SecurityPkg: AuthVariableLib: Customized SecureBoot Mode transition.

Implement Customized SecureBoot Mode transition logic according to Mantis 1263, including AuditMode/DeployedMode/PK update management.
  Also implement image verification logic in AuditMode. Image Certificate & Hash are recorded to EFI Image Execution Table.
  https://mantis.uefi.org/mantis/view.php?id=1263

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Zeng Star <star.zeng@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19133 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
Chao Zhang
2015-12-07 06:20:02 +00:00
committed by czhang46
parent af9af05bec
commit 4fc08e8d68
5 changed files with 1913 additions and 269 deletions

File diff suppressed because it is too large Load Diff

View File

@@ -117,6 +117,54 @@ typedef struct {
} AUTH_CERT_DB_DATA;
#pragma pack()
///
/// "SecureBootMode" variable stores current secure boot mode.
/// The value type is SECURE_BOOT_MODE_TYPE.
///
#define EDKII_SECURE_BOOT_MODE_NAME L"SecureBootMode"
typedef enum {
SecureBootModeTypeUserMode,
SecureBootModeTypeSetupMode,
SecureBootModeTypeAuditMode,
SecureBootModeTypeDeployedMode,
SecureBootModeTypeMax
} SECURE_BOOT_MODE_TYPE;
//
// Record status info of Customized Secure Boot Mode.
//
typedef struct {
///
/// AuditMode variable value
///
UINT8 AuditMode;
///
/// AuditMode variable RW
///
BOOLEAN IsAuditModeRO;
///
/// DeployedMode variable value
///
UINT8 DeployedMode;
///
/// AuditMode variable RW
///
BOOLEAN IsDeployedModeRO;
///
/// SetupMode variable value
///
UINT8 SetupMode;
///
/// SetupMode is always RO. Skip IsSetupModeRO;
///
///
/// SecureBoot variable value
///
UINT8 SecureBoot;
} SECURE_BOOT_MODE;
extern UINT8 *mPubKeyStore;
extern UINT32 mPubKeyNumber;
extern UINT32 mMaxKeyNumber;
@@ -130,6 +178,18 @@ extern VOID *mHashCtx;
extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn;
/**
Initialize Secure Boot variables.
@retval EFI_SUCCESS The initialization operation is successful.
@retval EFI_OUT_OF_RESOURCES There is not enough resource.
**/
EFI_STATUS
InitSecureBootVariables (
VOID
);
/**
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
@@ -219,6 +279,39 @@ FilterSignatureList (
IN OUT UINTN *NewDataSize
);
/**
Process Secure Boot Mode variable.
Caution: This function may receive untrusted input.
This function may be invoked in SMM mode, and datasize and data are external input.
This function will do basic validation, before parse the data.
This function will parse the authentication carefully to avoid security issues, like
buffer overflow, integer overflow.
This function will check attribute carefully to avoid authentication bypass.
@param[in] VariableName Name of Variable to be found.
@param[in] VendorGuid Variable vendor GUID.
@param[in] Data Data pointer.
@param[in] DataSize Size of Data found. If size is less than the
data, this value contains the required size.
@param[in] Attributes Attribute value of the variable
@return EFI_INVALID_PARAMETER Invalid parameter
@return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
check carried out by the firmware.
@return EFI_WRITE_PROTECTED Variable is Read-Only.
@return EFI_SUCCESS Variable passed validation successfully.
**/
EFI_STATUS
ProcessSecureBootModeVar (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
IN VOID *Data,
IN UINTN DataSize,
IN UINT32 Attributes OPTIONAL
);
/**
Process variable with platform key for verification.

View File

@@ -33,7 +33,6 @@ UINT32 mMaxKeyNumber;
UINT32 mMaxKeyDbSize;
UINT8 *mCertDbStore;
UINT32 mMaxCertDbSize;
UINT32 mPlatformMode;
UINT8 mVendorKeyState;
EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
@@ -99,6 +98,17 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
MAX_UINTN
}
},
{
&gEdkiiSecureBootModeGuid,
L"SecureBootMode",
{
VAR_CHECK_VARIABLE_PROPERTY_REVISION,
VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,
VARIABLE_ATTRIBUTE_NV_BS_RT,
sizeof (UINT8),
sizeof (UINT8)
}
}
};
VOID **mAuthVarAddressPointer[10];
@@ -132,8 +142,6 @@ AuthVariableLibInitialize (
UINT8 *Data;
UINTN DataSize;
UINTN CtxSize;
UINT8 SecureBootMode;
UINT8 SecureBootEnable;
UINT8 CustomMode;
UINT32 ListSize;
@@ -208,31 +216,11 @@ AuthVariableLibInitialize (
mPubKeyNumber = (UINT32) (DataSize / sizeof (AUTHVAR_KEY_DB_DATA));
}
Status = AuthServiceInternalFindVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_INFO, "Variable %s does not exist.\n", EFI_PLATFORM_KEY_NAME));
} else {
DEBUG ((EFI_D_INFO, "Variable %s exists.\n", EFI_PLATFORM_KEY_NAME));
}
//
// Init Secure Boot variables
//
Status = InitSecureBootVariables ();
//
// Create "SetupMode" variable with BS+RT attribute set.
//
if (EFI_ERROR (Status)) {
mPlatformMode = SETUP_MODE;
} else {
mPlatformMode = USER_MODE;
}
Status = AuthServiceInternalUpdateVariable (
EFI_SETUP_MODE_NAME,
&gEfiGlobalVariableGuid,
&mPlatformMode,
sizeof(UINT8),
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
);
if (EFI_ERROR (Status)) {
return Status;
}
//
// Create "SignatureSupport" variable with BS+RT attribute set.
@@ -248,69 +236,6 @@ AuthVariableLibInitialize (
return Status;
}
//
// If "SecureBootEnable" variable exists, then update "SecureBoot" variable.
// If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
// If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
//
SecureBootEnable = SECURE_BOOT_DISABLE;
Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **) &Data, &DataSize);
if (!EFI_ERROR (Status)) {
if (mPlatformMode == SETUP_MODE){
//
// PK is cleared in runtime. "SecureBootMode" is not updated before reboot
// Delete "SecureBootMode" in SetupMode
//
Status = AuthServiceInternalUpdateVariable (
EFI_SECURE_BOOT_ENABLE_NAME,
&gEfiSecureBootEnableDisableGuid,
&SecureBootEnable,
0,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
);
} else {
SecureBootEnable = *(UINT8 *) Data;
}
} else if (mPlatformMode == USER_MODE) {
//
// "SecureBootEnable" not exist, initialize it in USER_MODE.
//
SecureBootEnable = SECURE_BOOT_ENABLE;
Status = AuthServiceInternalUpdateVariable (
EFI_SECURE_BOOT_ENABLE_NAME,
&gEfiSecureBootEnableDisableGuid,
&SecureBootEnable,
sizeof (UINT8),
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
);
if (EFI_ERROR (Status)) {
return Status;
}
}
//
// Create "SecureBoot" variable with BS+RT attribute set.
//
if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
SecureBootMode = SECURE_BOOT_MODE_ENABLE;
} else {
SecureBootMode = SECURE_BOOT_MODE_DISABLE;
}
Status = AuthServiceInternalUpdateVariable (
EFI_SECURE_BOOT_MODE_NAME,
&gEfiGlobalVariableGuid,
&SecureBootMode,
sizeof (UINT8),
EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
);
if (EFI_ERROR (Status)) {
return Status;
}
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SETUP_MODE_NAME, mPlatformMode));
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_MODE_NAME, SecureBootMode));
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_ENABLE_NAME, SecureBootEnable));
//
// Initialize "CustomMode" in STANDARD_SECURE_BOOT_MODE state.
//
@@ -455,10 +380,16 @@ AuthVariableLibProcessVariable (
{
EFI_STATUS Status;
//
// Process PK, KEK, Sigdb, AuditMode, DeployedMode separately.
//
if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){
Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, TRUE);
} else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) {
Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, FALSE);
} else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)
&& (StrCmp (VariableName, EFI_AUDIT_MODE_NAME) == 0 || StrCmp (VariableName, EFI_DEPLOYED_MODE_NAME) == 0)) {
Status = ProcessSecureBootModeVar(VariableName, VendorGuid, Data, DataSize, Attributes);
} else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) ||
(StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||

View File

@@ -85,6 +85,10 @@
## PRODUCES ## Variable:L"AuthVarKeyDatabase"
gEfiAuthenticatedVariableGuid
## CONSUMES ## Variable:L"SecureBootMode"
## PRODUCES ## Variable:L"SecureBootMode"
gEdkiiSecureBootModeGuid
gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
gEfiCertPkcs7Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.