SecurityPkg: Remove Counter Based AuthVariable support
Remove counter-based auth variable support. Also modify several function descriptors to accommodate the change. Cc: Long Qin <qin.long@intel.com> Cc: Star Zeng <star.zeng@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Long Qin <qin.long@intel.com>
@@ -27,10 +27,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||
///
|
||||
/// Global database array for scratch
|
||||
///
|
||||
UINT8 *mPubKeyStore;
|
||||
UINT32 mPubKeyNumber;
|
||||
UINT32 mMaxKeyNumber;
|
||||
UINT32 mMaxKeyDbSize;
|
||||
UINT8 *mCertDbStore;
|
||||
UINT32 mMaxCertDbSize;
|
||||
UINT32 mPlatformMode;
|
||||
@@ -77,17 +73,6 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
|
||||
sizeof (UINT8)
|
||||
}
|
||||
},
|
||||
{
|
||||
&gEfiAuthenticatedVariableGuid,
|
||||
AUTHVAR_KEYDB_NAME,
|
||||
{
|
||||
VAR_CHECK_VARIABLE_PROPERTY_REVISION,
|
||||
VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,
|
||||
VARIABLE_ATTRIBUTE_NV_BS_RT_AW,
|
||||
sizeof (UINT8),
|
||||
MAX_UINTN
|
||||
}
|
||||
},
|
||||
{
|
||||
&gEfiCertDbGuid,
|
||||
EFI_CERT_DB_NAME,
|
||||
@@ -112,7 +97,7 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
|
||||
},
|
||||
};
|
||||
|
||||
VOID **mAuthVarAddressPointer[10];
|
||||
VOID **mAuthVarAddressPointer[9];
|
||||
|
||||
AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn = NULL;
|
||||
|
||||
@@ -138,7 +123,6 @@ AuthVariableLibInitialize (
|
||||
)
|
||||
{
|
||||
EFI_STATUS Status;
|
||||
UINT8 VarValue;
|
||||
UINT32 VarAttr;
|
||||
UINT8 *Data;
|
||||
UINTN DataSize;
|
||||
@@ -163,16 +147,6 @@ AuthVariableLibInitialize (
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
|
||||
//
|
||||
// Reserve runtime buffer for public key database. The size excludes variable header and name size.
|
||||
//
|
||||
mMaxKeyDbSize = (UINT32) (mAuthVarLibContextIn->MaxAuthVariableSize - sizeof (AUTHVAR_KEYDB_NAME));
|
||||
mMaxKeyNumber = mMaxKeyDbSize / sizeof (AUTHVAR_KEY_DB_DATA);
|
||||
mPubKeyStore = AllocateRuntimePool (mMaxKeyDbSize);
|
||||
if (mPubKeyStore == NULL) {
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
|
||||
//
|
||||
// Reserve runtime buffer for certificate database. The size excludes variable header and name size.
|
||||
// Use EFI_CERT_DB_VOLATILE_NAME size since it is longer.
|
||||
@@ -183,43 +157,6 @@ AuthVariableLibInitialize (
|
||||
return EFI_OUT_OF_RESOURCES;
|
||||
}
|
||||
|
||||
//
|
||||
// Check "AuthVarKeyDatabase" variable's existence.
|
||||
// If it doesn't exist, create a new one with initial value of 0 and EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
|
||||
//
|
||||
Status = AuthServiceInternalFindVariable (
|
||||
AUTHVAR_KEYDB_NAME,
|
||||
&gEfiAuthenticatedVariableGuid,
|
||||
(VOID **) &Data,
|
||||
&DataSize
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
|
||||
VarValue = 0;
|
||||
mPubKeyNumber = 0;
|
||||
Status = AuthServiceInternalUpdateVariable (
|
||||
AUTHVAR_KEYDB_NAME,
|
||||
&gEfiAuthenticatedVariableGuid,
|
||||
&VarValue,
|
||||
sizeof(UINT8),
|
||||
VarAttr
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
} else {
|
||||
//
|
||||
// Load database in global variable for cache.
|
||||
//
|
||||
ASSERT ((DataSize != 0) && (Data != NULL));
|
||||
//
|
||||
// "AuthVarKeyDatabase" is an internal variable. Its DataSize is always ensured not to exceed mPubKeyStore buffer size(See definition before)
|
||||
// Therefore, there is no memory overflow in underlying CopyMem.
|
||||
//
|
||||
CopyMem (mPubKeyStore, (UINT8 *) Data, DataSize);
|
||||
mPubKeyNumber = (UINT32) (DataSize / sizeof (AUTHVAR_KEY_DB_DATA));
|
||||
}
|
||||
|
||||
Status = AuthServiceInternalFindVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
|
||||
if (EFI_ERROR (Status)) {
|
||||
DEBUG ((EFI_D_INFO, "Variable %s does not exist.\n", EFI_PLATFORM_KEY_NAME));
|
||||
@@ -422,16 +359,15 @@ AuthVariableLibInitialize (
|
||||
AuthVarLibContextOut->StructSize = sizeof (AUTH_VAR_LIB_CONTEXT_OUT);
|
||||
AuthVarLibContextOut->AuthVarEntry = mAuthVarEntry;
|
||||
AuthVarLibContextOut->AuthVarEntryCount = ARRAY_SIZE (mAuthVarEntry);
|
||||
mAuthVarAddressPointer[0] = (VOID **) &mPubKeyStore;
|
||||
mAuthVarAddressPointer[1] = (VOID **) &mCertDbStore;
|
||||
mAuthVarAddressPointer[2] = (VOID **) &mHashCtx;
|
||||
mAuthVarAddressPointer[3] = (VOID **) &mAuthVarLibContextIn;
|
||||
mAuthVarAddressPointer[4] = (VOID **) &(mAuthVarLibContextIn->FindVariable),
|
||||
mAuthVarAddressPointer[5] = (VOID **) &(mAuthVarLibContextIn->FindNextVariable),
|
||||
mAuthVarAddressPointer[6] = (VOID **) &(mAuthVarLibContextIn->UpdateVariable),
|
||||
mAuthVarAddressPointer[7] = (VOID **) &(mAuthVarLibContextIn->GetScratchBuffer),
|
||||
mAuthVarAddressPointer[8] = (VOID **) &(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
|
||||
mAuthVarAddressPointer[9] = (VOID **) &(mAuthVarLibContextIn->AtRuntime),
|
||||
mAuthVarAddressPointer[0] = (VOID **) &mCertDbStore;
|
||||
mAuthVarAddressPointer[1] = (VOID **) &mHashCtx;
|
||||
mAuthVarAddressPointer[2] = (VOID **) &mAuthVarLibContextIn;
|
||||
mAuthVarAddressPointer[3] = (VOID **) &(mAuthVarLibContextIn->FindVariable),
|
||||
mAuthVarAddressPointer[4] = (VOID **) &(mAuthVarLibContextIn->FindNextVariable),
|
||||
mAuthVarAddressPointer[5] = (VOID **) &(mAuthVarLibContextIn->UpdateVariable),
|
||||
mAuthVarAddressPointer[6] = (VOID **) &(mAuthVarLibContextIn->GetScratchBuffer),
|
||||
mAuthVarAddressPointer[7] = (VOID **) &(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
|
||||
mAuthVarAddressPointer[8] = (VOID **) &(mAuthVarLibContextIn->AtRuntime),
|
||||
AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;
|
||||
AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE (mAuthVarAddressPointer);
|
||||
|
||||
@@ -439,7 +375,7 @@ AuthVariableLibInitialize (
|
||||
}
|
||||
|
||||
/**
|
||||
Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
|
||||
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
|
||||
|
||||
@param[in] VariableName Name of the variable.
|
||||
@param[in] VendorGuid Variable vendor GUID.
|
||||
@@ -452,8 +388,7 @@ AuthVariableLibInitialize (
|
||||
@retval EFI_INVALID_PARAMETER Invalid parameter.
|
||||
@retval EFI_WRITE_PROTECTED Variable is write-protected.
|
||||
@retval EFI_OUT_OF_RESOURCES There is not enough resource.
|
||||
@retval EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
|
||||
or EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACESS
|
||||
@retval EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACESS
|
||||
set, but the AuthInfo does NOT pass the validation
|
||||
check carried out by the firmware.
|
||||
@retval EFI_UNSUPPORTED Unsupported to process authenticated variable.
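Review bot: Dropping the `AUTHVAR_KEYDB_NAME` entry from `mAuthVarEntry` and the find-or-create block in `AuthVariableLibInitialize` leaves nothing on this page that handles an `AuthVarKeyDatabase` variable already stored by earlier firmware, so after an update that variable would no longer get the `VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY` property that was registered here. Whether such leftover data, or existing variables created with `EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS`, are rejected or cleaned up is decided in code outside these hunks, so it is worth confirming and stating in the function header what happens to them. Separately, the re-indexed assignments `mAuthVarAddressPointer[3]` through `[8]` still end in `,` rather than `;`, which chains them and the following `AddressPointer` assignment into one comma expression; ending each with `;`, e.g. `mAuthVarAddressPointer[3] = (VOID **) &(mAuthVarLibContextIn->FindVariable);`, makes the table safer to renumber the next time the hard-coded `[9]` changes. The bodies of `AuthVariableLibInitialize` and of the documented function continue outside the hunks.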
|
||||
|