SecurityPkg: AuthVariableLib: Customized SecureBoot Mode transition.
Implement Customized SecureBoot Mode transition logic according to Mantis 1263, including AuditMode/DeployedMode/PK update management. Also implement image verification logic in AuditMode. Image Certificate & Hash are recorded to EFI Image Execution Table. https://mantis.uefi.org/mantis/view.php?id=1263 Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Zeng Star <star.zeng@intel.com> Reviewed-by: Long Qin <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19133 6f19259b-4bc3-4df7-8a09-765794883524
@@ -117,6 +117,54 @@ typedef struct {
|
||||
} AUTH_CERT_DB_DATA;
|
||||
#pragma pack()
|
||||
|
||||
///
|
||||
/// "SecureBootMode" variable stores current secure boot mode.
|
||||
/// The value type is SECURE_BOOT_MODE_TYPE.
|
||||
///
|
||||
#define EDKII_SECURE_BOOT_MODE_NAME L"SecureBootMode"
|
||||
|
||||
typedef enum {
|
||||
SecureBootModeTypeUserMode,
|
||||
SecureBootModeTypeSetupMode,
|
||||
SecureBootModeTypeAuditMode,
|
||||
SecureBootModeTypeDeployedMode,
|
||||
SecureBootModeTypeMax
|
||||
} SECURE_BOOT_MODE_TYPE;
|
||||
|
||||
//
|
||||
// Record status info of Customized Secure Boot Mode.
|
||||
//
|
||||
typedef struct {
|
||||
///
|
||||
/// AuditMode variable value
|
||||
///
|
||||
UINT8 AuditMode;
|
||||
///
|
||||
/// AuditMode variable RW
|
||||
///
|
||||
BOOLEAN IsAuditModeRO;
|
||||
///
|
||||
/// DeployedMode variable value
|
||||
///
|
||||
UINT8 DeployedMode;
|
||||
///
|
||||
/// AuditMode variable RW
|
||||
///
|
||||
BOOLEAN IsDeployedModeRO;
|
||||
///
|
||||
/// SetupMode variable value
|
||||
///
|
||||
UINT8 SetupMode;
|
||||
///
|
||||
/// SetupMode is always RO. Skip IsSetupModeRO;
|
||||
///
|
||||
|
||||
///
|
||||
/// SecureBoot variable value
|
||||
///
|
||||
UINT8 SecureBoot;
|
||||
} SECURE_BOOT_MODE;
|
||||
|
||||
extern UINT8 *mPubKeyStore;
|
||||
extern UINT32 mPubKeyNumber;
|
||||
extern UINT32 mMaxKeyNumber;
|
||||
@@ -130,6 +178,18 @@ extern VOID *mHashCtx;
|
||||
|
||||
extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn;
|
||||
|
||||
/**
|
||||
Initialize Secure Boot variables.
|
||||
|
||||
@retval EFI_SUCCESS The initialization operation is successful.
|
||||
@retval EFI_OUT_OF_RESOURCES There is not enough resource.
|
||||
|
||||
**/
|
||||
EFI_STATUS
|
||||
InitSecureBootVariables (
|
||||
VOID
|
||||
);
|
||||
|
||||
/**
|
||||
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
|
||||
|
||||
@@ -219,6 +279,39 @@ FilterSignatureList (
|
||||
IN OUT UINTN *NewDataSize
|
||||
);
|
||||
|
||||
/**
|
||||
Process Secure Boot Mode variable.
|
||||
|
||||
Caution: This function may receive untrusted input.
|
||||
This function may be invoked in SMM mode, and datasize and data are external input.
|
||||
This function will do basic validation, before parse the data.
|
||||
This function will parse the authentication carefully to avoid security issues, like
|
||||
buffer overflow, integer overflow.
|
||||
This function will check attribute carefully to avoid authentication bypass.
|
||||
|
||||
@param[in] VariableName Name of Variable to be found.
|
||||
@param[in] VendorGuid Variable vendor GUID.
|
||||
@param[in] Data Data pointer.
|
||||
@param[in] DataSize Size of Data found. If size is less than the
|
||||
data, this value contains the required size.
|
||||
@param[in] Attributes Attribute value of the variable
|
||||
|
||||
@return EFI_INVALID_PARAMETER Invalid parameter
|
||||
@return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
|
||||
check carried out by the firmware.
|
||||
@return EFI_WRITE_PROTECTED Variable is Read-Only.
|
||||
@return EFI_SUCCESS Variable passed validation successfully.
|
||||
|
||||
**/
|
||||
EFI_STATUS
|
||||
ProcessSecureBootModeVar (
|
||||
IN CHAR16 *VariableName,
|
||||
IN EFI_GUID *VendorGuid,
|
||||
IN VOID *Data,
|
||||
IN UINTN DataSize,
|
||||
IN UINT32 Attributes OPTIONAL
|
||||
);
|
||||
|
||||
/**
|
||||
Process variable with platform key for verification.
|
||||
|
||||
|
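Review bot: The comment added above EDKII_SECURE_BOOT_MODE_NAME in the first hunk (`/// The value type is SECURE_BOOT_MODE_TYPE.`) describes the variable as holding an enum, while the mAuthVarEntry property added for L"SecureBootMode" in AuthVariableLib.c pins its minimum and maximum size to sizeof (UINT8); an enum's storage width is implementation-defined (commonly 4 bytes), so a caller that reads or writes the variable through a SECURE_BOOT_MODE_TYPE object would presumably be rejected by the variable property check. Suggest documenting the stored width explicitly, e.g. `/// The value is a UINT8 whose content is a SECURE_BOOT_MODE_TYPE enumerant.`, and accessing it through a UINT8 consistently. In the same hunk the field comment above IsDeployedModeRO reads `/// AuditMode variable RW`, a copy-paste of the previous field; it should read `/// Whether the DeployedMode variable is read-only`, and the IsAuditModeRO comment should likewise say read-only rather than RW for a flag named RO. In the third hunk the ProcessSecureBootModeVar docstring says of the [in] DataSize parameter "If size is less than the data, this value contains the required size", which is GetVariable wording that does not apply to an input-only size; `@param[in] DataSize Size of Data in bytes.` is accurate.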
@@ -33,7 +33,6 @@ UINT32 mMaxKeyNumber;
|
||||
UINT32 mMaxKeyDbSize;
|
||||
UINT8 *mCertDbStore;
|
||||
UINT32 mMaxCertDbSize;
|
||||
UINT32 mPlatformMode;
|
||||
UINT8 mVendorKeyState;
|
||||
|
||||
EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
|
||||
@@ -99,6 +98,17 @@ VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
|
||||
MAX_UINTN
|
||||
}
|
||||
},
|
||||
{
|
||||
&gEdkiiSecureBootModeGuid,
|
||||
L"SecureBootMode",
|
||||
{
|
||||
VAR_CHECK_VARIABLE_PROPERTY_REVISION,
|
||||
VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,
|
||||
VARIABLE_ATTRIBUTE_NV_BS_RT,
|
||||
sizeof (UINT8),
|
||||
sizeof (UINT8)
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
VOID **mAuthVarAddressPointer[10];
|
||||
@@ -132,8 +142,6 @@ AuthVariableLibInitialize (
|
||||
UINT8 *Data;
|
||||
UINTN DataSize;
|
||||
UINTN CtxSize;
|
||||
UINT8 SecureBootMode;
|
||||
UINT8 SecureBootEnable;
|
||||
UINT8 CustomMode;
|
||||
UINT32 ListSize;
|
||||
|
||||
@@ -208,31 +216,11 @@ AuthVariableLibInitialize (
|
||||
mPubKeyNumber = (UINT32) (DataSize / sizeof (AUTHVAR_KEY_DB_DATA));
|
||||
}
|
||||
|
||||
Status = AuthServiceInternalFindVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
|
||||
if (EFI_ERROR (Status)) {
|
||||
DEBUG ((EFI_D_INFO, "Variable %s does not exist.\n", EFI_PLATFORM_KEY_NAME));
|
||||
} else {
|
||||
DEBUG ((EFI_D_INFO, "Variable %s exists.\n", EFI_PLATFORM_KEY_NAME));
|
||||
}
|
||||
//
|
||||
// Init Secure Boot variables
|
||||
//
|
||||
Status = InitSecureBootVariables ();
|
||||
|
||||
//
|
||||
// Create "SetupMode" variable with BS+RT attribute set.
|
||||
//
|
||||
if (EFI_ERROR (Status)) {
|
||||
mPlatformMode = SETUP_MODE;
|
||||
} else {
|
||||
mPlatformMode = USER_MODE;
|
||||
}
|
||||
Status = AuthServiceInternalUpdateVariable (
|
||||
EFI_SETUP_MODE_NAME,
|
||||
&gEfiGlobalVariableGuid,
|
||||
&mPlatformMode,
|
||||
sizeof(UINT8),
|
||||
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
|
||||
//
|
||||
// Create "SignatureSupport" variable with BS+RT attribute set.
|
||||
@@ -248,69 +236,6 @@ AuthVariableLibInitialize (
|
||||
return Status;
|
||||
}
|
||||
|
||||
//
|
||||
// If "SecureBootEnable" variable exists, then update "SecureBoot" variable.
|
||||
// If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
|
||||
// If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
|
||||
//
|
||||
SecureBootEnable = SECURE_BOOT_DISABLE;
|
||||
Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **) &Data, &DataSize);
|
||||
if (!EFI_ERROR (Status)) {
|
||||
if (mPlatformMode == SETUP_MODE){
|
||||
//
|
||||
// PK is cleared in runtime. "SecureBootMode" is not updated before reboot
|
||||
// Delete "SecureBootMode" in SetupMode
|
||||
//
|
||||
Status = AuthServiceInternalUpdateVariable (
|
||||
EFI_SECURE_BOOT_ENABLE_NAME,
|
||||
&gEfiSecureBootEnableDisableGuid,
|
||||
&SecureBootEnable,
|
||||
0,
|
||||
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
|
||||
);
|
||||
} else {
|
||||
SecureBootEnable = *(UINT8 *) Data;
|
||||
}
|
||||
} else if (mPlatformMode == USER_MODE) {
|
||||
//
|
||||
// "SecureBootEnable" not exist, initialize it in USER_MODE.
|
||||
//
|
||||
SecureBootEnable = SECURE_BOOT_ENABLE;
|
||||
Status = AuthServiceInternalUpdateVariable (
|
||||
EFI_SECURE_BOOT_ENABLE_NAME,
|
||||
&gEfiSecureBootEnableDisableGuid,
|
||||
&SecureBootEnable,
|
||||
sizeof (UINT8),
|
||||
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// Create "SecureBoot" variable with BS+RT attribute set.
|
||||
//
|
||||
if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
|
||||
SecureBootMode = SECURE_BOOT_MODE_ENABLE;
|
||||
} else {
|
||||
SecureBootMode = SECURE_BOOT_MODE_DISABLE;
|
||||
}
|
||||
Status = AuthServiceInternalUpdateVariable (
|
||||
EFI_SECURE_BOOT_MODE_NAME,
|
||||
&gEfiGlobalVariableGuid,
|
||||
&SecureBootMode,
|
||||
sizeof (UINT8),
|
||||
EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
|
||||
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SETUP_MODE_NAME, mPlatformMode));
|
||||
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_MODE_NAME, SecureBootMode));
|
||||
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_ENABLE_NAME, SecureBootEnable));
|
||||
|
||||
//
|
||||
// Initialize "CustomMode" in STANDARD_SECURE_BOOT_MODE state.
|
||||
//
|
||||
@@ -455,10 +380,16 @@ AuthVariableLibProcessVariable (
|
||||
{
|
||||
EFI_STATUS Status;
|
||||
|
||||
//
|
||||
// Process PK, KEK, Sigdb, AuditMode, DeployedMode separately.
|
||||
//
|
||||
if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){
|
||||
Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, TRUE);
|
||||
} else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) {
|
||||
Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, FALSE);
|
||||
} else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)
|
||||
&& (StrCmp (VariableName, EFI_AUDIT_MODE_NAME) == 0 || StrCmp (VariableName, EFI_DEPLOYED_MODE_NAME) == 0)) {
|
||||
Status = ProcessSecureBootModeVar(VariableName, VendorGuid, Data, DataSize, Attributes);
|
||||
} else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
|
||||
((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) ||
|
||||
(StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||
|
||||
|
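Review bot: The return value of `Status = InitSecureBootVariables ();` in the AuthVariableLibInitialize hunk (@@ -208,31 +216,11) is never examined on the new side: the removed lines used Status to select mPlatformMode, but now the next use of Status is the "SignatureSupport" update that overwrites it, so a failure (the header documents EFI_OUT_OF_RESOURCES for this call) would be silently ignored and initialization would continue with whatever variables the helper did not manage to create. Add the guard the surrounding code already uses for every other update, `if (EFI_ERROR (Status)) { return Status; }`, or comment why failure is deliberately tolerated. AuthVariableLibInitialize begins and ends outside the hunk. Separately, the mAuthVarEntry entry in the @@ -99,6 +98,17 hunk spells the name as the literal `L"SecureBootMode"` although the header introduces `EDKII_SECURE_BOOT_MODE_NAME` for it; using the macro keeps the property table and the accessors from drifting apart, and `ProcessSecureBootModeVar(VariableName, ...` in the last hunk lacks the space before `(` that the neighbouring calls use.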
@@ -85,6 +85,10 @@
|
||||
## PRODUCES ## Variable:L"AuthVarKeyDatabase"
|
||||
gEfiAuthenticatedVariableGuid
|
||||
|
||||
## CONSUMES ## Variable:L"SecureBootMode"
|
||||
## PRODUCES ## Variable:L"SecureBootMode"
|
||||
gEdkiiSecureBootModeGuid
|
||||
|
||||
gEfiCertTypeRsa2048Sha256Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
|
||||
gEfiCertPkcs7Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the certificate.
|
||||
gEfiCertX509Guid ## SOMETIMES_CONSUMES ## GUID # Unique ID for the type of the signature.
|
||||
|