UEFI 2.4 X509 Certificate Hash and RFC3161 Timestamp Verification support for Secure Boot

Main ChangeLogs includes: 1. Introduce the new GUID and structure definitions for certificate hash and timestamp support; 2. Update Image Verification Library to support DBT signature checking; 3. Update the related SecureBoot Configuration Pages; Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <qin.long@intel.com> Reviewed-by: Guo Dong <guo.dong@intel.com> Reviewed-by: Siyuan Fu <siyuan.fu@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@16380 6f19259b-4bc3-4df7-8a09-765794883524
2014-11-14 08:41:12 +00:00
parent 2e70cf8ade
commit 20333c6d56
14 changed files with 1972 additions and 588 deletions
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
@ -2,7 +2,7 @@
  The header file of HII Config Access protocol implementation of SecureBoot
  configuration module.

-Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2011 - 2014, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@ -73,9 +73,18 @@ extern  EFI_IFR_GUID_LABEL         *mEndLabel;
 //
 #define SHA256_DIGEST_SIZE  32
 //
-// Set max digest size as SHA256 Output (32 bytes) by far
+// SHA-384 digest size in bytes
 //
-#define MAX_DIGEST_SIZE    SHA256_DIGEST_SIZE
+#define SHA384_DIGEST_SIZE  48
+//
+// SHA-512 digest size in bytes
+//
+#define SHA512_DIGEST_SIZE  64
+
+//
+// Set max digest size as SHA512 Output (64 bytes) by far
+//
+#define MAX_DIGEST_SIZE    SHA512_DIGEST_SIZE

 #define WIN_CERT_UEFI_RSA2048_SIZE               256

@ -87,6 +96,7 @@ extern  EFI_IFR_GUID_LABEL         *mEndLabel;
 #define HASHALG_SHA256                         0x00000002
 #define HASHALG_SHA384                         0x00000003
 #define HASHALG_SHA512                         0x00000004
+#define HASHALG_RAW                            0x00000005
 #define HASHALG_MAX                            0x00000005


@ -120,6 +130,7 @@ typedef enum _FILE_EXPLORER_STATE {
  FileExplorerStateEnrollKekFile,
  FileExplorerStateEnrollSignatureFileToDb,
  FileExplorerStateEnrollSignatureFileToDbx,
+  FileExplorerStateEnrollSignatureFileToDbt,
  FileExplorerStateUnknown
 } FILE_EXPLORER_STATE;

@ -316,7 +327,7 @@ BOOLEAN
 typedef struct {
  CHAR16                   *Name;           ///< Name for Hash Algorithm
  UINTN                    DigestLength;    ///< Digest Length
-  UINT8                    *OidValue;       ///< Hash Algorithm OID ASN.1 Value 
+  UINT8                    *OidValue;       ///< Hash Algorithm OID ASN.1 Value
  UINTN                    OidLength;       ///< Length of Hash OID Value
  HASH_GET_CONTEXT_SIZE    GetContextSize;  ///< Pointer to Hash GetContentSize function
  HASH_INIT                HashInit;        ///< Pointer to Hash Init function
@ -471,7 +482,7 @@ DevicePathToStr (


 /**
-  Clean up the dynamic opcode at label and form specified by both LabelId. 
+  Clean up the dynamic opcode at label and form specified by both LabelId.

  @param[in] LabelId         It is both the Form ID and Label ID for opcode deletion.
  @param[in] PrivateData     Module private data.
@ -505,7 +516,7 @@ UpdateFileExplorer (
  Free resources allocated in Allocate Rountine.

  @param[in, out]  MenuOption        Menu to be freed
-  
+
 **/
 VOID
 FreeMenu (
@ -514,15 +525,15 @@ FreeMenu (


 /**
-  Read file content into BufferPtr, the size of the allocate buffer 
+  Read file content into BufferPtr, the size of the allocate buffer
  is *FileSize plus AddtionAllocateSize.

  @param[in]       FileHandle            The file to be read.
  @param[in, out]  BufferPtr             Pointers to the pointer of allocated buffer.
  @param[out]      FileSize              Size of input file
-  @param[in]       AddtionAllocateSize   Addtion size the buffer need to be allocated. 
+  @param[in]       AddtionAllocateSize   Addtion size the buffer need to be allocated.
                                         In case the buffer need to contain others besides the file content.
-  
+
  @retval   EFI_SUCCESS                  The file was read into the buffer.
  @retval   EFI_INVALID_PARAMETER        A parameter was invalid.
  @retval   EFI_OUT_OF_RESOURCES         A memory allocation failed.
@ -542,7 +553,7 @@ ReadFileContent (
  Close an open file handle.

  @param[in] FileHandle           The file handle to close.
-  
+
 **/
 VOID
 CloseFile (
@ -555,7 +566,7 @@ CloseFile (

  @param[in]   Integer          Pointer to the nonnegative integer to be converted
  @param[in]   IntSizeInWords   Length of integer buffer in words
-  @param[out]  OctetString      Converted octet string of the specified length 
+  @param[out]  OctetString      Converted octet string of the specified length
  @param[in]   OSSizeInBytes    Intended length of resulting octet string in bytes

 Returns:
@ -587,8 +598,8 @@ Int2OctStr (
 **/
 EFI_STATUS
 StringToGuid (
-  IN   CHAR16           *Str, 
-  IN   UINTN            StrLen, 
+  IN   CHAR16           *Str,
+  IN   UINTN            StrLen,
  OUT  EFI_GUID         *Guid
  );

@ -599,7 +610,7 @@ StringToGuid (
  @param[in]     Guid          Pointer to GUID to print.
  @param[in]     Buffer        Buffer to print Guid into.
  @param[in]     BufferSize    Size of Buffer.
-  
+
  @retval    Number of characters printed.

 **/
@ -610,4 +621,4 @@ GuidToString (
  IN  UINTN     BufferSize
  );

-#endif
+#endif