Add “VendorKeys” variable for indicating out of band key modification.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Dong Guo <guo.dong@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14660 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
@@ -36,6 +36,8 @@ UINT8 mPubKeyStore[MAX_KEYDB_SIZE];
|
||||
UINT32 mPubKeyNumber;
|
||||
UINT8 mCertDbStore[MAX_CERTDB_SIZE];
|
||||
UINT32 mPlatformMode;
|
||||
UINT8 mVendorKeyState;
|
||||
|
||||
EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
|
||||
//
|
||||
// Public Exponent of RSA Key.
|
||||
@@ -255,7 +257,7 @@ AutenticatedVariableServiceInitialize (
|
||||
}
|
||||
|
||||
//
|
||||
// Create "SetupMode" varable with BS+RT attribute set.
|
||||
// Create "SetupMode" variable with BS+RT attribute set.
|
||||
//
|
||||
FindVariable (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
|
||||
if (PkVariable.CurrPtr == NULL) {
|
||||
@@ -279,7 +281,7 @@ AutenticatedVariableServiceInitialize (
|
||||
}
|
||||
|
||||
//
|
||||
// Create "SignatureSupport" varable with BS+RT attribute set.
|
||||
// Create "SignatureSupport" variable with BS+RT attribute set.
|
||||
//
|
||||
FindVariable (EFI_SIGNATURE_SUPPORT_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
|
||||
Status = UpdateVariable (
|
||||
@@ -328,7 +330,7 @@ AutenticatedVariableServiceInitialize (
|
||||
}
|
||||
|
||||
//
|
||||
// Create "SecureBoot" varable with BS+RT attribute set.
|
||||
// Create "SecureBoot" variable with BS+RT attribute set.
|
||||
//
|
||||
if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
|
||||
SecureBootMode = SECURE_BOOT_MODE_ENABLE;
|
||||
@@ -409,6 +411,54 @@ AutenticatedVariableServiceInitialize (
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// Check "VendorKeysNv" variable's existence and create "VendorKeys" variable accordingly.
|
||||
//
|
||||
FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
|
||||
if (Variable.CurrPtr != NULL) {
|
||||
mVendorKeyState = *(GetVariableDataPtr (Variable.CurrPtr));
|
||||
} else {
|
||||
//
|
||||
// "VendorKeysNv" not exist, initialize it in VENDOR_KEYS_VALID state.
|
||||
//
|
||||
mVendorKeyState = VENDOR_KEYS_VALID;
|
||||
Status = UpdateVariable (
|
||||
EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
|
||||
&gEfiVendorKeysNvGuid,
|
||||
&mVendorKeyState,
|
||||
sizeof (UINT8),
|
||||
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
|
||||
0,
|
||||
0,
|
||||
&Variable,
|
||||
NULL
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// Create "VendorKeys" variable with BS+RT attribute set.
|
||||
//
|
||||
FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
|
||||
Status = UpdateVariable (
|
||||
EFI_VENDOR_KEYS_VARIABLE_NAME,
|
||||
&gEfiGlobalVariableGuid,
|
||||
&mVendorKeyState,
|
||||
sizeof (UINT8),
|
||||
EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
|
||||
0,
|
||||
0,
|
||||
&Variable,
|
||||
NULL
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
|
||||
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_VENDOR_KEYS_VARIABLE_NAME, mVendorKeyState));
|
||||
|
||||
return Status;
|
||||
}
|
||||
|
||||
@@ -911,6 +961,56 @@ CheckSignatureListFormat(
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
/**
|
||||
Update "VendorKeys" variable to record the out of band secure boot key modification.
|
||||
|
||||
@return EFI_SUCCESS Variable is updated successfully.
|
||||
@return Others Failed to update variable.
|
||||
|
||||
**/
|
||||
EFI_STATUS
|
||||
VendorKeyIsModified (
|
||||
VOID
|
||||
)
|
||||
{
|
||||
EFI_STATUS Status;
|
||||
VARIABLE_POINTER_TRACK Variable;
|
||||
|
||||
if (mVendorKeyState == VENDOR_KEYS_MODIFIED) {
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
mVendorKeyState = VENDOR_KEYS_MODIFIED;
|
||||
|
||||
FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
|
||||
Status = UpdateVariable (
|
||||
EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
|
||||
&gEfiVendorKeysNvGuid,
|
||||
&mVendorKeyState,
|
||||
sizeof (UINT8),
|
||||
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
|
||||
0,
|
||||
0,
|
||||
&Variable,
|
||||
NULL
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
|
||||
FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
|
||||
return UpdateVariable (
|
||||
EFI_VENDOR_KEYS_VARIABLE_NAME,
|
||||
&gEfiGlobalVariableGuid,
|
||||
&mVendorKeyState,
|
||||
sizeof (UINT8),
|
||||
EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
|
||||
0,
|
||||
0,
|
||||
&Variable,
|
||||
NULL
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
Process variable with platform key for verification.
|
||||
|
||||
@@ -985,6 +1085,13 @@ ProcessVarWithPk (
|
||||
Variable,
|
||||
&((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
|
||||
);
|
||||
if (EFI_ERROR(Status)) {
|
||||
return Status;
|
||||
}
|
||||
|
||||
if (mPlatformMode != SETUP_MODE) {
|
||||
Status = VendorKeyIsModified ();
|
||||
}
|
||||
} else if (mPlatformMode == USER_MODE) {
|
||||
//
|
||||
// Verify against X509 Cert in PK database.
|
||||
@@ -1117,6 +1224,13 @@ ProcessVarWithKek (
|
||||
Variable,
|
||||
&((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
|
||||
);
|
||||
if (EFI_ERROR (Status)) {
|
||||
return Status;
|
||||
}
|
||||
|
||||
if (mPlatformMode != SETUP_MODE) {
|
||||
Status = VendorKeyIsModified ();
|
||||
}
|
||||
}
|
||||
|
||||
return Status;
|
||||
|
Reference in New Issue
Block a user