sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update UID drivers to align with latest UEFI spec 2.3.1.

Browse Source 
Signed-off-by: gdong1
Reviewed-by: tye
Reviewed-by: qianouyang

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12567 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
gdong1
2011-10-26 02:03:57 +00:00
parent 5f4ef94a55
commit 0c5b25f021
10 changed files with 1333 additions and 1699 deletions
Download Patch File Download Diff File Expand all files Collapse all files

702
SecurityPkg/UserIdentification/UserProfileManagerDxe/ModifyAccessPolicy.c Normal file
View File

@@ -0,0 +1,702 @@
/** @file
The functions for access policy modification.
Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "UserProfileManager.h"
/**
Collect all the access policy data to mUserInfo.AccessPolicy,
and save it to user profile.
**/
VOID
SaveAccessPolicy (
VOID
)
{
EFI_STATUS Status;
UINTN OffSet;
UINTN Size;
EFI_USER_INFO_ACCESS_CONTROL Control;
EFI_USER_INFO_HANDLE UserInfo;
EFI_USER_INFO *Info;
if (mUserInfo.AccessPolicy != NULL) {
FreePool (mUserInfo.AccessPolicy);
}
mUserInfo.AccessPolicy = NULL;
mUserInfo.AccessPolicyLen = 0;
mUserInfo.AccessPolicyModified = TRUE;
OffSet = 0;
//
// Save access right.
//
Size = sizeof (EFI_USER_INFO_ACCESS_CONTROL);
if (mUserInfo.AccessPolicyLen - OffSet < Size) {
ExpandMemory (OffSet, Size);
}
Control.Type = mAccessInfo.AccessRight;
Control.Size = (UINT32) Size;
CopyMem (mUserInfo.AccessPolicy + OffSet, &Control, sizeof (Control));
OffSet += sizeof (Control);
//
// Save access setup.
//
Size = sizeof (EFI_USER_INFO_ACCESS_CONTROL) + sizeof (EFI_GUID);
if (mUserInfo.AccessPolicyLen - OffSet < Size) {
ExpandMemory (OffSet, Size);
}
Control.Type = EFI_USER_INFO_ACCESS_SETUP;
Control.Size = (UINT32) Size;
CopyMem (mUserInfo.AccessPolicy + OffSet, &Control, sizeof (Control));
OffSet += sizeof (Control);
if (mAccessInfo.AccessSetup == ACCESS_SETUP_NORMAL) {
CopyGuid ((EFI_GUID *) (mUserInfo.AccessPolicy + OffSet), &gEfiUserInfoAccessSetupNormalGuid);
} else if (mAccessInfo.AccessSetup == ACCESS_SETUP_RESTRICTED) {
CopyGuid ((EFI_GUID *) (mUserInfo.AccessPolicy + OffSet), &gEfiUserInfoAccessSetupRestrictedGuid);
} else if (mAccessInfo.AccessSetup == ACCESS_SETUP_ADMIN) {
CopyGuid ((EFI_GUID *) (mUserInfo.AccessPolicy + OffSet), &gEfiUserInfoAccessSetupAdminGuid);
}
OffSet += sizeof (EFI_GUID);
//
// Save access of boot order.
//
Size = sizeof (EFI_USER_INFO_ACCESS_CONTROL) + sizeof (UINT32);
if (mUserInfo.AccessPolicyLen - OffSet < Size) {
ExpandMemory (OffSet, Size);
}
Control.Type = EFI_USER_INFO_ACCESS_BOOT_ORDER;
Control.Size = (UINT32) Size;
CopyMem (mUserInfo.AccessPolicy + OffSet, &Control, sizeof (Control));
OffSet += sizeof (Control);
CopyMem ((UINT8 *) (mUserInfo.AccessPolicy + OffSet), &mAccessInfo.AccessBootOrder, sizeof (UINT32));
OffSet += sizeof (UINT32);
//
// Save permit load.
//
if (mAccessInfo.LoadPermitLen > 0) {
Size = sizeof (EFI_USER_INFO_ACCESS_CONTROL) + mAccessInfo.LoadPermitLen;
if (mUserInfo.AccessPolicyLen - OffSet < Size) {
ExpandMemory (OffSet, Size);
}
Control.Type = EFI_USER_INFO_ACCESS_PERMIT_LOAD;
Control.Size = (UINT32) Size;
CopyMem (mUserInfo.AccessPolicy + OffSet, &Control, sizeof (Control));
OffSet += sizeof (Control);
CopyMem (mUserInfo.AccessPolicy + OffSet, mAccessInfo.LoadPermit, mAccessInfo.LoadPermitLen);
OffSet += mAccessInfo.LoadPermitLen;
}
//
// Save forbid load.
//
if (mAccessInfo.LoadForbidLen > 0) {
Size = sizeof (EFI_USER_INFO_ACCESS_CONTROL) + mAccessInfo.LoadForbidLen;
if (mUserInfo.AccessPolicyLen - OffSet < Size) {
ExpandMemory (OffSet, Size);
}
Control.Type = EFI_USER_INFO_ACCESS_FORBID_LOAD;
Control.Size = (UINT32) Size;
CopyMem (mUserInfo.AccessPolicy + OffSet, &Control, sizeof (Control));
OffSet += sizeof (Control);
CopyMem (mUserInfo.AccessPolicy + OffSet, mAccessInfo.LoadForbid, mAccessInfo.LoadForbidLen);
OffSet += mAccessInfo.LoadForbidLen;
}
//
// Save permit connect.
//
if (mAccessInfo.ConnectPermitLen > 0) {
Size = sizeof (EFI_USER_INFO_ACCESS_CONTROL) + mAccessInfo.ConnectPermitLen;
if (mUserInfo.AccessPolicyLen - OffSet < Size) {
ExpandMemory (OffSet, Size);
}
Control.Type = EFI_USER_INFO_ACCESS_PERMIT_CONNECT;
Control.Size = (UINT32) Size;
CopyMem (mUserInfo.AccessPolicy + OffSet, &Control, sizeof (Control));
OffSet += sizeof (Control);
CopyMem (mUserInfo.AccessPolicy + OffSet, mAccessInfo.ConnectPermit, mAccessInfo.ConnectPermitLen);
OffSet += mAccessInfo.ConnectPermitLen;
}
//
// Save forbid connect.
//
if (mAccessInfo.ConnectForbidLen > 0) {
Size = sizeof (EFI_USER_INFO_ACCESS_CONTROL) + mAccessInfo.ConnectForbidLen;
if (mUserInfo.AccessPolicyLen - OffSet < Size) {
ExpandMemory (OffSet, Size);
}
Control.Type = EFI_USER_INFO_ACCESS_FORBID_CONNECT;
Control.Size = (UINT32) Size;
CopyMem (mUserInfo.AccessPolicy + OffSet, &Control, sizeof (Control));
OffSet += sizeof (Control);
CopyMem (mUserInfo.AccessPolicy + OffSet, mAccessInfo.ConnectForbid, mAccessInfo.ConnectForbidLen);
OffSet += mAccessInfo.ConnectForbidLen;
}
mUserInfo.AccessPolicyLen = OffSet;
//
// Save access policy.
//
if (mUserInfo.AccessPolicyModified && (mUserInfo.AccessPolicyLen > 0)) {
Info = AllocateZeroPool (sizeof (EFI_USER_INFO) + mUserInfo.AccessPolicyLen);
if (Info == NULL) {
return ;
}
Status = FindInfoByType (mModifyUser, EFI_USER_INFO_ACCESS_POLICY_RECORD, &UserInfo);
if (!EFI_ERROR (Status)) {
Info->InfoType = EFI_USER_INFO_ACCESS_POLICY_RECORD;
Info->InfoAttribs = EFI_USER_INFO_STORAGE_PLATFORM_NV |
EFI_USER_INFO_PUBLIC |
EFI_USER_INFO_EXCLUSIVE;
Info->InfoSize = (UINT32) (sizeof (EFI_USER_INFO) + mUserInfo.AccessPolicyLen);
CopyMem ((UINT8 *) (Info + 1), mUserInfo.AccessPolicy, mUserInfo.AccessPolicyLen);
Status = mUserManager->SetInfo (
mUserManager,
mModifyUser,
&UserInfo,
Info,
Info->InfoSize
);
mUserInfo.AccessPolicyModified = FALSE;
}
FreePool (Info);
}
if (mAccessInfo.ConnectForbid != NULL) {
FreePool (mAccessInfo.ConnectForbid);
mAccessInfo.ConnectForbid = NULL;
}
if (mAccessInfo.ConnectPermit != NULL) {
FreePool (mAccessInfo.ConnectPermit);
mAccessInfo.ConnectPermit = NULL;
}
if (mAccessInfo.LoadForbid != NULL) {
FreePool (mAccessInfo.LoadForbid);
mAccessInfo.LoadForbid = NULL;
}
if (mAccessInfo.LoadPermit != NULL) {
FreePool (mAccessInfo.LoadPermit);
mAccessInfo.LoadPermit = NULL;
}
}
/**
Create an action OpCode with QuestionID and DevicePath on a given OpCodeHandle.
@param[in] QuestionID The question ID.
@param[in] DevicePath Points to device path.
@param[in] OpCodeHandle Points to container for dynamic created opcodes.
**/
VOID
AddDevicePath (
IN UINTN QuestionID,
IN EFI_DEVICE_PATH_PROTOCOL *DevicePath,
IN VOID *OpCodeHandle
)
{
EFI_STATUS Status;
EFI_DEVICE_PATH_PROTOCOL *Next;
EFI_STRING_ID NameID;
EFI_STRING DriverName;
EFI_DEVICE_PATH_TO_TEXT_PROTOCOL *DevicePathText;
//
// Locate device path to text protocol.
//
Status = gBS->LocateProtocol (
&gEfiDevicePathToTextProtocolGuid,
NULL,
(VOID **) &DevicePathText
);
if (EFI_ERROR (Status)) {
return ;
}
//
// Get driver file name node.
//
Next = DevicePath;
while (!IsDevicePathEnd (Next)) {
DevicePath = Next;
Next = NextDevicePathNode (Next);
}
//
// Display the device path in form.
//
DriverName = DevicePathText->ConvertDevicePathToText (DevicePath, FALSE, FALSE);
NameID = HiiSetString (mCallbackInfo->HiiHandle, 0, DriverName, NULL);
FreePool (DriverName);
if (NameID == 0) {
return ;
}
HiiCreateActionOpCode (
OpCodeHandle, // Container for dynamic created opcodes
(UINT16) QuestionID, // Question ID
NameID, // Prompt text
STRING_TOKEN (STR_NULL_STRING), // Help text
EFI_IFR_FLAG_CALLBACK, // Question flag
0 // Action String ID
);
}
/**
Check whether the DevicePath is in the device path forbid list
(mAccessInfo.LoadForbid).
@param[in] DevicePath Points to device path.
@retval TRUE The DevicePath is in the device path forbid list.
@retval FALSE The DevicePath is not in the device path forbid list.
**/
BOOLEAN
IsLoadForbidden (
IN EFI_DEVICE_PATH_PROTOCOL *DevicePath
)
{
UINTN OffSet;
UINTN DPSize;
UINTN Size;
EFI_DEVICE_PATH_PROTOCOL *Dp;
OffSet = 0;
Size = GetDevicePathSize (DevicePath);
//
// Check each device path.
//
while (OffSet < mAccessInfo.LoadForbidLen) {
Dp = (EFI_DEVICE_PATH_PROTOCOL *) (mAccessInfo.LoadForbid + OffSet);
DPSize = GetDevicePathSize (Dp);
//
// Compare device path.
//
if ((DPSize == Size) && (CompareMem (DevicePath, Dp, Size) == 0)) {
return TRUE;
}
OffSet += DPSize;
}
return FALSE;
}
/**
Display the permit load device path in the loadable device path list.
**/
VOID
DisplayLoadPermit(
VOID
)
{
EFI_STATUS Status;
CHAR16 *Order;
UINTN OrderSize;
UINTN ListCount;
UINTN Index;
UINT8 *Var;
UINT8 *VarPtr;
CHAR16 VarName[12];
VOID *StartOpCodeHandle;
VOID *EndOpCodeHandle;
EFI_IFR_GUID_LABEL *StartLabel;
EFI_IFR_GUID_LABEL *EndLabel;
//
// Get DriverOrder.
//
OrderSize = 0;
Status = gRT->GetVariable (
L"DriverOrder",
&gEfiGlobalVariableGuid,
NULL,
&OrderSize,
NULL
);
if (Status != EFI_BUFFER_TOO_SMALL) {
return ;
}
Order = AllocateZeroPool (OrderSize);
if (Order == NULL) {
return ;
}
Status = gRT->GetVariable (
L"DriverOrder",
&gEfiGlobalVariableGuid,
NULL,
&OrderSize,
Order
);
if (EFI_ERROR (Status)) {
return ;
}
//
// Initialize the container for dynamic opcodes.
//
StartOpCodeHandle = HiiAllocateOpCodeHandle ();
ASSERT (StartOpCodeHandle != NULL);
EndOpCodeHandle = HiiAllocateOpCodeHandle ();
ASSERT (EndOpCodeHandle != NULL);
//
// Create Hii Extend Label OpCode.
//
StartLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
StartOpCodeHandle,
&gEfiIfrTianoGuid,
NULL,
sizeof (EFI_IFR_GUID_LABEL)
);
StartLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
StartLabel->Number = LABEL_PERMIT_LOAD_FUNC;
EndLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
EndOpCodeHandle,
&gEfiIfrTianoGuid,
NULL,
sizeof (EFI_IFR_GUID_LABEL)
);
EndLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
EndLabel->Number = LABEL_END;
//
// Add each driver option.
//
Var = NULL;
ListCount = OrderSize / sizeof (UINT16);
for (Index = 0; Index < ListCount; Index++) {
//
// Get driver device path.
//
UnicodeSPrint (VarName, sizeof (VarName), L"Driver%04x", Order[Index]);
Var = GetEfiGlobalVariable (VarName);
if (Var == NULL) {
continue;
}
//
// Check whether the driver is already forbidden.
//
VarPtr = Var;
//
// Skip attribute.
//
VarPtr += sizeof (UINT32);
//
// Skip device path lenth.
//
VarPtr += sizeof (UINT16);
//
// Skip descript string.
//
VarPtr += StrSize ((UINT16 *) VarPtr);
if (IsLoadForbidden ((EFI_DEVICE_PATH_PROTOCOL *) VarPtr)) {
FreePool (Var);
Var = NULL;
continue;
}
AddDevicePath (
KEY_MODIFY_USER | KEY_MODIFY_AP_DP | KEY_LOAD_PERMIT_MODIFY | Order[Index],
(EFI_DEVICE_PATH_PROTOCOL *) VarPtr,
StartOpCodeHandle
);
FreePool (Var);
Var = NULL;
}
HiiUpdateForm (
mCallbackInfo->HiiHandle, // HII handle
&gUserProfileManagerGuid, // Formset GUID
FORMID_PERMIT_LOAD_DP, // Form ID
StartOpCodeHandle, // Label for where to insert opcodes
EndOpCodeHandle // Replace data
);
HiiFreeOpCodeHandle (StartOpCodeHandle);
HiiFreeOpCodeHandle (EndOpCodeHandle);
//
// Clear Environment.
//
if (Var != NULL) {
FreePool (Var);
}
FreePool (Order);
}
/**
Display the forbid load device path list (mAccessInfo.LoadForbid).
**/
VOID
DisplayLoadForbid (
VOID
)
{
UINTN Offset;
UINTN DPSize;
UINTN Index;
EFI_DEVICE_PATH_PROTOCOL *Dp;
VOID *StartOpCodeHandle;
VOID *EndOpCodeHandle;
EFI_IFR_GUID_LABEL *StartLabel;
EFI_IFR_GUID_LABEL *EndLabel;
//
// Initialize the container for dynamic opcodes.
//
StartOpCodeHandle = HiiAllocateOpCodeHandle ();
ASSERT (StartOpCodeHandle != NULL);
EndOpCodeHandle = HiiAllocateOpCodeHandle ();
ASSERT (EndOpCodeHandle != NULL);
//
// Create Hii Extend Label OpCode.
//
StartLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
StartOpCodeHandle,
&gEfiIfrTianoGuid,
NULL,
sizeof (EFI_IFR_GUID_LABEL)
);
StartLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
StartLabel->Number = LABLE_FORBID_LOAD_FUNC;
EndLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
EndOpCodeHandle,
&gEfiIfrTianoGuid,
NULL,
sizeof (EFI_IFR_GUID_LABEL)
);
EndLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
EndLabel->Number = LABEL_END;
//
// Add each forbid load drivers.
//
Offset = 0;
Index = 0;
while (Offset < mAccessInfo.LoadForbidLen) {
Dp = (EFI_DEVICE_PATH_PROTOCOL *) (mAccessInfo.LoadForbid + Offset);
DPSize = GetDevicePathSize (Dp);
AddDevicePath (
KEY_MODIFY_USER | KEY_MODIFY_AP_DP | KEY_LOAD_FORBID_MODIFY | Index,
Dp,
StartOpCodeHandle
);
Index++;
Offset += DPSize;
}
HiiUpdateForm (
mCallbackInfo->HiiHandle, // HII handle
&gUserProfileManagerGuid, // Formset GUID
FORMID_FORBID_LOAD_DP, // Form ID
StartOpCodeHandle, // Label for where to insert opcodes
EndOpCodeHandle // Replace data
);
HiiFreeOpCodeHandle (StartOpCodeHandle);
HiiFreeOpCodeHandle (EndOpCodeHandle);
}
/**
Display the permit connect device path.
**/
VOID
DisplayConnectPermit (
VOID
)
{
//
// Note:
// As no architect protocol/interface to be called in ConnectController()
// to verify the device path, just add a place holder for permitted connect
// device path.
//
}
/**
Display the forbid connect device path list.
**/
VOID
DisplayConnectForbid (
VOID
)
{
//
// Note:
// As no architect protocol/interface to be called in ConnectController()
// to verify the device path, just add a place holder for forbidden connect
// device path.
//
}
/**
Delete the specified device path by DriverIndex from the forbid device path
list (mAccessInfo.LoadForbid).
@param[in] DriverIndex The index of driver in forbidden device path list.
**/
VOID
DeleteFromForbidLoad (
IN UINT16 DriverIndex
)
{
UINTN OffSet;
UINTN DPSize;
UINTN OffLen;
EFI_DEVICE_PATH_PROTOCOL *Dp;
OffSet = 0;
//
// Find the specified device path.
//
while ((OffSet < mAccessInfo.LoadForbidLen) && (DriverIndex > 0)) {
Dp = (EFI_DEVICE_PATH_PROTOCOL *) (mAccessInfo.LoadForbid + OffSet);
DPSize = GetDevicePathSize (Dp);
OffSet += DPSize;
DriverIndex--;
}
//
// Specified device path found.
//
if (DriverIndex == 0) {
Dp = (EFI_DEVICE_PATH_PROTOCOL *) (mAccessInfo.LoadForbid + OffSet);
DPSize = GetDevicePathSize (Dp);
OffLen = mAccessInfo.LoadForbidLen - OffSet - DPSize;
if (OffLen > 0) {
CopyMem (
mAccessInfo.LoadForbid + OffSet,
mAccessInfo.LoadForbid + OffSet + DPSize,
OffLen
);
}
mAccessInfo.LoadForbidLen -= DPSize;
}
}
/**
Add the specified device path by DriverIndex to the forbid device path
list (mAccessInfo.LoadForbid).
@param[in] DriverIndex The index of driver saved in driver options.
**/
VOID
AddToForbidLoad (
IN UINT16 DriverIndex
)
{
UINTN DevicePathLen;
UINT8 *Var;
UINT8 *VarPtr;
UINTN NewLen;
UINT8 *NewFL;
CHAR16 VarName[13];
//
// Get loadable driver device path.
//
UnicodeSPrint (VarName, sizeof (VarName), L"Driver%04x", DriverIndex);
Var = GetEfiGlobalVariable (VarName);
if (Var == NULL) {
return;
}
//
// Save forbid load driver.
//
VarPtr = Var;
//
// Skip attribute.
//
VarPtr += sizeof (UINT32);
DevicePathLen = *(UINT16 *) VarPtr;
//
// Skip device path length.
//
VarPtr += sizeof (UINT16);
//
// Skip description string.
//
VarPtr += StrSize ((UINT16 *) VarPtr);
NewLen = mAccessInfo.LoadForbidLen + DevicePathLen;
NewFL = AllocateZeroPool (NewLen);
if (NewFL == NULL) {
FreePool (Var);
return ;
}
if (mAccessInfo.LoadForbidLen > 0) {
CopyMem (NewFL, mAccessInfo.LoadForbid, mAccessInfo.LoadForbidLen);
FreePool (mAccessInfo.LoadForbid);
}
CopyMem (NewFL + mAccessInfo.LoadForbidLen, VarPtr, DevicePathLen);
mAccessInfo.LoadForbidLen = NewLen;
mAccessInfo.LoadForbid = NewFL;
FreePool (Var);
}

518
SecurityPkg/UserIdentification/UserProfileManagerDxe/ModifyIdentityPolicy.c Normal file
View File

@@ -0,0 +1,518 @@
/** @file
The functions for identification policy modification.
Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "UserProfileManager.h"
/**
Verify the new identity policy in the current implementation. The same credential
provider can't appear twice in one identity policy.
@param[in] NewGuid Points to the credential provider guid.
@retval TRUE The NewGuid was found in the identity policy.
@retval FALSE The NewGuid was not found.
**/
BOOLEAN
ProviderAlreadyInPolicy (
IN EFI_GUID *NewGuid
)
{
UINTN Offset;
EFI_USER_INFO_IDENTITY_POLICY *Identity;
EFI_INPUT_KEY Key;
Offset = 0;
while (Offset < mUserInfo.NewIdentityPolicyLen) {
Identity = (EFI_USER_INFO_IDENTITY_POLICY *) (mUserInfo.NewIdentityPolicy + Offset);
if (Identity->Type == EFI_USER_INFO_IDENTITY_CREDENTIAL_PROVIDER) {
if (CompareGuid (NewGuid, (EFI_GUID *) (Identity + 1))) {
CreatePopUp (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key,
L"This Credential Provider Are Already Used!",
L"",
L"Press Any Key to Continue ...",
NULL
);
return TRUE;
}
}
Offset += Identity->Length;
}
return FALSE;
}
/**
Add or delete the user's credential record in the provider.
@param[in] ProviderGuid Point to credential provider guid.
@param[in] User Points to user profile.
@retval EFI_SUCCESS Add or delete record successfully.
@retval Others Fail to add or delete record.
**/
EFI_STATUS
EnrollUserOnProvider (
IN EFI_USER_INFO_IDENTITY_POLICY *Identity,
IN EFI_USER_PROFILE_HANDLE User
)
{
UINTN Index;
EFI_USER_CREDENTIAL2_PROTOCOL *UserCredential;
//
// Find the specified credential provider.
//
for (Index = 0; Index < mProviderInfo->Count; Index++) {
UserCredential = mProviderInfo->Provider[Index];
if (CompareGuid ((EFI_GUID *)(Identity + 1), &UserCredential->Identifier)) {
return UserCredential->Enroll (UserCredential, User);
}
}
return EFI_NOT_FOUND;
}
/**
Delete the User's credential record on the provider.
@param[in] Identity Point to EFI_USER_INFO_IDENTITY_CREDENTIAL_PROVIDER user info.
@param[in] User Points to user profile.
@retval EFI_SUCCESS Delete User's credential record successfully.
@retval Others Fail to add or delete record.
**/
EFI_STATUS
DeleteUserOnProvider (
IN EFI_USER_INFO_IDENTITY_POLICY *Identity,
IN EFI_USER_PROFILE_HANDLE User
)
{
UINTN Index;
EFI_USER_CREDENTIAL2_PROTOCOL *UserCredential;
//
// Find the specified credential provider.
//
for (Index = 0; Index < mProviderInfo->Count; Index++) {
UserCredential = mProviderInfo->Provider[Index];
if (CompareGuid ((EFI_GUID *)(Identity + 1), &UserCredential->Identifier)) {
return UserCredential->Delete (UserCredential, User);
}
}
return EFI_NOT_FOUND;
}
/**
Delete User's credental from all the providers that exist in User's identity policy.
@param[in] IdentityPolicy Point to User's identity policy.
@param[in] IdentityPolicyLen The length of the identity policy.
@param[in] User Points to user profile.
**/
VOID
DeleteCredentialFromProviders (
IN UINT8 *IdentityPolicy,
IN UINTN IdentityPolicyLen,
IN EFI_USER_PROFILE_HANDLE User
)
{
EFI_USER_INFO_IDENTITY_POLICY *Identity;
UINTN Offset;
Offset = 0;
while (Offset < IdentityPolicyLen) {
Identity = (EFI_USER_INFO_IDENTITY_POLICY *) (IdentityPolicy + Offset);
if (Identity->Type == EFI_USER_INFO_IDENTITY_CREDENTIAL_PROVIDER) {
//
// Delete the user on this provider.
//
DeleteUserOnProvider (Identity, User);
}
Offset += Identity->Length;
}
}
/**
Remove the provider in FindIdentity from the user identification information record.
@param[in, out] NewInfo On entry, points to the user information to remove provider.
On return, points to the user information the provider is removed.
@param[in] FindIdentity Point to the user identity policy.
@retval TRUE The provider is removed successfully.
@retval FALSE Fail to remove the provider.
**/
BOOLEAN
DeleteProviderFromPolicy (
IN EFI_USER_INFO_IDENTITY_POLICY *IdentityPolicy,
IN UINTN Offset
)
{
UINTN RemainingLen;
UINTN DeleteLen;
if (IdentityPolicy->Length == mUserInfo.NewIdentityPolicyLen) {
//
// Only one credential provider in the identification policy.
// Set the new policy to be TRUE after removed the provider.
//
IdentityPolicy->Type = EFI_USER_INFO_IDENTITY_TRUE;
IdentityPolicy->Length = sizeof (EFI_USER_INFO_IDENTITY_POLICY);
mUserInfo.NewIdentityPolicyLen = IdentityPolicy->Length;
return TRUE;
}
DeleteLen = IdentityPolicy->Length + sizeof(EFI_USER_INFO_IDENTITY_POLICY);
if ((Offset + IdentityPolicy->Length) != mUserInfo.NewIdentityPolicyLen) {
//
// This provider is not the last item in the identification policy, delete it and the connector.
//
RemainingLen = mUserInfo.NewIdentityPolicyLen - Offset - DeleteLen;
CopyMem ((UINT8 *) IdentityPolicy, (UINT8 *) IdentityPolicy + DeleteLen, RemainingLen);
}
mUserInfo.NewIdentityPolicyLen -= DeleteLen;
return FALSE;
}
/**
Update the mUserInfo.NewIdentityPolicy, and UI when 'add option' is pressed.
**/
VOID
AddProviderToPolicy (
IN EFI_GUID *NewGuid
)
{
UINT8 *NewPolicyInfo;
UINTN NewPolicyInfoLen;
EFI_USER_INFO_IDENTITY_POLICY *Policy;
//
// Allocate memory for the new identity policy.
//
NewPolicyInfoLen = mUserInfo.NewIdentityPolicyLen + sizeof (EFI_USER_INFO_IDENTITY_POLICY) + sizeof (EFI_GUID);
if (mUserInfo.NewIdentityPolicyLen > 0) {
//
// It is not the first provider in the policy. Add a connector before provider.
//
NewPolicyInfoLen += sizeof (EFI_USER_INFO_IDENTITY_POLICY);
}
NewPolicyInfo = AllocateZeroPool (NewPolicyInfoLen);
if (NewPolicyInfo == NULL) {
return ;
}
NewPolicyInfoLen = 0;
if (mUserInfo.NewIdentityPolicyLen > 0) {
//
// Save orginal policy.
//
CopyMem (NewPolicyInfo, mUserInfo.NewIdentityPolicy, mUserInfo.NewIdentityPolicyLen);
//
// Save logical connector.
//
Policy = (EFI_USER_INFO_IDENTITY_POLICY *) (NewPolicyInfo + mUserInfo.NewIdentityPolicyLen);
if (mConncetLogical == 0) {
Policy->Type = EFI_USER_INFO_IDENTITY_AND;
} else {
Policy->Type = EFI_USER_INFO_IDENTITY_OR;
}
Policy->Length = sizeof (EFI_USER_INFO_IDENTITY_POLICY);
NewPolicyInfoLen = mUserInfo.NewIdentityPolicyLen + Policy->Length;
FreePool (mUserInfo.NewIdentityPolicy);
}
//
// Save credential provider.
//
Policy = (EFI_USER_INFO_IDENTITY_POLICY *) (NewPolicyInfo + NewPolicyInfoLen);
Policy->Length = sizeof (EFI_USER_INFO_IDENTITY_POLICY) + sizeof (EFI_GUID);
Policy->Type = EFI_USER_INFO_IDENTITY_CREDENTIAL_PROVIDER;
CopyGuid ((EFI_GUID *) (Policy + 1), NewGuid);
NewPolicyInfoLen += Policy->Length;
//
// Update identity policy choice.
//
mUserInfo.NewIdentityPolicy = NewPolicyInfo;
mUserInfo.NewIdentityPolicyLen = NewPolicyInfoLen;
mUserInfo.NewIdentityPolicyModified = TRUE;
}
/**
This function replaces the old identity policy with a new identity policy.
This function delete the user identity policy information.
If enroll new credential failed, recover the old identity policy.
@retval EFI_SUCCESS Modify user identity policy successfully.
@retval Others Fail to modify user identity policy.
**/
EFI_STATUS
UpdateCredentialProvider (
)
{
EFI_STATUS Status;
EFI_USER_INFO_IDENTITY_POLICY *Identity;
UINTN Offset;
//
// Delete the old identification policy.
//
DeleteCredentialFromProviders (mUserInfo.IdentityPolicy, mUserInfo.IdentityPolicyLen, mModifyUser);
//
// Add the new identification policy.
//
Offset = 0;
while (Offset < mUserInfo.NewIdentityPolicyLen) {
Identity = (EFI_USER_INFO_IDENTITY_POLICY *) (mUserInfo.NewIdentityPolicy + Offset);
if (Identity->Type == EFI_USER_INFO_IDENTITY_CREDENTIAL_PROVIDER) {
//
// Enroll the user on this provider
//
Status = EnrollUserOnProvider (Identity, mModifyUser);
if (EFI_ERROR (Status)) {
//
// Failed to enroll the user by new identification policy.
// So removed the credential provider from the identification policy
//
DeleteProviderFromPolicy (Identity, Offset);
continue;
}
}
Offset += Identity->Length;
}
return EFI_SUCCESS;
}
/**
Check whether the identity policy is valid.
@param[in] PolicyInfo Point to the identity policy.
@param[in] PolicyInfoLen The policy length.
@retval TRUE The policy is a valid identity policy.
@retval FALSE The policy is not a valid identity policy.
**/
BOOLEAN
CheckNewIdentityPolicy (
IN UINT8 *PolicyInfo,
IN UINTN PolicyInfoLen
)
{
EFI_USER_INFO_IDENTITY_POLICY *Identity;
EFI_INPUT_KEY Key;
UINTN Offset;
UINT32 OpCode;
//
// Check policy expression.
//
OpCode = EFI_USER_INFO_IDENTITY_FALSE;
Offset = 0;
while (Offset < PolicyInfoLen) {
//
// Check identification policy according to type
//
Identity = (EFI_USER_INFO_IDENTITY_POLICY *) (PolicyInfo + Offset);
switch (Identity->Type) {
case EFI_USER_INFO_IDENTITY_TRUE:
break;
case EFI_USER_INFO_IDENTITY_OR:
if (OpCode == EFI_USER_INFO_IDENTITY_AND) {
CreatePopUp (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key,
L"Invalid Identity Policy, Mixed Connector Unsupport!",
L"",
L"Press Any Key to Continue ...",
NULL
);
return FALSE;
}
OpCode = EFI_USER_INFO_IDENTITY_OR;
break;
case EFI_USER_INFO_IDENTITY_AND:
if (OpCode == EFI_USER_INFO_IDENTITY_OR) {
CreatePopUp (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key,
L"Invalid Identity Policy, Mixed Connector Unsupport!",
L"",
L"Press Any Key to Continue ...",
NULL
);
return FALSE;
}
OpCode = EFI_USER_INFO_IDENTITY_AND;
break;
case EFI_USER_INFO_IDENTITY_CREDENTIAL_PROVIDER:
break;
default:
CreatePopUp (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key,
L"Unsupport parameter",
L"",
L"Press Any Key to Continue ...",
NULL
);
return FALSE;
}
Offset += Identity->Length;
}
return TRUE;
}
/**
Save the identity policy and update UI with it.
This funciton will verify the new identity policy, in current implementation,
the identity policy can be: T, P & P & P & ..., P | P | P | ...
Here, "T" means "True", "P" means "Credential Provider", "&" means "and", "|" means "or".
Other identity policies are not supported.
**/
VOID
SaveIdentityPolicy (
VOID
)
{
EFI_STATUS Status;
EFI_USER_INFO_HANDLE UserInfo;
EFI_USER_INFO *Info;
if (!mUserInfo.NewIdentityPolicyModified || (mUserInfo.NewIdentityPolicyLen == 0)) {
return;
}
//
// Check policy expression.
//
if (!CheckNewIdentityPolicy (mUserInfo.NewIdentityPolicy, mUserInfo.NewIdentityPolicyLen)) {
return;
}
Status = FindInfoByType (mModifyUser, EFI_USER_INFO_IDENTITY_POLICY_RECORD, &UserInfo);
if (EFI_ERROR (Status)) {
return ;
}
//
// Update the informantion on credential provider.
//
Status = UpdateCredentialProvider ();
if (EFI_ERROR (Status)) {
return ;
}
//
// Save new identification policy.
//
Info = AllocateZeroPool (sizeof (EFI_USER_INFO) + mUserInfo.NewIdentityPolicyLen);
ASSERT (Info != NULL);
Info->InfoType = EFI_USER_INFO_IDENTITY_POLICY_RECORD;
Info->InfoAttribs = EFI_USER_INFO_STORAGE_PLATFORM_NV | EFI_USER_INFO_PUBLIC | EFI_USER_INFO_EXCLUSIVE;
Info->InfoSize = (UINT32) (sizeof (EFI_USER_INFO) + mUserInfo.NewIdentityPolicyLen);
CopyMem ((UINT8 *) (Info + 1), mUserInfo.NewIdentityPolicy, mUserInfo.NewIdentityPolicyLen);
Status = mUserManager->SetInfo (mUserManager, mModifyUser, &UserInfo, Info, Info->InfoSize);
FreePool (Info);
//
// Update the mUserInfo.IdentityPolicy by mUserInfo.NewIdentityPolicy
//
if (mUserInfo.IdentityPolicy != NULL) {
FreePool (mUserInfo.IdentityPolicy);
}
mUserInfo.IdentityPolicy = mUserInfo.NewIdentityPolicy;
mUserInfo.IdentityPolicyLen = mUserInfo.NewIdentityPolicyLen;
mUserInfo.NewIdentityPolicy = NULL;
mUserInfo.NewIdentityPolicyLen = 0;
mUserInfo.NewIdentityPolicyModified = FALSE;
//
// Update identity policy choice.
//
ResolveIdentityPolicy (mUserInfo.IdentityPolicy, mUserInfo.IdentityPolicyLen, STRING_TOKEN (STR_IDENTIFY_POLICY_VAL));
}
/**
Update the mUserInfo.NewIdentityPolicy, and UI when 'add option' is pressed.
**/
VOID
AddIdentityPolicyItem (
VOID
)
{
if (mProviderInfo->Count == 0) {
return ;
}
//
// Check the identity policy.
//
if (ProviderAlreadyInPolicy (&mProviderInfo->Provider[mProviderChoice]->Identifier)) {
return;
}
//
// Add it to identification policy
//
AddProviderToPolicy (&mProviderInfo->Provider[mProviderChoice]->Identifier);
//
// Update identity policy choice.
//
ResolveIdentityPolicy (mUserInfo.NewIdentityPolicy, mUserInfo.NewIdentityPolicyLen, STRING_TOKEN (STR_IDENTIFY_POLICY_VALUE));
}

4
SecurityPkg/UserIdentification/UserProfileManagerDxe/UserProfileAdd.c
View File

@@ -1,7 +1,7 @@
/** @file
The functions to add a user profile.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -239,7 +239,7 @@ SetIdentityPolicy (
NewUserInfo->InfoType = EFI_USER_INFO_IDENTITY_POLICY_RECORD;
NewUserInfo->InfoAttribs = EFI_USER_INFO_STORAGE_PLATFORM_NV |
EFI_USER_INFO_PRIVATE |
EFI_USER_INFO_PUBLIC |
EFI_USER_INFO_EXCLUSIVE;
NewUserInfo->InfoSize = sizeof (EFI_USER_INFO) + Policy->Length;
UserInfo = NULL;

28
SecurityPkg/UserIdentification/UserProfileManagerDxe/UserProfileDelete.c
View File

@@ -185,6 +185,9 @@ DeleteUser (
EFI_STATUS Status;
EFI_USER_PROFILE_HANDLE User;
EFI_INPUT_KEY Key;
EFI_USER_INFO_HANDLE UserInfo;
EFI_USER_INFO *Info;
UINTN InfoSize;
//
// Find specified user profile and delete it.
@@ -204,6 +207,31 @@ DeleteUser (
}
if (UserIndex == 1) {
//
// Get the identification policy.
//
Status = FindInfoByType (User, EFI_USER_INFO_IDENTITY_POLICY_RECORD, &UserInfo);
if (EFI_ERROR (Status)) {
goto Done;
}
InfoSize = 0;
Info = NULL;
Status = mUserManager->GetInfo (mUserManager, User, UserInfo, Info, &InfoSize);
if (Status == EFI_BUFFER_TOO_SMALL) {
Info = AllocateZeroPool (InfoSize);
if (Info == NULL) {
goto Done;
}
Status = mUserManager->GetInfo (mUserManager, User, UserInfo, Info, &InfoSize);
}
//
// Delete the user on the credential providers by its identification policy.
//
DeleteCredentialFromProviders ((UINT8 *)(Info + 1), Info->InfoSize - sizeof (EFI_USER_INFO), User);
FreePool (Info);
Status = mUserManager->Delete (mUserManager, User);
if (EFI_ERROR (Status)) {
goto Done;

63
SecurityPkg/UserIdentification/UserProfileManagerDxe/UserProfileManager.h
View File

@@ -140,6 +140,7 @@ extern USER_INFO mUserInfo;
extern USER_PROFILE_MANAGER_CALLBACK_INFO *mCallbackInfo;
extern EFI_USER_PROFILE_HANDLE mModifyUser;
/**
Get string by string id from HII Interface.
@@ -378,5 +379,67 @@ GetUserNameInput (
IN OUT UINTN *UserNameLen,
OUT CHAR16 *UserName
);
/**
Find the specified info in User profile by the InfoType.
@param[in] User Handle of the user whose information will be searched.
@param[in] InfoType The user information type to find.
@param[out] UserInfo Points to user information handle found.
@retval EFI_SUCCESS Find the user information successfully.
@retval Others Fail to find the user information.
**/
EFI_STATUS
FindInfoByType (
IN EFI_USER_PROFILE_HANDLE User,
IN UINT8 InfoType,
OUT EFI_USER_INFO_HANDLE *UserInfo
);
/**
Convert the identity policy to a unicode string and update the Hii database
IpStringId string with it.
@param[in] Ip Points to identity policy.
@param[in] IpLen The identity policy length.
@param[in] IpStringId String ID in the HII database to be replaced.
**/
VOID
ResolveIdentityPolicy (
IN UINT8 *Ip,
IN UINTN IpLen,
IN EFI_STRING_ID IpStringId
);
/**
Expand access policy memory size.
@param[in] ValidLen The valid access policy length.
@param[in] ExpandLen The length that is needed to expand.
**/
VOID
ExpandMemory (
IN UINTN ValidLen,
IN UINTN ExpandLen
);
/**
Delete User's credental from all the providers that exist in User's identity policy.
@param[in] IdentityPolicy Point to User's identity policy.
@param[in] IdentityPolicyLen The length of the identity policy.
@param[in] User Points to user profile.
**/
VOID
DeleteCredentialFromProviders (
IN UINT8 *IdentityPolicy,
IN UINTN IdentityPolicyLen,
IN EFI_USER_PROFILE_HANDLE User
);
#endif

2
SecurityPkg/UserIdentification/UserProfileManagerDxe/UserProfileManagerDxe.inf
View File

@@ -25,6 +25,8 @@
UserProfileAdd.c
UserProfileDelete.c
UserProfileModify.c
ModifyIdentityPolicy.c
ModifyAccessPolicy.c
UserProfileManagerData.h
UserProfileManagerStrings.uni
UserProfileManagerVfr.Vfr

1050
SecurityPkg/UserIdentification/UserProfileManagerDxe/UserProfileModify.c
View File

File diff suppressed because it is too large Load Diff