From a555940b2d4cb525d8c2bfcf16fbaab89157556f Mon Sep 17 00:00:00 2001 From: Fu Siyuan Date: Thu, 12 Sep 2013 05:23:28 +0000 Subject: =?UTF-8?q?Add=20=E2=80=9CVendorKeys=E2=80=9D=20variable=20for=20i?= =?UTF-8?q?ndicating=20out=20of=20band=20key=20modification.=20Signed-off-?= =?UTF-8?q?by:=20Fu=20Siyuan=20=20Reviewed-by:=20Ye?= =?UTF-8?q?=20Ting=20=20Reviewed-by:=20Dong=20Guo=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14660 6f19259b-4bc3-4df7-8a09-765794883524 --- .../VariableAuthenticated/RuntimeDxe/AuthService.c | 120 ++++++++++++++++++++- .../VariableAuthenticated/RuntimeDxe/Variable.c | 3 +- .../RuntimeDxe/VariableRuntimeDxe.inf | 1 + .../RuntimeDxe/VariableSmm.inf | 1 + 4 files changed, 121 insertions(+), 4 deletions(-) (limited to 'SecurityPkg/VariableAuthenticated') diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c index 7da0d63aba..909de960b7 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c @@ -36,6 +36,8 @@ UINT8 mPubKeyStore[MAX_KEYDB_SIZE]; UINT32 mPubKeyNumber; UINT8 mCertDbStore[MAX_CERTDB_SIZE]; UINT32 mPlatformMode; +UINT8 mVendorKeyState; + EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID}; // // Public Exponent of RSA Key. @@ -255,7 +257,7 @@ AutenticatedVariableServiceInitialize ( } // - // Create "SetupMode" varable with BS+RT attribute set. + // Create "SetupMode" variable with BS+RT attribute set. // FindVariable (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE); if (PkVariable.CurrPtr == NULL) { @@ -279,7 +281,7 @@ AutenticatedVariableServiceInitialize ( } // - // Create "SignatureSupport" varable with BS+RT attribute set. + // Create "SignatureSupport" variable with BS+RT attribute set. // FindVariable (EFI_SIGNATURE_SUPPORT_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE); Status = UpdateVariable ( @@ -328,7 +330,7 @@ AutenticatedVariableServiceInitialize ( } // - // Create "SecureBoot" varable with BS+RT attribute set. + // Create "SecureBoot" variable with BS+RT attribute set. // if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) { SecureBootMode = SECURE_BOOT_MODE_ENABLE; @@ -409,6 +411,54 @@ AutenticatedVariableServiceInitialize ( } } + // + // Check "VendorKeysNv" variable's existence and create "VendorKeys" variable accordingly. + // + FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE); + if (Variable.CurrPtr != NULL) { + mVendorKeyState = *(GetVariableDataPtr (Variable.CurrPtr)); + } else { + // + // "VendorKeysNv" not exist, initialize it in VENDOR_KEYS_VALID state. + // + mVendorKeyState = VENDOR_KEYS_VALID; + Status = UpdateVariable ( + EFI_VENDOR_KEYS_NV_VARIABLE_NAME, + &gEfiVendorKeysNvGuid, + &mVendorKeyState, + sizeof (UINT8), + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, + 0, + 0, + &Variable, + NULL + ); + if (EFI_ERROR (Status)) { + return Status; + } + } + + // + // Create "VendorKeys" variable with BS+RT attribute set. + // + FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE); + Status = UpdateVariable ( + EFI_VENDOR_KEYS_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + &mVendorKeyState, + sizeof (UINT8), + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, + 0, + &Variable, + NULL + ); + if (EFI_ERROR (Status)) { + return Status; + } + + DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_VENDOR_KEYS_VARIABLE_NAME, mVendorKeyState)); + return Status; } @@ -911,6 +961,56 @@ CheckSignatureListFormat( return EFI_SUCCESS; } +/** + Update "VendorKeys" variable to record the out of band secure boot key modification. + + @return EFI_SUCCESS Variable is updated successfully. + @return Others Failed to update variable. + +**/ +EFI_STATUS +VendorKeyIsModified ( + VOID + ) +{ + EFI_STATUS Status; + VARIABLE_POINTER_TRACK Variable; + + if (mVendorKeyState == VENDOR_KEYS_MODIFIED) { + return EFI_SUCCESS; + } + mVendorKeyState = VENDOR_KEYS_MODIFIED; + + FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE); + Status = UpdateVariable ( + EFI_VENDOR_KEYS_NV_VARIABLE_NAME, + &gEfiVendorKeysNvGuid, + &mVendorKeyState, + sizeof (UINT8), + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, + 0, + 0, + &Variable, + NULL + ); + if (EFI_ERROR (Status)) { + return Status; + } + + FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE); + return UpdateVariable ( + EFI_VENDOR_KEYS_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + &mVendorKeyState, + sizeof (UINT8), + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, + 0, + &Variable, + NULL + ); +} + /** Process variable with platform key for verification. @@ -985,6 +1085,13 @@ ProcessVarWithPk ( Variable, &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp ); + if (EFI_ERROR(Status)) { + return Status; + } + + if (mPlatformMode != SETUP_MODE) { + Status = VendorKeyIsModified (); + } } else if (mPlatformMode == USER_MODE) { // // Verify against X509 Cert in PK database. @@ -1117,6 +1224,13 @@ ProcessVarWithKek ( Variable, &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp ); + if (EFI_ERROR (Status)) { + return Status; + } + + if (mPlatformMode != SETUP_MODE) { + Status = VendorKeyIsModified (); + } } return Status; diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c index 5261157ff2..5ff48cff2f 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c @@ -2500,7 +2500,8 @@ IsReadOnlyVariable ( if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)) { if ((StrCmp (VariableName, EFI_SETUP_MODE_NAME) == 0) || (StrCmp (VariableName, EFI_SIGNATURE_SUPPORT_NAME) == 0) || - (StrCmp (VariableName, EFI_SECURE_BOOT_MODE_NAME) == 0)) { + (StrCmp (VariableName, EFI_SECURE_BOOT_MODE_NAME) == 0) || + (StrCmp (VariableName, EFI_VENDOR_KEYS_VARIABLE_NAME) == 0)) { return TRUE; } } diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf index 4904adae2e..7f8c28ec72 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf @@ -80,6 +80,7 @@ gEfiCertRsa2048Guid gEfiSecureBootEnableDisableGuid gEfiCustomModeEnableGuid + gEfiVendorKeysNvGuid gEfiSystemNvDataFvGuid ## CONSUMES gEfiCertDbGuid gEfiHardwareErrorVariableGuid ## SOMETIMES_CONSUMES diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf index 4180309c7f..5a40823097 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf @@ -86,6 +86,7 @@ gEfiCertRsa2048Guid gEfiSecureBootEnableDisableGuid gEfiCustomModeEnableGuid + gEfiVendorKeysNvGuid gEfiSystemNvDataFvGuid ## CONSUMES gEfiCertDbGuid gEfiHardwareErrorVariableGuid ## SOMETIMES_CONSUMES -- cgit v1.2.3