From bd86cb029242314c4274242612cfd79964cfbf17 Mon Sep 17 00:00:00 2001 From: lgao4 Date: Wed, 2 Sep 2009 09:23:28 +0000 Subject: 1. Add TCG MOR (Memory Overwrite request) definition from TCG Platform Reset Attack Mitigation Specification.pdf. 2. Add WIN certificate definition from 2.3. 3. Add the signed Image verification definition from UEFI 2.3. git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9226 6f19259b-4bc3-4df7-8a09-765794883524 --- MdePkg/Include/Guid/ImageAuthentication.h | 221 +++++++++++++++++++++++++++ MdePkg/Include/Guid/MemoryOverwriteControl.h | 76 +++++++++ MdePkg/Include/Guid/WinCertificate.h | 128 ++++++++++++++++ MdePkg/Include/Protocol/AuthenticationInfo.h | 68 ++++----- MdePkg/Include/Protocol/Hash.h | 23 ++- MdePkg/Include/Uefi/UefiMultiPhase.h | 109 +------------ MdePkg/MdePkg.dec | 27 ++++ 7 files changed, 496 insertions(+), 156 deletions(-) create mode 100644 MdePkg/Include/Guid/ImageAuthentication.h create mode 100644 MdePkg/Include/Guid/MemoryOverwriteControl.h create mode 100644 MdePkg/Include/Guid/WinCertificate.h (limited to 'MdePkg') diff --git a/MdePkg/Include/Guid/ImageAuthentication.h b/MdePkg/Include/Guid/ImageAuthentication.h new file mode 100644 index 0000000000..b965a42549 --- /dev/null +++ b/MdePkg/Include/Guid/ImageAuthentication.h @@ -0,0 +1,221 @@ +/** @file + Platform Key, Key Exchange Key, and Image signature database are defined + for the signed image validation. + + Copyright (c) 2009, Intel Corporation + All rights reserved. This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + + @par Revision Reference: + GUIDs defined in UEFI 2.2 spec. +**/ + +#ifndef __IMAGE_AUTHTICATION_H__ +#define __IMAGE_AUTHTICATION_H__ + +#include + +#define EFI_IMAGE_SECURITY_DATABASE_GUID \ + { \ + 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f } \ + } + +/// +/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID +/// for the authorized signature database. +/// +#define EFI_IMAGE_SECURITY_DATABASE L"db" +/// +/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID +/// for the forbidden signature database. +/// +#define EFI_IMAGE_SECURITY_DATABASE1 L"dbx" + +#define SETUP_MODE 1 +#define USER_MODE 0 +/// +/// Globally "SetupMode" variable to specify whether the system is currently operating +/// in setup mode (1) or not (0). All other values are reserved. +/// +#define EFI_SETUP_MODE_NAME L"SetupMode" +/// +/// Globally "PK" variable for the Platform Key Signature Database. +/// +#define EFI_PLATFORM_KEY_NAME L"PK" +/// +/// Globally "KEK" variable for the Key Exchange Key Signature Database. +/// +#define EFI_KEY_EXCHANGE_KEY_NAME L"KEK" +/// +/// Globally "SignatureSupport" variable returns an array of GUIDs, +/// with each GUID representing a type of signature which the platform +/// firmware supports for images and other data. +/// +#define EFI_SIGNATURE_SUPPORT_NAME L"SignatureSupport" + +//*********************************************************************** +// Signature Database +//*********************************************************************** +/// +/// The format of a signature database. +/// +#pragma pack(1) + +typedef struct { + /// + /// An identifier which identifies the agent which added the signature to the list. + /// + EFI_GUID SignatureOwner; + /// + /// The format of the signature is defined by the SignatureType. + /// + UINT8 SignatureData[1]; +} EFI_SIGNATURE_DATA; + +typedef struct { + /// + /// Type of the signature. GUID signature types are defined in below. + /// + EFI_GUID SignatureType; + /// + /// Total size of the signature list, including this header. + /// + UINT32 SignatureListSize; + /// + /// Size of the signature header which precedes the array of signatures. + /// + UINT32 SignatureHeaderSize; + /// + /// Size of each signature. + /// + UINT32 SignatureSize; + /// + /// Header before the array of signatures. The format of this header is specified + /// by the SignatureType. + /// UINT8 SignatureHeader[SignatureHeaderSize]; + /// + /// An array of signatures. Each signature is SignatureSize bytes in length. + /// EFI_SIGNATURE_DATA Signatures[][SignatureSize]; + /// +} EFI_SIGNATURE_LIST; + +#pragma pack() + +/// +/// This identifies a signature containing a SHA-256 hash. The SignatureHeader size should +/// always be 0. The SignatureSize should always be 32 bytes. +/// +#define EFI_CERT_SHA256_GUID \ + { \ + 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28} \ + } + +/// +/// This identifies a signature containing an RSA-2048 key. The SignatureHeader size should +/// always be 0. The SignatureSize should always be 256 bytes. +/// +#define EFI_CERT_RSA2048_GUID \ + { \ + 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \ + } + +/// +/// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash. The +/// SignatureHeader size should always be 0. The SignatureSize should always be 256 bytes. +/// +#define EFI_CERT_RSA2048_SHA256_GUID \ + { \ + 0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84} \ + } + +/// +/// This identifies a signature containing a SHA-1 hash. The SignatureHeader size should always +/// be 0. The SignatureSize should always be 20 bytes +/// +#define EFI_CERT_SHA1_GUID \ + { \ + 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd} \ + } + +/// +/// This identifies a signature containing a RSA-2048 signature of a SHA-1 hash. The +/// SignatureHeader size should always be 0. The SignatureSize should always be 256 bytes. +/// +#define EFI_CERT_RSA2048_SHA1_GUID \ + { \ + 0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80} \ + } + +/// +/// This identifies a signature based on an X.509 certificate. If the signature is an X.509 certificate then +/// verification of the signature of an image should validate the public key certificate in the image using +/// certificate path verification, up to this X.509 certificate as a trusted root. +/// +#define EFI_CERT_X509 \ + { \ + 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \ + } + +//*********************************************************************** +// Image Execution Information Table Definition +//*********************************************************************** +typedef UINT32 EFI_IMAGE_EXECUTION_ACTION; + +#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007 + +// +// EFI_IMAGE_EXECUTION_INFO is added to EFI System Configuration Table +// and assigned the GUID EFI_IMAGE_SECURITY_DATABASE_GUID. +// +typedef struct { + /// + /// Describes the action taken by the firmware regarding this image. + /// + EFI_IMAGE_EXECUTION_ACTION Action; + /// + /// Size of all of the entire structure. + /// + UINT32 InfoSize; + /// + /// If this image was a UEFI device driver (for option ROM, for example) this is the + /// null-terminated, user-friendly name for the device. If the image was for an application, + /// then this is the name of the application. If this cannot be determined, then a simple + /// NULL character should be put in this position. + /// CHAR16 Name[]; + /// + + /// + /// For device drivers, this is the device path of the device for which this device driver + /// was intended. In some cases, the driver itself may be stored as part of the system + /// firmware, but this field should record the device's path, not the firmware path. For + /// applications, this is the device path of the application. If this cannot be determined, + /// a simple end-of-path device node should be put in this position. + /// EFI_DEVICE_PATH_PROTOCOL DevicePath; + /// + + /// + /// The image digest of the image. The certificate type must be one of the hash types. + /// The hash type must match the type used in the Signature field. + /// + WIN_CERTIFICATE ImageHash; + /// + /// Zero or more image signatures. If the image contained no signtures, + /// then this field is empty. + /// + WIN_CERTIFICATE Signature; +} EFI_IMAGE_EXECUTION_INFO; + +extern EFI_GUID gEfiImageSecurityDatabaseGuid; +extern EFI_GUID gEfiCertSha256Guid; +extern EFI_GUID gEfiCertRsa2048Guid; +extern EFI_GUID gEfiCertRsa2048Sha256Guid; +extern EFI_GUID gEfiCertSha1Guid; +extern EFI_GUID gEfiCertRsa2048Sha1Guid; +extern EFI_GUID gEfiCertX509Guid; + +#endif diff --git a/MdePkg/Include/Guid/MemoryOverwriteControl.h b/MdePkg/Include/Guid/MemoryOverwriteControl.h new file mode 100644 index 0000000000..ac50ecd603 --- /dev/null +++ b/MdePkg/Include/Guid/MemoryOverwriteControl.h @@ -0,0 +1,76 @@ +/** @file + GUID used for MemoryOverwriteRequestControl UEFI variable defined in + TCG Platform Reset Attack Mitigation Specification 1.00. + See http://trustedcomputinggroup.org for the latest specification + + The purpose of the MemoryOverwriteRequestControl UEFI variable is to give users (e.g., OS, loader) the ability to + indicate to the platform that secrets are present in memory and that the platform firmware must clear memory upon + a restart. The OS loader should not create the variable. Rather, the firmware is required to create it. + + Copyright (c) 2009, Intel Corporation + All rights reserved. This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#ifndef _MEMORY_OVERWRITE_CONTROL_DATA_GUID_H_ +#define _MEMORY_OVERWRITE_CONTROL_DATA_GUID_H_ + +#define MEMORY_ONLY_RESET_CONTROL_GUID \ + { \ + 0xe20939be, 0x32d4, 0x41be, {0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29} \ + } + +/// +/// Variable name is "MemoryOverwriteRequestControl" and it is a 1 byte unsigned value. +/// The attributes should be: +/// EFI_VARIABLE_NON_VOLATILE | +/// EFI_VARIABLE_BOOTSERVICE_ACCESS | +/// EFI_VARIABLE_RUNTIME_ACCESS +/// +#define MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME L"MemoryOverwriteRequestControl" + +/// +/// 0 = Firmware MUST clear the MOR bi +/// 1 = Firmware MUST set the MOR bit +/// +#define MOR_CLEAR_MEMORY_BIT_MASK 0x01 + +/// +/// 0 = Firmware MAY autodetect a clean shutdown of the Static RTM OS. +/// 1 = Firmware MUST NOT autodetect a clean shutdown of the Static RTM OS. +/// +#define MOR_DISABLEAUTODETECT_BIT_MASK 0x10 + +/// +/// MOR field bit offset +/// +#define MOR_CLEAR_MEMORY_BIT_OFFSET 0 +#define MOR_DISABLEAUTODETECT_BIT_OFFSET 4 + +/** + Return the ClearMemory bit value 0 or 1. + + @param mor 1 byte value that contains ClearMemory and DisableAutoDetect bit. + + @return ClearMemory bit value +**/ +#define MOR_CLEAR_MEMORY_VALUE(mor) (((UINT8)(mor) & MOR_CLEAR_MEMORY_BIT_MASK) >> MOR_CLEAR_MEMORY_BIT_OFFSET) + +/** + Return the DisableAutoDetect bit value 0 or 1. + + @param mor 1 byte value that contains ClearMemory and DisableAutoDetect bit. + + @return DisableAutoDetect bit value +**/ +#define MOR_DISABLE_AUTO_DETECT_VALUE(mor) (((UINT8)(mor) & MOR_DISABLEAUTODETECT_BIT_MASK) >> MOR_DISABLEAUTODETECT_BIT_OFFSET) + +extern EFI_GUID gEfiMemoryOverwriteControlDataGuid; + +#endif diff --git a/MdePkg/Include/Guid/WinCertificate.h b/MdePkg/Include/Guid/WinCertificate.h new file mode 100644 index 0000000000..f7a4190c2e --- /dev/null +++ b/MdePkg/Include/Guid/WinCertificate.h @@ -0,0 +1,128 @@ +/** @file + GUID for UEFI WIN_CERTIFICATE structure. + + Copyright (c) 2006 - 2009, Intel Corporation + All rights reserved. This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + + @par Revision Reference: + GUID defined in UEFI 2.0 spec. +**/ + +#ifndef __EFI_WIN_CERTIFICATE_H__ +#define __EFI_WIN_CERTIFICATE_H__ + +// +// _WIN_CERTIFICATE.wCertificateType +// +#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002 +#define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0 +#define WIN_CERT_TYPE_EFI_GUID 0x0EF1 + +/// +/// The WIN_CERTIFICATE structure is part of the PE/COFF specification. +/// +typedef struct { + /// + /// The length of the entire certificate, + /// including the length of the header, in bytes. + /// + UINT32 dwLength; + /// + /// The revision level of the WIN_CERTIFICATE + /// structure. The current revision level is 0x0200. + /// + UINT16 wRevision; + /// + /// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI + /// certificate types. The UEFI specification reserves the range of + /// certificate type values from 0x0EF0 to 0x0EFF. + /// + UINT16 wCertificateType; + /// + /// The following is the actual certificate. The format of + /// the certificate depends on wCertificateType. + /// + /// UINT8 bCertificate[ANYSIZE_ARRAY]; + /// +} WIN_CERTIFICATE; + +/// +/// WIN_CERTIFICATE_UEFI_GUID.CertType +/// +#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \ + {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } } + +/// +/// WIN_CERTIFICATE_UEFI_GUID.CertData +/// +typedef struct { + UINT32 HashType; + UINT8 PublicKey[256]; + UINT8 Signature[256]; +} EFI_CERT_BLOCK_RSA_2048_SHA256; + + +/// +/// Certificate which encapsulates a GUID-specific digital signature +/// +typedef struct { + /// + /// This is the standard WIN_CERTIFICATE header, where + /// wCertificateType is set to WIN_CERT_TYPE_UEFI_GUID. + /// + WIN_CERTIFICATE Hdr; + /// + /// This is the unique id which determines the + /// format of the CertData. . + /// + EFI_GUID CertType; + /// + /// The following is the certificate data. The format of + /// the data is determined by the CertType. + /// If CertType is EFI_CERT_TYPE_RSA2048_SHA256_GUID, + /// the CertData will be EFI_CERT_BLOCK_RSA_2048_SHA256 structure. + /// + UINT8 CertData[1]; +} WIN_CERTIFICATE_UEFI_GUID; + + +/// +/// Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature. +/// +/// The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from +/// WIN_CERTIFICATE and encapsulate the information needed to +/// implement the RSASSA-PKCS1-v1_5 digital signature algorithm as +/// specified in RFC2437. +/// +typedef struct { + /// + /// This is the standard WIN_CERTIFICATE header, where + /// wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15. + /// + WIN_CERTIFICATE Hdr; + /// + /// This is the hashing algorithm which was performed on the + /// UEFI executable when creating the digital signature. + /// + EFI_GUID HashAlgorithm; + /// + /// The following is the actual digital signature. The + /// size of the signature is the same size as the key + /// (1024-bit key is 128 bytes) and can be determined by + /// subtracting the length of the other parts of this header + /// from the total length of the certificate as found in + /// Hdr.dwLength. + /// + /// UINT8 Signature[]; + /// +} WIN_CERTIFICATE_EFI_PKCS1_15; + +extern EFI_GUID gEfiCertTypeRsa2048Sha256Guid; + +#endif diff --git a/MdePkg/Include/Protocol/AuthenticationInfo.h b/MdePkg/Include/Protocol/AuthenticationInfo.h index b520327834..a3c9b97377 100644 --- a/MdePkg/Include/Protocol/AuthenticationInfo.h +++ b/MdePkg/Include/Protocol/AuthenticationInfo.h @@ -34,6 +34,7 @@ typedef struct _EFI_AUTHENTICATION_INFO_PROTOCOL EFI_AUTHENTICATION_INFO_PROTOCOL; +#pragma pack(1) typedef struct { /// /// Authentication Type GUID. @@ -52,7 +53,7 @@ typedef struct { /// /// RADIUS Server IPv4 or IPv6 Address /// - EFI_IPv6_ADDRESS RadiusIpAddr; ///< IPv4 or IPv6 address + UINT8 RadiusIpAddr[16]; ///< IPv4 or IPv6 address /// /// Reserved for future use @@ -62,7 +63,7 @@ typedef struct { /// /// Network Access Server IPv4 or IPv6 Address (OPTIONAL) /// - EFI_IPv6_ADDRESS NasIpAddr; ///< IPv4 or IPv6 address + UINT8 NasIpAddr[16]; ///< IPv4 or IPv6 address /// /// Network Access Server Secret Length in bytes (OPTIONAL) @@ -70,29 +71,27 @@ typedef struct { UINT16 NasSecretLength; /// - /// Network Access Server secret (OPTIONAL) + /// Network Access Server Secret (OPTIONAL) /// - UINT8 *NasSecret; + UINT8 NasSecret[1]; + /// + /// CHAP Initiator Secret length in bytes on offset NasSecret + NasSecretLength. /// - /// CHAP Initiator Secret length in bytes - /// - UINT16 ChapSecretLength; - + /// UINT16 ChapSecretLength; /// /// CHAP Initiator Secret /// - UINT8 *ChapSecret; - + /// UINT8 ChapSecret[]; /// - /// CHAP Initiator Name Length in bytes + /// CHAP Initiator Name Length in bytes on offset ChapSecret + ChapSecretLength /// - UINT16 ChapNameLength; - + /// UINT16 ChapNameLength; /// /// CHAP Initiator Name /// - UINT8 *ChapName; + /// UINT8 ChapName[]; + /// } CHAP_RADIUS_AUTH_NODE; typedef struct { @@ -111,45 +110,42 @@ typedef struct { /// /// User Secret /// - UINT8 *UserSecret; + UINT8 UserSecret[1]; /// - /// User Name Length in bytes + /// User Name Length in bytes on offset UserSecret + UserSecretLength /// - UINT16 UserNameLength; - + /// UINT16 UserNameLength; /// /// User Name /// - UINT8 *UserName; - + /// UINT8 *UserName; /// - /// CHAP Initiator Secret length in bytes + /// CHAP Initiator Secret length in bytes on offset UserName + UserNameLength /// - UINT16 ChapSecretLength; - + /// UINT16 ChapSecretLength; /// /// CHAP Initiator Secret /// - UINT8 *ChapSecret; - + /// UINT8 *ChapSecret; /// - /// CHAP Initiator Name Length in bytes + /// CHAP Initiator Name Length in bytes on offset ChapSecret + ChapSecretLength /// - UINT16 ChapNameLength; - + /// UINT16 ChapNameLength; /// /// CHAP Initiator Name /// - UINT8 *ChapName; + /// UINT8 *ChapName; + /// } CHAP_LOCAL_AUTH_NODE; +#pragma pack() /** Retrieves the authentication information associated with a particular controller handle. - @param This Pointer to the EFI_AUTHENTICATION_INFO_PROTOCOL - @param ControllerHandle Handle to the Controller - @param Buffer Pointer to the authentication information. + @param[in] This Pointer to the EFI_AUTHENTICATION_INFO_PROTOCOL + @param[in] ControllerHandle Handle to the Controller + @param[out] Buffer Pointer to the authentication information. @retval EFI_SUCCESS Successfully retrieved authentication information for the given ControllerHandle @retval EFI_INVALID_PARAMETER No matching authentication information found for the given ControllerHandle @@ -163,14 +159,14 @@ EFI_STATUS IN EFI_AUTHENTICATION_INFO_PROTOCOL *This, IN EFI_HANDLE *ControllerHandle, OUT VOID *Buffer - ); + ); /** Set the authentication information for a given controller handle. - @param This Pointer to the EFI_AUTHENTICATION_INFO_PROTOCOL - @param ControllerHandle Handle to the Controller - @param Buffer Pointer to the authentication information. + @param[in] This Pointer to the EFI_AUTHENTICATION_INFO_PROTOCOL + @param[in] ControllerHandle Handle to the Controller + @param[in] Buffer Pointer to the authentication information. @retval EFI_SUCCESS Successfully set authentication information for the given ControllerHandle @retval EFI_UNSUPPORTED If the platform policies do not allow setting of the authentication diff --git a/MdePkg/Include/Protocol/Hash.h b/MdePkg/Include/Protocol/Hash.h index fda852fd90..b9ed6daa6d 100644 --- a/MdePkg/Include/Protocol/Hash.h +++ b/MdePkg/Include/Protocol/Hash.h @@ -4,7 +4,6 @@ The EFI Hash Service Binding Protocol is used to locate hashing services support provided by a driver and to create and destroy instances of the EFI Hash Protocol so that a multiple drivers can use the underlying hashing services. - The EFI Service Binding Protocol defines the generic Service Binding Protocol functions. Copyright (c) 2006 - 2009, Intel Corporation All rights reserved. This program and the accompanying materials @@ -81,9 +80,9 @@ typedef union { /** Returns the size of the hash which results from a specific algorithm. - @param This Points to this instance of EFI_HASH_PROTOCOL. - @param HashAlgorithm Points to the EFI_GUID which identifies the algorithm to use. - @param HashSize Holds the returned size of the algorithm's hash. + @param[in] This Points to this instance of EFI_HASH_PROTOCOL. + @param[in] HashAlgorithm Points to the EFI_GUID which identifies the algorithm to use. + @param[out] HashSize Holds the returned size of the algorithm's hash. @retval EFI_SUCCESS Hash size returned successfully. @retval EFI_INVALID_PARAMETER HashSize is NULL @@ -102,14 +101,14 @@ EFI_STATUS /** Returns the size of the hash which results from a specific algorithm. - @param This Points to this instance of EFI_HASH_PROTOCOL. - @param HashAlgorithm Points to the EFI_GUID which identifies the algorithm to use. - @param Extend Specifies whether to create a new hash (FALSE) or extend the specified - existing hash (TRUE). - @param Message Points to the start of the message. - @param MessageSize The size of Message, in bytes. - @param Hash On input, if Extend is TRUE, then this holds the hash to extend. On - output, holds the resulting hash computed from the message. + @param[in] This Points to this instance of EFI_HASH_PROTOCOL. + @param[in] HashAlgorithm Points to the EFI_GUID which identifies the algorithm to use. + @param[in] Extend Specifies whether to create a new hash (FALSE) or extend the specified + existing hash (TRUE). + @param[in] Message Points to the start of the message. + @param[in] MessageSize The size of Message, in bytes. + @param[in,out] Hash On input, if Extend is TRUE, then this holds the hash to extend. On + output, holds the resulting hash computed from the message. @retval EFI_SUCCESS Hash returned successfully. @retval EFI_INVALID_PARAMETER Message or Hash is NULL diff --git a/MdePkg/Include/Uefi/UefiMultiPhase.h b/MdePkg/Include/Uefi/UefiMultiPhase.h index f82a8ae792..7c4cec1103 100644 --- a/MdePkg/Include/Uefi/UefiMultiPhase.h +++ b/MdePkg/Include/Uefi/UefiMultiPhase.h @@ -15,6 +15,7 @@ #ifndef __UEFI_MULTIPHASE_H__ #define __UEFI_MULTIPHASE_H__ +#include /// /// Enumeration of memory types introduced in UEFI. /// @@ -130,114 +131,6 @@ typedef struct { /// #define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010 -// -// _WIN_CERTIFICATE.wCertificateType -// -#define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0 -#define WIN_CERT_TYPE_EFI_GUID 0x0EF1 - -/// -/// The WIN_CERTIFICATE structure is part of the PE/COFF specification. -/// -typedef struct _WIN_CERTIFICATE { - /// - /// The length of the entire certificate, - /// including the length of the header, in bytes. - /// - UINT32 dwLength; - /// - /// The revision level of the WIN_CERTIFICATE - /// structure. The current revision level is 0x0200. - /// - UINT16 wRevision; - /// - /// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI - /// certificate types. The UEFI specification reserves the range of - /// certificate type values from 0x0EF0 to 0x0EFF. - /// - UINT16 wCertificateType; - /// - /// The following is the actual certificate. The format of - /// the certificate depends on wCertificateType. - /// - /// UINT8 bCertificate[ANYSIZE_ARRAY]; - /// -} WIN_CERTIFICATE; - -/// -/// WIN_CERTIFICATE_UEFI_GUID.CertType -/// -#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \ - {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } } - -/// -/// WIN_CERTIFICATE_UEFI_GUID.CertData -/// -typedef struct _EFI_CERT_BLOCK_RSA_2048_SHA256 { - UINT32 HashType; - UINT8 PublicKey[256]; - UINT8 Signature[256]; -} EFI_CERT_BLOCK_RSA_2048_SHA256; - - -/// -/// Certificate which encapsulates a GUID-specific digital signature -/// -typedef struct _WIN_CERTIFICATE_UEFI_GUID { - /// - /// This is the standard WIN_CERTIFICATE header, where - /// wCertificateType is set to WIN_CERT_TYPE_UEFI_GUID. - /// - WIN_CERTIFICATE Hdr; - /// - /// This is the unique id which determines the - /// format of the CertData. In this case, the - /// value is EFI_CERT_TYPE_RSA2048_SHA256_GUID. - /// - EFI_GUID CertType; - /// - /// The following is the certificate data. The format of - /// the data is determined by the CertType. In this case the value is - /// EFI_CERT_BLOCK_RSA_2048_SHA256. - /// - /// UINT8 CertData[ANYSIZE_ARRAY]; - /// -} WIN_CERTIFICATE_UEFI_GUID; - - -/// -/// Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature. -/// -/// The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from -/// WIN_CERTIFICATE and encapsulate the information needed to -/// implement the RSASSA-PKCS1-v1_5 digital signature algorithm as -/// specified in RFC2437. -/// -typedef struct _WIN_CERTIFICATE_EFI_PKCS1_15 { - /// - /// This is the standard WIN_CERTIFICATE header, where - /// wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15. - /// - WIN_CERTIFICATE Hdr; - /// - /// This is the hashing algorithm which was performed on the - /// UEFI executable when creating the digital signature. - /// - EFI_GUID HashAlgorithm; - /// - /// The following is the actual digital signature. The - /// size of the signature is the same size as the key - /// (1024-bit key is 128 bytes) and can be determined by - /// subtracting the length of the other parts of this header - /// from the total length of the certificate as found in - /// Hdr.dwLength. - /// - /// UINT8 Signature[ANYSIZE_ARRAY]; - /// -} WIN_CERTIFICATE_EFI_PKCS1_15; - - - /// /// AuthInfo is a WIN_CERTIFICATE using the wCertificateType /// WIN_CERTIFICATE_UEFI_GUID and the CertType diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index acbd6a69c8..72baed191e 100644 --- a/MdePkg/MdePkg.dec +++ b/MdePkg/MdePkg.dec @@ -317,6 +317,33 @@ ## Include/Guid/HiiPlatformSetupFormset.h gEfiHiiPlatformSetupFormsetGuid = { 0x93039971, 0x8545, 0x4b04, { 0xb4, 0x5e, 0x32, 0xeb, 0x83, 0x26, 0x04, 0x0e }} + ## Include/Guid/MemoryOverwriteControl.h + gEfiMemoryOverwriteControlDataGuid = { 0xe20939be, 0x32d4, 0x41be, {0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29 }} + + ## Include/Guid/WinCertificate.h + gEfiCertTypeRsa2048Sha256Guid = { 0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf }} + + ## Include/Guid/ImageAuthentication.h + gEfiImageSecurityDatabaseGuid = { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }} + + ## Include/Guid/ImageAuthentication.h + gEfiCertSha256Guid = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }} + + ## Include/Guid/ImageAuthentication.h + gEfiCertRsa2048Guid = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }} + + ## Include/Guid/ImageAuthentication.h + gEfiCertRsa2048Sha256Guid = { 0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }} + + ## Include/Guid/ImageAuthentication.h + gEfiCertSha1Guid = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }} + + ## Include/Guid/ImageAuthentication.h + gEfiCertRsa2048Sha1Guid = {0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }} + + ## Include/Guid/ImageAuthentication.h + gEfiCertX509Guid = { 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 }} + # # GUID defined in PI1.0 # -- cgit v1.2.3