SecurityPkg: Remove Counter Based AuthVariable support

Remove counter based auth variable support. also modify several function
descriptors to accommodate the change

Cc: Long Qin <qin.long@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
This commit is contained in:
Zhang, Chao B
2017-10-24 14:52:10 +08:00
parent b5cbef4eff
commit 0130fddeb3
6 changed files with 37 additions and 628 deletions

View File

@@ -58,35 +58,6 @@ typedef enum {
AuthVarTypePayload
} AUTHVAR_TYPE;
///
/// "AuthVarKeyDatabase" variable for the Public Key store
/// of variables with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
///
/// GUID: gEfiAuthenticatedVariableGuid
///
/// We need maintain atomicity.
///
/// Format:
/// +----------------------------+
/// | AUTHVAR_KEY_DB_DATA | <-- First AuthVarKey
/// +----------------------------+
/// | ...... |
/// +----------------------------+
/// | AUTHVAR_KEY_DB_DATA | <-- Last AuthKey
/// +----------------------------+
///
#define AUTHVAR_KEYDB_NAME L"AuthVarKeyDatabase"
#define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256
#define EFI_CERT_TYPE_RSA2048_SIZE 256
#pragma pack(1)
typedef struct {
UINT32 KeyIndex;
UINT8 KeyData[EFI_CERT_TYPE_RSA2048_SIZE];
} AUTHVAR_KEY_DB_DATA;
#pragma pack()
///
/// "certdb" variable stores the signer's certificates for non PK/KEK/DB/DBX
/// variables with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS|EFI_VARIABLE_NON_VOLATILE set.
@@ -122,10 +93,6 @@ typedef struct {
} AUTH_CERT_DB_DATA;
#pragma pack()
extern UINT8 *mPubKeyStore;
extern UINT32 mPubKeyNumber;
extern UINT32 mMaxKeyNumber;
extern UINT32 mMaxKeyDbSize;
extern UINT8 *mCertDbStore;
extern UINT32 mMaxCertDbSize;
extern UINT32 mPlatformMode;
@@ -295,7 +262,7 @@ ProcessVarWithKek (
);
/**
Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
@@ -312,9 +279,9 @@ ProcessVarWithKek (
@return EFI_INVALID_PARAMETER Invalid parameter.
@return EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
@return EFI_OUT_OF_RESOURCES The Database to save the public key is full.
@return EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
@return EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
set, but the AuthInfo does NOT pass the validation
check carried out by the firmware.
@return EFI_SUCCESS Variable is not write-protected or pass validation successfully.
@@ -379,34 +346,6 @@ AuthServiceInternalUpdateVariable (
IN UINT32 Attributes
);
/**
Update the variable region with Variable information.
@param[in] VariableName Name of variable.
@param[in] VendorGuid Guid of variable.
@param[in] Data Data pointer.
@param[in] DataSize Size of Data.
@param[in] Attributes Attribute value of the variable.
@param[in] KeyIndex Index of associated public key.
@param[in] MonotonicCount Value of associated monotonic count.
@retval EFI_SUCCESS The update operation is success.
@retval EFI_INVALID_PARAMETER Invalid parameter.
@retval EFI_WRITE_PROTECTED Variable is write-protected.
@retval EFI_OUT_OF_RESOURCES There is not enough resource.
**/
EFI_STATUS
AuthServiceInternalUpdateVariableWithMonotonicCount (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
IN VOID *Data,
IN UINTN DataSize,
IN UINT32 Attributes,
IN UINT32 KeyIndex,
IN UINT64 MonotonicCount
);
/**
Update the variable region with Variable information.