From 2d3fb919872aaf67b8246fadc7bd20aa5d80dd43 Mon Sep 17 00:00:00 2001
From: xdu2
Date: Fri, 28 Oct 2011 09:55:09 +0000
Subject: SecurityPkg: Update VariableAuthenticated driver with following changes:
1. Remove memory allocation code in runtime.
2. Exclude NULL terminator in VariableName for serialization data in time-based variable authentication.
3. Add support for enroll PK with WRITE_ACCESS attribute.
4. Initialize SetupMode variable with correct NV attribute.
5. Add support for APPEND_WRITE attribute for non-existing Variable.
6. Clear KEK, DB and DBX as well as PK when user request to clear platform keys.
7. Check duplicated EFI_SIGNATURE_DATA for Variable formatted as EFI_SIGNATURE_LIST when APPEND_WRITE attribute is set.
8. Not change SecureBoot Variable in runtime, only update it in boot time since this Variable indicates firmware operating mode.
9. Save time stamp of PK when PK is set with TIME_BASED_WRITE_ACCESS attribute in setup mode.
10. Update to use PcdMaxVariableSize instead of PcdMaxAppendVariableSize for append operation.
Signed-off-by: xdu2
Reviewed-by: tye
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12599 6f19259b-4bc3-4df7-8a09-765794883524
---
 .../VariableAuthenticated/RuntimeDxe/AuthService.h | 74 +++++++++++++++++-----
 1 file changed, 59 insertions(+), 15 deletions(-)
(limited to 'SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h')
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h
index 6b0db74c81..54e2ac0a43 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h
@@ -3,12 +3,12 @@
 internal structure and functions used by AuthService module.
 Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
 http://opensource.org/licenses/bsd-license.php
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 **/
@@ -20,9 +20,17 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #define EFI_CERT_TYPE_RSA2048_SIZE 256
 ///
-/// Size of AuthInfo prior to the data payload
+/// Size of AuthInfo prior to the data payload.
 ///
-#define AUTHINFO_SIZE (((UINTN)(((EFI_VARIABLE_AUTHENTICATION *) 0)->AuthInfo.CertData)) + sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
+#define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
+ (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
+ sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
+
+#define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
+ (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)
+
+#define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
+ (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)))
 ///
 /// "AuthVarKeyDatabase" variable for the Public Key store.
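Review bot: `AUTHINFO2_SIZE(VarAuth2)` in the `@@ -20,9 +20,17 @@` hunk adds `AuthInfo.Hdr.dwLength`, a length field read out of the authentication descriptor itself, to a fixed offset with no bound, and unlike `AUTHINFO_SIZE` it carries no doc comment. The callers are not part of this diff, so this is inferred from the macro alone: each use presumably has to confirm first that `dwLength` is at least `OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)` and that the macro's result does not exceed the supplied `DataSize`. On builds where `UINTN` is 32 bits the sum can also wrap for a `dwLength` near the 32-bit maximum. I would add a comment above it such as `/// Size of the EFI_VARIABLE_AUTHENTICATION_2 descriptor; dwLength comes from the caller's payload and must be validated against DataSize before this value is used.` and a matching one-line comment for `OFFSET_OF_AUTHINFO2_CERT_DATA`.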
@@ -58,8 +66,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 @return EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
 @return EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
- set, but the AuthInfo does NOT pass the validation
- check carried out by the firmware.
+ set, but the AuthInfo does NOT pass the validation
+ check carried out by the firmware.
 @return EFI_SUCCESS Variable is not write-protected, or passed validation successfully.
 **/
@@ -73,6 +81,20 @@ ProcessVariable (
 IN UINT32 Attributes
 );
+/**
+ Update platform mode.
+
+ @param[in] Mode SETUP_MODE or USER_MODE.
+
+ @return EFI_INVALID_PARAMETER Invalid parameter.
+ @return EFI_SUCCESS Update platform mode successfully.
+
+**/
+EFI_STATUS
+UpdatePlatformMode (
+ IN UINT32 Mode
+ );
+
 /**
 Initializes for authenticated varibale service.
@@ -107,8 +129,8 @@ CryptLibraryInitialize (
 @param[in] IsPk Indicate whether it is to process pk.
 @return EFI_INVALID_PARAMETER Invalid parameter
- @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
- check carried out by the firmware.
+ @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
+ check carried out by the firmware.
 @return EFI_SUCCESS Variable passed validation successfully.
 **/
@@ -135,8 +157,8 @@ ProcessVarWithPk (
 @param[in] Attributes Attribute value of the variable.
 @return EFI_INVALID_PARAMETER Invalid parameter.
- @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
- check carried out by the firmware.
+ @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
+ check carried out by the firmware.
 @return EFI_SUCCESS Variable passed validation successfully.
 **/
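Review bot: The doc comment added for `UpdatePlatformMode` in the `@@ -73,6 +81,20 @@` hunk does not say which variables the call changes or when it may be called. The commit message states that the SecureBoot variable is only updated at boot time; if this routine takes part in that (its body is not in this diff), the header should carry the constraint, for example `Updates the platform mode variables; the SecureBoot variable is left unchanged at runtime.` Only EFI_INVALID_PARAMETER and EFI_SUCCESS are listed, so any status propagated from the underlying variable update should be documented as well.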
@@ -150,6 +172,27 @@ ProcessVarWithKek (
 IN UINT32 Attributes OPTIONAL
 );
+/**
+ Merge two buffers which formatted as EFI_SIGNATURE_LIST. Only the new EFI_SIGNATURE_DATA
+ will be appended to the original EFI_SIGNATURE_LIST, duplicate EFI_SIGNATURE_DATA
+ will be ignored.
+
+ @param[in, out] Data Pointer to original EFI_SIGNATURE_LIST.
+ @param[in] DataSize Size of Data buffer.
+ @param[in] NewData Pointer to new EFI_SIGNATURE_LIST to be appended.
+ @param[in] NewDataSize Size of NewData buffer.
+
+ @return Size of the merged buffer.
+
+**/
+UINTN
+AppendSignatureList (
+ IN OUT VOID *Data,
+ IN UINTN DataSize,
+ IN VOID *NewData,
+ IN UINTN NewDataSize
+ );
+
 /**
 Compare two EFI_TIME data.
@@ -182,8 +225,8 @@ CompareTimeStamp (
 @param[out] VarDel Delete the variable or not.
 @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
- check carried out by the firmware.
+ @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
+ check carried out by the firmware.
 @retval EFI_OUT_OF_RESOURCES Failed to process variable due to lack of resources.
 @retval EFI_SUCCESS Variable pass validation successfully.
@@ -205,5 +248,6 @@ extern UINT8 mPubKeyStore[MAX_KEYDB_SIZE];
 extern UINT32 mPubKeyNumber;
 extern VOID *mHashCtx;
 extern VOID *mStorageArea;
-
+extern UINT8 *mSerializationRuntimeBuffer;
+
 #endif
-- cgit v1.2.3
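Review bot: `AppendSignatureList` in the `@@ -150,6 +172,27 @@` hunk appends into `Data` but its prototype carries no capacity, and `DataSize` is documented only as "Size of Data buffer", which does not say whether that is the bytes in use or the bytes allocated. As declared, the caller has to guarantee room for up to `DataSize + NewDataSize` bytes, and the `UINTN` return leaves no way to report a malformed or oversized list; the implementation is outside this diff, so this is inferred from the signature. The comment should at least state the requirement, e.g. `@param[in, out] Data  Pointer to original EFI_SIGNATURE_LIST; the buffer must be able to hold DataSize + NewDataSize bytes.`, and say which of the two meanings `DataSize` has.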
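Review bot: `mSerializationRuntimeBuffer` is exported in the `@@ -205,5 +248,6 @@` hunk as a bare `UINT8 *` with no comment and no size, unlike `mPubKeyStore[MAX_KEYDB_SIZE]` a few lines above it. The commit message says runtime allocation was removed, so this is presumably a buffer allocated once during initialization, and every writer then needs its capacity to bound the serialized data. I would add a comment naming the allocation size and where it is allocated, for example `/// Pre-allocated at initialization for time-based authentication serialization; capacity is <size expression used at allocation>.`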