From 4fc08e8d683522f255727626197d919a40d4836c Mon Sep 17 00:00:00 2001 From: Chao Zhang Date: Mon, 7 Dec 2015 06:20:02 +0000 Subject: SecurityPkg: AuthVariableLib: Customized SecureBoot Mode transition. Implement Customized SecureBoot Mode transition logic according to Mantis 1263, including AuditMode/DeployedMode/PK update management. Also implement image verification logic in AuditMode. Image Certificate & Hash are recorded to EFI Image Execution Table. https://mantis.uefi.org/mantis/view.php?id=1263 Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang Reviewed-by: Zeng Star Reviewed-by: Long Qin git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19133 6f19259b-4bc3-4df7-8a09-765794883524 --- .../Library/AuthVariableLib/AuthVariableLib.c | 109 ++++----------------- 1 file changed, 20 insertions(+), 89 deletions(-) (limited to 'SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c') diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c index a54eaaa066..dee5e1dd9d 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -33,7 +33,6 @@ UINT32 mMaxKeyNumber; UINT32 mMaxKeyDbSize; UINT8 *mCertDbStore; UINT32 mMaxCertDbSize; -UINT32 mPlatformMode; UINT8 mVendorKeyState; EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID}; @@ -99,6 +98,17 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = { MAX_UINTN } }, + { + &gEdkiiSecureBootModeGuid, + L"SecureBootMode", + { + VAR_CHECK_VARIABLE_PROPERTY_REVISION, + VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY, + VARIABLE_ATTRIBUTE_NV_BS_RT, + sizeof (UINT8), + sizeof (UINT8) + } + } }; VOID **mAuthVarAddressPointer[10]; @@ -132,8 +142,6 @@ AuthVariableLibInitialize ( UINT8 *Data; UINTN DataSize; UINTN CtxSize; - UINT8 SecureBootMode; - UINT8 SecureBootEnable; UINT8 CustomMode; UINT32 ListSize; 
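Review bot: The new `SecureBootMode` entry added to `mAuthVarEntry` (hunk `@@ -99,6 +98,17 @@`) carries no comment explaining why a non-volatile variable is registered with `VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY`. The intent matters because the variable appears to persist the Secure Boot mode across resets. A one-line comment above the entry would help, for example `// SecureBootMode is owned by this library; READ_ONLY rejects SetVariable() from other callers.`, worded to match what the internal update path actually does, which is not visible here. It is also worth confirming that runtime access (`VARIABLE_ATTRIBUTE_NV_BS_RT`) is needed for this variable rather than boot-service-only access. The table's definition starts above the hunk.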
@@ -208,31 +216,11 @@ AuthVariableLibInitialize ( mPubKeyNumber = (UINT32) (DataSize / sizeof (AUTHVAR_KEY_DB_DATA)); } - Status = AuthServiceInternalFindVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_INFO, "Variable %s does not exist.\n", EFI_PLATFORM_KEY_NAME)); - } else { - DEBUG ((EFI_D_INFO, "Variable %s exists.\n", EFI_PLATFORM_KEY_NAME)); - } - // - // Create "SetupMode" variable with BS+RT attribute set. + // Init Secure Boot variables // - if (EFI_ERROR (Status)) { - mPlatformMode = SETUP_MODE; - } else { - mPlatformMode = USER_MODE; - } - Status = AuthServiceInternalUpdateVariable ( - EFI_SETUP_MODE_NAME, - &gEfiGlobalVariableGuid, - &mPlatformMode, - sizeof(UINT8), - EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS - ); - if (EFI_ERROR (Status)) { - return Status; - } + Status = InitSecureBootVariables (); + // // Create "SignatureSupport" variable with BS+RT attribute set. 
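Review bot: The status returned by `InitSecureBootVariables ()` is assigned but never checked in this hunk, whereas the removed code returned on failure of the `SetupMode` update. If the next statement (the `SignatureSupport` update, which begins after the hunk) overwrites `Status`, a failure to establish the Secure Boot mode variables is silently dropped and initialization continues with that state undefined. Add `if (EFI_ERROR (Status)) { return Status; }` directly after the call. AuthVariableLibInitialize starts and ends outside the hunk.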
@@ -248,69 +236,6 @@ AuthVariableLibInitialize ( return Status; } - // - // If "SecureBootEnable" variable exists, then update "SecureBoot" variable. - // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE. - // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE. - // - SecureBootEnable = SECURE_BOOT_DISABLE; - Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **) &Data, &DataSize); - if (!EFI_ERROR (Status)) { - if (mPlatformMode == SETUP_MODE){ - // - // PK is cleared in runtime. "SecureBootMode" is not updated before reboot - // Delete "SecureBootMode" in SetupMode - // - Status = AuthServiceInternalUpdateVariable ( - EFI_SECURE_BOOT_ENABLE_NAME, - &gEfiSecureBootEnableDisableGuid, - &SecureBootEnable, - 0, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS - ); - } else { - SecureBootEnable = *(UINT8 *) Data; - } - } else if (mPlatformMode == USER_MODE) { - // - // "SecureBootEnable" not exist, initialize it in USER_MODE. - // - SecureBootEnable = SECURE_BOOT_ENABLE; - Status = AuthServiceInternalUpdateVariable ( - EFI_SECURE_BOOT_ENABLE_NAME, - &gEfiSecureBootEnableDisableGuid, - &SecureBootEnable, - sizeof (UINT8), - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS - ); - if (EFI_ERROR (Status)) { - return Status; - } - } - - // - // Create "SecureBoot" variable with BS+RT attribute set. 
- // - if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) { - SecureBootMode = SECURE_BOOT_MODE_ENABLE; - } else { - SecureBootMode = SECURE_BOOT_MODE_DISABLE; - } - Status = AuthServiceInternalUpdateVariable ( - EFI_SECURE_BOOT_MODE_NAME, - &gEfiGlobalVariableGuid, - &SecureBootMode, - sizeof (UINT8), - EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS - ); - if (EFI_ERROR (Status)) { - return Status; - } - - DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SETUP_MODE_NAME, mPlatformMode)); - DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_MODE_NAME, SecureBootMode)); - DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_ENABLE_NAME, SecureBootEnable)); - // // Initialize "CustomMode" in STANDARD_SECURE_BOOT_MODE state. // @@ -455,10 +380,16 @@ AuthVariableLibProcessVariable ( { EFI_STATUS Status; + // + // Process PK, KEK, Sigdb, AuditMode, DeployedMode separately. + // if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){ Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, TRUE); } else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) { Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, FALSE); + } else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) + && (StrCmp (VariableName, EFI_AUDIT_MODE_NAME) == 0 || StrCmp (VariableName, EFI_DEPLOYED_MODE_NAME) == 0)) { + Status = ProcessSecureBootModeVar(VariableName, VendorGuid, Data, DataSize, Attributes); } else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) && ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) || -- cgit v1.2.3
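Review bot: The added call `ProcessSecureBootModeVar(VariableName, ...)` in hunk `@@ -455,10 +380,16 @@` has no space before the parenthesis, unlike the neighbouring `ProcessVarWithPk (` calls; write `Status = ProcessSecureBootModeVar (VariableName, VendorGuid, Data, DataSize, Attributes);`. The new branch forwards `Data`, `DataSize` and `Attributes` unchanged, so all validation of writes to `AuditMode` and `DeployedMode` rests on ProcessSecureBootModeVar, which is not part of this diff. It is worth confirming there that the size is exactly `sizeof (UINT8)` and that only the permitted mode transitions are accepted. AuthVariableLibProcessVariable's body starts above the hunk and continues below it.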