Add “VendorKeys” variable for indicating out of band key modification.

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14660 6f19259b-4bc3-4df7-8a09-765794883524

SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c

@@ -36,6 +36,8 @@ UINT8    mPubKeyStore[MAX_KEYDB_SIZE];
 UINT32   mPubKeyNumber;
 UINT8    mCertDbStore[MAX_CERTDB_SIZE];
 UINT32   mPlatformMode;
+UINT8    mVendorKeyState;
+
 EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
 //
 // Public Exponent of RSA Key.
@@ -255,7 +257,7 @@ AutenticatedVariableServiceInitialize (
   }
   
   //
-  // Create "SetupMode" varable with BS+RT attribute set.
+  // Create "SetupMode" variable with BS+RT attribute set.
   //
   FindVariable (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
   if (PkVariable.CurrPtr == NULL) {
@@ -279,7 +281,7 @@ AutenticatedVariableServiceInitialize (
   }
   
   //
-  // Create "SignatureSupport" varable with BS+RT attribute set.
+  // Create "SignatureSupport" variable with BS+RT attribute set.
   //
   FindVariable (EFI_SIGNATURE_SUPPORT_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
   Status  = UpdateVariable (
@@ -328,7 +330,7 @@ AutenticatedVariableServiceInitialize (
   }
 
   //
-  // Create "SecureBoot" varable with BS+RT attribute set.
+  // Create "SecureBoot" variable with BS+RT attribute set.
   //
   if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
     SecureBootMode = SECURE_BOOT_MODE_ENABLE;
@@ -409,6 +411,54 @@ AutenticatedVariableServiceInitialize (
     }
   }  
 
+  //
+  // Check "VendorKeysNv" variable's existence and create "VendorKeys" variable accordingly.
+  //
+  FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+  if (Variable.CurrPtr != NULL) {
+    mVendorKeyState = *(GetVariableDataPtr (Variable.CurrPtr));
+  } else {
+    //
+    // "VendorKeysNv" not exist, initialize it in VENDOR_KEYS_VALID state.
+    //
+    mVendorKeyState = VENDOR_KEYS_VALID;
+    Status = UpdateVariable (
+               EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
+               &gEfiVendorKeysNvGuid,
+               &mVendorKeyState,
+               sizeof (UINT8),
+               EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
+               0,
+               0,
+               &Variable,
+               NULL
+               );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+  }
+
+  //
+  // Create "VendorKeys" variable with BS+RT attribute set.
+  //
+  FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+  Status = UpdateVariable (
+             EFI_VENDOR_KEYS_VARIABLE_NAME,
+             &gEfiGlobalVariableGuid,
+             &mVendorKeyState,
+             sizeof (UINT8),
+             EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+             0,
+             0,
+             &Variable,
+             NULL
+             );
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_VENDOR_KEYS_VARIABLE_NAME, mVendorKeyState));
+
   return Status;
 }
 
@@ -911,6 +961,56 @@ CheckSignatureListFormat(
   return EFI_SUCCESS;
 }
 
+/**
+  Update "VendorKeys" variable to record the out of band secure boot key modification.
+
+  @return EFI_SUCCESS           Variable is updated successfully.
+  @return Others                Failed to update variable.
+  
+**/
+EFI_STATUS
+VendorKeyIsModified (
+  VOID
+  )
+{
+  EFI_STATUS              Status;
+  VARIABLE_POINTER_TRACK  Variable;
+
+  if (mVendorKeyState == VENDOR_KEYS_MODIFIED) {
+    return EFI_SUCCESS;
+  }
+  mVendorKeyState = VENDOR_KEYS_MODIFIED;
+  
+  FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+  Status = UpdateVariable (
+             EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
+             &gEfiVendorKeysNvGuid,
+             &mVendorKeyState,
+             sizeof (UINT8),
+             EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
+             0,
+             0,
+             &Variable,
+             NULL
+             );
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+  return UpdateVariable (
+           EFI_VENDOR_KEYS_VARIABLE_NAME,
+           &gEfiGlobalVariableGuid,
+           &mVendorKeyState,
+           sizeof (UINT8),
+           EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+           0,
+           0,
+           &Variable,
+           NULL
+           );
+}
+
 /**
   Process variable with platform key for verification.
 
@@ -985,6 +1085,13 @@ ProcessVarWithPk (
                Variable,
                &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
                );
+    if (EFI_ERROR(Status)) {
+      return Status;
+    }
+
+    if (mPlatformMode != SETUP_MODE) {
+      Status = VendorKeyIsModified ();
+    }
   } else if (mPlatformMode == USER_MODE) {
     //
     // Verify against X509 Cert in PK database.
@@ -1117,6 +1224,13 @@ ProcessVarWithKek (
                Variable,
                &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
                );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+
+    if (mPlatformMode != SETUP_MODE) {
+      Status = VendorKeyIsModified ();
+    }
   }
 
   return Status;