_PATH_PROTOCOL *FilePath - ) -{ - return UpdatePage(FilePath, SECUREBOOT_ENROLL_SIGNATURE_TO_DBT); -} - diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c deleted file mode 100644 index 2eaf24633d..0000000000 --- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c +++ /dev/null @@ -1,4080 +0,0 @@ -/** @file - HII Config Access protocol implementation of SecureBoot configuration module. - -Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.
-This program and the accompanying materials -are licensed and made available under the terms and conditions of the BSD License -which accompanies this distribution. The full text of the license may be found at -http://opensource.org/licenses/bsd-license.php - -THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, -WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - -**/ - -#include "SecureBootConfigImpl.h" - -CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION"; - -SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate = { - SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE, - { - SecureBootExtractConfig, - SecureBootRouteConfig, - SecureBootCallback - } -}; - -HII_VENDOR_DEVICE_PATH mSecureBootHiiVendorDevicePath = { - { - { - HARDWARE_DEVICE_PATH, - HW_VENDOR_DP, - { - (UINT8) (sizeof (VENDOR_DEVICE_PATH)), - (UINT8) ((sizeof (VENDOR_DEVICE_PATH)) >> 8) - } - }, - SECUREBOOT_CONFIG_FORM_SET_GUID - }, - { - END_DEVICE_PATH_TYPE, - END_ENTIRE_DEVICE_PATH_SUBTYPE, - { - (UINT8) (END_DEVICE_PATH_LENGTH), - (UINT8) ((END_DEVICE_PATH_LENGTH) >> 8) - } - } -}; - - -BOOLEAN mIsEnterSecureBootForm = FALSE; - -// -// OID ASN.1 Value for Hash Algorithms -// -UINT8 mHashOidValue[] = { - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, // OBJ_md5 - 0x2B, 0x0E, 0x03, 0x02, 0x1A, // OBJ_sha1 - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, // OBJ_sha224 - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, // OBJ_sha256 - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, // OBJ_sha384 - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, // OBJ_sha512 - }; - -HASH_TABLE mHash[] = { - { L"SHA224", 28, &mHashOidValue[13], 9, NULL, NULL, NULL, NULL }, - { L"SHA256", 32, &mHashOidValue[22], 9, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final}, - { L"SHA384", 48, &mHashOidValue[31], 9, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final}, - { L"SHA512", 64, &mHashOidValue[40], 9, 
Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final} -}; - -// -// Variable Definitions -// -UINT32 mPeCoffHeaderOffset = 0; -WIN_CERTIFICATE *mCertificate = NULL; -IMAGE_TYPE mImageType; -UINT8 *mImageBase = NULL; -UINTN mImageSize = 0; -UINT8 mImageDigest[MAX_DIGEST_SIZE]; -UINTN mImageDigestSize; -EFI_GUID mCertType; -EFI_IMAGE_SECURITY_DATA_DIRECTORY *mSecDataDir = NULL; -EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION mNtHeader; - -// -// Possible DER-encoded certificate file suffixes, end with NULL pointer. -// -CHAR16* mDerEncodedSuffix[] = { - L".cer", - L".der", - L".crt", - NULL -}; -CHAR16* mSupportX509Suffix = L"*.cer/der/crt"; - -SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData = NULL; - -/** - This code cleans up enrolled file by closing file & free related resources attached to - enrolled file. - - @param[in] FileContext FileContext cached in SecureBootConfig driver - -**/ -VOID -CloseEnrolledFile( - IN SECUREBOOT_FILE_CONTEXT *FileContext -) -{ - if (FileContext->FHandle != NULL) { - CloseFile (FileContext->FHandle); - FileContext->FHandle = NULL; - } - - if (FileContext->FileName != NULL){ - FreePool(FileContext->FileName); - FileContext->FileName = NULL; - } - FileContext->FileType = UNKNOWN_FILE_TYPE; - -} - -/** - This code checks if the FileSuffix is one of the possible DER-encoded certificate suffix. - - @param[in] FileSuffix The suffix of the input certificate file - - @retval TRUE It's a DER-encoded certificate. - @retval FALSE It's NOT a DER-encoded certificate. - -**/ -BOOLEAN -IsDerEncodeCertificate ( - IN CONST CHAR16 *FileSuffix -) -{ - UINTN Index; - for (Index = 0; mDerEncodedSuffix[Index] != NULL; Index++) { - if (StrCmp (FileSuffix, mDerEncodedSuffix[Index]) == 0) { - return TRUE; - } - } - return FALSE; -} - -/** - This code checks if the file content complies with EFI_VARIABLE_AUTHENTICATION_2 format -The function reads file content but won't open/close given FileHandle. 
- - @param[in] FileHandle The FileHandle to be checked - - @retval TRUE The content is EFI_VARIABLE_AUTHENTICATION_2 format. - @retval FALSE The content is NOT a EFI_VARIABLE_AUTHENTICATION_2 format. - -**/ -BOOLEAN -IsAuthentication2Format ( - IN EFI_FILE_HANDLE FileHandle -) -{ - EFI_STATUS Status; - EFI_VARIABLE_AUTHENTICATION_2 *Auth2; - BOOLEAN IsAuth2Format; - - IsAuth2Format = FALSE; - - // - // Read the whole file content - // - Status = ReadFileContent( - FileHandle, - (VOID **) &mImageBase, - &mImageSize, - 0 - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - - Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)mImageBase; - if (Auth2->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) { - goto ON_EXIT; - } - - if (CompareGuid(&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType)) { - IsAuth2Format = TRUE; - } - -ON_EXIT: - // - // Do not close File. simply check file content - // - if (mImageBase != NULL) { - FreePool (mImageBase); - mImageBase = NULL; - } - - return IsAuth2Format; -} - -/** - Set Secure Boot option into variable space. - - @param[in] VarValue The option of Secure Boot. - - @retval EFI_SUCCESS The operation is finished successfully. - @retval Others Other errors as indicated. - -**/ -EFI_STATUS -SaveSecureBootVariable ( - IN UINT8 VarValue - ) -{ - EFI_STATUS Status; - - Status = gRT->SetVariable ( - EFI_SECURE_BOOT_ENABLE_NAME, - &gEfiSecureBootEnableDisableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - sizeof (UINT8), - &VarValue - ); - return Status; -} - -/** - Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2 - descriptor with the input data. NO authentication is required in this function. - - @param[in, out] DataSize On input, the size of Data buffer in bytes. - On output, the size of data returned in Data - buffer in bytes. - @param[in, out] Data On input, Pointer to data buffer to be wrapped or - pointer to NULL to wrap an empty payload. 
- On output, Pointer to the new payload date buffer allocated from pool, - it's caller's responsibility to free the memory when finish using it. - - @retval EFI_SUCCESS Create time based payload successfully. - @retval EFI_OUT_OF_RESOURCES There are not enough memory resourses to create time based payload. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval Others Unexpected error happens. - -**/ -EFI_STATUS -CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data - ) -{ - EFI_STATUS Status; - UINT8 *NewData; - UINT8 *Payload; - UINTN PayloadSize; - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; - UINTN DescriptorSize; - EFI_TIME Time; - - if (Data == NULL || DataSize == NULL) { - return EFI_INVALID_PARAMETER; - } - - // - // In Setup mode or Custom mode, the variable does not need to be signed but the - // parameters to the SetVariable() call still need to be prepared as authenticated - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate - // data in it. 
- // - Payload = *Data; - PayloadSize = *DataSize; - - DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); - if (NewData == NULL) { - return EFI_OUT_OF_RESOURCES; - } - - if ((Payload != NULL) && (PayloadSize != 0)) { - CopyMem (NewData + DescriptorSize, Payload, PayloadSize); - } - - DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); - - ZeroMem (&Time, sizeof (EFI_TIME)); - Status = gRT->GetTime (&Time, NULL); - if (EFI_ERROR (Status)) { - FreePool(NewData); - return Status; - } - Time.Pad1 = 0; - Time.Nanosecond = 0; - Time.TimeZone = 0; - Time.Daylight = 0; - Time.Pad2 = 0; - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); - - DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - DescriptorData->AuthInfo.Hdr.wRevision = 0x0200; - DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); - - if (Payload != NULL) { - FreePool(Payload); - } - - *DataSize = DescriptorSize + PayloadSize; - *Data = NewData; - return EFI_SUCCESS; -} - -/** - Internal helper function to delete a Variable given its name and GUID, NO authentication - required. - - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Variable deleted successfully. - @retval Others The driver failed to start the device. 
- -**/ -EFI_STATUS -DeleteVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - VOID* Variable; - UINT8 *Data; - UINTN DataSize; - UINT32 Attr; - - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); - if (Variable == NULL) { - return EFI_SUCCESS; - } - FreePool (Variable); - - Data = NULL; - DataSize = 0; - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - - Status = CreateTimeBasedPayload (&DataSize, &Data); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - return Status; - } - - Status = gRT->SetVariable ( - VariableName, - VendorGuid, - Attr, - DataSize, - Data - ); - if (Data != NULL) { - FreePool (Data); - } - return Status; -} - -/** - - Set the platform secure boot mode into "Custom" or "Standard" mode. - - @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or - CUSTOM_SECURE_BOOT_MODE. - - @return EFI_SUCCESS The platform has switched to the special mode successfully. - @return other Fail to operate the secure boot mode. - -**/ -EFI_STATUS -SetSecureBootMode ( - IN UINT8 SecureBootMode - ) -{ - return gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - sizeof (UINT8), - &SecureBootMode - ); -} - -/** - Generate the PK signature list from the X509 Certificate storing file (.cer) - - @param[in] X509File FileHandle of X509 Certificate storing file. - @param[out] PkCert Point to the data buffer to store the signature list. - - @return EFI_UNSUPPORTED Unsupported Key Length. - @return EFI_OUT_OF_RESOURCES There are not enough memory resourses to form the signature list. 
- -**/ -EFI_STATUS -CreatePkX509SignatureList ( - IN EFI_FILE_HANDLE X509File, - OUT EFI_SIGNATURE_LIST **PkCert - ) -{ - EFI_STATUS Status; - UINT8 *X509Data; - UINTN X509DataSize; - EFI_SIGNATURE_DATA *PkCertData; - - X509Data = NULL; - PkCertData = NULL; - X509DataSize = 0; - - Status = ReadFileContent (X509File, (VOID**) &X509Data, &X509DataSize, 0); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - ASSERT (X509Data != NULL); - - // - // Allocate space for PK certificate list and initialize it. - // Create PK database entry with SignatureHeaderSize equals 0. - // - *PkCert = (EFI_SIGNATURE_LIST*) AllocateZeroPool ( - sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 - + X509DataSize - ); - if (*PkCert == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - (*PkCert)->SignatureListSize = (UINT32) (sizeof(EFI_SIGNATURE_LIST) - + sizeof(EFI_SIGNATURE_DATA) - 1 - + X509DataSize); - (*PkCert)->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize); - (*PkCert)->SignatureHeaderSize = 0; - CopyGuid (&(*PkCert)->SignatureType, &gEfiCertX509Guid); - PkCertData = (EFI_SIGNATURE_DATA*) ((UINTN)(*PkCert) - + sizeof(EFI_SIGNATURE_LIST) - + (*PkCert)->SignatureHeaderSize); - CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid); - // - // Fill the PK database with PKpub data from X509 certificate file. - // - CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize); - -ON_EXIT: - - if (X509Data != NULL) { - FreePool (X509Data); - } - - if (EFI_ERROR(Status) && *PkCert != NULL) { - FreePool (*PkCert); - *PkCert = NULL; - } - - return Status; -} - -/** - Enroll new PK into the System without original PK's authentication. - - The SignatureOwner GUID will be the same with PK's vendorguid. - - @param[in] PrivateData The module's private data. - - @retval EFI_SUCCESS New PK enrolled successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. 
- -**/ -EFI_STATUS -EnrollPlatformKey ( - IN SECUREBOOT_CONFIG_PRIVATE_DATA* Private - ) -{ - EFI_STATUS Status; - UINT32 Attr; - UINTN DataSize; - EFI_SIGNATURE_LIST *PkCert; - UINT16* FilePostFix; - UINTN NameLength; - - if (Private->FileContext->FileName == NULL) { - return EFI_INVALID_PARAMETER; - } - - PkCert = NULL; - - Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); - if (EFI_ERROR (Status)) { - return Status; - } - - // - // Parse the file's postfix. Only support DER encoded X.509 certificate files. - // - NameLength = StrLen (Private->FileContext->FileName); - if (NameLength <= 4) { - return EFI_INVALID_PARAMETER; - } - FilePostFix = Private->FileContext->FileName + NameLength - 4; - if (!IsDerEncodeCertificate(FilePostFix)) { - DEBUG ((EFI_D_ERROR, "Unsupported file type, only DER encoded certificate (%s) is supported.", mSupportX509Suffix)); - return EFI_INVALID_PARAMETER; - } - DEBUG ((EFI_D_INFO, "FileName= %s\n", Private->FileContext->FileName)); - DEBUG ((EFI_D_INFO, "FilePostFix = %s\n", FilePostFix)); - - // - // Prase the selected PK file and generature PK certificate list. - // - Status = CreatePkX509SignatureList ( - Private->FileContext->FHandle, - &PkCert - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - ASSERT (PkCert != NULL); - - // - // Set Platform Key variable. 
- // - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - DataSize = PkCert->SignatureListSize; - Status = CreateTimeBasedPayload (&DataSize, (UINT8**) &PkCert); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - goto ON_EXIT; - } - - Status = gRT->SetVariable( - EFI_PLATFORM_KEY_NAME, - &gEfiGlobalVariableGuid, - Attr, - DataSize, - PkCert - ); - if (EFI_ERROR (Status)) { - if (Status == EFI_OUT_OF_RESOURCES) { - DEBUG ((EFI_D_ERROR, "Enroll PK failed with out of resource.\n")); - } - goto ON_EXIT; - } - -ON_EXIT: - - if (PkCert != NULL) { - FreePool(PkCert); - } - - CloseEnrolledFile(Private->FileContext); - - return Status; -} - -/** - Remove the PK variable. - - @retval EFI_SUCCESS Delete PK successfully. - @retval Others Could not allow to delete PK. - -**/ -EFI_STATUS -DeletePlatformKey ( - VOID -) -{ - EFI_STATUS Status; - - Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); - if (EFI_ERROR (Status)) { - return Status; - } - - Status = DeleteVariable ( - EFI_PLATFORM_KEY_NAME, - &gEfiGlobalVariableGuid - ); - return Status; -} - -/** - Enroll a new KEK item from public key storing file (*.pbk). - - @param[in] PrivateData The module's private data. - - @retval EFI_SUCCESS New KEK enrolled successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported command. - @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. 
- -**/ -EFI_STATUS -EnrollRsa2048ToKek ( - IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private - ) -{ - EFI_STATUS Status; - UINT32 Attr; - UINTN DataSize; - EFI_SIGNATURE_LIST *KekSigList; - UINTN KeyBlobSize; - UINT8 *KeyBlob; - CPL_KEY_INFO *KeyInfo; - EFI_SIGNATURE_DATA *KEKSigData; - UINTN KekSigListSize; - UINT8 *KeyBuffer; - UINTN KeyLenInBytes; - - Attr = 0; - DataSize = 0; - KeyBuffer = NULL; - KeyBlobSize = 0; - KeyBlob = NULL; - KeyInfo = NULL; - KEKSigData = NULL; - KekSigList = NULL; - KekSigListSize = 0; - - // - // Form the KeKpub certificate list into EFI_SIGNATURE_LIST type. - // First, We have to parse out public key data from the pbk key file. - // - Status = ReadFileContent ( - Private->FileContext->FHandle, - (VOID**) &KeyBlob, - &KeyBlobSize, - 0 - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - ASSERT (KeyBlob != NULL); - KeyInfo = (CPL_KEY_INFO *) KeyBlob; - if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) { - DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is supported.\n")); - Status = EFI_UNSUPPORTED; - goto ON_EXIT; - } - - // - // Convert the Public key to fix octet string format represented in RSA PKCS#1. - // - KeyLenInBytes = KeyInfo->KeyLengthInBits / 8; - KeyBuffer = AllocateZeroPool (KeyLenInBytes); - if (KeyBuffer == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - Int2OctStr ( - (UINTN*) (KeyBlob + sizeof (CPL_KEY_INFO)), - KeyLenInBytes / sizeof (UINTN), - KeyBuffer, - KeyLenInBytes - ); - CopyMem(KeyBlob + sizeof(CPL_KEY_INFO), KeyBuffer, KeyLenInBytes); - - // - // Form an new EFI_SIGNATURE_LIST. 
- // - KekSigListSize = sizeof(EFI_SIGNATURE_LIST) - + sizeof(EFI_SIGNATURE_DATA) - 1 - + WIN_CERT_UEFI_RSA2048_SIZE; - - KekSigList = (EFI_SIGNATURE_LIST*) AllocateZeroPool (KekSigListSize); - if (KekSigList == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - KekSigList->SignatureListSize = sizeof(EFI_SIGNATURE_LIST) - + sizeof(EFI_SIGNATURE_DATA) - 1 - + WIN_CERT_UEFI_RSA2048_SIZE; - KekSigList->SignatureHeaderSize = 0; - KekSigList->SignatureSize = sizeof(EFI_SIGNATURE_DATA) - 1 + WIN_CERT_UEFI_RSA2048_SIZE; - CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid); - - KEKSigData = (EFI_SIGNATURE_DATA*)((UINT8*)KekSigList + sizeof(EFI_SIGNATURE_LIST)); - CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID); - CopyMem ( - KEKSigData->SignatureData, - KeyBlob + sizeof(CPL_KEY_INFO), - WIN_CERT_UEFI_RSA2048_SIZE - ); - - // - // Check if KEK entry has been already existed. - // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the - // new KEK to original variable. - // - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8**) &KekSigList); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - goto ON_EXIT; - } - - Status = gRT->GetVariable( - EFI_KEY_EXCHANGE_KEY_NAME, - &gEfiGlobalVariableGuid, - NULL, - &DataSize, - NULL - ); - if (Status == EFI_BUFFER_TOO_SMALL) { - Attr |= EFI_VARIABLE_APPEND_WRITE; - } else if (Status != EFI_NOT_FOUND) { - goto ON_EXIT; - } - - // - // Done. 
Now we have formed the correct KEKpub database item, just set it into variable storage, - // - Status = gRT->SetVariable( - EFI_KEY_EXCHANGE_KEY_NAME, - &gEfiGlobalVariableGuid, - Attr, - KekSigListSize, - KekSigList - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - -ON_EXIT: - - CloseEnrolledFile(Private->FileContext); - - if (Private->SignatureGUID != NULL) { - FreePool (Private->SignatureGUID); - Private->SignatureGUID = NULL; - } - - if (KeyBlob != NULL) { - FreePool (KeyBlob); - } - if (KeyBuffer != NULL) { - FreePool (KeyBuffer); - } - if (KekSigList != NULL) { - FreePool (KekSigList); - } - - return Status; -} - -/** - Enroll a new KEK item from X509 certificate file. - - @param[in] PrivateData The module's private data. - - @retval EFI_SUCCESS New X509 is enrolled successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_UNSUPPORTED Unsupported command. - @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. - -**/ -EFI_STATUS -EnrollX509ToKek ( - IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private - ) -{ - EFI_STATUS Status; - UINTN X509DataSize; - VOID *X509Data; - EFI_SIGNATURE_DATA *KEKSigData; - EFI_SIGNATURE_LIST *KekSigList; - UINTN DataSize; - UINTN KekSigListSize; - UINT32 Attr; - - X509Data = NULL; - X509DataSize = 0; - KekSigList = NULL; - KekSigListSize = 0; - DataSize = 0; - KEKSigData = NULL; - - Status = ReadFileContent ( - Private->FileContext->FHandle, - &X509Data, - &X509DataSize, - 0 - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - ASSERT (X509Data != NULL); - - KekSigListSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize; - KekSigList = (EFI_SIGNATURE_LIST*) AllocateZeroPool (KekSigListSize); - if (KekSigList == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Fill Certificate Database parameters. 
- // - KekSigList->SignatureListSize = (UINT32) KekSigListSize; - KekSigList->SignatureHeaderSize = 0; - KekSigList->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize); - CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid); - - KEKSigData = (EFI_SIGNATURE_DATA*) ((UINT8*) KekSigList + sizeof (EFI_SIGNATURE_LIST)); - CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID); - CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize); - - // - // Check if KEK been already existed. - // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the - // new kek to original variable - // - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8**) &KekSigList); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - goto ON_EXIT; - } - - Status = gRT->GetVariable( - EFI_KEY_EXCHANGE_KEY_NAME, - &gEfiGlobalVariableGuid, - NULL, - &DataSize, - NULL - ); - if (Status == EFI_BUFFER_TOO_SMALL) { - Attr |= EFI_VARIABLE_APPEND_WRITE; - } else if (Status != EFI_NOT_FOUND) { - goto ON_EXIT; - } - - Status = gRT->SetVariable( - EFI_KEY_EXCHANGE_KEY_NAME, - &gEfiGlobalVariableGuid, - Attr, - KekSigListSize, - KekSigList - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - -ON_EXIT: - - CloseEnrolledFile(Private->FileContext); - - if (Private->SignatureGUID != NULL) { - FreePool (Private->SignatureGUID); - Private->SignatureGUID = NULL; - } - - if (KekSigList != NULL) { - FreePool (KekSigList); - } - - return Status; -} - -/** - Enroll new KEK into the System without PK's authentication. - The SignatureOwner GUID will be Private->SignatureGUID. - - @param[in] PrivateData The module's private data. - - @retval EFI_SUCCESS New KEK enrolled successful. - @retval EFI_INVALID_PARAMETER The parameter is invalid. 
- @retval others Fail to enroll KEK data. - -**/ -EFI_STATUS -EnrollKeyExchangeKey ( - IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private - ) -{ - UINT16* FilePostFix; - EFI_STATUS Status; - UINTN NameLength; - - if ((Private->FileContext->FHandle == NULL) || (Private->FileContext->FileName == NULL) || (Private->SignatureGUID == NULL)) { - return EFI_INVALID_PARAMETER; - } - - Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); - if (EFI_ERROR (Status)) { - return Status; - } - - // - // Parse the file's postfix. Supports DER-encoded X509 certificate, - // and .pbk as RSA public key file. - // - NameLength = StrLen (Private->FileContext->FileName); - if (NameLength <= 4) { - return EFI_INVALID_PARAMETER; - } - FilePostFix = Private->FileContext->FileName + NameLength - 4; - if (IsDerEncodeCertificate(FilePostFix)) { - return EnrollX509ToKek (Private); - } else if (CompareMem (FilePostFix, L".pbk",4) == 0) { - return EnrollRsa2048ToKek (Private); - } else { - // - // File type is wrong, simply close it - // - CloseEnrolledFile(Private->FileContext); - - return EFI_INVALID_PARAMETER; - } -} - -/** - Enroll a new X509 certificate into Signature Database (DB or DBX or DBT) without - KEK's authentication. - - @param[in] PrivateData The module's private data. - @param[in] VariableName Variable name of signature database, must be - EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1. - - @retval EFI_SUCCESS New X509 is enrolled successfully. - @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. 
- -**/ -EFI_STATUS -EnrollX509toSigDB ( - IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, - IN CHAR16 *VariableName - ) -{ - EFI_STATUS Status; - UINTN X509DataSize; - VOID *X509Data; - EFI_SIGNATURE_LIST *SigDBCert; - EFI_SIGNATURE_DATA *SigDBCertData; - VOID *Data; - UINTN DataSize; - UINTN SigDBSize; - UINT32 Attr; - - X509DataSize = 0; - SigDBSize = 0; - DataSize = 0; - X509Data = NULL; - SigDBCert = NULL; - SigDBCertData = NULL; - Data = NULL; - - Status = ReadFileContent ( - Private->FileContext->FHandle, - &X509Data, - &X509DataSize, - 0 - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - ASSERT (X509Data != NULL); - - SigDBSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize; - - Data = AllocateZeroPool (SigDBSize); - if (Data == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Fill Certificate Database parameters. - // - SigDBCert = (EFI_SIGNATURE_LIST*) Data; - SigDBCert->SignatureListSize = (UINT32) SigDBSize; - SigDBCert->SignatureHeaderSize = 0; - SigDBCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize); - CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid); - - SigDBCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigDBCert + sizeof (EFI_SIGNATURE_LIST)); - CopyGuid (&SigDBCertData->SignatureOwner, Private->SignatureGUID); - CopyMem ((UINT8* ) (SigDBCertData->SignatureData), X509Data, X509DataSize); - - // - // Check if signature database entry has been already existed. 
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the - // new signature data to original variable - // - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&SigDBSize, (UINT8**) &Data); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - goto ON_EXIT; - } - - Status = gRT->GetVariable( - VariableName, - &gEfiImageSecurityDatabaseGuid, - NULL, - &DataSize, - NULL - ); - if (Status == EFI_BUFFER_TOO_SMALL) { - Attr |= EFI_VARIABLE_APPEND_WRITE; - } else if (Status != EFI_NOT_FOUND) { - goto ON_EXIT; - } - - Status = gRT->SetVariable( - VariableName, - &gEfiImageSecurityDatabaseGuid, - Attr, - SigDBSize, - Data - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - -ON_EXIT: - - CloseEnrolledFile(Private->FileContext); - - if (Private->SignatureGUID != NULL) { - FreePool (Private->SignatureGUID); - Private->SignatureGUID = NULL; - } - - if (Data != NULL) { - FreePool (Data); - } - - if (X509Data != NULL) { - FreePool (X509Data); - } - - return Status; -} - -/** - Check whether signature is in specified database. - - @param[in] VariableName Name of database variable that is searched in. - @param[in] Signature Pointer to signature that is searched for. - @param[in] SignatureSize Size of Signature. - - @return TRUE Found the signature in the variable database. - @return FALSE Not found the signature in the variable database. - -**/ -BOOLEAN -IsSignatureFoundInDatabase ( - IN CHAR16 *VariableName, - IN UINT8 *Signature, - IN UINTN SignatureSize - ) -{ - EFI_STATUS Status; - EFI_SIGNATURE_LIST *CertList; - EFI_SIGNATURE_DATA *Cert; - UINTN DataSize; - UINT8 *Data; - UINTN Index; - UINTN CertCount; - BOOLEAN IsFound; - - // - // Read signature database variable. 
- // - IsFound = FALSE; - Data = NULL; - DataSize = 0; - Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL); - if (Status != EFI_BUFFER_TOO_SMALL) { - return FALSE; - } - - Data = (UINT8 *) AllocateZeroPool (DataSize); - if (Data == NULL) { - return FALSE; - } - - Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data); - if (EFI_ERROR (Status)) { - goto Done; - } - - // - // Enumerate all signature data in SigDB to check if executable's signature exists. - // - CertList = (EFI_SIGNATURE_LIST *) Data; - while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) { - CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; - Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); - if ((CertList->SignatureSize == sizeof(EFI_SIGNATURE_DATA) - 1 + SignatureSize) && (CompareGuid(&CertList->SignatureType, &gEfiCertX509Guid))) { - for (Index = 0; Index < CertCount; Index++) { - if (CompareMem (Cert->SignatureData, Signature, SignatureSize) == 0) { - // - // Find the signature in database. - // - IsFound = TRUE; - break; - } - Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize); - } - - if (IsFound) { - break; - } - } - - DataSize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize); - } - -Done: - if (Data != NULL) { - FreePool (Data); - } - - return IsFound; -} - -/** - Calculate the hash of a certificate data with the specified hash algorithm. - - @param[in] CertData The certificate data to be hashed. - @param[in] CertSize The certificate size in bytes. - @param[in] HashAlg The specified hash algorithm. - @param[out] CertHash The output digest of the certificate - - @retval TRUE Successfully got the hash of the CertData. 
- @retval FALSE Failed to get the hash of CertData. - -**/ -BOOLEAN -CalculateCertHash ( - IN UINT8 *CertData, - IN UINTN CertSize, - IN UINT32 HashAlg, - OUT UINT8 *CertHash - ) -{ - BOOLEAN Status; - VOID *HashCtx; - UINTN CtxSize; - UINT8 *TBSCert; - UINTN TBSCertSize; - - HashCtx = NULL; - Status = FALSE; - - if (HashAlg >= HASHALG_MAX) { - return FALSE; - } - - // - // Retrieve the TBSCertificate for Hash Calculation. - // - if (!X509GetTBSCert (CertData, CertSize, &TBSCert, &TBSCertSize)) { - return FALSE; - } - - // - // 1. Initialize context of hash. - // - CtxSize = mHash[HashAlg].GetContextSize (); - HashCtx = AllocatePool (CtxSize); - ASSERT (HashCtx != NULL); - - // - // 2. Initialize a hash context. - // - Status = mHash[HashAlg].HashInit (HashCtx); - if (!Status) { - goto Done; - } - - // - // 3. Calculate the hash. - // - Status = mHash[HashAlg].HashUpdate (HashCtx, TBSCert, TBSCertSize); - if (!Status) { - goto Done; - } - - // - // 4. Get the hash result. - // - ZeroMem (CertHash, mHash[HashAlg].DigestLength); - Status = mHash[HashAlg].HashFinal (HashCtx, CertHash); - -Done: - if (HashCtx != NULL) { - FreePool (HashCtx); - } - - return Status; -} - -/** - Check whether the hash of an X.509 certificate is in forbidden database (DBX). - - @param[in] Certificate Pointer to X.509 Certificate that is searched for. - @param[in] CertSize Size of X.509 Certificate. - - @return TRUE Found the certificate hash in the forbidden database. - @return FALSE Certificate hash is Not found in the forbidden database. 
- -**/ -BOOLEAN -IsCertHashFoundInDbx ( - IN UINT8 *Certificate, - IN UINTN CertSize - ) -{ - BOOLEAN IsFound; - EFI_STATUS Status; - EFI_SIGNATURE_LIST *DbxList; - EFI_SIGNATURE_DATA *CertHash; - UINTN CertHashCount; - UINTN Index; - UINT32 HashAlg; - UINT8 CertDigest[MAX_DIGEST_SIZE]; - UINT8 *DbxCertHash; - UINTN SiglistHeaderSize; - UINT8 *Data; - UINTN DataSize; - - IsFound = FALSE; - HashAlg = HASHALG_MAX; - Data = NULL; - - // - // Read signature database variable. - // - DataSize = 0; - Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL); - if (Status != EFI_BUFFER_TOO_SMALL) { - return FALSE; - } - - Data = (UINT8 *) AllocateZeroPool (DataSize); - if (Data == NULL) { - return FALSE; - } - - Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data); - if (EFI_ERROR (Status)) { - goto Done; - } - - // - // Check whether the certificate hash exists in the forbidden database. - // - DbxList = (EFI_SIGNATURE_LIST *) Data; - while ((DataSize > 0) && (DataSize >= DbxList->SignatureListSize)) { - // - // Determine Hash Algorithm of Certificate in the forbidden database. - // - if (CompareGuid (&DbxList->SignatureType, &gEfiCertX509Sha256Guid)) { - HashAlg = HASHALG_SHA256; - } else if (CompareGuid (&DbxList->SignatureType, &gEfiCertX509Sha384Guid)) { - HashAlg = HASHALG_SHA384; - } else if (CompareGuid (&DbxList->SignatureType, &gEfiCertX509Sha512Guid)) { - HashAlg = HASHALG_SHA512; - } else { - DataSize -= DbxList->SignatureListSize; - DbxList = (EFI_SIGNATURE_LIST *) ((UINT8 *) DbxList + DbxList->SignatureListSize); - continue; - } - - // - // Calculate the hash value of current db certificate for comparision. 
- // - if (!CalculateCertHash (Certificate, CertSize, HashAlg, CertDigest)) { - goto Done; - } - - SiglistHeaderSize = sizeof (EFI_SIGNATURE_LIST) + DbxList->SignatureHeaderSize; - CertHash = (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + SiglistHeaderSize); - CertHashCount = (DbxList->SignatureListSize - SiglistHeaderSize) / DbxList->SignatureSize; - for (Index = 0; Index < CertHashCount; Index++) { - // - // Iterate each Signature Data Node within this CertList for verify. - // - DbxCertHash = CertHash->SignatureData; - if (CompareMem (DbxCertHash, CertDigest, mHash[HashAlg].DigestLength) == 0) { - // - // Hash of Certificate is found in forbidden database. - // - IsFound = TRUE; - goto Done; - } - CertHash = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertHash + DbxList->SignatureSize); - } - - DataSize -= DbxList->SignatureListSize; - DbxList = (EFI_SIGNATURE_LIST *) ((UINT8 *) DbxList + DbxList->SignatureListSize); - } - -Done: - if (Data != NULL) { - FreePool (Data); - } - - return IsFound; -} - -/** - Check whether the signature list exists in given variable data. - - It searches the signature list for the ceritificate hash by CertType. - If the signature list is found, get the offset of Database for the - next hash of a certificate. - - @param[in] Database Variable data to save signature list. - @param[in] DatabaseSize Variable size. - @param[in] SignatureType The type of the signature. - @param[out] Offset The offset to save a new hash of certificate. - - @return TRUE The signature list is found in the forbidden database. - @return FALSE The signature list is not found in the forbidden database. 
-**/ -BOOLEAN -GetSignaturelistOffset ( - IN EFI_SIGNATURE_LIST *Database, - IN UINTN DatabaseSize, - IN EFI_GUID *SignatureType, - OUT UINTN *Offset - ) -{ - EFI_SIGNATURE_LIST *SigList; - UINTN SiglistSize; - - if ((Database == NULL) || (DatabaseSize == 0)) { - *Offset = 0; - return FALSE; - } - - SigList = Database; - SiglistSize = DatabaseSize; - while ((SiglistSize > 0) && (SiglistSize >= SigList->SignatureListSize)) { - if (CompareGuid (&SigList->SignatureType, SignatureType)) { - *Offset = DatabaseSize - SiglistSize; - return TRUE; - } - SiglistSize -= SigList->SignatureListSize; - SigList = (EFI_SIGNATURE_LIST *) ((UINT8 *) SigList + SigList->SignatureListSize); - } - *Offset = 0; - return FALSE; -} - -/** - Enroll a new X509 certificate hash into Signature Database (dbx) without - KEK's authentication. - - @param[in] PrivateData The module's private data. - @param[in] HashAlg The hash algorithm to enroll the certificate. - @param[in] RevocationDate The revocation date of the certificate. - @param[in] RevocationTime The revocation time of the certificate. - @param[in] AlwaysRevocation Indicate whether the certificate is always revoked. - - @retval EFI_SUCCESS New X509 is enrolled successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. 
- -**/ -EFI_STATUS -EnrollX509HashtoSigDB ( - IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, - IN UINT32 HashAlg, - IN EFI_HII_DATE *RevocationDate, - IN EFI_HII_TIME *RevocationTime, - IN BOOLEAN AlwaysRevocation - ) -{ - EFI_STATUS Status; - UINTN X509DataSize; - VOID *X509Data; - EFI_SIGNATURE_LIST *SignatureList; - UINTN SignatureListSize; - UINT8 *Data; - UINT8 *NewData; - UINTN DataSize; - UINTN DbSize; - UINT32 Attr; - EFI_SIGNATURE_DATA *SignatureData; - UINTN SignatureSize; - EFI_GUID SignatureType; - UINTN Offset; - UINT8 CertHash[MAX_DIGEST_SIZE]; - UINT16* FilePostFix; - UINTN NameLength; - EFI_TIME *Time; - - X509DataSize = 0; - DbSize = 0; - X509Data = NULL; - SignatureData = NULL; - SignatureList = NULL; - Data = NULL; - NewData = NULL; - - if ((Private->FileContext->FileName == NULL) || (Private->FileContext->FHandle == NULL) || (Private->SignatureGUID == NULL)) { - return EFI_INVALID_PARAMETER; - } - - Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); - if (EFI_ERROR (Status)) { - return Status; - } - - // - // Parse the file's postfix. - // - NameLength = StrLen (Private->FileContext->FileName); - if (NameLength <= 4) { - return EFI_INVALID_PARAMETER; - } - FilePostFix = Private->FileContext->FileName + NameLength - 4; - if (!IsDerEncodeCertificate(FilePostFix)) { - // - // Only supports DER-encoded X509 certificate. - // - return EFI_INVALID_PARAMETER; - } - - // - // Get the certificate from file and calculate its hash. - // - Status = ReadFileContent ( - Private->FileContext->FHandle, - &X509Data, - &X509DataSize, - 0 - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - ASSERT (X509Data != NULL); - - if (!CalculateCertHash (X509Data, X509DataSize, HashAlg, CertHash)) { - goto ON_EXIT; - } - - // - // Get the variable for enrollment. 
- // - DataSize = 0; - Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL); - if (Status == EFI_BUFFER_TOO_SMALL) { - Data = (UINT8 *) AllocateZeroPool (DataSize); - if (Data == NULL) { - return EFI_OUT_OF_RESOURCES; - } - - Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - } - - // - // Allocate memory for Signature and fill the Signature - // - SignatureSize = sizeof(EFI_SIGNATURE_DATA) - 1 + sizeof (EFI_TIME) + mHash[HashAlg].DigestLength; - SignatureData = (EFI_SIGNATURE_DATA *) AllocateZeroPool (SignatureSize); - if (SignatureData == NULL) { - return EFI_OUT_OF_RESOURCES; - } - CopyGuid (&SignatureData->SignatureOwner, Private->SignatureGUID); - CopyMem (SignatureData->SignatureData, CertHash, mHash[HashAlg].DigestLength); - - // - // Fill the time. - // - if (!AlwaysRevocation) { - Time = (EFI_TIME *)(&SignatureData->SignatureData + mHash[HashAlg].DigestLength); - Time->Year = RevocationDate->Year; - Time->Month = RevocationDate->Month; - Time->Day = RevocationDate->Day; - Time->Hour = RevocationTime->Hour; - Time->Minute = RevocationTime->Minute; - Time->Second = RevocationTime->Second; - } - - // - // Determine the GUID for certificate hash. - // - switch (HashAlg) { - case HASHALG_SHA256: - SignatureType = gEfiCertX509Sha256Guid; - break; - case HASHALG_SHA384: - SignatureType = gEfiCertX509Sha384Guid; - break; - case HASHALG_SHA512: - SignatureType = gEfiCertX509Sha512Guid; - break; - default: - return FALSE; - } - - // - // Add signature into the new variable data buffer - // - if (GetSignaturelistOffset((EFI_SIGNATURE_LIST *)Data, DataSize, &SignatureType, &Offset)) { - // - // Add the signature to the found signaturelist. 
- // - DbSize = DataSize + SignatureSize; - NewData = AllocateZeroPool (DbSize); - if (NewData == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - SignatureList = (EFI_SIGNATURE_LIST *)(Data + Offset); - SignatureListSize = (UINTN) ReadUnaligned32 ((UINT32 *)&SignatureList->SignatureListSize); - CopyMem (NewData, Data, Offset + SignatureListSize); - - SignatureList = (EFI_SIGNATURE_LIST *)(NewData + Offset); - WriteUnaligned32 ((UINT32 *) &SignatureList->SignatureListSize, (UINT32)(SignatureListSize + SignatureSize)); - - Offset += SignatureListSize; - CopyMem (NewData + Offset, SignatureData, SignatureSize); - CopyMem (NewData + Offset + SignatureSize, Data + Offset, DataSize - Offset); - - FreePool (Data); - Data = NewData; - DataSize = DbSize; - } else { - // - // Create a new signaturelist, and add the signature into the signaturelist. - // - DbSize = DataSize + sizeof(EFI_SIGNATURE_LIST) + SignatureSize; - NewData = AllocateZeroPool (DbSize); - if (NewData == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - // - // Fill Certificate Database parameters. 
- // - SignatureList = (EFI_SIGNATURE_LIST*) (NewData + DataSize); - SignatureListSize = sizeof(EFI_SIGNATURE_LIST) + SignatureSize; - WriteUnaligned32 ((UINT32 *) &SignatureList->SignatureListSize, (UINT32) SignatureListSize); - WriteUnaligned32 ((UINT32 *) &SignatureList->SignatureSize, (UINT32) SignatureSize); - CopyGuid (&SignatureList->SignatureType, &SignatureType); - CopyMem ((UINT8* ) SignatureList + sizeof (EFI_SIGNATURE_LIST), SignatureData, SignatureSize); - if ((DataSize != 0) && (Data != NULL)) { - CopyMem (NewData, Data, DataSize); - FreePool (Data); - } - Data = NewData; - DataSize = DbSize; - } - - Status = CreateTimeBasedPayload (&DataSize, (UINT8**) &Data); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = gRT->SetVariable( - EFI_IMAGE_SECURITY_DATABASE1, - &gEfiImageSecurityDatabaseGuid, - Attr, - DataSize, - Data - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - -ON_EXIT: - - CloseEnrolledFile(Private->FileContext); - - if (Private->SignatureGUID != NULL) { - FreePool (Private->SignatureGUID); - Private->SignatureGUID = NULL; - } - - if (Data != NULL) { - FreePool (Data); - } - - if (SignatureData != NULL) { - FreePool (SignatureData); - } - - if (X509Data != NULL) { - FreePool (X509Data); - } - - return Status; -} - -/** - Check whether a certificate from a file exists in dbx. - - @param[in] PrivateData The module's private data. - @param[in] VariableName Variable name of signature database, must be - EFI_IMAGE_SECURITY_DATABASE1. - - @retval TRUE The X509 certificate is found in dbx successfully. - @retval FALSE The X509 certificate is not found in dbx. 
-**/ -BOOLEAN -IsX509CertInDbx ( - IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, - IN CHAR16 *VariableName - ) -{ - EFI_STATUS Status; - UINTN X509DataSize; - VOID *X509Data; - BOOLEAN IsFound; - - // - // Read the certificate from file - // - X509DataSize = 0; - X509Data = NULL; - Status = ReadFileContent ( - Private->FileContext->FHandle, - &X509Data, - &X509DataSize, - 0 - ); - if (EFI_ERROR (Status)) { - return FALSE; - } - - // - // Check the raw certificate. - // - IsFound = FALSE; - if (IsSignatureFoundInDatabase (EFI_IMAGE_SECURITY_DATABASE1, X509Data, X509DataSize)) { - IsFound = TRUE; - goto ON_EXIT; - } - - // - // Check the hash of certificate. - // - if (IsCertHashFoundInDbx (X509Data, X509DataSize)) { - IsFound = TRUE; - goto ON_EXIT; - } - -ON_EXIT: - if (X509Data != NULL) { - FreePool (X509Data); - } - - return IsFound; -} - -/** - Reads contents of a PE/COFF image in memory buffer. - - Caution: This function may receive untrusted input. - PE/COFF image is external input, so this function will make sure the PE/COFF image content - read is within the image buffer. - - @param FileHandle Pointer to the file handle to read the PE/COFF image. - @param FileOffset Offset into the PE/COFF image to begin the read operation. - @param ReadSize On input, the size in bytes of the requested read operation. - On output, the number of bytes actually read. - @param Buffer Output buffer that contains the data read from the PE/COFF image. 
- - @retval EFI_SUCCESS The specified portion of the PE/COFF image was read and the size -**/ -EFI_STATUS -EFIAPI -SecureBootConfigImageRead ( - IN VOID *FileHandle, - IN UINTN FileOffset, - IN OUT UINTN *ReadSize, - OUT VOID *Buffer - ) -{ - UINTN EndPosition; - - if (FileHandle == NULL || ReadSize == NULL || Buffer == NULL) { - return EFI_INVALID_PARAMETER; - } - - if (MAX_ADDRESS - FileOffset < *ReadSize) { - return EFI_INVALID_PARAMETER; - } - - EndPosition = FileOffset + *ReadSize; - if (EndPosition > mImageSize) { - *ReadSize = (UINT32)(mImageSize - FileOffset); - } - - if (FileOffset >= mImageSize) { - *ReadSize = 0; - } - - CopyMem (Buffer, (UINT8 *)((UINTN) FileHandle + FileOffset), *ReadSize); - - return EFI_SUCCESS; -} - -/** - Load PE/COFF image information into internal buffer and check its validity. - - @retval EFI_SUCCESS Successful - @retval EFI_UNSUPPORTED Invalid PE/COFF file - @retval EFI_ABORTED Serious error occurs, like file I/O error etc. - -**/ -EFI_STATUS -LoadPeImage ( - VOID - ) -{ - EFI_IMAGE_DOS_HEADER *DosHdr; - EFI_IMAGE_NT_HEADERS32 *NtHeader32; - EFI_IMAGE_NT_HEADERS64 *NtHeader64; - PE_COFF_LOADER_IMAGE_CONTEXT ImageContext; - EFI_STATUS Status; - - NtHeader32 = NULL; - NtHeader64 = NULL; - - ZeroMem (&ImageContext, sizeof (ImageContext)); - ImageContext.Handle = (VOID *) mImageBase; - ImageContext.ImageRead = (PE_COFF_LOADER_READ_FILE) SecureBootConfigImageRead; - - // - // Get information about the image being loaded - // - Status = PeCoffLoaderGetImageInfo (&ImageContext); - if (EFI_ERROR (Status)) { - // - // The information can't be got from the invalid PeImage - // - DEBUG ((DEBUG_INFO, "SecureBootConfigDxe: PeImage invalid. 
\n")); - return Status; - } - - // - // Read the Dos header - // - DosHdr = (EFI_IMAGE_DOS_HEADER*)(mImageBase); - if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE) - { - // - // DOS image header is present, - // So read the PE header after the DOS image header - // - mPeCoffHeaderOffset = DosHdr->e_lfanew; - } - else - { - mPeCoffHeaderOffset = 0; - } - - // - // Read PE header and check the signature validity and machine compatibility - // - NtHeader32 = (EFI_IMAGE_NT_HEADERS32*) (mImageBase + mPeCoffHeaderOffset); - if (NtHeader32->Signature != EFI_IMAGE_NT_SIGNATURE) - { - return EFI_UNSUPPORTED; - } - - mNtHeader.Pe32 = NtHeader32; - - // - // Check the architecture field of PE header and get the Certificate Data Directory data - // Note the size of FileHeader field is constant for both IA32 and X64 arch - // - if ((NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_IA32) - || (NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_EBC) - || (NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_ARMTHUMB_MIXED)) { - // - // 32-bits Architecture - // - mImageType = ImageType_IA32; - mSecDataDir = (EFI_IMAGE_SECURITY_DATA_DIRECTORY*) &(NtHeader32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]); - } - else if ((NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_IA64) - || (NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_X64) - || (NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_AARCH64)) { - // - // 64-bits Architecture - // - mImageType = ImageType_X64; - NtHeader64 = (EFI_IMAGE_NT_HEADERS64 *) (mImageBase + mPeCoffHeaderOffset); - mSecDataDir = (EFI_IMAGE_SECURITY_DATA_DIRECTORY*) &(NtHeader64->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]); - } else { - return EFI_UNSUPPORTED; - } - - return EFI_SUCCESS; -} - -/** - Calculate hash of Pe/Coff image based on the authenticode image hashing in - PE/COFF Specification 8.0 Appendix A - - Notes: PE/COFF image has been checked by BasePeCoffLib PeCoffLoaderGetImageInfo() in - 
the function LoadPeImage (). - - @param[in] HashAlg Hash algorithm type. - - @retval TRUE Successfully hash image. - @retval FALSE Fail in hash image. - -**/ -BOOLEAN -HashPeImage ( - IN UINT32 HashAlg - ) -{ - BOOLEAN Status; - UINT16 Magic; - EFI_IMAGE_SECTION_HEADER *Section; - VOID *HashCtx; - UINTN CtxSize; - UINT8 *HashBase; - UINTN HashSize; - UINTN SumOfBytesHashed; - EFI_IMAGE_SECTION_HEADER *SectionHeader; - UINTN Index; - UINTN Pos; - - HashCtx = NULL; - SectionHeader = NULL; - Status = FALSE; - - if (HashAlg != HASHALG_SHA256) { - return FALSE; - } - - // - // Initialize context of hash. - // - ZeroMem (mImageDigest, MAX_DIGEST_SIZE); - - mImageDigestSize = SHA256_DIGEST_SIZE; - mCertType = gEfiCertSha256Guid; - - CtxSize = mHash[HashAlg].GetContextSize(); - - HashCtx = AllocatePool (CtxSize); - ASSERT (HashCtx != NULL); - - // 1. Load the image header into memory. - - // 2. Initialize a SHA hash context. - Status = mHash[HashAlg].HashInit(HashCtx); - if (!Status) { - goto Done; - } - // - // Measuring PE/COFF Image Header; - // But CheckSum field and SECURITY data directory (certificate) are excluded - // - if (mNtHeader.Pe32->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 && mNtHeader.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { - // - // NOTE: Some versions of Linux ELILO for Itanium have an incorrect magic value - // in the PE/COFF Header. If the MachineType is Itanium(IA64) and the - // Magic value in the OptionalHeader is EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC - // then override the magic value to EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC - // - Magic = EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC; - } else { - // - // Get the magic value from the PE/COFF Optional Header - // - Magic = mNtHeader.Pe32->OptionalHeader.Magic; - } - - // - // 3. Calculate the distance from the base of the image header to the image checksum address. - // 4. Hash the image header from its base to beginning of the image checksum. 
- // - HashBase = mImageBase; - if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { - // - // Use PE32 offset. - // - HashSize = (UINTN) (&mNtHeader.Pe32->OptionalHeader.CheckSum) - (UINTN) HashBase; - } else { - // - // Use PE32+ offset. - // - HashSize = (UINTN) (&mNtHeader.Pe32Plus->OptionalHeader.CheckSum) - (UINTN) HashBase; - } - - Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize); - if (!Status) { - goto Done; - } - // - // 5. Skip over the image checksum (it occupies a single ULONG). - // 6. Get the address of the beginning of the Cert Directory. - // 7. Hash everything from the end of the checksum to the start of the Cert Directory. - // - if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { - // - // Use PE32 offset. - // - HashBase = (UINT8 *) &mNtHeader.Pe32->OptionalHeader.CheckSum + sizeof (UINT32); - HashSize = (UINTN) (&mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - (UINTN) HashBase; - } else { - // - // Use PE32+ offset. - // - HashBase = (UINT8 *) &mNtHeader.Pe32Plus->OptionalHeader.CheckSum + sizeof (UINT32); - HashSize = (UINTN) (&mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - (UINTN) HashBase; - } - - Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize); - if (!Status) { - goto Done; - } - // - // 8. Skip over the Cert Directory. (It is sizeof(IMAGE_DATA_DIRECTORY) bytes.) - // 9. Hash everything from the end of the Cert Directory to the end of image header. - // - if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { - // - // Use PE32 offset - // - HashBase = (UINT8 *) &mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]; - HashSize = mNtHeader.Pe32->OptionalHeader.SizeOfHeaders - ((UINTN) (&mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]) - (UINTN) mImageBase); - } else { - // - // Use PE32+ offset. 
- // - HashBase = (UINT8 *) &mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]; - HashSize = mNtHeader.Pe32Plus->OptionalHeader.SizeOfHeaders - ((UINTN) (&mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]) - (UINTN) mImageBase); - } - - Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize); - if (!Status) { - goto Done; - } - // - // 10. Set the SUM_OF_BYTES_HASHED to the size of the header. - // - if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { - // - // Use PE32 offset. - // - SumOfBytesHashed = mNtHeader.Pe32->OptionalHeader.SizeOfHeaders; - } else { - // - // Use PE32+ offset - // - SumOfBytesHashed = mNtHeader.Pe32Plus->OptionalHeader.SizeOfHeaders; - } - - // - // 11. Build a temporary table of pointers to all the IMAGE_SECTION_HEADER - // structures in the image. The 'NumberOfSections' field of the image - // header indicates how big the table should be. Do not include any - // IMAGE_SECTION_HEADERs in the table whose 'SizeOfRawData' field is zero. - // - SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * mNtHeader.Pe32->FileHeader.NumberOfSections); - ASSERT (SectionHeader != NULL); - // - // 12. Using the 'PointerToRawData' in the referenced section headers as - // a key, arrange the elements in the table in ascending order. In other - // words, sort the section headers according to the disk-file offset of - // the section. 
- // - Section = (EFI_IMAGE_SECTION_HEADER *) ( - mImageBase + - mPeCoffHeaderOffset + - sizeof (UINT32) + - sizeof (EFI_IMAGE_FILE_HEADER) + - mNtHeader.Pe32->FileHeader.SizeOfOptionalHeader - ); - for (Index = 0; Index < mNtHeader.Pe32->FileHeader.NumberOfSections; Index++) { - Pos = Index; - while ((Pos > 0) && (Section->PointerToRawData < SectionHeader[Pos - 1].PointerToRawData)) { - CopyMem (&SectionHeader[Pos], &SectionHeader[Pos - 1], sizeof (EFI_IMAGE_SECTION_HEADER)); - Pos--; - } - CopyMem (&SectionHeader[Pos], Section, sizeof (EFI_IMAGE_SECTION_HEADER)); - Section += 1; - } - - // - // 13. Walk through the sorted table, bring the corresponding section - // into memory, and hash the entire section (using the 'SizeOfRawData' - // field in the section header to determine the amount of data to hash). - // 14. Add the section's 'SizeOfRawData' to SUM_OF_BYTES_HASHED . - // 15. Repeat steps 13 and 14 for all the sections in the sorted table. - // - for (Index = 0; Index < mNtHeader.Pe32->FileHeader.NumberOfSections; Index++) { - Section = &SectionHeader[Index]; - if (Section->SizeOfRawData == 0) { - continue; - } - HashBase = mImageBase + Section->PointerToRawData; - HashSize = (UINTN) Section->SizeOfRawData; - - Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize); - if (!Status) { - goto Done; - } - - SumOfBytesHashed += HashSize; - } - - // - // 16. If the file size is greater than SUM_OF_BYTES_HASHED, there is extra - // data in the file that needs to be added to the hash. This data begins - // at file offset SUM_OF_BYTES_HASHED and its length is: - // FileSize - (CertDirectory->Size) - // - if (mImageSize > SumOfBytesHashed) { - HashBase = mImageBase + SumOfBytesHashed; - if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) { - // - // Use PE32 offset. - // - HashSize = (UINTN)( - mImageSize - - mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size - - SumOfBytesHashed); - } else { - // - // Use PE32+ offset. 
- // - HashSize = (UINTN)( - mImageSize - - mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size - - SumOfBytesHashed); - } - - Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize); - if (!Status) { - goto Done; - } - } - - Status = mHash[HashAlg].HashFinal(HashCtx, mImageDigest); - -Done: - if (HashCtx != NULL) { - FreePool (HashCtx); - } - if (SectionHeader != NULL) { - FreePool (SectionHeader); - } - return Status; -} - -/** - Recognize the Hash algorithm in PE/COFF Authenticode and calculate hash of - Pe/Coff image based on the authenticated image hashing in PE/COFF Specification - 8.0 Appendix A - - @retval EFI_UNSUPPORTED Hash algorithm is not supported. - @retval EFI_SUCCESS Hash successfully. - -**/ -EFI_STATUS -HashPeImageByType ( - VOID - ) -{ - UINT8 Index; - WIN_CERTIFICATE_EFI_PKCS *PkcsCertData; - - PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *) (mImageBase + mSecDataDir->Offset); - - for (Index = 0; Index < HASHALG_MAX; Index++) { - // - // Check the Hash algorithm in PE/COFF Authenticode. - // According to PKCS#7 Definition: - // SignedData ::= SEQUENCE { - // version Version, - // digestAlgorithms DigestAlgorithmIdentifiers, - // contentInfo ContentInfo, - // .... } - // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing - // This field has the fixed offset (+32) in final Authenticode ASN.1 data. - // Fixed offset (+32) is calculated based on two bytes of length encoding. - // - if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) { - // - // Only support two bytes of Long Form of Length Encoding. - // - continue; - } - - // - if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) { - break; - } - } - - if (Index == HASHALG_MAX) { - return EFI_UNSUPPORTED; - } - - // - // HASH PE Image based on Hash algorithm in PE/COFF Authenticode. 
- //
- if (!HashPeImage(Index)) {
- return EFI_UNSUPPORTED;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Enroll a new executable's signature into Signature Database.
-
- @param[in] PrivateData The module's private data.
- @param[in] VariableName Variable name of signature database, must be
- EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURITY_DATABASE1
- or EFI_IMAGE_SECURITY_DATABASE2.
-
- @retval EFI_SUCCESS New signature is enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollAuthentication2Descriptor (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN CHAR16 *VariableName
- )
-{
- EFI_STATUS Status;
- VOID *Data;
- UINTN DataSize;
- UINT32 Attr;
-
- Data = NULL;
-
- //
- // DBT only support DER-X509 Cert Enrollment
- //
- if (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0) {
- return EFI_UNSUPPORTED;
- }
-
- //
- // Read the whole file content
- //
- Status = ReadFileContent(
- Private->FileContext->FHandle,
- (VOID **) &mImageBase,
- &mImageSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (mImageBase != NULL);
-
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
- //
- // Check if SigDB variable has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- DataSize = 0;
- Status = gRT->GetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- //
- // Diretly set AUTHENTICATION_2 data to SetVariable
- //
- Status = gRT->SetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- Attr,
- mImageSize,
- mImageBase
- );
-
- DEBUG((DEBUG_INFO, "Enroll AUTH_2 data to Var:%s Status: %x\n", VariableName, Status));
-
-ON_EXIT:
-
- CloseEnrolledFile(Private->FileContext);
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- if (mImageBase != NULL) {
- FreePool (mImageBase);
- mImageBase = NULL;
- }
-
- return Status;
-
-}
-
-
-/**
- Enroll a new executable's signature into Signature Database.
-
- @param[in] PrivateData The module's private data.
- @param[in] VariableName Variable name of signature database, must be
- EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURITY_DATABASE1
- or EFI_IMAGE_SECURITY_DATABASE2.
-
- @retval EFI_SUCCESS New signature is enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollImageSignatureToSigDB (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN CHAR16 *VariableName
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_LIST *SigDBCert;
- EFI_SIGNATURE_DATA *SigDBCertData;
- VOID *Data;
- UINTN DataSize;
- UINTN SigDBSize;
- UINT32 Attr;
- WIN_CERTIFICATE_UEFI_GUID *GuidCertData;
-
- Data = NULL;
- GuidCertData = NULL;
-
- if (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0) {
- return EFI_UNSUPPORTED;
- }
-
- //
- // Form the SigDB certificate list.
- // Format the data item into EFI_SIGNATURE_LIST type.
- // - // We need to parse executable's signature data from specified signed executable file. - // In current implementation, we simply trust the pass-in signed executable file. - // In reality, it's OS's responsibility to verify the signed executable file. - // - - // - // Read the whole file content - // - Status = ReadFileContent( - Private->FileContext->FHandle, - (VOID **) &mImageBase, - &mImageSize, - 0 - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - ASSERT (mImageBase != NULL); - - Status = LoadPeImage (); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - - if (mSecDataDir->SizeOfCert == 0) { - if (!HashPeImage (HASHALG_SHA256)) { - Status = EFI_SECURITY_VIOLATION; - goto ON_EXIT; - } - } else { - - // - // Read the certificate data - // - mCertificate = (WIN_CERTIFICATE *)(mImageBase + mSecDataDir->Offset); - - if (mCertificate->wCertificateType == WIN_CERT_TYPE_EFI_GUID) { - GuidCertData = (WIN_CERTIFICATE_UEFI_GUID*) mCertificate; - if (CompareMem (&GuidCertData->CertType, &gEfiCertTypeRsa2048Sha256Guid, sizeof(EFI_GUID)) != 0) { - Status = EFI_ABORTED; - goto ON_EXIT; - } - - if (!HashPeImage (HASHALG_SHA256)) { - Status = EFI_ABORTED; - goto ON_EXIT;; - } - - } else if (mCertificate->wCertificateType == WIN_CERT_TYPE_PKCS_SIGNED_DATA) { - - Status = HashPeImageByType (); - if (EFI_ERROR (Status)) { - goto ON_EXIT;; - } - } else { - Status = EFI_ABORTED; - goto ON_EXIT; - } - } - - // - // Create a new SigDB entry. - // - SigDBSize = sizeof(EFI_SIGNATURE_LIST) - + sizeof(EFI_SIGNATURE_DATA) - 1 - + (UINT32) mImageDigestSize; - - Data = (UINT8*) AllocateZeroPool (SigDBSize); - if (Data == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Adjust the Certificate Database parameters. 
- // - SigDBCert = (EFI_SIGNATURE_LIST*) Data; - SigDBCert->SignatureListSize = (UINT32) SigDBSize; - SigDBCert->SignatureHeaderSize = 0; - SigDBCert->SignatureSize = sizeof(EFI_SIGNATURE_DATA) - 1 + (UINT32) mImageDigestSize; - CopyGuid (&SigDBCert->SignatureType, &mCertType); - - SigDBCertData = (EFI_SIGNATURE_DATA*)((UINT8*)SigDBCert + sizeof(EFI_SIGNATURE_LIST)); - CopyGuid (&SigDBCertData->SignatureOwner, Private->SignatureGUID); - CopyMem (SigDBCertData->SignatureData, mImageDigest, mImageDigestSize); - - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS - | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&SigDBSize, (UINT8**) &Data); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - goto ON_EXIT; - } - - // - // Check if SigDB variable has been already existed. - // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the - // new signature data to original variable - // - DataSize = 0; - Status = gRT->GetVariable( - VariableName, - &gEfiImageSecurityDatabaseGuid, - NULL, - &DataSize, - NULL - ); - if (Status == EFI_BUFFER_TOO_SMALL) { - Attr |= EFI_VARIABLE_APPEND_WRITE; - } else if (Status != EFI_NOT_FOUND) { - goto ON_EXIT; - } - - // - // Enroll the variable. - // - Status = gRT->SetVariable( - VariableName, - &gEfiImageSecurityDatabaseGuid, - Attr, - SigDBSize, - Data - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - -ON_EXIT: - - CloseEnrolledFile(Private->FileContext); - - if (Private->SignatureGUID != NULL) { - FreePool (Private->SignatureGUID); - Private->SignatureGUID = NULL; - } - - if (Data != NULL) { - FreePool (Data); - } - - if (mImageBase != NULL) { - FreePool (mImageBase); - mImageBase = NULL; - } - - return Status; -} - -/** - Enroll signature into DB/DBX/DBT without KEK's authentication. - The SignatureOwner GUID will be Private->SignatureGUID. 
- - @param[in] PrivateData The module's private data. - @param[in] VariableName Variable name of signature database, must be - EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1. - - @retval EFI_SUCCESS New signature enrolled successfully. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval others Fail to enroll signature data. - -**/ -EFI_STATUS -EnrollSignatureDatabase ( - IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, - IN CHAR16 *VariableName - ) -{ - UINT16* FilePostFix; - EFI_STATUS Status; - UINTN NameLength; - - if ((Private->FileContext->FileName == NULL) || (Private->FileContext->FHandle == NULL) || (Private->SignatureGUID == NULL)) { - return EFI_INVALID_PARAMETER; - } - - Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); - if (EFI_ERROR (Status)) { - return Status; - } - - // - // Parse the file's postfix. - // - NameLength = StrLen (Private->FileContext->FileName); - if (NameLength <= 4) { - return EFI_INVALID_PARAMETER; - } - FilePostFix = Private->FileContext->FileName + NameLength - 4; - if (IsDerEncodeCertificate (FilePostFix)) { - // - // Supports DER-encoded X509 certificate. - // - return EnrollX509toSigDB (Private, VariableName); - } else if (IsAuthentication2Format(Private->FileContext->FHandle)){ - return EnrollAuthentication2Descriptor(Private, VariableName); - } else { - return EnrollImageSignatureToSigDB (Private, VariableName); - } -} - -/** - List all signatures in specified signature database (e.g. KEK/DB/DBX/DBT) - by GUID in the page for user to select and delete as needed. - - @param[in] PrivateData Module's private data. - @param[in] VariableName The variable name of the vendor's signature database. - @param[in] VendorGuid A unique identifier for the vendor. - @param[in] LabelNumber Label number to insert opcodes. - @param[in] FormId Form ID of current page. - @param[in] QuestionIdBase Base question id of the signature list. 
-
- @retval EFI_SUCCESS Success to update the signature list page
- @retval EFI_OUT_OF_RESOURCES Unable to allocate required resources.
-
-**/
-EFI_STATUS
-UpdateDeletePage (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT16 LabelNumber,
- IN EFI_FORM_ID FormId,
- IN EFI_QUESTION_ID QuestionIdBase
- )
-{
- EFI_STATUS Status;
- UINT32 Index;
- UINTN CertCount;
- UINTN GuidIndex;
- VOID *StartOpCodeHandle;
- VOID *EndOpCodeHandle;
- EFI_IFR_GUID_LABEL *StartLabel;
- EFI_IFR_GUID_LABEL *EndLabel;
- UINTN DataSize;
- UINT8 *Data;
- EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_DATA *Cert;
- UINT32 ItemDataSize;
- CHAR16 *GuidStr;
- EFI_STRING_ID GuidID;
- EFI_STRING_ID Help;
-
- Data = NULL;
- CertList = NULL;
- Cert = NULL;
- GuidStr = NULL;
- StartOpCodeHandle = NULL;
- EndOpCodeHandle = NULL;
-
- //
- // Initialize the container for dynamic opcodes.
- //
- StartOpCodeHandle = HiiAllocateOpCodeHandle ();
- if (StartOpCodeHandle == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- EndOpCodeHandle = HiiAllocateOpCodeHandle ();
- if (EndOpCodeHandle == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Create Hii Extend Label OpCode.
- //
- StartLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- StartOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- StartLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
- StartLabel->Number = LabelNumber;
-
- EndLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- EndOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- EndLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
- EndLabel->Number = LABEL_END;
-
- //
- // Read Variable.
- //
- DataSize = 0;
- Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &DataSize, Data);
- if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {
- goto ON_EXIT;
- }
-
- Data = (UINT8 *) AllocateZeroPool (DataSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &DataSize, Data);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- GuidStr = AllocateZeroPool (100);
- if (GuidStr == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Enumerate all KEK pub data.
- //
- ItemDataSize = (UINT32) DataSize;
- CertList = (EFI_SIGNATURE_LIST *) Data;
- GuidIndex = 0;
-
- while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
-
- if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_SHA1_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_SHA256_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Sha256Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_X509_SHA256_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Sha384Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_X509_SHA384_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Sha512Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_X509_SHA512_GUID);
- } else {
- //
- // The signature type is not supported in current implementation.
- // - ItemDataSize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize); - continue; - } - - CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; - for (Index = 0; Index < CertCount; Index++) { - Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList - + sizeof (EFI_SIGNATURE_LIST) - + CertList->SignatureHeaderSize - + Index * CertList->SignatureSize); - // - // Display GUID and help - // - GuidToString (&Cert->SignatureOwner, GuidStr, 100); - GuidID = HiiSetString (PrivateData->HiiHandle, 0, GuidStr, NULL); - HiiCreateCheckBoxOpCode ( - StartOpCodeHandle, - (EFI_QUESTION_ID) (QuestionIdBase + GuidIndex++), - 0, - 0, - GuidID, - Help, - EFI_IFR_FLAG_CALLBACK, - 0, - NULL - ); - } - - ItemDataSize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize); - } - -ON_EXIT: - HiiUpdateForm ( - PrivateData->HiiHandle, - &gSecureBootConfigFormSetGuid, - FormId, - StartOpCodeHandle, - EndOpCodeHandle - ); - - if (StartOpCodeHandle != NULL) { - HiiFreeOpCodeHandle (StartOpCodeHandle); - } - - if (EndOpCodeHandle != NULL) { - HiiFreeOpCodeHandle (EndOpCodeHandle); - } - - if (Data != NULL) { - FreePool (Data); - } - - if (GuidStr != NULL) { - FreePool (GuidStr); - } - - return EFI_SUCCESS; -} - -/** - Delete a KEK entry from KEK database. - - @param[in] PrivateData Module's private data. - @param[in] QuestionId Question id of the KEK item to delete. - - @retval EFI_SUCCESS Delete kek item successfully. - @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. 
- -**/ -EFI_STATUS -DeleteKeyExchangeKey ( - IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, - IN EFI_QUESTION_ID QuestionId - ) -{ - EFI_STATUS Status; - UINTN DataSize; - UINT8 *Data; - UINT8 *OldData; - UINT32 Attr; - UINT32 Index; - EFI_SIGNATURE_LIST *CertList; - EFI_SIGNATURE_LIST *NewCertList; - EFI_SIGNATURE_DATA *Cert; - UINTN CertCount; - UINT32 Offset; - BOOLEAN IsKEKItemFound; - UINT32 KekDataSize; - UINTN DeleteKekIndex; - UINTN GuidIndex; - - Data = NULL; - OldData = NULL; - CertList = NULL; - Cert = NULL; - Attr = 0; - DeleteKekIndex = QuestionId - OPTION_DEL_KEK_QUESTION_ID; - - Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); - if (EFI_ERROR (Status)) { - return Status; - } - - // - // Get original KEK variable. - // - DataSize = 0; - Status = gRT->GetVariable (EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, NULL, &DataSize, NULL); - if (EFI_ERROR(Status) && Status != EFI_BUFFER_TOO_SMALL) { - goto ON_EXIT; - } - - OldData = (UINT8*)AllocateZeroPool(DataSize); - if (OldData == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - Status = gRT->GetVariable (EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, &Attr, &DataSize, OldData); - if (EFI_ERROR(Status)) { - goto ON_EXIT; - } - - // - // Allocate space for new variable. - // - Data = (UINT8*) AllocateZeroPool (DataSize); - if (Data == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Enumerate all KEK pub data and erasing the target item. 
- // - IsKEKItemFound = FALSE; - KekDataSize = (UINT32) DataSize; - CertList = (EFI_SIGNATURE_LIST *) OldData; - Offset = 0; - GuidIndex = 0; - while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) { - if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) || - CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) { - CopyMem (Data + Offset, CertList, (sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize)); - NewCertList = (EFI_SIGNATURE_LIST *)(Data + Offset); - Offset += (sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); - Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); - CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; - for (Index = 0; Index < CertCount; Index++) { - if (GuidIndex == DeleteKekIndex ) { - // - // Find it! Skip it! - // - NewCertList->SignatureListSize -= CertList->SignatureSize; - IsKEKItemFound = TRUE; - } else { - // - // This item doesn't match. Copy it to the Data buffer. - // - CopyMem (Data + Offset, Cert, CertList->SignatureSize); - Offset += CertList->SignatureSize; - } - GuidIndex++; - Cert = (EFI_SIGNATURE_DATA *) ((UINT8*) Cert + CertList->SignatureSize); - } - } else { - // - // This List doesn't match. Copy it to the Data buffer. - // - CopyMem (Data + Offset, CertList, CertList->SignatureListSize); - Offset += CertList->SignatureListSize; - } - - KekDataSize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST*) ((UINT8*) CertList + CertList->SignatureListSize); - } - - if (!IsKEKItemFound) { - // - // Doesn't find the Kek Item! - // - Status = EFI_NOT_FOUND; - goto ON_EXIT; - } - - // - // Delete the Signature header if there is no signature in the list. 
- // - KekDataSize = Offset; - CertList = (EFI_SIGNATURE_LIST*) Data; - Offset = 0; - ZeroMem (OldData, KekDataSize); - while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) { - CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; - DEBUG ((DEBUG_INFO, " CertCount = %x\n", CertCount)); - if (CertCount != 0) { - CopyMem (OldData + Offset, CertList, CertList->SignatureListSize); - Offset += CertList->SignatureListSize; - } - KekDataSize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize); - } - - DataSize = Offset; - if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { - Status = CreateTimeBasedPayload (&DataSize, &OldData); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - goto ON_EXIT; - } - } - - Status = gRT->SetVariable( - EFI_KEY_EXCHANGE_KEY_NAME, - &gEfiGlobalVariableGuid, - Attr, - DataSize, - OldData - ); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Failed to set variable, Status = %r\n", Status)); - goto ON_EXIT; - } - -ON_EXIT: - if (Data != NULL) { - FreePool(Data); - } - - if (OldData != NULL) { - FreePool(OldData); - } - - return UpdateDeletePage ( - PrivateData, - EFI_KEY_EXCHANGE_KEY_NAME, - &gEfiGlobalVariableGuid, - LABEL_KEK_DELETE, - FORMID_DELETE_KEK_FORM, - OPTION_DEL_KEK_QUESTION_ID - ); -} - -/** - Delete a signature entry from siganture database. - - @param[in] PrivateData Module's private data. - @param[in] VariableName The variable name of the vendor's signature database. - @param[in] VendorGuid A unique identifier for the vendor. - @param[in] LabelNumber Label number to insert opcodes. - @param[in] FormId Form ID of current page. - @param[in] QuestionIdBase Base question id of the signature list. - @param[in] DeleteIndex Signature index to delete. 
-
- @retval EFI_SUCCESS Delete siganture successfully.
- @retval EFI_NOT_FOUND Can't find the signature item,
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-**/
-EFI_STATUS
-DeleteSignature (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT16 LabelNumber,
- IN EFI_FORM_ID FormId,
- IN EFI_QUESTION_ID QuestionIdBase,
- IN UINTN DeleteIndex
- )
-{
- EFI_STATUS Status;
- UINTN DataSize;
- UINT8 *Data;
- UINT8 *OldData;
- UINT32 Attr;
- UINT32 Index;
- EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_LIST *NewCertList;
- EFI_SIGNATURE_DATA *Cert;
- UINTN CertCount;
- UINT32 Offset;
- BOOLEAN IsItemFound;
- UINT32 ItemDataSize;
- UINTN GuidIndex;
-
- Data = NULL;
- OldData = NULL;
- CertList = NULL;
- Cert = NULL;
- Attr = 0;
-
- Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // Get original signature list data.
- //
- DataSize = 0;
- Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &DataSize, NULL);
- if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {
- goto ON_EXIT;
- }
-
- OldData = (UINT8 *) AllocateZeroPool (DataSize);
- if (OldData == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable (VariableName, VendorGuid, &Attr, &DataSize, OldData);
- if (EFI_ERROR(Status)) {
- goto ON_EXIT;
- }
-
- //
- // Allocate space for new variable.
- //
- Data = (UINT8*) AllocateZeroPool (DataSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Enumerate all signature data and erasing the target item.
- // - IsItemFound = FALSE; - ItemDataSize = (UINT32) DataSize; - CertList = (EFI_SIGNATURE_LIST *) OldData; - Offset = 0; - GuidIndex = 0; - while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) { - if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) || - CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) || - CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) || - CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid) || - CompareGuid (&CertList->SignatureType, &gEfiCertX509Sha256Guid) || - CompareGuid (&CertList->SignatureType, &gEfiCertX509Sha384Guid) || - CompareGuid (&CertList->SignatureType, &gEfiCertX509Sha512Guid) - ) { - // - // Copy EFI_SIGNATURE_LIST header then calculate the signature count in this list. - // - CopyMem (Data + Offset, CertList, (sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize)); - NewCertList = (EFI_SIGNATURE_LIST*) (Data + Offset); - Offset += (sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); - Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); - CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; - for (Index = 0; Index < CertCount; Index++) { - if (GuidIndex == DeleteIndex) { - // - // Find it! Skip it! - // - NewCertList->SignatureListSize -= CertList->SignatureSize; - IsItemFound = TRUE; - } else { - // - // This item doesn't match. Copy it to the Data buffer. - // - CopyMem (Data + Offset, (UINT8*)(Cert), CertList->SignatureSize); - Offset += CertList->SignatureSize; - } - GuidIndex++; - Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize); - } - } else { - // - // This List doesn't match. Just copy it to the Data buffer. 
- // - CopyMem (Data + Offset, (UINT8*)(CertList), CertList->SignatureListSize); - Offset += CertList->SignatureListSize; - } - - ItemDataSize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize); - } - - if (!IsItemFound) { - // - // Doesn't find the signature Item! - // - Status = EFI_NOT_FOUND; - goto ON_EXIT; - } - - // - // Delete the EFI_SIGNATURE_LIST header if there is no signature in the list. - // - ItemDataSize = Offset; - CertList = (EFI_SIGNATURE_LIST *) Data; - Offset = 0; - ZeroMem (OldData, ItemDataSize); - while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) { - CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize; - DEBUG ((DEBUG_INFO, " CertCount = %x\n", CertCount)); - if (CertCount != 0) { - CopyMem (OldData + Offset, (UINT8*)(CertList), CertList->SignatureListSize); - Offset += CertList->SignatureListSize; - } - ItemDataSize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize); - } - - DataSize = Offset; - if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { - Status = CreateTimeBasedPayload (&DataSize, &OldData); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - goto ON_EXIT; - } - } - - Status = gRT->SetVariable( - VariableName, - VendorGuid, - Attr, - DataSize, - OldData - ); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Failed to set variable, Status = %r\n", Status)); - goto ON_EXIT; - } - -ON_EXIT: - if (Data != NULL) { - FreePool(Data); - } - - if (OldData != NULL) { - FreePool(OldData); - } - - return UpdateDeletePage ( - PrivateData, - VariableName, - VendorGuid, - LabelNumber, - FormId, - QuestionIdBase - ); -} - -/** - - Update SecureBoot strings based on new Secure Boot Mode State. 
String includes STR_SECURE_BOOT_STATE_CONTENT
- and STR_CUR_SECURE_BOOT_MODE_CONTENT.
-
- @param[in] PrivateData Module's private data.
-
- @return EFI_SUCCESS Update secure boot strings successfully.
- @return other Fail to update secure boot strings.
-
-**/
-EFI_STATUS
-UpdateSecureBootString(
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
- )
-{
- UINT8 *SecureBoot;
-
- SecureBoot = NULL;
-
- //
- // Get current secure boot state.
- //
- GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBoot, NULL);
- if (SecureBoot == NULL) {
- return EFI_NOT_FOUND;
- }
-
- if (*SecureBoot == SECURE_BOOT_MODE_ENABLE) {
- HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Enabled", NULL);
- } else {
- HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Disabled", NULL);
- }
-
- FreePool(SecureBoot);
-
- return EFI_SUCCESS;
-}
-
-/**
- This function extracts configuration from variable.
-
- @param[in] Private Point to SecureBoot configuration driver private data.
- @param[in, out] ConfigData Point to SecureBoot configuration private data.
-
-**/
-VOID
-SecureBootExtractConfigFromVariable (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN OUT SECUREBOOT_CONFIGURATION *ConfigData
- )
-{
- UINT8 *SecureBootEnable;
- UINT8 *SetupMode;
- UINT8 *SecureBootMode;
- EFI_TIME CurrTime;
-
- SecureBootEnable = NULL;
- SetupMode = NULL;
- SecureBootMode = NULL;
-
- //
- // Initilize the Date and Time using system time.
- //
- ConfigData->CertificateFormat = HASHALG_RAW;
- ConfigData->AlwaysRevocation = TRUE;
- gRT->GetTime (&CurrTime, NULL);
- ConfigData->RevocationDate.Year = CurrTime.Year;
- ConfigData->RevocationDate.Month = CurrTime.Month;
- ConfigData->RevocationDate.Day = CurrTime.Day;
- ConfigData->RevocationTime.Hour = CurrTime.Hour;
- ConfigData->RevocationTime.Minute = CurrTime.Minute;
- ConfigData->RevocationTime.Second = 0;
- if (Private->FileContext->FHandle != NULL) {
- ConfigData->FileEnrollType = Private->FileContext->FileType;
- } else {
- ConfigData->FileEnrollType = UNKNOWN_FILE_TYPE;
- }
-
- //
- // If it is Physical Presence User, set the PhysicalPresent to true.
- //
- if (UserPhysicalPresent()) {
- ConfigData->PhysicalPresent = TRUE;
- } else {
- ConfigData->PhysicalPresent = FALSE;
- }
-
- //
- // If there is no PK then the Delete Pk button will be gray.
- //
- GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
- if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
- ConfigData->HasPk = FALSE;
- } else {
- ConfigData->HasPk = TRUE;
- }
-
- //
- // Check SecureBootEnable & Pk status, fix the inconsistence.
- // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
- // Checkbox.
- //
- ConfigData->AttemptSecureBoot = FALSE;
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
-
- //
- // Fix Pk, SecureBootEnable inconsistence
- //
- if ((SetupMode != NULL) && (*SetupMode) == USER_MODE) {
- ConfigData->HideSecureBoot = FALSE;
- if ((SecureBootEnable != NULL) && (*SecureBootEnable == SECURE_BOOT_ENABLE)) {
- ConfigData->AttemptSecureBoot = TRUE;
- }
- } else {
- ConfigData->HideSecureBoot = TRUE;
- }
-
- //
- // Get the SecureBootMode from CustomMode variable.
- //
- GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);
- if (SecureBootMode == NULL) {
- ConfigData->SecureBootMode = STANDARD_SECURE_BOOT_MODE;
- } else {
- ConfigData->SecureBootMode = *(SecureBootMode);
- }
-
- if (SecureBootEnable != NULL) {
- FreePool (SecureBootEnable);
- }
- if (SetupMode != NULL) {
- FreePool (SetupMode);
- }
- if (SecureBootMode != NULL) {
- FreePool (SecureBootMode);
- }
-}
-
-/**
- This function allows a caller to extract the current configuration for one
- or more named elements from the target driver.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Request A null-terminated Unicode string in
- format.
- @param[out] Progress On return, points to a character in the Request
- string. Points to the string's null terminator if
- request was successful. Points to the most recent
- '&' before the first failing name/value pair (or
- the beginning of the string if the failure is in
- the first name/value pair) if the request was not
- successful.
- @param[out] Results A null-terminated Unicode string in
- format which has all values filled
- in for the names in the Request string. String to
- be allocated by the called function.
-
- @retval EFI_SUCCESS The Results is filled with the requested values.
- @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
- @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
- @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
- driver.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootExtractConfig (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN CONST EFI_STRING Request,
- OUT EFI_STRING *Progress,
- OUT EFI_STRING *Results
- )
-{
- EFI_STATUS Status;
- UINTN BufferSize;
- UINTN Size;
- SECUREBOOT_CONFIGURATION Configuration;
- EFI_STRING ConfigRequest;
- EFI_STRING ConfigRequestHdr;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
- BOOLEAN AllocatedRequest;
-
- if (Progress == NULL || Results == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- AllocatedRequest = FALSE;
- ConfigRequestHdr = NULL;
- ConfigRequest = NULL;
- Size = 0;
-
- ZeroMem (&Configuration, sizeof (Configuration));
- PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
- *Progress = Request;
-
- if ((Request != NULL) && !HiiIsConfigHdrMatch (Request, &gSecureBootConfigFormSetGuid, mSecureBootStorageName)) {
- return EFI_NOT_FOUND;
- }
-
- ZeroMem(&Configuration, sizeof(SECUREBOOT_CONFIGURATION));
-
- //
- // Get Configuration from Variable.
- //
- SecureBootExtractConfigFromVariable (PrivateData, &Configuration);
-
- BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
- ConfigRequest = Request;
- if ((Request == NULL) || (StrStr (Request, L"OFFSET") == NULL)) {
- //
- // Request is set to NULL or OFFSET is NULL, construct full request string.
- //
- // Allocate and fill a buffer large enough to hold the template
- // followed by "&OFFSET=0&WIDTH=WWWWWWWWWWWWWWWW" followed by a Null-terminator
- //
- ConfigRequestHdr = HiiConstructConfigHdr (&gSecureBootConfigFormSetGuid, mSecureBootStorageName, PrivateData->DriverHandle);
- Size = (StrLen (ConfigRequestHdr) + 32 + 1) * sizeof (CHAR16);
- ConfigRequest = AllocateZeroPool (Size);
- ASSERT (ConfigRequest != NULL);
- AllocatedRequest = TRUE;
- UnicodeSPrint (ConfigRequest, Size, L"%s&OFFSET=0&WIDTH=%016LX", ConfigRequestHdr, (UINT64)BufferSize);
- FreePool (ConfigRequestHdr);
- ConfigRequestHdr = NULL;
- }
-
- Status = gHiiConfigRouting->BlockToConfig (
- gHiiConfigRouting,
- ConfigRequest,
- (UINT8 *) &Configuration,
- BufferSize,
- Results,
- Progress
- );
-
- //
- // Free the allocated config request string.
- //
- if (AllocatedRequest) {
- FreePool (ConfigRequest);
- }
-
- //
- // Set Progress string to the original request string.
- //
- if (Request == NULL) {
- *Progress = NULL;
- } else if (StrStr (Request, L"OFFSET") == NULL) {
- *Progress = Request + StrLen (Request);
- }
-
- return Status;
-}
-
-/**
- This function processes the results of changes in configuration.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Configuration A null-terminated Unicode string in
- format.
- @param[out] Progress A pointer to a string filled in with the offset of
- the most recent '&' before the first failing
- name/value pair (or the beginning of the string if
- the failure is in the first name/value pair) or
- the terminating NULL if all was successful.
-
- @retval EFI_SUCCESS The Results is processed successfully.
- @retval EFI_INVALID_PARAMETER Configuration is NULL.
- @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
- driver.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootRouteConfig (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN CONST EFI_STRING Configuration,
- OUT EFI_STRING *Progress
- )
-{
- SECUREBOOT_CONFIGURATION IfrNvData;
- UINTN BufferSize;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
- EFI_STATUS Status;
-
- if (Configuration == NULL || Progress == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- *Progress = Configuration;
- if (!HiiIsConfigHdrMatch (Configuration, &gSecureBootConfigFormSetGuid, mSecureBootStorageName)) {
- return EFI_NOT_FOUND;
- }
-
- PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
-
- //
- // Get Configuration from Variable.
- //
- SecureBootExtractConfigFromVariable (PrivateData, &IfrNvData);
-
- //
- // Map the Configuration to the configuration block.
- //
- BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
- Status = gHiiConfigRouting->ConfigToBlock (
- gHiiConfigRouting,
- Configuration,
- (UINT8 *)&IfrNvData,
- &BufferSize,
- Progress
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // Store Buffer Storage back to EFI variable if needed
- //
- if (!IfrNvData.HideSecureBoot) {
- Status = SaveSecureBootVariable (IfrNvData.AttemptSecureBoot);
- if (EFI_ERROR (Status)) {
- return Status;
- }
- }
-
- *Progress = Configuration + StrLen (Configuration);
- return EFI_SUCCESS;
-}
-
-/**
- This function is called to provide results data to the driver.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Action Specifies the type of action taken by the browser.
- @param[in] QuestionId A unique value which is sent to the original
- exporting driver so that it can identify the type
- of data to expect.
- @param[in] Type The type of value for the question.
- @param[in] Value A pointer to the data being sent to the original
- exporting driver.
- @param[out] ActionRequest On return, points to the action requested by the
- callback function.
-
- @retval EFI_SUCCESS The callback successfully handled the action.
- @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
- variable and its data.
- @retval EFI_DEVICE_ERROR The variable could not be saved.
- @retval EFI_UNSUPPORTED The specified Action is not supported by the
- callback.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootCallback (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN EFI_BROWSER_ACTION Action,
- IN EFI_QUESTION_ID QuestionId,
- IN UINT8 Type,
- IN EFI_IFR_TYPE_VALUE *Value,
- OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
- )
-{
- EFI_INPUT_KEY Key;
- EFI_STATUS Status;
- RETURN_STATUS RStatus;
- SECUREBOOT_CONFIG_PRIVATE_DATA *Private;
- UINTN BufferSize;
- SECUREBOOT_CONFIGURATION *IfrNvData;
- UINT16 LabelId;
- UINT8 *SecureBootEnable;
- UINT8 *Pk;
- UINT8 *SecureBootMode;
- UINT8 *SetupMode;
- CHAR16 PromptString[100];
- EFI_DEVICE_PATH_PROTOCOL *File;
- UINTN NameLength;
- UINT16 *FilePostFix;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
-
- Status = EFI_SUCCESS;
- SecureBootEnable = NULL;
- SecureBootMode = NULL;
- SetupMode = NULL;
- File = NULL;
-
- if ((This == NULL) || (Value == NULL) || (ActionRequest == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- Private = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
-
- gSecureBootPrivateData = Private;
-
- //
- // Retrieve uncommitted data from Browser
- //
- BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
- IfrNvData = AllocateZeroPool (BufferSize);
- if (IfrNvData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- HiiGetBrowserData (&gSecureBootConfigFormSetGuid, mSecureBootStorageName, BufferSize, (UINT8 *) IfrNvData);
-
- if (Action == EFI_BROWSER_ACTION_FORM_OPEN) {
- if (QuestionId == KEY_SECURE_BOOT_MODE) {
- //
- // Update secure boot strings when opening this form
- //
- Status = UpdateSecureBootString(Private);
- SecureBootExtractConfigFromVariable (Private, IfrNvData);
- mIsEnterSecureBootForm = TRUE;
- } else {
- //
- // When entering SecureBoot OPTION Form
- // always close opened file & free resource
- //
- if ((QuestionId
== KEY_SECURE_BOOT_PK_OPTION) ||
- (QuestionId == KEY_SECURE_BOOT_KEK_OPTION) ||
- (QuestionId == KEY_SECURE_BOOT_DB_OPTION) ||
- (QuestionId == KEY_SECURE_BOOT_DBX_OPTION) ||
- (QuestionId == KEY_SECURE_BOOT_DBT_OPTION)) {
- CloseEnrolledFile(Private->FileContext);
- }
- }
- goto EXIT;
- }
-
- if (Action == EFI_BROWSER_ACTION_RETRIEVE) {
- Status = EFI_UNSUPPORTED;
- if (QuestionId == KEY_SECURE_BOOT_MODE) {
- if (mIsEnterSecureBootForm) {
- Value->u8 = SECURE_BOOT_MODE_STANDARD;
- Status = EFI_SUCCESS;
- }
- }
- goto EXIT;
- }
-
- if ((Action != EFI_BROWSER_ACTION_CHANGED) &&
- (Action != EFI_BROWSER_ACTION_CHANGING) &&
- (Action != EFI_BROWSER_ACTION_FORM_CLOSE) &&
- (Action != EFI_BROWSER_ACTION_DEFAULT_STANDARD)) {
- Status = EFI_UNSUPPORTED;
- goto EXIT;
- }
-
- if (Action == EFI_BROWSER_ACTION_CHANGING) {
-
- switch (QuestionId) {
- case KEY_SECURE_BOOT_ENABLE:
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
- if (NULL != SecureBootEnable) {
- FreePool (SecureBootEnable);
- if (EFI_ERROR (SaveSecureBootVariable (Value->u8))) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Only Physical Presence User could disable secure boot!",
- NULL
- );
- Status = EFI_UNSUPPORTED;
- } else {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Configuration changed, please reset the platform to take effect!",
- NULL
- );
- }
- }
- break;
-
- case KEY_SECURE_BOOT_KEK_OPTION:
- case KEY_SECURE_BOOT_DB_OPTION:
- case KEY_SECURE_BOOT_DBX_OPTION:
- case KEY_SECURE_BOOT_DBT_OPTION:
- PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
- //
- // Clear Signature GUID.
- //
- ZeroMem (IfrNvData->SignatureGuid, sizeof (IfrNvData->SignatureGuid));
- if (Private->SignatureGUID == NULL) {
- Private->SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
- if (Private->SignatureGUID == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- }
-
- //
- // Cleanup VFRData once leaving PK/KEK/DB/DBX/DBT enroll/delete page
- //
- SecureBootExtractConfigFromVariable (PrivateData, IfrNvData);
-
- if (QuestionId == KEY_SECURE_BOOT_DB_OPTION) {
- LabelId = SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
- } else if (QuestionId == KEY_SECURE_BOOT_DBX_OPTION) {
- LabelId = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
- } else if (QuestionId == KEY_SECURE_BOOT_DBT_OPTION) {
- LabelId = SECUREBOOT_ENROLL_SIGNATURE_TO_DBT;
- } else {
- LabelId = FORMID_ENROLL_KEK_FORM;
- }
-
- //
- // Refresh selected file.
- //
- CleanUpPage (LabelId, Private);
- break;
- case KEY_SECURE_BOOT_PK_OPTION:
- LabelId = FORMID_ENROLL_PK_FORM;
- //
- // Refresh selected file.
- //
- CleanUpPage (LabelId, Private);
- break;
-
- case FORMID_ENROLL_PK_FORM:
- ChooseFile (NULL, NULL, UpdatePKFromFile, &File);
- break;
-
- case FORMID_ENROLL_KEK_FORM:
- ChooseFile (NULL, NULL, UpdateKEKFromFile, &File);
- break;
-
- case SECUREBOOT_ENROLL_SIGNATURE_TO_DB:
- ChooseFile (NULL, NULL, UpdateDBFromFile, &File);
- break;
-
- case SECUREBOOT_ENROLL_SIGNATURE_TO_DBX:
- ChooseFile (NULL, NULL, UpdateDBXFromFile, &File);
-
- if (Private->FileContext->FHandle != NULL) {
- //
- // Parse the file's postfix.
- //
- NameLength = StrLen (Private->FileContext->FileName);
- if (NameLength <= 4) {
- return FALSE;
- }
- FilePostFix = Private->FileContext->FileName + NameLength - 4;
-
- if (IsDerEncodeCertificate (FilePostFix)) {
- //
- // Supports DER-encoded X509 certificate.
- //
- IfrNvData->FileEnrollType = X509_CERT_FILE_TYPE;
- } else if (IsAuthentication2Format(Private->FileContext->FHandle)){
- IfrNvData->FileEnrollType = AUTHENTICATION_2_FILE_TYPE;
- } else {
- IfrNvData->FileEnrollType = PE_IMAGE_FILE_TYPE;
- }
- Private->FileContext->FileType = IfrNvData->FileEnrollType;
-
- //
- // Clean up Certificate Format if File type is not X509 DER
- //
- if (IfrNvData->FileEnrollType != X509_CERT_FILE_TYPE) {
- IfrNvData->CertificateFormat = HASHALG_RAW;
- }
- DEBUG((DEBUG_ERROR, "IfrNvData->FileEnrollType %d\n", Private->FileContext->FileType));
- }
-
- break;
-
- case SECUREBOOT_ENROLL_SIGNATURE_TO_DBT:
- ChooseFile (NULL, NULL, UpdateDBTFromFile, &File);
- break;
-
- case KEY_SECURE_BOOT_DELETE_PK:
- if (Value->u8) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Are you sure you want to delete PK? Secure boot will be disabled!",
- L"Press 'Y' to delete PK and exit, 'N' to discard change and return",
- NULL
- );
- if (Key.UnicodeChar == 'y' || Key.UnicodeChar == 'Y') {
- Status = DeletePlatformKey ();
- if (EFI_ERROR (Status)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Only Physical Presence User could delete PK in custom mode!",
- NULL
- );
- }
- }
- }
- break;
-
- case KEY_DELETE_KEK:
- UpdateDeletePage (
- Private,
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- LABEL_KEK_DELETE,
- FORMID_DELETE_KEK_FORM,
- OPTION_DEL_KEK_QUESTION_ID
- );
- break;
-
- case SECUREBOOT_DELETE_SIGNATURE_FROM_DB:
- UpdateDeletePage (
- Private,
- EFI_IMAGE_SECURITY_DATABASE,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DB_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
- OPTION_DEL_DB_QUESTION_ID
- );
- break;
-
- case SECUREBOOT_DELETE_SIGNATURE_FROM_DBX:
- UpdateDeletePage (
- Private,
- EFI_IMAGE_SECURITY_DATABASE1,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DBX_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
- OPTION_DEL_DBX_QUESTION_ID
- );
-
- break;
-
- case
SECUREBOOT_DELETE_SIGNATURE_FROM_DBT:
- UpdateDeletePage (
- Private,
- EFI_IMAGE_SECURITY_DATABASE2,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DBT_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DBT,
- OPTION_DEL_DBT_QUESTION_ID
- );
-
- break;
-
- case KEY_VALUE_SAVE_AND_EXIT_KEK:
- Status = EnrollKeyExchangeKey (Private);
- if (EFI_ERROR (Status)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"ERROR: Unsupported file type!",
- L"Only supports DER-encoded X509 certificate",
- NULL
- );
- }
- break;
-
- case KEY_VALUE_SAVE_AND_EXIT_DB:
- Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE);
- if (EFI_ERROR (Status)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"ERROR: Unsupported file type!",
- L"Only supports DER-encoded X509 certificate and executable EFI image",
- NULL
- );
- }
- break;
-
- case KEY_VALUE_SAVE_AND_EXIT_DBX:
- if (IsX509CertInDbx (Private, EFI_IMAGE_SECURITY_DATABASE1)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Enrollment failed! Same certificate had already been in the dbx!",
- NULL
- );
-
- //
- // Cert already exists in DBX. Close opened file before exit.
- // - CloseEnrolledFile(Private->FileContext); - break; - } - - if ((IfrNvData != NULL) && (IfrNvData->CertificateFormat < HASHALG_MAX)) { - Status = EnrollX509HashtoSigDB ( - Private, - IfrNvData->CertificateFormat, - &IfrNvData->RevocationDate, - &IfrNvData->RevocationTime, - IfrNvData->AlwaysRevocation - ); - IfrNvData->CertificateFormat = HASHALG_RAW; - } else { - Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE1); - } - if (EFI_ERROR (Status)) { - CreatePopUp ( - EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, - &Key, - L"ERROR: Unsupported file type!", - L"Only supports DER-encoded X509 certificate, AUTH_2 format data & executable EFI image", - NULL - ); - } - break; - - case KEY_VALUE_SAVE_AND_EXIT_DBT: - Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE2); - if (EFI_ERROR (Status)) { - CreatePopUp ( - EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, - &Key, - L"ERROR: Unsupported file type!", - L"Only supports DER-encoded X509 certificate.", - NULL - ); - } - break; - case KEY_VALUE_SAVE_AND_EXIT_PK: - Status = EnrollPlatformKey (Private); - if (EFI_ERROR (Status)) { - UnicodeSPrint ( - PromptString, - sizeof (PromptString), - L"Only DER encoded certificate file (%s) is supported.", - mSupportX509Suffix - ); - CreatePopUp ( - EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, - &Key, - L"ERROR: Unsupported file type!", - PromptString, - NULL - ); - } - break; - default: - if ((QuestionId >= OPTION_DEL_KEK_QUESTION_ID) && - (QuestionId < (OPTION_DEL_KEK_QUESTION_ID + OPTION_CONFIG_RANGE))) { - DeleteKeyExchangeKey (Private, QuestionId); - } else if ((QuestionId >= OPTION_DEL_DB_QUESTION_ID) && - (QuestionId < (OPTION_DEL_DB_QUESTION_ID + OPTION_CONFIG_RANGE))) { - DeleteSignature ( - Private, - EFI_IMAGE_SECURITY_DATABASE, - &gEfiImageSecurityDatabaseGuid, - LABEL_DB_DELETE, - SECUREBOOT_DELETE_SIGNATURE_FROM_DB, - OPTION_DEL_DB_QUESTION_ID, - QuestionId - OPTION_DEL_DB_QUESTION_ID - ); - } else if ((QuestionId >= OPTION_DEL_DBX_QUESTION_ID) && - 
(QuestionId < (OPTION_DEL_DBX_QUESTION_ID + OPTION_CONFIG_RANGE))) { - DeleteSignature ( - Private, - EFI_IMAGE_SECURITY_DATABASE1, - &gEfiImageSecurityDatabaseGuid, - LABEL_DBX_DELETE, - SECUREBOOT_DELETE_SIGNATURE_FROM_DBX, - OPTION_DEL_DBX_QUESTION_ID, - QuestionId - OPTION_DEL_DBX_QUESTION_ID - ); - } else if ((QuestionId >= OPTION_DEL_DBT_QUESTION_ID) && - (QuestionId < (OPTION_DEL_DBT_QUESTION_ID + OPTION_CONFIG_RANGE))) { - DeleteSignature ( - Private, - EFI_IMAGE_SECURITY_DATABASE2, - &gEfiImageSecurityDatabaseGuid, - LABEL_DBT_DELETE, - SECUREBOOT_DELETE_SIGNATURE_FROM_DBT, - OPTION_DEL_DBT_QUESTION_ID, - QuestionId - OPTION_DEL_DBT_QUESTION_ID - ); - } - break; - - case KEY_VALUE_NO_SAVE_AND_EXIT_PK: - case KEY_VALUE_NO_SAVE_AND_EXIT_KEK: - case KEY_VALUE_NO_SAVE_AND_EXIT_DB: - case KEY_VALUE_NO_SAVE_AND_EXIT_DBX: - case KEY_VALUE_NO_SAVE_AND_EXIT_DBT: - CloseEnrolledFile(Private->FileContext); - - if (Private->SignatureGUID != NULL) { - FreePool (Private->SignatureGUID); - Private->SignatureGUID = NULL; - } - break; - } - } else if (Action == EFI_BROWSER_ACTION_CHANGED) { - switch (QuestionId) { - case KEY_SECURE_BOOT_ENABLE: - *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; - break; - case KEY_SECURE_BOOT_MODE: - mIsEnterSecureBootForm = FALSE; - break; - case KEY_SECURE_BOOT_KEK_GUID: - case KEY_SECURE_BOOT_SIGNATURE_GUID_DB: - case KEY_SECURE_BOOT_SIGNATURE_GUID_DBX: - case KEY_SECURE_BOOT_SIGNATURE_GUID_DBT: - ASSERT (Private->SignatureGUID != NULL); - RStatus = StrToGuid (IfrNvData->SignatureGuid, Private->SignatureGUID); - if (RETURN_ERROR (RStatus) || (IfrNvData->SignatureGuid[GUID_STRING_LENGTH] != L'\0')) { - Status = EFI_INVALID_PARAMETER; - break; - } - - *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; - break; - case KEY_SECURE_BOOT_DELETE_PK: - GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL); - if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) { - IfrNvData->DeletePk = TRUE; - 
IfrNvData->HasPk = FALSE;
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT;
- } else {
- IfrNvData->DeletePk = FALSE;
- IfrNvData->HasPk = TRUE;
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
- }
- if (SetupMode != NULL) {
- FreePool (SetupMode);
- }
- break;
- default:
- break;
- }
- } else if (Action == EFI_BROWSER_ACTION_DEFAULT_STANDARD) {
- if (QuestionId == KEY_HIDE_SECURE_BOOT) {
- GetVariable2 (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID**)&Pk, NULL);
- if (Pk == NULL) {
- IfrNvData->HideSecureBoot = TRUE;
- } else {
- FreePool (Pk);
- IfrNvData->HideSecureBoot = FALSE;
- }
- Value->b = IfrNvData->HideSecureBoot;
- }
- } else if (Action == EFI_BROWSER_ACTION_FORM_CLOSE) {
- //
- // Force the platform back to Standard Mode once user leave the setup screen.
- //
- GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);
- if (NULL != SecureBootMode && *SecureBootMode == CUSTOM_SECURE_BOOT_MODE) {
- IfrNvData->SecureBootMode = STANDARD_SECURE_BOOT_MODE;
- SetSecureBootMode(STANDARD_SECURE_BOOT_MODE);
- }
- if (SecureBootMode != NULL) {
- FreePool (SecureBootMode);
- }
- }
-
-EXIT:
-
- if (!EFI_ERROR (Status)) {
- BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
- HiiSetBrowserData (&gSecureBootConfigFormSetGuid, mSecureBootStorageName, BufferSize, (UINT8*) IfrNvData, NULL);
- }
-
- FreePool (IfrNvData);
-
- if (File != NULL){
- FreePool(File);
- File = NULL;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- This function publish the SecureBoot configuration Form.
-
- @param[in, out] PrivateData Points to SecureBoot configuration private data.
-
- @retval EFI_SUCCESS HII Form is installed successfully.
- @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
- @retval Others Other errors as indicated.
-
-**/
-EFI_STATUS
-InstallSecureBootConfigForm (
- IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- )
-{
- EFI_STATUS Status;
- EFI_HII_HANDLE HiiHandle;
- EFI_HANDLE DriverHandle;
- EFI_HII_CONFIG_ACCESS_PROTOCOL *ConfigAccess;
-
- DriverHandle = NULL;
- ConfigAccess = &PrivateData->ConfigAccess;
- Status = gBS->InstallMultipleProtocolInterfaces (
- &DriverHandle,
- &gEfiDevicePathProtocolGuid,
- &mSecureBootHiiVendorDevicePath,
- &gEfiHiiConfigAccessProtocolGuid,
- ConfigAccess,
- NULL
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- PrivateData->DriverHandle = DriverHandle;
-
- //
- // Publish the HII package list
- //
- HiiHandle = HiiAddPackages (
- &gSecureBootConfigFormSetGuid,
- DriverHandle,
- SecureBootConfigDxeStrings,
- SecureBootConfigBin,
- NULL
- );
- if (HiiHandle == NULL) {
- gBS->UninstallMultipleProtocolInterfaces (
- DriverHandle,
- &gEfiDevicePathProtocolGuid,
- &mSecureBootHiiVendorDevicePath,
- &gEfiHiiConfigAccessProtocolGuid,
- ConfigAccess,
- NULL
- );
- return EFI_OUT_OF_RESOURCES;
- }
-
- PrivateData->HiiHandle = HiiHandle;
-
- PrivateData->FileContext = AllocateZeroPool (sizeof (SECUREBOOT_FILE_CONTEXT));
-
- if (PrivateData->FileContext == NULL) {
- UninstallSecureBootConfigForm (PrivateData);
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Init OpCode Handle and Allocate space for creation of Buffer
- //
- mStartOpCodeHandle = HiiAllocateOpCodeHandle ();
- if (mStartOpCodeHandle == NULL) {
- UninstallSecureBootConfigForm (PrivateData);
- return EFI_OUT_OF_RESOURCES;
- }
-
- mEndOpCodeHandle = HiiAllocateOpCodeHandle ();
- if (mEndOpCodeHandle == NULL) {
- UninstallSecureBootConfigForm (PrivateData);
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Create Hii Extend Label OpCode as the start opcode
- //
- mStartLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- mStartOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- mStartLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
-
- //
- // Create Hii
Extend Label OpCode as the end opcode
- //
- mEndLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- mEndOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- mEndLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
- mEndLabel->Number = LABEL_END;
-
- return EFI_SUCCESS;
-}
-
-/**
- This function removes SecureBoot configuration Form.
-
- @param[in, out] PrivateData Points to SecureBoot configuration private data.
-
-**/
-VOID
-UninstallSecureBootConfigForm (
- IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- )
-{
- //
- // Uninstall HII package list
- //
- if (PrivateData->HiiHandle != NULL) {
- HiiRemovePackages (PrivateData->HiiHandle);
- PrivateData->HiiHandle = NULL;
- }
-
- //
- // Uninstall HII Config Access Protocol
- //
- if (PrivateData->DriverHandle != NULL) {
- gBS->UninstallMultipleProtocolInterfaces (
- PrivateData->DriverHandle,
- &gEfiDevicePathProtocolGuid,
- &mSecureBootHiiVendorDevicePath,
- &gEfiHiiConfigAccessProtocolGuid,
- &PrivateData->ConfigAccess,
- NULL
- );
- PrivateData->DriverHandle = NULL;
- }
-
- if (PrivateData->SignatureGUID != NULL) {
- FreePool (PrivateData->SignatureGUID);
- }
-
- if (PrivateData->FileContext != NULL) {
- FreePool (PrivateData->FileContext);
- }
-
- FreePool (PrivateData);
-
- if (mStartOpCodeHandle != NULL) {
- HiiFreeOpCodeHandle (mStartOpCodeHandle);
- }
-
- if (mEndOpCodeHandle != NULL) {
- HiiFreeOpCodeHandle (mEndOpCodeHandle);
- }
-}
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
deleted file mode 100644
index 75b18f121c..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
+++ /dev/null
@@ -1,567 +0,0 @@
-/** @file
- The header file of HII Config Access protocol implementation of SecureBoot
- configuration module.
-
-Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef __SECUREBOOT_CONFIG_IMPL_H__
-#define __SECUREBOOT_CONFIG_IMPL_H__
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "SecureBootConfigNvData.h"
-
-//
-// Tool generated IFR binary data and String package data
-//
-extern UINT8 SecureBootConfigBin[];
-extern UINT8 SecureBootConfigDxeStrings[];
-
-//
-// Shared IFR form update data
-//
-extern VOID *mStartOpCodeHandle;
-extern VOID *mEndOpCodeHandle;
-extern EFI_IFR_GUID_LABEL *mStartLabel;
-extern EFI_IFR_GUID_LABEL *mEndLabel;
-
-#define MAX_CHAR 480
-#define TWO_BYTE_ENCODE 0x82
-
-
-//
-// SHA-256 digest size in bytes
-//
-#define SHA256_DIGEST_SIZE 32
-//
-// SHA-384 digest size in bytes
-//
-#define SHA384_DIGEST_SIZE 48
-//
-// SHA-512 digest size in bytes
-//
-#define SHA512_DIGEST_SIZE 64
-
-//
-// Set max digest size as SHA512 Output (64 bytes) by far
-//
-#define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
-
-#define WIN_CERT_UEFI_RSA2048_SIZE 256
-
-//
-// Support hash types
-//
-#define HASHALG_SHA224 0x00000000
-#define HASHALG_SHA256 0x00000001
-#define HASHALG_SHA384 0x00000002
-#define HASHALG_SHA512 0x00000003
-#define HASHALG_RAW 0x00000004
-#define HASHALG_MAX 0x00000004
-
-
-typedef struct {
- UINTN Signature;
- LIST_ENTRY Head;
- UINTN MenuNumber;
-} SECUREBOOT_MENU_OPTION;
-
-typedef struct {
- EFI_FILE_HANDLE FHandle;
- UINT16
*FileName;
- UINT8 FileType;
-} SECUREBOOT_FILE_CONTEXT;
-
-
-//
-// We define another format of 5th directory entry: security directory
-//
-typedef struct {
- UINT32 Offset; // Offset of certificate
- UINT32 SizeOfCert; // size of certificate appended
-} EFI_IMAGE_SECURITY_DATA_DIRECTORY;
-
-typedef enum{
- ImageType_IA32,
- ImageType_X64
-} IMAGE_TYPE;
-
-///
-/// HII specific Vendor Device Path definition.
-///
-typedef struct {
- VENDOR_DEVICE_PATH VendorDevicePath;
- EFI_DEVICE_PATH_PROTOCOL End;
-} HII_VENDOR_DEVICE_PATH;
-
-typedef struct {
- UINTN Signature;
-
- EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess;
- EFI_HII_HANDLE HiiHandle;
- EFI_HANDLE DriverHandle;
-
- SECUREBOOT_FILE_CONTEXT *FileContext;
-
- EFI_GUID *SignatureGUID;
-} SECUREBOOT_CONFIG_PRIVATE_DATA;
-
-extern SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate;
-extern SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData;
-
-#define SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('S', 'E', 'C', 'B')
-#define SECUREBOOT_CONFIG_PRIVATE_FROM_THIS(a) CR (a, SECUREBOOT_CONFIG_PRIVATE_DATA, ConfigAccess, SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE)
-
-//
-// Cryptograhpic Key Information
-//
-#pragma pack(1)
-typedef struct _CPL_KEY_INFO {
- UINT32 KeyLengthInBits; // Key Length In Bits
- UINT32 BlockSize; // Operation Block Size in Bytes
- UINT32 CipherBlockSize; // Output Cipher Block Size in Bytes
- UINT32 KeyType; // Key Type
- UINT32 CipherMode; // Cipher Mode for Symmetric Algorithm
- UINT32 Flags; // Additional Key Property Flags
-} CPL_KEY_INFO;
-#pragma pack()
-
-
-/**
- Retrieves the size, in bytes, of the context buffer required for hash operations.
-
- @return The size, in bytes, of the context buffer required for hash operations.
-
-**/
-typedef
-EFI_STATUS
-(EFIAPI *HASH_GET_CONTEXT_SIZE)(
- VOID
- );
-
-/**
- Initializes user-supplied memory pointed by HashContext as hash context for
- subsequent use.
-
- If HashContext is NULL, then ASSERT().
-
- @param[in, out] HashContext Pointer to Context being initialized.
-
- @retval TRUE HASH context initialization succeeded.
- @retval FALSE HASH context initialization failed.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *HASH_INIT)(
- IN OUT VOID *HashContext
- );
-
-
-/**
- Performs digest on a data buffer of the specified length. This function can
- be called multiple times to compute the digest of long or discontinuous data streams.
-
- If HashContext is NULL, then ASSERT().
-
- @param[in, out] HashContext Pointer to the MD5 context.
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataLength Length of Data buffer in bytes.
-
- @retval TRUE HASH data digest succeeded.
- @retval FALSE Invalid HASH context. After HashFinal function has been called, the
- HASH context cannot be reused.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *HASH_UPDATE)(
- IN OUT VOID *HashContext,
- IN CONST VOID *Data,
- IN UINTN DataLength
- );
-
-/**
- Completes hash computation and retrieves the digest value into the specified
- memory. After this function has been called, the context cannot be used again.
-
- If HashContext is NULL, then ASSERT().
- If HashValue is NULL, then ASSERT().
-
- @param[in, out] HashContext Pointer to the MD5 context
- @param[out] HashValue Pointer to a buffer that receives the HASH digest
- value (16 bytes).
-
- @retval TRUE HASH digest computation succeeded.
- @retval FALSE HASH digest computation failed.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *HASH_FINAL)(
- IN OUT VOID *HashContext,
- OUT UINT8 *HashValue
- );
-
-//
-// Hash Algorithm Table
-//
-typedef struct {
- CHAR16 *Name; ///< Name for Hash Algorithm
- UINTN DigestLength; ///< Digest Length
- UINT8 *OidValue; ///< Hash Algorithm OID ASN.1 Value
- UINTN OidLength; ///< Length of Hash OID Value
- HASH_GET_CONTEXT_SIZE GetContextSize; ///< Pointer to Hash GetContentSize function
- HASH_INIT HashInit; ///< Pointer to Hash Init function
- HASH_UPDATE HashUpdate; ///< Pointer to Hash Update function
- HASH_FINAL HashFinal; ///< Pointer to Hash Final function
-} HASH_TABLE;
-
-typedef struct {
- WIN_CERTIFICATE Hdr;
- UINT8 CertData[1];
-} WIN_CERTIFICATE_EFI_PKCS;
-
-
-/**
- This function publish the SecureBoot configuration Form.
-
- @param[in, out] PrivateData Points to SecureBoot configuration private data.
-
- @retval EFI_SUCCESS HII Form is installed successfully.
- @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
- @retval Others Other errors as indicated.
-
-**/
-EFI_STATUS
-InstallSecureBootConfigForm (
- IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- );
-
-
-/**
- This function removes SecureBoot configuration Form.
-
- @param[in, out] PrivateData Points to SecureBoot configuration private data.
-
-**/
-VOID
-UninstallSecureBootConfigForm (
- IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- );
-
-
-/**
- This function allows a caller to extract the current configuration for one
- or more named elements from the target driver.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Request A null-terminated Unicode string in
- format.
- @param[out] Progress On return, points to a character in the Request
- string. Points to the string's null terminator if
- request was successful.
Points to the most recent - '&' before the first failing name/value pair (or - the beginning of the string if the failure is in - the first name/value pair) if the request was not - successful. - @param[out] Results A null-terminated Unicode string in - format which has all values filled - in for the names in the Request string. String to - be allocated by the called function. - - @retval EFI_SUCCESS The Results is filled with the requested values. - @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results. - @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name. - @retval EFI_NOT_FOUND Routing data doesn't match any storage in this - driver. - -**/ -EFI_STATUS -EFIAPI -SecureBootExtractConfig ( - IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, - IN CONST EFI_STRING Request, - OUT EFI_STRING *Progress, - OUT EFI_STRING *Results - ); - - -/** - This function processes the results of changes in configuration. - - @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL. - @param[in] Configuration A null-terminated Unicode string in - format. - @param[out] Progress A pointer to a string filled in with the offset of - the most recent '&' before the first failing - name/value pair (or the beginning of the string if - the failure is in the first name/value pair) or - the terminating NULL if all was successful. - - @retval EFI_SUCCESS The Results is processed successfully. - @retval EFI_INVALID_PARAMETER Configuration is NULL. - @retval EFI_NOT_FOUND Routing data doesn't match any storage in this - driver. - -**/ -EFI_STATUS -EFIAPI -SecureBootRouteConfig ( - IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, - IN CONST EFI_STRING Configuration, - OUT EFI_STRING *Progress - ); - - -/** - This function processes the results of changes in configuration. - - @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL. - @param[in] Action Specifies the type of action taken by the browser. 
- @param[in] QuestionId A unique value which is sent to the original
- exporting driver so that it can identify the type
- of data to expect.
- @param[in] Type The type of value for the question.
- @param[in] Value A pointer to the data being sent to the original
- exporting driver.
- @param[out] ActionRequest On return, points to the action requested by the
- callback function.
-
- @retval EFI_SUCCESS The callback successfully handled the action.
- @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
- variable and its data.
- @retval EFI_DEVICE_ERROR The variable could not be saved.
- @retval EFI_UNSUPPORTED The specified Action is not supported by the
- callback.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootCallback (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN EFI_BROWSER_ACTION Action,
- IN EFI_QUESTION_ID QuestionId,
- IN UINT8 Type,
- IN EFI_IFR_TYPE_VALUE *Value,
- OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
- );
-
-
-/**
- This function converts an input device structure to a Unicode string.
-
- @param[in] DevPath A pointer to the device path structure.
-
- @return A new allocated Unicode string that represents the device path.
-
-**/
-CHAR16 *
-EFIAPI
-DevicePathToStr (
- IN EFI_DEVICE_PATH_PROTOCOL *DevPath
- );
-
-
-/**
- Clean up the dynamic opcode at label and form specified by both LabelId.
-
- @param[in] LabelId It is both the Form ID and Label ID for opcode deletion.
- @param[in] PrivateData Module private data.
-
-**/
-VOID
-CleanUpPage (
- IN UINT16 LabelId,
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- );
-
-
-/**
- Read file content into BufferPtr, the size of the allocate buffer
- is *FileSize plus AddtionAllocateSize.
-
- @param[in] FileHandle The file to be read.
- @param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
- @param[out] FileSize Size of input file
- @param[in] AddtionAllocateSize Addtion size the buffer need to be allocated.
- In case the buffer need to contain others besides the file content.
-
- @retval EFI_SUCCESS The file was read into the buffer.
- @retval EFI_INVALID_PARAMETER A parameter was invalid.
- @retval EFI_OUT_OF_RESOURCES A memory allocation failed.
- @retval others Unexpected error.
-
-**/
-EFI_STATUS
-ReadFileContent (
- IN EFI_FILE_HANDLE FileHandle,
- IN OUT VOID **BufferPtr,
- OUT UINTN *FileSize,
- IN UINTN AddtionAllocateSize
- );
-
-
-/**
- Close an open file handle.
-
- @param[in] FileHandle The file handle to close.
-
-**/
-VOID
-CloseFile (
- IN EFI_FILE_HANDLE FileHandle
- );
-
-
-/**
- Converts a nonnegative integer to an octet string of a specified length.
-
- @param[in] Integer Pointer to the nonnegative integer to be converted
- @param[in] IntSizeInWords Length of integer buffer in words
- @param[out] OctetString Converted octet string of the specified length
- @param[in] OSSizeInBytes Intended length of resulting octet string in bytes
-
-Returns:
-
- @retval EFI_SUCCESS Data conversion successfully
- @retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
-
-**/
-EFI_STATUS
-EFIAPI
-Int2OctStr (
- IN CONST UINTN *Integer,
- IN UINTN IntSizeInWords,
- OUT UINT8 *OctetString,
- IN UINTN OSSizeInBytes
- );
-
-/**
- Worker function that prints an EFI_GUID into specified Buffer.
-
- @param[in] Guid Pointer to GUID to print.
- @param[in] Buffer Buffer to print Guid into.
- @param[in] BufferSize Size of Buffer.
-
- @retval Number of characters printed.
-
-**/
-UINTN
-GuidToString (
- IN EFI_GUID *Guid,
- IN CHAR16 *Buffer,
- IN UINTN BufferSize
- );
-
-/**
- Update the PK form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdatePKFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- );
-
-/**
- Update the KEK form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdateKEKFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- );
-
-/**
- Update the DB form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdateDBFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- );
-
-/**
- Update the DBX form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdateDBXFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- );
-
-/**
- Update the DBT form base on the input file path info.
-
- @param FilePath Point to the file path.
-
- @retval TRUE Exit caller function.
- @retval FALSE Not exit caller function.
-**/
-BOOLEAN
-EFIAPI
-UpdateDBTFromFile (
- IN EFI_DEVICE_PATH_PROTOCOL *FilePath
- );
-
-#endif
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigMisc.c b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigMisc.c
deleted file mode 100644
index 038707ca83..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigMisc.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/** @file
- Helper functions for SecureBoot configuration module.
-
-Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-/**
- Read file content into BufferPtr, the size of the allocate buffer
- is *FileSize plus AddtionAllocateSize.
-
- @param[in] FileHandle The file to be read.
- @param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
- @param[out] FileSize Size of input file
- @param[in] AddtionAllocateSize Addtion size the buffer need to be allocated.
- In case the buffer need to contain others besides the file content.
-
- @retval EFI_SUCCESS The file was read into the buffer.
- @retval EFI_INVALID_PARAMETER A parameter was invalid.
- @retval EFI_OUT_OF_RESOURCES A memory allocation failed.
- @retval others Unexpected error.
-
-**/
-EFI_STATUS
-ReadFileContent (
- IN EFI_FILE_HANDLE FileHandle,
- IN OUT VOID **BufferPtr,
- OUT UINTN *FileSize,
- IN UINTN AddtionAllocateSize
- )
-
-{
- UINTN BufferSize;
- UINT64 SourceFileSize;
- VOID *Buffer;
- EFI_STATUS Status;
-
- if ((FileHandle == NULL) || (FileSize == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- Buffer = NULL;
-
- //
- // Get the file size
- //
- Status = FileHandle->SetPosition (FileHandle, (UINT64) -1);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- Status = FileHandle->GetPosition (FileHandle, &SourceFileSize);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- Status = FileHandle->SetPosition (FileHandle, 0);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- BufferSize = (UINTN) SourceFileSize + AddtionAllocateSize;
- Buffer = AllocateZeroPool(BufferSize);
- if (Buffer == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- BufferSize = (UINTN) SourceFileSize;
- *FileSize = BufferSize;
-
- Status = FileHandle->Read (FileHandle, &BufferSize, Buffer);
- if (EFI_ERROR (Status) || BufferSize != *FileSize) {
- FreePool (Buffer);
- Buffer = NULL;
- Status = EFI_BAD_BUFFER_SIZE;
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- *BufferPtr = Buffer;
- return Status;
-}
-
-/**
- Close an open file handle.
-
- @param[in] FileHandle The file handle to close.
-
-**/
-VOID
-CloseFile (
- IN EFI_FILE_HANDLE FileHandle
- )
-{
- if (FileHandle != NULL) {
- FileHandle->Close (FileHandle);
- }
-}
-
-/**
- Convert a nonnegative integer to an octet string of a specified length.
-
- @param[in] Integer Pointer to the nonnegative integer to be converted
- @param[in] IntSizeInWords Length of integer buffer in words
- @param[out] OctetString Converted octet string of the specified length
- @param[in] OSSizeInBytes Intended length of resulting octet string in bytes
-
-Returns:
-
- @retval EFI_SUCCESS Data conversion successfully
- @retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
-
-**/
-EFI_STATUS
-EFIAPI
-Int2OctStr (
- IN CONST UINTN *Integer,
- IN UINTN IntSizeInWords,
- OUT UINT8 *OctetString,
- IN UINTN OSSizeInBytes
- )
-{
- CONST UINT8 *Ptr1;
- UINT8 *Ptr2;
-
- for (Ptr1 = (CONST UINT8 *)Integer, Ptr2 = OctetString + OSSizeInBytes - 1;
- Ptr1 < (UINT8 *)(Integer + IntSizeInWords) && Ptr2 >= OctetString;
- Ptr1++, Ptr2--) {
- *Ptr2 = *Ptr1;
- }
-
- for (; Ptr1 < (CONST UINT8 *)(Integer + IntSizeInWords) && *Ptr1 == 0; Ptr1++);
-
- if (Ptr1 < (CONST UINT8 *)(Integer + IntSizeInWords)) {
- return EFI_BUFFER_TOO_SMALL;
- }
-
- if (Ptr2 >= OctetString) {
- ZeroMem (OctetString, Ptr2 - OctetString + 1);
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Worker function that prints an EFI_GUID into specified Buffer.
-
- @param[in] Guid Pointer to GUID to print.
- @param[in] Buffer Buffer to print Guid into.
- @param[in] BufferSize Size of Buffer.
-
- @retval Number of characters printed.
-
-**/
-UINTN
-GuidToString (
- IN EFI_GUID *Guid,
- IN CHAR16 *Buffer,
- IN UINTN BufferSize
- )
-{
- UINTN Size;
-
- Size = UnicodeSPrint (
- Buffer,
- BufferSize,
- L"%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
- (UINTN)Guid->Data1,
- (UINTN)Guid->Data2,
- (UINTN)Guid->Data3,
- (UINTN)Guid->Data4[0],
- (UINTN)Guid->Data4[1],
- (UINTN)Guid->Data4[2],
- (UINTN)Guid->Data4[3],
- (UINTN)Guid->Data4[4],
- (UINTN)Guid->Data4[5],
- (UINTN)Guid->Data4[6],
- (UINTN)Guid->Data4[7]
- );
-
- //
- // SPrint will null terminate the string. The -1 skips the null
- //
- return Size - 1;
-}
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
deleted file mode 100644
index 6b69f92b26..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/** @file
- Header file for NV data structure definition.
-
-Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef __SECUREBOOT_CONFIG_NV_DATA_H__
-#define __SECUREBOOT_CONFIG_NV_DATA_H__
-
-#include
-#include
-
-//
-// Used by VFR for form or button identification
-//
-#define SECUREBOOT_CONFIGURATION_VARSTORE_ID 0x0001
-#define SECUREBOOT_CONFIGURATION_FORM_ID 0x01
-#define FORMID_SECURE_BOOT_OPTION_FORM 0x02
-#define FORMID_SECURE_BOOT_PK_OPTION_FORM 0x03
-#define FORMID_SECURE_BOOT_KEK_OPTION_FORM 0x04
-#define FORMID_SECURE_BOOT_DB_OPTION_FORM 0x05
-#define FORMID_SECURE_BOOT_DBX_OPTION_FORM 0x06
-#define FORMID_ENROLL_PK_FORM 0x07
-#define SECUREBOOT_ADD_PK_FILE_FORM_ID 0x08
-#define FORMID_ENROLL_KEK_FORM 0x09
-#define FORMID_DELETE_KEK_FORM 0x0a
-#define SECUREBOOT_ENROLL_SIGNATURE_TO_DB 0x0b
-#define SECUREBOOT_DELETE_SIGNATURE_FROM_DB 0x0c
-#define SECUREBOOT_ENROLL_SIGNATURE_TO_DBX 0x0d
-#define SECUREBOOT_DELETE_SIGNATURE_FROM_DBX 0x0e
-#define FORMID_SECURE_BOOT_DBT_OPTION_FORM 0x14
-#define SECUREBOOT_ENROLL_SIGNATURE_TO_DBT 0x15
-#define SECUREBOOT_DELETE_SIGNATURE_FROM_DBT 0x16
-
-#define SECURE_BOOT_MODE_CUSTOM 0x01
-#define SECURE_BOOT_MODE_STANDARD 0x00
-
-#define KEY_SECURE_BOOT_ENABLE 0x1000
-#define KEY_SECURE_BOOT_MODE 0x1001
-#define KEY_VALUE_SAVE_AND_EXIT_DB 0x1002
-#define KEY_VALUE_NO_SAVE_AND_EXIT_DB 0x1003
-#define KEY_VALUE_SAVE_AND_EXIT_PK 0x1004
-#define KEY_VALUE_NO_SAVE_AND_EXIT_PK 0x1005
-#define KEY_VALUE_SAVE_AND_EXIT_KEK 0x1008
-#define KEY_VALUE_NO_SAVE_AND_EXIT_KEK 0x1009
-#define KEY_VALUE_SAVE_AND_EXIT_DBX 0x100a
-#define KEY_VALUE_NO_SAVE_AND_EXIT_DBX 0x100b
-#define KEY_HIDE_SECURE_BOOT 0x100c
-#define KEY_VALUE_SAVE_AND_EXIT_DBT 0x100d
-#define KEY_VALUE_NO_SAVE_AND_EXIT_DBT 0x100e
-
-#define KEY_SECURE_BOOT_OPTION 0x1100
-#define KEY_SECURE_BOOT_PK_OPTION 0x1101
-#define KEY_SECURE_BOOT_KEK_OPTION 0x1102
-#define KEY_SECURE_BOOT_DB_OPTION 0x1103
-#define KEY_SECURE_BOOT_DBX_OPTION 0x1104
-#define KEY_SECURE_BOOT_DELETE_PK 0x1105
-#define KEY_ENROLL_PK 0x1106
-#define KEY_ENROLL_KEK 0x1107
-#define KEY_DELETE_KEK 0x1108
-#define KEY_SECURE_BOOT_KEK_GUID 0x110a
-#define KEY_SECURE_BOOT_SIGNATURE_GUID_DB 0x110b
-#define KEY_SECURE_BOOT_SIGNATURE_GUID_DBX 0x110c
-#define KEY_SECURE_BOOT_DBT_OPTION 0x110d
-#define KEY_SECURE_BOOT_SIGNATURE_GUID_DBT 0x110e
-
-#define LABEL_KEK_DELETE 0x1200
-#define LABEL_DB_DELETE 0x1201
-#define LABEL_DBX_DELETE 0x1202
-#define LABEL_DBT_DELETE 0x1203
-#define LABEL_END 0xffff
-
-
-#define SECURE_BOOT_MAX_ATTEMPTS_NUM 255
-
-#define CONFIG_OPTION_OFFSET 0x2000
-
-#define OPTION_CONFIG_QUESTION_ID 0x2000
-#define OPTION_CONFIG_RANGE 0x1000
-
-//
-// Question ID 0x2000 ~ 0x2FFF is for KEK
-//
-#define OPTION_DEL_KEK_QUESTION_ID 0x2000
-//
-// Question ID 0x3000 ~ 0x3FFF is for DB
-//
-#define OPTION_DEL_DB_QUESTION_ID 0x3000
-//
-// Question ID 0x4000 ~ 0x4FFF is for DBX
-//
-#define OPTION_DEL_DBX_QUESTION_ID 0x4000
-
-//
-// Question ID 0x5000 ~ 0x5FFF is for DBT
-//
-#define OPTION_DEL_DBT_QUESTION_ID 0x5000
-
-#define SECURE_BOOT_GUID_SIZE 36
-#define SECURE_BOOT_GUID_STORAGE_SIZE 37
-
-#define UNKNOWN_FILE_TYPE 0
-#define X509_CERT_FILE_TYPE 1
-#define PE_IMAGE_FILE_TYPE 2
-#define AUTHENTICATION_2_FILE_TYPE 3
-
-//
-// Nv Data structure referenced by IFR
-//
-typedef struct {
- BOOLEAN AttemptSecureBoot; // Attempt to enable/disable Secure Boot
- BOOLEAN HideSecureBoot; // Hiden Attempt Secure Boot
- CHAR16 SignatureGuid[SECURE_BOOT_GUID_STORAGE_SIZE];
- BOOLEAN PhysicalPresent; // If a Physical Present User
- UINT8 SecureBootMode; // Secure Boot Mode: Standard Or Custom
- BOOLEAN DeletePk;
- BOOLEAN HasPk; // If Pk is existed it is true
- BOOLEAN AlwaysRevocation; // If the certificate is always revoked. Revocation time is hidden
- UINT8 CertificateFormat; // The type of the certificate
- EFI_HII_DATE RevocationDate; // The revocation date of the certificate
- EFI_HII_TIME RevocationTime; // The revocation time of the certificate
- UINT8 FileEnrollType; // File type of sigunature enroll
-} SECUREBOOT_CONFIGURATION;
-
-#endif
diff --git a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni b/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
deleted file mode 100644
index 320cc79c47..0000000000
--- a/Core/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
+++ /dev/null
@@ -1,116 +0,0 @@
-/** @file
- String definitions for Secure Boot Configuration form.
-
-Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#langdef en-US "English"
-
-#string STR_SECUREBOOT_TITLE #language en-US "Secure Boot Configuration"
-#string STR_SECUREBOOT_HELP #language en-US "Press to select Secure Boot options."
-
-#string STR_NULL #language en-US ""
-#string STR_DBX_SUBTITLE_TEXT #language en-US ""
-
-#string STR_SECURE_BOOT_STATE_PROMPT #language en-US "Current Secure Boot State"
-#string STR_SECURE_BOOT_STATE_HELP #language en-US "Current Secure Boot state: enabled or disabled."
-#string STR_SECURE_BOOT_STATE_CONTENT #language en-US " "
-
-#string STR_SECURE_BOOT_PROMPT #language en-US "Attempt Secure Boot"
-#string STR_SECURE_BOOT_HELP #language en-US "Enable/Disable the Secure Boot feature after platform reset"
-
-#string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signature"
-#string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signature"
-
-#string STR_SECURE_BOOT_SIGNATURE_GUID #language en-US "Signature GUID"
-#string STR_SECURE_BOOT_SIGNATURE_GUID_HELP #language en-US "Input digit character in 11111111-2222-3333-4444-1234567890ab format."
-#string STR_SECURE_BOOT_ADD_SIGNATURE_FILE #language en-US "Enroll Signature Using File"
-
-#string STR_DBX_CERTIFICATE_FORMAT_PROMPT #language en-US "Signature Format"
-#string STR_DBX_CERTIFICATE_FORMAT_HELP #language en-US "X509 DER-Cert enrolled. Select different option to enroll it into DBX."
-#string STR_DBX_CERTIFICATE_FORMAT_SHA256 #language en-US "X509 CERT SHA256"
-#string STR_DBX_CERTIFICATE_FORMAT_SHA384 #language en-US "X509 CERT SHA384"
-#string STR_DBX_CERTIFICATE_FORMAT_SHA512 #language en-US "X509 CERT SHA512"
-#string STR_DBX_CERTIFICATE_FORMAT_RAW #language en-US "X509 CERT"
-
-#string STR_DBX_PE_IMAGE_FORMAT_HELP #language en-US "PE image enrolled. Use SHA256 hash to enroll it into DBX"
-#string STR_DBX_PE_FORMAT_SHA256 #language en-US "PE Image SHA256"
-
-#string STR_DBX_AUTH_2_FORMAT_HELP #language en-US "VARIABLE_AUTHENICATION_2 binary enrolled. Use raw binary to enroll it into DBX"
-#string STR_DBX_AUTH_2_FORMAT #language en-US "VARIABLE_AUTHENICATION_2"
-
-#string STR_CERTIFICATE_REVOCATION_TIME_PROMPT #language en-US " Revocation Time"
-#string STR_CERTIFICATE_REVOCATION_TIME_HELP #language en-US "Input the revocation time of the certificate"
-#string STR_CERTIFICATE_REVOCATION_DATE_PROMPT #language en-US " Revocation Date"
-#string STR_CERTIFICATE_REVOCATION_DATE_HELP #language en-US "Input the revocation date of the certificate"
-
-#string STR_ALWAYS_CERTIFICATE_REVOCATION_PROMPT #language en-US "Always Revocation"
-#string STR_ALWAYS_CERTIFICATE_REVOCATION_HELP #language en-US "Indicate whether the certificate is always revoked."
-
-
-#string STR_SAVE_SIGNATURE_FILE #language en-US "Save Signature File"
-
-#string STR_SAVE_AND_EXIT #language en-US "Commit Changes and Exit"
-#string STR_NO_SAVE_AND_EXIT #language en-US "Discard Changes and Exit"
-
-#string STR_FILE_EXPLORER_TITLE #language en-US "File Explorer"
-
-#string STR_SECURE_BOOT_MODE_PROMPT #language en-US "Secure Boot Mode"
-#string STR_SECURE_BOOT_MODE_HELP #language en-US "Secure Boot Mode: Custom Mode or Standard Mode"
-
-#string STR_STANDARD_MODE #language en-US "Standard Mode"
-#string STR_CUSTOM_MODE #language en-US "Custom Mode"
-
-#string STR_SECURE_BOOT_OPTION #language en-US "Custom Secure Boot Options"
-#string STR_SECURE_BOOT_OPTION_HELP #language en-US "Enter into Custom Secure Boot Options Form"
-
-#string STR_SECURE_BOOT_OPTION_TITLE #language en-US "Custom Secure Boot Options"
-
-#string STR_SECURE_BOOT_PK_OPTION #language en-US "PK Options"
-#string STR_SECURE_BOOT_PK_OPTION_HELP #language en-US "Enroll/Delete PK"
-#string STR_SECURE_BOOT_KEK_OPTION #language en-US "KEK Options"
-#string STR_SECURE_BOOT_KEK_OPTION_HELP #language en-US "Enroll/Delete KEK"
-#string STR_SECURE_BOOT_DB_OPTION #language en-US "DB Options"
-#string STR_SECURE_BOOT_DB_OPTION_HELP #language en-US "Enroll/Delete Signature"
-#string STR_SECURE_BOOT_DBX_OPTION #language en-US "DBX Options"
-#string STR_SECURE_BOOT_DBX_OPTION_HELP #language en-US "Enroll/Delete DBX"
-#string STR_SECURE_BOOT_DBT_OPTION #language en-US "DBT Options"
-#string STR_SECURE_BOOT_DBT_OPTION_HELP #language en-US "Enroll/Delete DBT"
-
-#string STR_ENROLL_PK #language en-US "Enroll PK"
-#string STR_ENROLL_PK_HELP #language en-US "Enter into Enroll PK Form"
-#string STR_SAVE_PK_FILE #language en-US "Save PK file"
-#string STR_SECURE_BOOT_ENROLL_PK_FILE #language en-US "Enroll PK Using File"
-
-#string STR_DELETE_PK #language en-US "Delete Pk"
-#string STR_DELETE_PK_HELP #language en-US "Choose to Delete PK, Otherwise keep the PK"
-
-#string STR_ENROLL_PK_TITLE #language en-US "Enroll PK"
-
-#string STR_ENROLL_KEK #language en-US "Enroll KEK"
-#string STR_ENROLL_KEK_HELP #language en-US "Enter into Enroll KEK Form"
-
-#string STR_DELETE_KEK #language en-US "Delete KEK"
-#string STR_DELETE_KEK_HELP #language en-US "Enter into Delete KEK Form"
-
-#string STR_ENROLL_KEK_TITLE #language en-US "Enroll KEK"
-#string STR_DELETE_KEK_TITLE #language en-US "Delete KEK"
-
-#string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE #language en-US "Enroll KEK using File"
-#string STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP #language en-US "Read the public key of KEK from file"
-#string STR_FILE_EXPLORER_TITLE #language en-US "File Explorer"
-#string STR_CERT_TYPE_RSA2048_SHA256_GUID #language en-US "RSA2048_SHA256_GUID"
-#string STR_CERT_TYPE_PCKS7_GUID #language en-US "PKCS7_GUID"
-#string STR_CERT_TYPE_SHA1_GUID #language en-US "SHA1_GUID"
-#string STR_CERT_TYPE_SHA256_GUID #language en-US "SHA256_GUID"
-#string STR_CERT_TYPE_X509_SHA256_GUID #language en-US "X509_SHA256_GUID"
-#string STR_CERT_TYPE_X509_SHA384_GUID #language en-US "X509_SHA384_GUID"
-#string STR_CERT_TYPE_X509_SHA512_GUID #language en-US "X509_SHA512_GUID"
-- cgit v1.2.3