1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
|
//**********************************************************************
//**********************************************************************
//** **
//** (C)Copyright 1985-2012 American Megatrends, Inc. **
//** **
//** All Rights Reserved. **
//** **
//** 5555 Oakbrook Pkwy, Suite 200, Norcross, GA 30093 **
//** **
//** Phone: (770)-246-8600 **
//** **
//**********************************************************************
//**********************************************************************
//**********************************************************************
// $Header: /Alaska/BIN/Modules/CryptoPkg/AmiCertificate.h 8 6/18/13 12:45p Alexp $
//
// $Revision: 8 $
//
// $Date: 6/18/13 12:45p $
//**********************************************************************
// Revision History
// ----------------
// $Log: /Alaska/BIN/Modules/CryptoPkg/AmiCertificate.h $
//
// 8 6/18/13 12:45p Alexp
// Added Platform FwKey HOB structure
//
// 7 11/20/12 2:30p Alexp
// add macro "offsetof"
//
// 6 11/13/12 11:47a Alexp
// EIP#105015
// Add GUID defines for x509 Public Key file type and
// Pkcs#7 Cert verification function in Crypto PPI
//
// 5 5/18/12 11:56a Alexp
// add Extended FwCapsule GUID flags
//
// 4 2/29/12 3:58p Alexp
// Add PR_KEY_FFS_FILE_SHA256_GUID for PR Key file in SHA256 Hash format
//
// 3 11/01/11 4:49p Alexp
// formatted headers to be displayed properly in CHM file
//
// 2 7/19/11 2:13p Alexp
// removed obsolete FW capsule structures
//
// 2 5/17/11 5:11p Alexp
// commented out obsolete FW capsule structures
//
// 11 5/05/11 3:38p Alexp
// update Hdr information
//
// 8 4/18/11 7:10p Alexp
// change Aptio Hdr format to support RomMap
//
// 6 4/11/11 12:54p Alexp
// New Capsule Certificate format, Key GUIDs reshuffle
//
// 5 4/05/11 6:30p Alexp
// add new guid for Fw Signing Key image
//
//**********************************************************************
//<AMI_FHDR_START>
//
// Name: AmiCertificate.h
//
// Description: AMI FW Certificate defines and data structures
//
//<AMI_FHDR_END>
//**********************************************************************
#ifndef __AMI_CERTIFICATE_H__
#define __AMI_CERTIFICATE_H__
#include <Efi.h>
// All are EDKII defined headers
#include "WinCertificate.h"
#include "ImageAuthentication.h"
#include <AmiHobs.h>
#ifndef ROM_AREA
#include <RomLayout.h>
#endif
#pragma pack(1)
#ifndef offsetof
#define offsetof(st, m) \
((UINTN) ( (char *)&((st *)0)->m - (char *)0 ))
#endif
//**********************************************************************
// AMI FW Certificate defines
//**********************************************************************
// Aptio FW Capsule
// Update CapsuleMain.c and CapsuleRt.c to process APTIO_FW_CAPSULE_GUID capsules as normal CAPSULE
//#define APTIO_FW_CAPSULE_GUID \
// { 0xc50e4b4a, 0x302, 0x41fe, 0x9b, 0x99, 0x43, 0xde, 0x77, 0x7, 0x6, 0x3f }
// FW Capsule with extended header fields.
//4A3CA68B-7723-48FB-803D-578CC1FEC44D
#define APTIO_FW_CAPSULE_GUID \
{ 0x4A3CA68B, 0x7723, 0x48FB, 0x80, 0x3d, 0x57, 0x8c, 0xc1, 0xfe, 0xc4, 0x4d }
//3FEEC852-F14C-4E7F-97FD-4C3A8C5BBECC
// Key format: Raw 256 byte N-Modulus of RSA2048 Key
#define PR_KEY_FFS_FILE_RAW_GUID \
{ 0x3FEEC852, 0xF14C, 0x4E7F, 0x97, 0xFD, 0x4C, 0x3A, 0x8C, 0x5B, 0xBE, 0xCC }
// 5B85965C-455D-4CC6-9C4C-7F086967D2B0
// Key format: SHA256 hash of 256 byte N-Modulus of RSA2048 Key
#define PR_KEY_FFS_FILE_SHA256_GUID \
{ 0x05B85965C, 0x455D, 0x4CC6, 0x9C, 0x4C, 0x7F, 0x08, 0x69, 0x67, 0xD2, 0xB0 }
// 3A666558-43E3-4D25-9169-DB81F5DB42E1
// Key format: x509 ASN.1 DER containing RSA2048 Public Key
#define PR_KEY_FFS_FILE_X509_GUID \
{ 0x3A666558, 0x43E3, 0x4D25, 0x91, 0x69, 0xdb, 0x81, 0xf5, 0xdb, 0x42, 0xe1 }
// APTIO Patform Fw Root Signing key identifier
// {4E0F9BD4-E338-4B26-843E-BD3AD9B2837B}
#define PR_KEY_GUID \
{ 0x4E0F9BD4, 0xE338, 0x4B26, 0x84, 0x3E, 0xBD, 0x3A, 0xD9, 0xB2, 0x83, 0x7B }
//9E625A27-4840-47CC-A6B5-1E9311CFC60E
//#define PK_PUB_FFS_FILE_EFI_AUTH_VAR_GUID \
// { 0x9E625A27, 0x4840, 0x47CC, 0xA6, 0xB5, 0x1E, 0x93, 0x11, 0xCF, 0xC6, 0x0E }
// APTIO PK Key identifier
// {A6C0E11E-929E-42b3-90CC-4F778E03FF57}
//#define PKPUB_KEY_GUID \
// { 0xa6c0e11e, 0x929e, 0x42b3, 0x90, 0xcc, 0x4f, 0x77, 0x8e, 0x3, 0xff, 0x57 }
// The 256 byte buffer containing the public modulus of RSA2048 Public Key
// Second part of the Public key, public exponent (e), must be hardwired elsewhere in the FW (recommended value of e=65537).
// use EFI_CERT_RSA2048_GUID instead
//#define AMI_PB_KEY_RSA2048_GUID \
// { 0x04627B9B, 0x385E, 0x4744, 0x90, 0x21, 0xE6, 0x63, 0x19, 0xF2, 0x03, 0x94 }
// AMI APTIO 4 Signature Owner id.
// An identifier which identifies the agent which added the signature to the list.
#define AMI_APTIO_SIG_OWNER_GUID \
{ 0x26DC4851, 0x195F, 0x4AE1, 0x9A, 0x19, 0xFB, 0xF8, 0x83, 0xBB, 0xB3, 0x5E }
//Platform FwKey GUIDed HOB
//Header HobGUID = PR_KEY_GUID
typedef struct {
EFI_HOB_GUID_TYPE Header;
EFI_GUID KeyGuid;
EFI_PHYSICAL_ADDRESS KeyAddress;
UINT32 KeySize;
} FW_KEY_HOB;
// Modified version of Win Uefi Cert. CertData is not defined in here
typedef struct {
WIN_CERTIFICATE Hdr;
EFI_GUID CertType;
// UINT8 CertData[1];
// EFI_CERT_BLOCK_RSA_2048_SHA256 CertData;
} WIN_CERTIFICATE_UEFI_GUID_1;
//<AMI_SHDR_START>
//----------------------------------------------------------------------------
// Name: AMI_CERTIFICATE_RSA2048_SHA256
//
// Description: Certificate which encapsulates the UEFI RSA2048_SHA256 digital signature.
//
// The WIN_CERTIFICATE_UEFI_GUID structure is derived from
// WIN_CERTIFICATE and encapsulate the information needed to
// implement the digital signature algorithm
// Hdr.Hdr.wRevision = 0x0200
// Hdr.Hdr.wCertificateType = 0x0EF1; WIN_CERT_TYPE_EFI_GUID
// Hdr.CertType = EFI_CERT_TYPE_RSA2048_SHA256_GUID;
//
// Fields: Name Type Description
//----------------------------------------------------------------------------
// Hdr WIN_CERTIFICATE_UEFI_GUID encapsulate the information needed to implement the digital signature algorithm
// CertData EFI_CERT_BLOCK_RSA_2048_SHA256 Signature and Public key
//----------------------------------------------------------------------------
//<AMI_SHDR_END>
typedef struct {
WIN_CERTIFICATE_UEFI_GUID_1 Hdr; // 24
EFI_CERT_BLOCK_RSA_2048_SHA256 CertData; // 16+256+256
} AMI_CERTIFICATE_RSA2048_SHA256;
//(sizeof(AMI_CERTIFICATE_RSA2048_SHA256) == 552);
//<AMI_SHDR_START>
//----------------------------------------------------------------------------
// Name: FW_CERTIFICATE
//
// Description: Aptio FW Capsule certificate block
//
// Fields: Name Type Description
//----------------------------------------------------------------------------
// SignCert AMI_CERTIFICATE_RSA2048_SHA256 Certificate contains a signature of a Capsule's payload and Signer's public key
// RootCert EFI_CERT_BLOCK_RSA_2048_SHA256 Certificate contains a signature of a Signer's public key signed by the
// Root Key, whose public portion is also included into this certificate.
// For Aptio FW update process to succeed, either of these keys must match the instance of a Platform FW Key in the Flash.
//
//----------------------------------------------------------------------------
//<AMI_SHDR_END>
typedef struct {
AMI_CERTIFICATE_RSA2048_SHA256 SignCert; // 24+16+256+256
EFI_CERT_BLOCK_RSA_2048_SHA256 RootCert; // 16+256+256
} FW_CERTIFICATE;
//(sizeof(FW_CERTIFICATE) == 1112);
//<AMI_SHDR_START>
//----------------------------------------------------------------------------
// Name: APTIO_FW_CAPSULE_HEADER
//
// Description: Enhanced APTIO FW CAPSULE with certificate and the map of the modules in the
// capsule's volume to be included into the signature calculation
// Fields:
// Name Type Description
//----------------------------------------------------------------------------
// CapHdr EFI_CAPSULE_HEADER UEFI 2.0 Capsule Hdr. Use APTIO_FW_CAPSULE_2_GUID
// RomImageOffset UINT16 offset within the Fw Capsule header to the FW image
// RomLayoutOffset UINT16 offset to the FW discriptor table used for signature calculation
// FWCert FW_CERTIFICATE Certificate block. Format may change based on WIN_CERTIFICATE header Type.
// Hdr.CertType = EFI_CERT_TYPE_RSA2048_SHA256_GUID;
// Hdr.CertType = EFI_CERT_TYPE_PKCS7_GUID;
// ....
// RomAreaMap ROM_AREA
// ....
// Payload
//----------------------------------------------------------------------------
//<AMI_SHDR_END>
typedef struct {
EFI_CAPSULE_HEADER CapHdr;
UINT16 RomImageOffset;
UINT16 RomLayoutOffset;
FW_CERTIFICATE FWCert;
ROM_AREA RomAreaMap[1];
} APTIO_FW_CAPSULE_HEADER;
// CapHdr.Flags Extended FwCapsule GUID flags
// RSA Signature padding scheme:
// 0-PKCS1v5
// 1-PSS
#define CAPSULE_FLAGS_RSA_PSS_PADDING_SCHEME 0x00000001
// Blocks used for signing by Signing Certificate:
// 0-RomMap + Payload
// 1-FwCapHdr + RomMap + Payload
#define CAPSULE_FLAGS_CAPHDR_IN_SIGNCERT 0x00000002
// Blocks used for signing by Root Certificate:
// 0-FwCert.SignCert structure
// 1-FwCert.SignCert.PublicKey field
#define CAPSULE_FLAGS_SIGNKEY_IN_ROOTCERT 0x00000004
// Validity of the Signatures within FwCert block
// 0-Capsule Payload signatures are current in FwCert block
// 1-Capsule Payload Signatures are invalid
#define CAPSULE_FLAGS_FWCERTBLOCK_VALID 0x00000008
#pragma pack()
#endif
//**********************************************************************
//**********************************************************************
//** **
//** (C)Copyright 1985-2012 American Megatrends, Inc. **
//** **
//** All Rights Reserved. **
//** **
//** 5555 Oakbrook Pkwy, Suite 200, Norcross, GA 30093 **
//** **
//** Phone: (770)-246-8600 **
//** **
//**********************************************************************
//**********************************************************************
//**********************************************************************
|
