1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
|
/** @file
The internal header file includes the common header files, defines
internal structure and functions used by AuthService module.
Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef _AUTHSERVICE_H_
#define _AUTHSERVICE_H_
#define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256
#define EFI_CERT_TYPE_RSA2048_SIZE 256
///
/// Size of AuthInfo prior to the data payload.
///
#define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
#define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
(UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)
#define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)))
///
/// "AuthVarKeyDatabase" variable for the Public Key store.
///
#define AUTHVAR_KEYDB_NAME L"AuthVarKeyDatabase"
#define AUTHVAR_KEYDB_NAME_SIZE 38
///
/// Max size of public key database, restricted by max individal EFI varible size, exclude variable header and name size.
///
#define MAX_KEYDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - AUTHVAR_KEYDB_NAME_SIZE)
#define MAX_KEY_NUM (MAX_KEYDB_SIZE / EFI_CERT_TYPE_RSA2048_SIZE)
///
/// Item number of support signature types.
///
#define SIGSUPPORT_NUM 2
/**
Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Data Data pointer.
@param[in] DataSize Size of Data found. If size is less than the
data, this value contains the required size.
@param[in] Variable The variable information which is used to keep track of variable usage.
@param[in] Attributes Attribute value of the variable.
@return EFI_INVALID_PARAMETER Invalid parameter
@return EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
@return EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
set, but the AuthInfo does NOT pass the validation
check carried out by the firmware.
@return EFI_SUCCESS Variable is not write-protected, or passed validation successfully.
**/
EFI_STATUS
ProcessVariable (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
IN VOID *Data,
IN UINTN DataSize,
IN VARIABLE_POINTER_TRACK *Variable,
IN UINT32 Attributes
);
/**
Update platform mode.
@param[in] Mode SETUP_MODE or USER_MODE.
@return EFI_INVALID_PARAMETER Invalid parameter.
@return EFI_SUCCESS Update platform mode successfully.
**/
EFI_STATUS
UpdatePlatformMode (
IN UINT32 Mode
);
/**
Initializes for authenticated varibale service.
@retval EFI_SUCCESS Function successfully executed.
@retval EFI_OUT_OF_RESOURCES Fail to allocate enough memory resource.
**/
EFI_STATUS
AutenticatedVariableServiceInitialize (
VOID
);
/**
Initializes for cryptlib service before use, include register algrithm and allocate scratch.
**/
VOID
CryptLibraryInitialize (
VOID
);
/**
Process variable with platform key for verification.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Data Data pointer.
@param[in] DataSize Size of Data found. If size is less than the
data, this value contains the required size.
@param[in] Variable The variable information which is used to keep track of variable usage.
@param[in] Attributes Attribute value of the variable.
@param[in] IsPk Indicate whether it is to process pk.
@return EFI_INVALID_PARAMETER Invalid parameter
@return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
check carried out by the firmware.
@return EFI_SUCCESS Variable passed validation successfully.
**/
EFI_STATUS
ProcessVarWithPk (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
IN VOID *Data,
IN UINTN DataSize,
IN VARIABLE_POINTER_TRACK *Variable,
IN UINT32 Attributes OPTIONAL,
IN BOOLEAN IsPk
);
/**
Process variable with key exchange key for verification.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Data Data pointer.
@param[in] DataSize Size of Data found. If size is less than the
data, this value contains the required size.
@param[in] Variable The variable information that is used to keep track of variable usage.
@param[in] Attributes Attribute value of the variable.
@return EFI_INVALID_PARAMETER Invalid parameter.
@return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
check carried out by the firmware.
@return EFI_SUCCESS Variable passed validation successfully.
**/
EFI_STATUS
ProcessVarWithKek (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
IN VOID *Data,
IN UINTN DataSize,
IN VARIABLE_POINTER_TRACK *Variable,
IN UINT32 Attributes OPTIONAL
);
/**
Merge two buffers which formatted as EFI_SIGNATURE_LIST. Only the new EFI_SIGNATURE_DATA
will be appended to the original EFI_SIGNATURE_LIST, duplicate EFI_SIGNATURE_DATA
will be ignored.
@param[in, out] Data Pointer to original EFI_SIGNATURE_LIST.
@param[in] DataSize Size of Data buffer.
@param[in] NewData Pointer to new EFI_SIGNATURE_LIST to be appended.
@param[in] NewDataSize Size of NewData buffer.
@return Size of the merged buffer.
**/
UINTN
AppendSignatureList (
IN OUT VOID *Data,
IN UINTN DataSize,
IN VOID *NewData,
IN UINTN NewDataSize
);
/**
Compare two EFI_TIME data.
@param FirstTime A pointer to the first EFI_TIME data.
@param SecondTime A pointer to the second EFI_TIME data.
@retval TRUE The FirstTime is not later than the SecondTime.
@retval FALSE The FirstTime is later than the SecondTime.
**/
BOOLEAN
CompareTimeStamp (
IN EFI_TIME *FirstTime,
IN EFI_TIME *SecondTime
);
/**
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Data Data pointer.
@param[in] DataSize Size of Data found. If size is less than the
data, this value contains the required size.
@param[in] Variable The variable information which is used to keep track of variable usage.
@param[in] Attributes Attribute value of the variable.
@param[in] Pk Verify against PK or KEK database.
@param[out] VarDel Delete the variable or not.
@retval EFI_INVALID_PARAMETER Invalid parameter.
@retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
check carried out by the firmware.
@retval EFI_OUT_OF_RESOURCES Failed to process variable due to lack
of resources.
@retval EFI_SUCCESS Variable pass validation successfully.
**/
EFI_STATUS
VerifyTimeBasedPayload (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
IN VOID *Data,
IN UINTN DataSize,
IN VARIABLE_POINTER_TRACK *Variable,
IN UINT32 Attributes,
IN BOOLEAN Pk,
OUT BOOLEAN *VarDel
);
extern UINT8 mPubKeyStore[MAX_KEYDB_SIZE];
extern UINT32 mPubKeyNumber;
extern VOID *mHashCtx;
extern VOID *mStorageArea;
extern UINT8 *mSerializationRuntimeBuffer;
#endif
|
