diff --git a/MdePkg/Include/Guid/ImageAuthentication.h b/MdePkg/Include/Guid/ImageAuthentication.h new file mode 100644 index 0000000000..b965a42549 --- /dev/null +++ b/MdePkg/Include/Guid/ImageAuthentication.h @@ -0,0 +1,221 @@ +/** @file + Platform Key, Key Exchange Key, and Image signature database are defined + for the signed image validation. + + Copyright (c) 2009, Intel Corporation + All rights reserved. This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + + @par Revision Reference: + GUIDs defined in UEFI 2.2 spec. +**/ + +#ifndef __IMAGE_AUTHTICATION_H__ +#define __IMAGE_AUTHTICATION_H__ + +#include + +#define EFI_IMAGE_SECURITY_DATABASE_GUID \ + { \ + 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f } \ + } + +/// +/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID +/// for the authorized signature database. +/// +#define EFI_IMAGE_SECURITY_DATABASE L"db" +/// +/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID +/// for the forbidden signature database. +/// +#define EFI_IMAGE_SECURITY_DATABASE1 L"dbx" + +#define SETUP_MODE 1 +#define USER_MODE 0 +/// +/// Globally "SetupMode" variable to specify whether the system is currently operating +/// in setup mode (1) or not (0). All other values are reserved. +/// +#define EFI_SETUP_MODE_NAME L"SetupMode" +/// +/// Globally "PK" variable for the Platform Key Signature Database. +/// +#define EFI_PLATFORM_KEY_NAME L"PK" +/// +/// Globally "KEK" variable for the Key Exchange Key Signature Database. +/// +#define EFI_KEY_EXCHANGE_KEY_NAME L"KEK" +/// +/// Globally "SignatureSupport" variable returns an array of GUIDs, +/// with each GUID representing a type of signature which the platform +/// firmware supports for images and other data. +/// +#define EFI_SIGNATURE_SUPPORT_NAME L"SignatureSupport" + +//*********************************************************************** +// Signature Database +//*********************************************************************** +/// +/// The format of a signature database. +/// +#pragma pack(1) + +typedef struct { + /// + /// An identifier which identifies the agent which added the signature to the list. + /// + EFI_GUID SignatureOwner; + /// + /// The format of the signature is defined by the SignatureType. + /// + UINT8 SignatureData[1]; +} EFI_SIGNATURE_DATA; + +typedef struct { + /// + /// Type of the signature. GUID signature types are defined in below. + /// + EFI_GUID SignatureType; + /// + /// Total size of the signature list, including this header. + /// + UINT32 SignatureListSize; + /// + /// Size of the signature header which precedes the array of signatures. + /// + UINT32 SignatureHeaderSize; + /// + /// Size of each signature. + /// + UINT32 SignatureSize; + /// + /// Header before the array of signatures. The format of this header is specified + /// by the SignatureType. + /// UINT8 SignatureHeader[SignatureHeaderSize]; + /// + /// An array of signatures. Each signature is SignatureSize bytes in length. + /// EFI_SIGNATURE_DATA Signatures[][SignatureSize]; + /// +} EFI_SIGNATURE_LIST; + +#pragma pack() + +/// +/// This identifies a signature containing a SHA-256 hash. The SignatureHeader size should +/// always be 0. The SignatureSize should always be 32 bytes. +/// +#define EFI_CERT_SHA256_GUID \ + { \ + 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28} \ + } + +/// +/// This identifies a signature containing an RSA-2048 key. The SignatureHeader size should +/// always be 0. The SignatureSize should always be 256 bytes. +/// +#define EFI_CERT_RSA2048_GUID \ + { \ + 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \ + } + +/// +/// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash. The +/// SignatureHeader size should always be 0. The SignatureSize should always be 256 bytes. +/// +#define EFI_CERT_RSA2048_SHA256_GUID \ + { \ + 0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84} \ + } + +/// +/// This identifies a signature containing a SHA-1 hash. The SignatureHeader size should always +/// be 0. The SignatureSize should always be 20 bytes +/// +#define EFI_CERT_SHA1_GUID \ + { \ + 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd} \ + } + +/// +/// This identifies a signature containing a RSA-2048 signature of a SHA-1 hash. The +/// SignatureHeader size should always be 0. The SignatureSize should always be 256 bytes. +/// +#define EFI_CERT_RSA2048_SHA1_GUID \ + { \ + 0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80} \ + } + +/// +/// This identifies a signature based on an X.509 certificate. If the signature is an X.509 certificate then +/// verification of the signature of an image should validate the public key certificate in the image using +/// certificate path verification, up to this X.509 certificate as a trusted root. +/// +#define EFI_CERT_X509 \ + { \ + 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \ + } + +//*********************************************************************** +// Image Execution Information Table Definition +//*********************************************************************** +typedef UINT32 EFI_IMAGE_EXECUTION_ACTION; + +#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007 + +// +// EFI_IMAGE_EXECUTION_INFO is added to EFI System Configuration Table +// and assigned the GUID EFI_IMAGE_SECURITY_DATABASE_GUID. +// +typedef struct { + /// + /// Describes the action taken by the firmware regarding this image. + /// + EFI_IMAGE_EXECUTION_ACTION Action; + /// + /// Size of all of the entire structure. + /// + UINT32 InfoSize; + /// + /// If this image was a UEFI device driver (for option ROM, for example) this is the + /// null-terminated, user-friendly name for the device. If the image was for an application, + /// then this is the name of the application. If this cannot be determined, then a simple + /// NULL character should be put in this position. + /// CHAR16 Name[]; + /// + + /// + /// For device drivers, this is the device path of the device for which this device driver + /// was intended. In some cases, the driver itself may be stored as part of the system + /// firmware, but this field should record the device's path, not the firmware path. For + /// applications, this is the device path of the application. If this cannot be determined, + /// a simple end-of-path device node should be put in this position. + /// EFI_DEVICE_PATH_PROTOCOL DevicePath; + /// + + /// + /// The image digest of the image. The certificate type must be one of the hash types. + /// The hash type must match the type used in the Signature field. + /// + WIN_CERTIFICATE ImageHash; + /// + /// Zero or more image signatures. If the image contained no signtures, + /// then this field is empty. + /// + WIN_CERTIFICATE Signature; +} EFI_IMAGE_EXECUTION_INFO; + +extern EFI_GUID gEfiImageSecurityDatabaseGuid; +extern EFI_GUID gEfiCertSha256Guid; +extern EFI_GUID gEfiCertRsa2048Guid; +extern EFI_GUID gEfiCertRsa2048Sha256Guid; +extern EFI_GUID gEfiCertSha1Guid; +extern EFI_GUID gEfiCertRsa2048Sha1Guid; +extern EFI_GUID gEfiCertX509Guid; + +#endif diff --git a/MdePkg/Include/Guid/MemoryOverwriteControl.h b/MdePkg/Include/Guid/MemoryOverwriteControl.h new file mode 100644 index 0000000000..ac50ecd603 --- /dev/null +++ b/MdePkg/Include/Guid/MemoryOverwriteControl.h @@ -0,0 +1,76 @@ +/** @file + GUID used for MemoryOverwriteRequestControl UEFI variable defined in + TCG Platform Reset Attack Mitigation Specification 1.00. + See http://trustedcomputinggroup.org for the latest specification + + The purpose of the MemoryOverwriteRequestControl UEFI variable is to give users (e.g., OS, loader) the ability to + indicate to the platform that secrets are present in memory and that the platform firmware must clear memory upon + a restart. The OS loader should not create the variable. Rather, the firmware is required to create it. + + Copyright (c) 2009, Intel Corporation + All rights reserved. This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#ifndef _MEMORY_OVERWRITE_CONTROL_DATA_GUID_H_ +#define _MEMORY_OVERWRITE_CONTROL_DATA_GUID_H_ + +#define MEMORY_ONLY_RESET_CONTROL_GUID \ + { \ + 0xe20939be, 0x32d4, 0x41be, {0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29} \ + } + +/// +/// Variable name is "MemoryOverwriteRequestControl" and it is a 1 byte unsigned value. +/// The attributes should be: +/// EFI_VARIABLE_NON_VOLATILE | +/// EFI_VARIABLE_BOOTSERVICE_ACCESS | +/// EFI_VARIABLE_RUNTIME_ACCESS +/// +#define MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME L"MemoryOverwriteRequestControl" + +/// +/// 0 = Firmware MUST clear the MOR bi +/// 1 = Firmware MUST set the MOR bit +/// +#define MOR_CLEAR_MEMORY_BIT_MASK 0x01 + +/// +/// 0 = Firmware MAY autodetect a clean shutdown of the Static RTM OS. +/// 1 = Firmware MUST NOT autodetect a clean shutdown of the Static RTM OS. +/// +#define MOR_DISABLEAUTODETECT_BIT_MASK 0x10 + +/// +/// MOR field bit offset +/// +#define MOR_CLEAR_MEMORY_BIT_OFFSET 0 +#define MOR_DISABLEAUTODETECT_BIT_OFFSET 4 + +/** + Return the ClearMemory bit value 0 or 1. + + @param mor 1 byte value that contains ClearMemory and DisableAutoDetect bit. + + @return ClearMemory bit value +**/ +#define MOR_CLEAR_MEMORY_VALUE(mor) (((UINT8)(mor) & MOR_CLEAR_MEMORY_BIT_MASK) >> MOR_CLEAR_MEMORY_BIT_OFFSET) + +/** + Return the DisableAutoDetect bit value 0 or 1. + + @param mor 1 byte value that contains ClearMemory and DisableAutoDetect bit. + + @return DisableAutoDetect bit value +**/ +#define MOR_DISABLE_AUTO_DETECT_VALUE(mor) (((UINT8)(mor) & MOR_DISABLEAUTODETECT_BIT_MASK) >> MOR_DISABLEAUTODETECT_BIT_OFFSET) + +extern EFI_GUID gEfiMemoryOverwriteControlDataGuid; + +#endif diff --git a/MdePkg/Include/Guid/WinCertificate.h b/MdePkg/Include/Guid/WinCertificate.h new file mode 100644 index 0000000000..f7a4190c2e --- /dev/null +++ b/MdePkg/Include/Guid/WinCertificate.h @@ -0,0 +1,128 @@ +/** @file + GUID for UEFI WIN_CERTIFICATE structure. + + Copyright (c) 2006 - 2009, Intel Corporation + All rights reserved. This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + + @par Revision Reference: + GUID defined in UEFI 2.0 spec. +**/ + +#ifndef __EFI_WIN_CERTIFICATE_H__ +#define __EFI_WIN_CERTIFICATE_H__ + +// +// _WIN_CERTIFICATE.wCertificateType +// +#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002 +#define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0 +#define WIN_CERT_TYPE_EFI_GUID 0x0EF1 + +/// +/// The WIN_CERTIFICATE structure is part of the PE/COFF specification. +/// +typedef struct { + /// + /// The length of the entire certificate, + /// including the length of the header, in bytes. + /// + UINT32 dwLength; + /// + /// The revision level of the WIN_CERTIFICATE + /// structure. The current revision level is 0x0200. + /// + UINT16 wRevision; + /// + /// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI + /// certificate types. The UEFI specification reserves the range of + /// certificate type values from 0x0EF0 to 0x0EFF. + /// + UINT16 wCertificateType; + /// + /// The following is the actual certificate. The format of + /// the certificate depends on wCertificateType. + /// + /// UINT8 bCertificate[ANYSIZE_ARRAY]; + /// +} WIN_CERTIFICATE; + +/// +/// WIN_CERTIFICATE_UEFI_GUID.CertType +/// +#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \ + {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } } + +/// +/// WIN_CERTIFICATE_UEFI_GUID.CertData +/// +typedef struct { + UINT32 HashType; + UINT8 PublicKey[256]; + UINT8 Signature[256]; +} EFI_CERT_BLOCK_RSA_2048_SHA256; + + +/// +/// Certificate which encapsulates a GUID-specific digital signature +/// +typedef struct { + /// + /// This is the standard WIN_CERTIFICATE header, where + /// wCertificateType is set to WIN_CERT_TYPE_UEFI_GUID. + /// + WIN_CERTIFICATE Hdr; + /// + /// This is the unique id which determines the + /// format of the CertData. . + /// + EFI_GUID CertType; + /// + /// The following is the certificate data. The format of + /// the data is determined by the CertType. + /// If CertType is EFI_CERT_TYPE_RSA2048_SHA256_GUID, + /// the CertData will be EFI_CERT_BLOCK_RSA_2048_SHA256 structure. + /// + UINT8 CertData[1]; +} WIN_CERTIFICATE_UEFI_GUID; + + +/// +/// Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature. +/// +/// The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from +/// WIN_CERTIFICATE and encapsulate the information needed to +/// implement the RSASSA-PKCS1-v1_5 digital signature algorithm as +/// specified in RFC2437. +/// +typedef struct { + /// + /// This is the standard WIN_CERTIFICATE header, where + /// wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15. + /// + WIN_CERTIFICATE Hdr; + /// + /// This is the hashing algorithm which was performed on the + /// UEFI executable when creating the digital signature. + /// + EFI_GUID HashAlgorithm; + /// + /// The following is the actual digital signature. The + /// size of the signature is the same size as the key + /// (1024-bit key is 128 bytes) and can be determined by + /// subtracting the length of the other parts of this header + /// from the total length of the certificate as found in + /// Hdr.dwLength. + /// + /// UINT8 Signature[]; + /// +} WIN_CERTIFICATE_EFI_PKCS1_15; + +extern EFI_GUID gEfiCertTypeRsa2048Sha256Guid; + +#endif diff --git a/MdePkg/Include/Protocol/AuthenticationInfo.h b/MdePkg/Include/Protocol/AuthenticationInfo.h index b520327834..a3c9b97377 100644 --- a/MdePkg/Include/Protocol/AuthenticationInfo.h +++ b/MdePkg/Include/Protocol/AuthenticationInfo.h @@ -34,6 +34,7 @@ typedef struct _EFI_AUTHENTICATION_INFO_PROTOCOL EFI_AUTHENTICATION_INFO_PROTOCOL; +#pragma pack(1) typedef struct { /// /// Authentication Type GUID. @@ -52,7 +53,7 @@ typedef struct { /// /// RADIUS Server IPv4 or IPv6 Address /// - EFI_IPv6_ADDRESS RadiusIpAddr; ///< IPv4 or IPv6 address + UINT8 RadiusIpAddr[16]; ///< IPv4 or IPv6 address /// /// Reserved for future use @@ -62,7 +63,7 @@ typedef struct { /// /// Network Access Server IPv4 or IPv6 Address (OPTIONAL) /// - EFI_IPv6_ADDRESS NasIpAddr; ///< IPv4 or IPv6 address + UINT8 NasIpAddr[16]; ///< IPv4 or IPv6 address /// /// Network Access Server Secret Length in bytes (OPTIONAL) @@ -70,29 +71,27 @@ typedef struct { UINT16 NasSecretLength; /// - /// Network Access Server secret (OPTIONAL) + /// Network Access Server Secret (OPTIONAL) /// - UINT8 *NasSecret; + UINT8 NasSecret[1]; + /// + /// CHAP Initiator Secret length in bytes on offset NasSecret + NasSecretLength. /// - /// CHAP Initiator Secret length in bytes - /// - UINT16 ChapSecretLength; - + /// UINT16 ChapSecretLength; /// /// CHAP Initiator Secret /// - UINT8 *ChapSecret; - + /// UINT8 ChapSecret[]; /// - /// CHAP Initiator Name Length in bytes + /// CHAP Initiator Name Length in bytes on offset ChapSecret + ChapSecretLength /// - UINT16 ChapNameLength; - + /// UINT16 ChapNameLength; /// /// CHAP Initiator Name /// - UINT8 *ChapName; + /// UINT8 ChapName[]; + /// } CHAP_RADIUS_AUTH_NODE; typedef struct { @@ -111,45 +110,42 @@ typedef struct { /// /// User Secret /// - UINT8 *UserSecret; + UINT8 UserSecret[1]; /// - /// User Name Length in bytes + /// User Name Length in bytes on offset UserSecret + UserSecretLength /// - UINT16 UserNameLength; - + /// UINT16 UserNameLength; /// /// User Name /// - UINT8 *UserName; - + /// UINT8 *UserName; /// - /// CHAP Initiator Secret length in bytes + /// CHAP Initiator Secret length in bytes on offset UserName + UserNameLength /// - UINT16 ChapSecretLength; - + /// UINT16 ChapSecretLength; /// /// CHAP Initiator Secret /// - UINT8 *ChapSecret; - + /// UINT8 *ChapSecret; /// - /// CHAP Initiator Name Length in bytes + /// CHAP Initiator Name Length in bytes on offset ChapSecret + ChapSecretLength /// - UINT16 ChapNameLength; - + /// UINT16 ChapNameLength; /// /// CHAP Initiator Name /// - UINT8 *ChapName; + /// UINT8 *ChapName; + /// } CHAP_LOCAL_AUTH_NODE; +#pragma pack() /** Retrieves the authentication information associated with a particular controller handle. - @param This Pointer to the EFI_AUTHENTICATION_INFO_PROTOCOL - @param ControllerHandle Handle to the Controller - @param Buffer Pointer to the authentication information. + @param[in] This Pointer to the EFI_AUTHENTICATION_INFO_PROTOCOL + @param[in] ControllerHandle Handle to the Controller + @param[out] Buffer Pointer to the authentication information. @retval EFI_SUCCESS Successfully retrieved authentication information for the given ControllerHandle @retval EFI_INVALID_PARAMETER No matching authentication information found for the given ControllerHandle @@ -163,14 +159,14 @@ EFI_STATUS IN EFI_AUTHENTICATION_INFO_PROTOCOL *This, IN EFI_HANDLE *ControllerHandle, OUT VOID *Buffer - ); + ); /** Set the authentication information for a given controller handle. - @param This Pointer to the EFI_AUTHENTICATION_INFO_PROTOCOL - @param ControllerHandle Handle to the Controller - @param Buffer Pointer to the authentication information. + @param[in] This Pointer to the EFI_AUTHENTICATION_INFO_PROTOCOL + @param[in] ControllerHandle Handle to the Controller + @param[in] Buffer Pointer to the authentication information. @retval EFI_SUCCESS Successfully set authentication information for the given ControllerHandle @retval EFI_UNSUPPORTED If the platform policies do not allow setting of the authentication diff --git a/MdePkg/Include/Protocol/Hash.h b/MdePkg/Include/Protocol/Hash.h index fda852fd90..b9ed6daa6d 100644 --- a/MdePkg/Include/Protocol/Hash.h +++ b/MdePkg/Include/Protocol/Hash.h @@ -4,7 +4,6 @@ The EFI Hash Service Binding Protocol is used to locate hashing services support provided by a driver and to create and destroy instances of the EFI Hash Protocol so that a multiple drivers can use the underlying hashing services. - The EFI Service Binding Protocol defines the generic Service Binding Protocol functions. Copyright (c) 2006 - 2009, Intel Corporation All rights reserved. This program and the accompanying materials @@ -81,9 +80,9 @@ typedef union { /** Returns the size of the hash which results from a specific algorithm. - @param This Points to this instance of EFI_HASH_PROTOCOL. - @param HashAlgorithm Points to the EFI_GUID which identifies the algorithm to use. - @param HashSize Holds the returned size of the algorithm's hash. + @param[in] This Points to this instance of EFI_HASH_PROTOCOL. + @param[in] HashAlgorithm Points to the EFI_GUID which identifies the algorithm to use. + @param[out] HashSize Holds the returned size of the algorithm's hash. @retval EFI_SUCCESS Hash size returned successfully. @retval EFI_INVALID_PARAMETER HashSize is NULL @@ -102,14 +101,14 @@ EFI_STATUS /** Returns the size of the hash which results from a specific algorithm. - @param This Points to this instance of EFI_HASH_PROTOCOL. - @param HashAlgorithm Points to the EFI_GUID which identifies the algorithm to use. - @param Extend Specifies whether to create a new hash (FALSE) or extend the specified - existing hash (TRUE). - @param Message Points to the start of the message. - @param MessageSize The size of Message, in bytes. - @param Hash On input, if Extend is TRUE, then this holds the hash to extend. On - output, holds the resulting hash computed from the message. + @param[in] This Points to this instance of EFI_HASH_PROTOCOL. + @param[in] HashAlgorithm Points to the EFI_GUID which identifies the algorithm to use. + @param[in] Extend Specifies whether to create a new hash (FALSE) or extend the specified + existing hash (TRUE). + @param[in] Message Points to the start of the message. + @param[in] MessageSize The size of Message, in bytes. + @param[in,out] Hash On input, if Extend is TRUE, then this holds the hash to extend. On + output, holds the resulting hash computed from the message. @retval EFI_SUCCESS Hash returned successfully. @retval EFI_INVALID_PARAMETER Message or Hash is NULL diff --git a/MdePkg/Include/Uefi/UefiMultiPhase.h b/MdePkg/Include/Uefi/UefiMultiPhase.h index f82a8ae792..7c4cec1103 100644 --- a/MdePkg/Include/Uefi/UefiMultiPhase.h +++ b/MdePkg/Include/Uefi/UefiMultiPhase.h @@ -15,6 +15,7 @@ #ifndef __UEFI_MULTIPHASE_H__ #define __UEFI_MULTIPHASE_H__ +#include /// /// Enumeration of memory types introduced in UEFI. /// @@ -130,114 +131,6 @@ typedef struct { /// #define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010 -// -// _WIN_CERTIFICATE.wCertificateType -// -#define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0 -#define WIN_CERT_TYPE_EFI_GUID 0x0EF1 - -/// -/// The WIN_CERTIFICATE structure is part of the PE/COFF specification. -/// -typedef struct _WIN_CERTIFICATE { - /// - /// The length of the entire certificate, - /// including the length of the header, in bytes. - /// - UINT32 dwLength; - /// - /// The revision level of the WIN_CERTIFICATE - /// structure. The current revision level is 0x0200. - /// - UINT16 wRevision; - /// - /// The certificate type. See WIN_CERT_TYPE_xxx for the UEFI - /// certificate types. The UEFI specification reserves the range of - /// certificate type values from 0x0EF0 to 0x0EFF. - /// - UINT16 wCertificateType; - /// - /// The following is the actual certificate. The format of - /// the certificate depends on wCertificateType. - /// - /// UINT8 bCertificate[ANYSIZE_ARRAY]; - /// -} WIN_CERTIFICATE; - -/// -/// WIN_CERTIFICATE_UEFI_GUID.CertType -/// -#define EFI_CERT_TYPE_RSA2048_SHA256_GUID \ - {0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } } - -/// -/// WIN_CERTIFICATE_UEFI_GUID.CertData -/// -typedef struct _EFI_CERT_BLOCK_RSA_2048_SHA256 { - UINT32 HashType; - UINT8 PublicKey[256]; - UINT8 Signature[256]; -} EFI_CERT_BLOCK_RSA_2048_SHA256; - - -/// -/// Certificate which encapsulates a GUID-specific digital signature -/// -typedef struct _WIN_CERTIFICATE_UEFI_GUID { - /// - /// This is the standard WIN_CERTIFICATE header, where - /// wCertificateType is set to WIN_CERT_TYPE_UEFI_GUID. - /// - WIN_CERTIFICATE Hdr; - /// - /// This is the unique id which determines the - /// format of the CertData. In this case, the - /// value is EFI_CERT_TYPE_RSA2048_SHA256_GUID. - /// - EFI_GUID CertType; - /// - /// The following is the certificate data. The format of - /// the data is determined by the CertType. In this case the value is - /// EFI_CERT_BLOCK_RSA_2048_SHA256. - /// - /// UINT8 CertData[ANYSIZE_ARRAY]; - /// -} WIN_CERTIFICATE_UEFI_GUID; - - -/// -/// Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature. -/// -/// The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from -/// WIN_CERTIFICATE and encapsulate the information needed to -/// implement the RSASSA-PKCS1-v1_5 digital signature algorithm as -/// specified in RFC2437. -/// -typedef struct _WIN_CERTIFICATE_EFI_PKCS1_15 { - /// - /// This is the standard WIN_CERTIFICATE header, where - /// wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15. - /// - WIN_CERTIFICATE Hdr; - /// - /// This is the hashing algorithm which was performed on the - /// UEFI executable when creating the digital signature. - /// - EFI_GUID HashAlgorithm; - /// - /// The following is the actual digital signature. The - /// size of the signature is the same size as the key - /// (1024-bit key is 128 bytes) and can be determined by - /// subtracting the length of the other parts of this header - /// from the total length of the certificate as found in - /// Hdr.dwLength. - /// - /// UINT8 Signature[ANYSIZE_ARRAY]; - /// -} WIN_CERTIFICATE_EFI_PKCS1_15; - - - /// /// AuthInfo is a WIN_CERTIFICATE using the wCertificateType /// WIN_CERTIFICATE_UEFI_GUID and the CertType diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index acbd6a69c8..72baed191e 100644 --- a/MdePkg/MdePkg.dec +++ b/MdePkg/MdePkg.dec @@ -317,6 +317,33 @@ ## Include/Guid/HiiPlatformSetupFormset.h gEfiHiiPlatformSetupFormsetGuid = { 0x93039971, 0x8545, 0x4b04, { 0xb4, 0x5e, 0x32, 0xeb, 0x83, 0x26, 0x04, 0x0e }} + ## Include/Guid/MemoryOverwriteControl.h + gEfiMemoryOverwriteControlDataGuid = { 0xe20939be, 0x32d4, 0x41be, {0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29 }} + + ## Include/Guid/WinCertificate.h + gEfiCertTypeRsa2048Sha256Guid = { 0xa7717414, 0xc616, 0x4977, {0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf }} + + ## Include/Guid/ImageAuthentication.h + gEfiImageSecurityDatabaseGuid = { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }} + + ## Include/Guid/ImageAuthentication.h + gEfiCertSha256Guid = { 0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }} + + ## Include/Guid/ImageAuthentication.h + gEfiCertRsa2048Guid = { 0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6 }} + + ## Include/Guid/ImageAuthentication.h + gEfiCertRsa2048Sha256Guid = { 0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84 }} + + ## Include/Guid/ImageAuthentication.h + gEfiCertSha1Guid = { 0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd }} + + ## Include/Guid/ImageAuthentication.h + gEfiCertRsa2048Sha1Guid = {0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80 }} + + ## Include/Guid/ImageAuthentication.h + gEfiCertX509Guid = { 0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 }} + # # GUID defined in PI1.0 #