1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
|
//**********************************************************************
//**********************************************************************
//** **
//** (C)Copyright 1985-2015, American Megatrends, Inc. **
//** **
//** All Rights Reserved. **
//** **
//** 5555 Oakbrook Pkwy, Suite 200, Norcross, GA 30093 **
//** **
//** Phone: (770)-246-8600 **
//** **
//**********************************************************************
//**********************************************************************
//**********************************************************************
// $Header: /Alaska/SOURCE/Modules/SecureBoot_WIN8/AuthenticatedVariable_efi/AuthVariable.h 17 3/09/15 4:27p Alexp $
//
// $Revision: 17 $
//
// $Date: 3/09/15 4:27p $
//**********************************************************************
// Revision History
// ----------------
// $Log: /Alaska/SOURCE/Modules/SecureBoot_WIN8/AuthenticatedVariable_efi/AuthVariable.h $
//
// 17 3/09/15 4:27p Alexp
// Update year 2015 in the file header
//
// 16 2/08/13 5:15p Alexp
// Optimized the code flow fro Auth2 Variables.
//
// 15 12/07/12 3:45p Alexp
// define AVAR_TRACE macro
//
// 14 11/19/12 4:41p Alexp
// Fix for Win8 SecureBoot logo requirement: restore Secure Boot state
// across flash updates.
// Move all secure boot Setup settings to a separate varstore variable.
// Preserve var across re-flash
//
// 13 10/16/12 3:45p Alexp
// Implemented R/O Variables support via fixed and OEM defined (eLink)
// lists
//
// 12 8/27/12 10:42a Alexp
// GetmSecureBootSupport():
// Add input parameter SetupMode to control state of
// Setup Flag:SecureBootSupport
//
// 11 2/27/12 6:52p Alexp
// removed AuthenticatedVariableServiceInitialize()
//
// 10 2/03/12 9:56a Alexp
// EIP#82122. WHCK "Secure Boot Manual Logo Test" fails
// Fixed Append logic to process multiple sig data instances in a single
// Signature List block
// New logic will remove dupplicated certs and update new SigList header.
//
// 9 8/18/11 5:59p Alexp
// renamed func SecureBootSupport()
//
// 8 8/18/11 4:53p Alexp
// removed AuthVar mailbox
//
// 7 8/16/11 7:18p Alexp
// added Mailbox variable AuthVarMAilbox to syncronize local state between
// DXE and SMM AuthVariable services
//
// 6 8/05/11 3:12p Alexp
// add mkime prototyte define
//
// 5 8/04/11 7:12p Alexp
//
// 4 6/30/11 4:02p Alexp
// added Callback event on Setup Mode change request form Security Setup
// Page.
//
// 3 6/24/11 7:04p Alexp
// fixed ValidateSignatureList () logic. Added Certificate RSA2048 to
// supported Signatures
//
// 2 6/23/11 6:19p Alexp
// Added ValidateSigList() function
//
// 5 6/09/11 5:49p Alexp
// add new parameter to ValidateSelfSigned - Operation.
//
// 4 6/02/11 5:52p Alexp
// add ValidateSelfSigned certificates func definition
//
// 2 5/19/11 4:59p Alexp
// Major code revamp to be able to handle of handling Secure vars in Setup
// Mode
// TBD: TimeBased certificates from Msft fail to process. Not compiled as
// Authenticode format
//
// 4 3/31/11 6:28p Alexp
// Add SHA256 to supported SignatureList
//
//
//**********************************************************************
//<AMI_FHDR_START>
//
// Name: AuthVariable.h Implement authentication services for the authenticated variable
// service in UEFI2.2+
//
// Description:
//
//<AMI_FHDR_END>
//**********************************************************************
#ifndef _AUTHVARIABLE_H_
#define _AUTHVARIABLE_H_
#include <Efi.h>
// All are EDKII defined headers
#include "WinCertificate.h"
#include "ImageAuthentication.h"
#include <Protocol/Hash.h>
#define HASH_SHA256_LEN sizeof(EFI_SHA256_HASH) // 32
#define HASH_SHA1_LEN sizeof(EFI_SHA1_HASH)
#define RSA2048_PUB_KEY_LEN DEFAULT_RSA_KEY_MODULUS_LEN // 256
#define EFI_CERT_TYPE_RSA2048_SHA256_SIZE RSA2048_PUB_KEY_LEN
#define EFI_CERT_TYPE_RSA2048_SIZE RSA2048_PUB_KEY_LEN
//
// EFI_VARIABLE_AUTHENTICATION descriptor
//
// A authentication authentication method descriptor template
// AuthInfo is a WIN_CERTIFICATE using the wCertificateType
// WIN_CERTIFICATE_UEFI_GUID and the CertType
// EFI_CERT_TYPE_RSA2048_SHA256.
//
#ifndef EFI_VARIABLE_AUTHENTICATION
typedef struct {
UINT64 MonotonicCount;
WIN_CERTIFICATE_UEFI_GUID AuthInfo;
} EFI_VARIABLE_AUTHENTICATION;
#endif
//
// EFI_VARIABLE_AUTHENTICATION_2 descriptor
//
// A time-based authentication method descriptor template
//
#ifndef EFI_VARIABLE_AUTHENTICATION_2
typedef struct {
EFI_TIME TimeStamp;
WIN_CERTIFICATE_UEFI_GUID AuthInfo;
} EFI_VARIABLE_AUTHENTICATION_2;
#endif
///
/// Size of AuthInfo prior to the data payload
///
#define AUTHINFO_SIZE(Cert) (((UINTN)(((EFI_VARIABLE_AUTHENTICATION *) Cert)->AuthInfo.Hdr.dwLength)) + sizeof(UINT64))
#define AUTHINFO_2_SIZE(Cert) (((UINTN)(((EFI_VARIABLE_AUTHENTICATION_2 *) Cert)->AuthInfo.Hdr.dwLength)) + sizeof(EFI_TIME))
#ifdef EFI_DEBUG
#define AVAR_TRACE(Arguments) { if (!AVarRuntime) TRACE(Arguments); }
#else
#define AVAR_TRACE(Arguments)
#endif
typedef enum {
IsPkVarType = 0,
IsKekVarType,
IsDbVarType,
IsPrivateVarType
} AUTHVAR_TYPE;
VOID AuthVariableServiceInitSMM (VOID );
VOID AuthVariableServiceInit ( VOID );
EFI_STATUS VerifyVariable (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
IN UINT32 *Attributes,
IN VOID **Data,
IN UINTN *DataSize,
IN VOID *OldData,
IN UINTN OldDataSize,
IN OUT EXT_SEC_FLAGS *ExtFlags
);
EFI_STATUS FindInSignatureDb (
IN EFI_GUID *VendorGuid,
IN UINT32 Attributes,
IN VOID *Data,
IN UINTN *DataSize,
IN VOID *SigDB,
IN UINTN SigDBSize
);
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// Variable Auth Hdr EFI_VARIABLE_AUTHENTICATION
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
EFI_STATUS VerifyVariable1 (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
IN UINT32 Attributes,
IN VOID **Data,
IN UINTN *DataSize,
IN VOID *OldData,
IN UINTN OldDataSize,
IN OUT EXT_SEC_FLAGS *ExtFlags
);
EFI_STATUS VerifyDataPayload (
IN VOID *Data,
IN UINTN DataSize,
IN UINT8 *PubKey
);
EFI_STATUS ProcessVarWithPk (
IN VOID *Data,
IN UINTN DataSize,
IN UINT32 Attributes,
IN BOOLEAN IsPk
);
EFI_STATUS ProcessVarWithKek (
IN VOID *Data,
IN UINTN DataSize,
IN UINT32 Attributes
);
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// Variable Auth Hdr EFI_VARIABLE_AUTHENTICATION_2
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
EFI_STATUS VerifyVariable2 (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
IN UINT32 Attributes,
IN VOID **Data,
IN UINTN *DataSize,
IN VOID *OldData,
IN UINTN OldDataSize,
IN OUT EXT_SEC_FLAGS *ExtFlags
);
EFI_STATUS ValidateSelfSigned (
IN UINT8 *Pkcs7Cert,
IN UINTN Pkcs7Cert_len,
IN OUT UINT8 **pDigest,
IN OUT UINTN *Digest_len,
IN UINT8 Operation
);
EFI_STATUS ConstructDataParameter (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
IN UINT32 Attributes,
IN VOID *Data,
IN UINTN DataSize,
OUT UINT8 *pDigest,
OUT UINTN *Digest_len,
IN UINT8 Mutex
);
EFI_STATUS ProcessVarWithPk2 (
IN UINT8 *Pkcs7Cert,
IN UINTN Pkcs7Cert_len,
IN UINT8 *pDigest,
IN UINTN Digest_len
);
EFI_STATUS ProcessVarWithKek2 (
IN UINT8 *Pkcs7Cert,
IN UINTN Pkcs7Cert_len,
IN UINT8 *pDigest,
IN UINTN Digest_len
);
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// Misc auxilary functions
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
INTN StrCmp16(CHAR16 *Dest, CHAR16 *Src);
UINT32 StrSize16(CHAR16 *String);
BOOLEAN IsPkVar(
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid
);
BOOLEAN IsKekVar(
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid
);
BOOLEAN IsDbVar(
IN EFI_GUID *VendorGuid
);
EFI_STATUS GetPlatformMode (
VOID
);
EFI_STATUS GetmSecureBootSupport (
UINT8
);
VOID UpdatePlatformMode (
IN UINT8 Mode
);
EFI_STATUS ValidateSignatureList (
IN VOID *Data,
IN UINTN DataSize
);
UINT64 mkLongTime (
EFI_TIME *TimeStamp
);
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
// NVRAM module defined auxilary functions
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
EFI_STATUS FindVariable(
IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid,
OUT UINT32 *Attributes OPTIONAL,
IN OUT UINTN *DataSize, OUT VOID **Data
);
EFI_STATUS DxeSetVariable(
IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid,
IN UINT32 Attributes, IN UINTN DataSize, IN VOID *Data
);
EFI_STATUS DxeGetVariable(
IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid,
OUT UINT32 *Attributes OPTIONAL,
IN OUT UINTN *DataSize, OUT VOID *Data
);
#endif // _AUTHVARIABLE_H_
//**********************************************************************
//**********************************************************************
//** **
//** (C)Copyright 1985-2015, American Megatrends, Inc. **
//** **
//** All Rights Reserved. **
//** **
//** 5555 Oakbrook Parkway, Suite 200, Norcross, GA 30093 **
//** **
//** Phone: (770)-246-8600 **
//** **
//**********************************************************************
//**********************************************************************
|
