Add “VendorKeys” variable for indicating out of band key modification.

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14660 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
Fu Siyuan
2013-09-12 05:23:28 +00:00
committed by sfu5
parent 4c58575ecc
commit a555940b2d
6 changed files with 136 additions and 5 deletions

View File

@@ -36,6 +36,8 @@ UINT8 mPubKeyStore[MAX_KEYDB_SIZE];
UINT32 mPubKeyNumber;
UINT8 mCertDbStore[MAX_CERTDB_SIZE];
UINT32 mPlatformMode;
UINT8 mVendorKeyState;
EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
//
// Public Exponent of RSA Key.
@@ -255,7 +257,7 @@ AutenticatedVariableServiceInitialize (
}
//
// Create "SetupMode" varable with BS+RT attribute set.
// Create "SetupMode" variable with BS+RT attribute set.
//
FindVariable (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
if (PkVariable.CurrPtr == NULL) {
@@ -279,7 +281,7 @@ AutenticatedVariableServiceInitialize (
}
//
// Create "SignatureSupport" varable with BS+RT attribute set.
// Create "SignatureSupport" variable with BS+RT attribute set.
//
FindVariable (EFI_SIGNATURE_SUPPORT_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
Status = UpdateVariable (
@@ -328,7 +330,7 @@ AutenticatedVariableServiceInitialize (
}
//
// Create "SecureBoot" varable with BS+RT attribute set.
// Create "SecureBoot" variable with BS+RT attribute set.
//
if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
SecureBootMode = SECURE_BOOT_MODE_ENABLE;
@@ -409,6 +411,54 @@ AutenticatedVariableServiceInitialize (
}
}
//
// Check "VendorKeysNv" variable's existence and create "VendorKeys" variable accordingly.
//
FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
if (Variable.CurrPtr != NULL) {
mVendorKeyState = *(GetVariableDataPtr (Variable.CurrPtr));
} else {
//
// "VendorKeysNv" not exist, initialize it in VENDOR_KEYS_VALID state.
//
mVendorKeyState = VENDOR_KEYS_VALID;
Status = UpdateVariable (
EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
&gEfiVendorKeysNvGuid,
&mVendorKeyState,
sizeof (UINT8),
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
0,
0,
&Variable,
NULL
);
if (EFI_ERROR (Status)) {
return Status;
}
}
//
// Create "VendorKeys" variable with BS+RT attribute set.
//
FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
Status = UpdateVariable (
EFI_VENDOR_KEYS_VARIABLE_NAME,
&gEfiGlobalVariableGuid,
&mVendorKeyState,
sizeof (UINT8),
EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
0,
0,
&Variable,
NULL
);
if (EFI_ERROR (Status)) {
return Status;
}
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_VENDOR_KEYS_VARIABLE_NAME, mVendorKeyState));
return Status;
}
@@ -911,6 +961,56 @@ CheckSignatureListFormat(
return EFI_SUCCESS;
}
/**
Update "VendorKeys" variable to record the out of band secure boot key modification.
@return EFI_SUCCESS Variable is updated successfully.
@return Others Failed to update variable.
**/
EFI_STATUS
VendorKeyIsModified (
VOID
)
{
EFI_STATUS Status;
VARIABLE_POINTER_TRACK Variable;
if (mVendorKeyState == VENDOR_KEYS_MODIFIED) {
return EFI_SUCCESS;
}
mVendorKeyState = VENDOR_KEYS_MODIFIED;
FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
Status = UpdateVariable (
EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
&gEfiVendorKeysNvGuid,
&mVendorKeyState,
sizeof (UINT8),
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
0,
0,
&Variable,
NULL
);
if (EFI_ERROR (Status)) {
return Status;
}
FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
return UpdateVariable (
EFI_VENDOR_KEYS_VARIABLE_NAME,
&gEfiGlobalVariableGuid,
&mVendorKeyState,
sizeof (UINT8),
EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
0,
0,
&Variable,
NULL
);
}
/**
Process variable with platform key for verification.
@@ -985,6 +1085,13 @@ ProcessVarWithPk (
Variable,
&((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
);
if (EFI_ERROR(Status)) {
return Status;
}
if (mPlatformMode != SETUP_MODE) {
Status = VendorKeyIsModified ();
}
} else if (mPlatformMode == USER_MODE) {
//
// Verify against X509 Cert in PK database.
@@ -1117,6 +1224,13 @@ ProcessVarWithKek (
Variable,
&((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
);
if (EFI_ERROR (Status)) {
return Status;
}
if (mPlatformMode != SETUP_MODE) {
Status = VendorKeyIsModified ();
}
}
return Status;