sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sravan:a2abc5e15f14b071a977463f3974e0c6eb2a9cce
Branches Tags
sravan:system76 sravan:rebase-stable202405 sravan:master sravan:dev/ec-fmp sravan:esrt sravan:system76-stable202108 sravan:bonw14-display sravan:bonw14 sravan:system76-stable202205 sravan:system76-stable202002 sravan:intel-fsp-tgl sravan:system76-corebootpayloadpkg sravan:UDK2017
sravan:edk2-stable202405 sravan:edk2-stable202402 sravan:edk2-stable202311 sravan:edk2-stable202308 sravan:edk2-stable202305 sravan:edk2-stable202302 sravan:edk2-stable202211 sravan:edk2-stable202208 sravan:edk2-stable202205 sravan:edk2-stable202205-rc1 sravan:edk2-stable202202 sravan:edk2-stable202202-rc1 sravan:edk2-stable202111 sravan:edk2-stable202111-rc1 sravan:edk2-stable202108 sravan:edk2-stable202108-rc1 sravan:edk2-stable202108-rc0 sravan:edk2-stable202105 sravan:edk2-stable202102 sravan:edk2-stable202011 sravan:edk2-stable202008 sravan:edk2-stable202005 sravan:2020.03.17 sravan:edk2-stable202002 sravan:2019.12.01 sravan:edk2-stable201911 sravan:edk2-stable201908 sravan:edk2-stable201905 sravan:edk2-stable201903 sravan:edk2-stable201811 sravan:edk2-stable201808 sravan:vUDK2018 sravan:vUDK2017
...
compare: sravan:dev/ec-fmp
Branches Tags
sravan:system76 sravan:rebase-stable202405 sravan:master sravan:dev/ec-fmp sravan:esrt sravan:system76-stable202108 sravan:bonw14-display sravan:bonw14 sravan:system76-stable202205 sravan:system76-stable202002 sravan:intel-fsp-tgl sravan:system76-corebootpayloadpkg sravan:UDK2017
sravan:edk2-stable202405 sravan:edk2-stable202402 sravan:edk2-stable202311 sravan:edk2-stable202308 sravan:edk2-stable202305 sravan:edk2-stable202302 sravan:edk2-stable202211 sravan:edk2-stable202208 sravan:edk2-stable202205 sravan:edk2-stable202205-rc1 sravan:edk2-stable202202 sravan:edk2-stable202202-rc1 sravan:edk2-stable202111 sravan:edk2-stable202111-rc1 sravan:edk2-stable202108 sravan:edk2-stable202108-rc1 sravan:edk2-stable202108-rc0 sravan:edk2-stable202105 sravan:edk2-stable202102 sravan:edk2-stable202011 sravan:edk2-stable202008 sravan:edk2-stable202005 sravan:2020.03.17 sravan:edk2-stable202002 sravan:2019.12.01 sravan:edk2-stable201911 sravan:edk2-stable201908 sravan:edk2-stable201905 sravan:edk2-stable201903 sravan:edk2-stable201811 sravan:edk2-stable201808 sravan:vUDK2018 sravan:vUDK2017

21 Commits
a2abc5e15f ... dev/ec-fmp

Author SHA1 Message Date
Tim Crawford
153b1e1afb UefiPayloadPkg: Enable Capsule On Disk support 
Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2024-05-29 14:30:39 -06:00
Tim Crawford
102042deda Add FMP for System76 EC 
Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2024-05-29 14:29:59 -06:00
Tim Crawford
045b938884 UefiPayloadPkg: Enable FMP-based ESRT 
Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2024-05-29 14:29:59 -06:00
Gerd Hoffmann
88f5720e16 MdeModulePkg/UsbBusDxe: fix NOOPT build error 
gcc-11 (fedora 35):

/home/kraxel/projects/edk2/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBus.c: In function ?UsbIoBulkTransfer?:
/home/kraxel/projects/edk2/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbBus.c:277:12: error: ?UsbHcBulkTransfer? accessing 80 bytes in a region of size 8 [-Werror=stringop-overflow=]

Upstream commit ae8272ef78

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Hao A Wu <hao.a.wu@intel.com>
 2024-02-21 09:11:18 -07:00
Tim Crawford
27585e73da Update DBX to 2023-05-09 
Ref: https://uefi.org/revocationlistfile
Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2023-06-27 08:16:14 -06:00
Tim Crawford
42a443d5cd SecurityPkg: Fix debug build 
For some reason only DEBUG builds fail because of the unused variable.

Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2023-06-22 13:41:43 -06:00
Tim Crawford
c466cc2ca5 Add System76 Secure Boot keys 
Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2023-03-07 18:10:00 -07:00
Tim Crawford
5c49aca613 Update DBX to 2022-09-07 
Ref: https://uefi.org/revocationlistfile
Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2023-03-07 18:10:00 -07:00
Tim Crawford
99891bd41e SecureBootConfig: Remove blank line 
Remove the blank between "Delete..." and "Restore...".

Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2023-03-07 10:10:35 -07:00
Tim Crawford
3485d55709 SecureBootConfig: Split long strings 
firmware-setup does not wrap long lines, so manually split long strings.

Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2023-03-07 10:10:35 -07:00
Tim Crawford
c1a7127e01 SecureBootConfig: Clear PK and reset 
Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2023-03-07 10:10:35 -07:00
Tim Crawford
2f21eddfb8 SecureBootConfig: Restore keys and reset 
Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2023-03-07 10:10:35 -07:00
Tim Crawford
860c29c923 SecureBootConfig: Update variable and perform reset 
Update the `SecureBootEnable` variable and perform a platform reset when
the enable/disable button is pressed.

Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2023-03-07 10:10:35 -07:00
Tim Crawford
8cfead2839 SecureBootConfig: Add text key to perform the actions 
Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2023-03-07 10:10:35 -07:00
Tim Crawford
30f6b2f3c7 SecureBootConfig: Modify UI 
Rewrite the UI based on feedback from enabling the module.

Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2023-03-07 10:10:35 -07:00
Tim Crawford
4de32568fa UiApp: Link to SecureBootConfig 
Shoehorn in logic from Device Manager to show only the Secure Boot
Config entry under the firmware config form.

Signed-off-by: Tim Crawford <tcrawford@system76.com>
 2023-03-07 10:10:35 -07:00
Jeremy Soller
ff91020528 Notify System76 security callback prior to loading boot options 2023-03-06 15:01:34 -07:00
Feng, Bob C
943773983d BaseTools: Fix DevicePath tool build failure issue 
Fix the DevicePath tool build failure that was introduced by
the fixes: 22130dcd98 ("Basetools: turn off gcc12 warning").
Failure cases are:
1. clang 13.1.6 on macOS
2. gcc5.4

Reported-by: Rebecca Cran <rebecca@bsdio.com>
Reported-by: Yuwei Chen <yuwei.chen@intel.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Bob Feng <bob.c.feng@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Yuwei Chen <yuwei.chen@intel.com>
Cc: Rebecca Cran <rebecca@bsdio.com>
Reviewed-by: Yuwei Chen <yuwei.chen@intel.com>
 2022-08-17 11:40:12 -06:00
Gerd Hoffmann
e91ea5561d Basetools: turn off gcc12 warning 
In function ?SetDevicePathEndNode?,
    inlined from ?FileDevicePath? at DevicePathUtilities.c:857:5:
DevicePathUtilities.c:321:3: error: writing 4 bytes into a region of size 1 [-Werror=stringop-overflow=]
  321 |   memcpy (Node, &mUefiDevicePathLibEndDevicePath, sizeof (mUefiDevicePathLibEndDevicePath));
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from UefiDevicePathLib.h:22,
                 from DevicePathUtilities.c:16:
../Include/Protocol/DevicePath.h: In function ?FileDevicePath?:
../Include/Protocol/DevicePath.h:51:9: note: destination object ?Type? of size 1
   51 |   UINT8 Type;       ///< 0x01 Hardware Device Path.
      |         ^~~~

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Bob Feng <bob.c.feng@intel.com>
 2022-08-17 11:40:12 -06:00
Gerd Hoffmann
5e86b202de BaseTools: fix gcc12 warning 
Sdk/C/LzmaEnc.c: In function ?LzmaEnc_CodeOneMemBlock?:
Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*p.rc.outStream? [-Werror=dangling-pointer=]
 2828 |   p->rc.outStream = &outStream.vt;
      |   ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here
 2811 |   CLzmaEnc_SeqOutStreamBuf outStream;
      |                            ^~~~~~~~~
Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here
Sdk/C/LzmaEnc.c:2828:19: error: storing the address of local variable ?outStream? in ?*(CLzmaEnc *)pp.rc.outStream? [-Werror=dangling-pointer=]
 2828 |   p->rc.outStream = &outStream.vt;
      |   ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~
Sdk/C/LzmaEnc.c:2811:28: note: ?outStream? declared here
 2811 |   CLzmaEnc_SeqOutStreamBuf outStream;
      |                            ^~~~~~~~~
Sdk/C/LzmaEnc.c:2811:28: note: ?pp? declared here
cc1: all warnings being treated as errors

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Bob Feng <bob.c.feng@intel.com>
 2022-08-17 11:40:12 -06:00
Gerd Hoffmann
b764882195 BaseTools: fix gcc12 warning 
GenFfs.c:545:5: error: pointer ?InFileHandle? used after ?fclose? [-Werror=use-after-free]
  545 |     Error(NULL, 0, 4001, "Resource", "memory cannot be allocated  of %s", InFileHandle);
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GenFfs.c:544:5: note: call to ?fclose? here
  544 |     fclose (InFileHandle);
      |     ^~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Bob Feng <bob.c.feng@intel.com>
 2022-08-17 11:40:12 -06:00
25 changed files with 638 additions and 662 deletions
Expand all files Collapse all files

8
BaseTools/Source/C/DevicePath/GNUmakefile
View File

@@ -13,6 +13,14 @@ OBJECTS = DevicePath.o UefiDevicePathLib.o DevicePathFromText.o DevicePathUtili
include $(MAKEROOT)/Makefiles/app.makefile include $(MAKEROOT)/Makefiles/app.makefile
GCCVERSION = $(shell gcc -dumpversion | awk -F'.' '{print $$1}')
ifneq ("$(GCCVERSION)", "5")
ifneq ($(CXX), llvm)
# gcc 12 trips over device path handling
BUILD_CFLAGS += -Wno-error=stringop-overflow
endif
endif
LIBS = -lCommon LIBS = -lCommon
ifeq ($(CYGWIN), CYGWIN) ifeq ($(CYGWIN), CYGWIN)
LIBS += -L/lib/e2fsprogs -luuid LIBS += -L/lib/e2fsprogs -luuid

2
BaseTools/Source/C/GenFfs/GenFfs.c
View File

@@ -542,7 +542,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment)
PeFileBuffer = (UINT8 *) malloc (PeFileSize); PeFileBuffer = (UINT8 *) malloc (PeFileSize);
if (PeFileBuffer == NULL) { if (PeFileBuffer == NULL) {
fclose (InFileHandle); fclose (InFileHandle);
Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle); Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile);
return EFI_OUT_OF_RESOURCES; return EFI_OUT_OF_RESOURCES;
} }
fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle); fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle);

2
BaseTools/Source/C/GenSec/GenSec.c
View File

@@ -1062,7 +1062,7 @@ GetAlignmentFromFile(char *InFile, UINT32 *Alignment)
PeFileBuffer = (UINT8 *) malloc (PeFileSize); PeFileBuffer = (UINT8 *) malloc (PeFileSize);
if (PeFileBuffer == NULL) { if (PeFileBuffer == NULL) {
fclose (InFileHandle); fclose (InFileHandle);
Error(NULL, 0, 4001, "Resource", "memory cannot be allocated of %s", InFileHandle); Error(NULL, 0, 4001, "Resource", "memory cannot be allocated for %s", InFile);
return EFI_OUT_OF_RESOURCES; return EFI_OUT_OF_RESOURCES;
} }
fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle); fread (PeFileBuffer, sizeof (UINT8), PeFileSize, InFileHandle);

3
BaseTools/Source/C/LzmaCompress/Sdk/C/LzmaEnc.c
View File

@@ -2825,12 +2825,13 @@ SRes LzmaEnc_CodeOneMemBlock(CLzmaEncHandle pp, BoolInt reInit,
nowPos64 = p->nowPos64; nowPos64 = p->nowPos64;
RangeEnc_Init(&p->rc); RangeEnc_Init(&p->rc);
p->rc.outStream = &outStream.vt;
if (desiredPackSize == 0) if (desiredPackSize == 0)
return SZ_ERROR_OUTPUT_EOF; return SZ_ERROR_OUTPUT_EOF;
p->rc.outStream = &outStream.vt;
res = LzmaEnc_CodeOneBlock(p, desiredPackSize, *unpackSize); res = LzmaEnc_CodeOneBlock(p, desiredPackSize, *unpackSize);
p->rc.outStream = NULL;
*unpackSize = (UInt32)(p->nowPos64 - nowPos64); *unpackSize = (UInt32)(p->nowPos64 - nowPos64);
*destLen -= outStream.rem; *destLen -= outStream.rem;

120
MdeModulePkg/Application/UiApp/FrontPage.c
View File

@@ -247,6 +247,124 @@ UpdateFrontPageForm (
HiiFreeOpCodeHandle (EndOpCodeHandle); HiiFreeOpCodeHandle (EndOpCodeHandle);
} }
// FIXME: Copied from Device Manager; clean up
void ShowSecureBootConfig(void)
{
void *StartHandle;
void *EndHandle;
EFI_IFR_GUID_LABEL *StartLabel;
EFI_IFR_GUID_LABEL *EndLabel;
EFI_HII_HANDLE *HiiHandles;
EFI_HII_HANDLE HiiHandle = gFrontPagePrivate.HiiHandle;
UINTN Index;
EFI_STRING String;
EFI_STRING_ID Token;
EFI_STRING_ID TokenHelp;
EFI_IFR_FORM_SET *Buffer = NULL;
UINTN BufferSize = 0;
UINT8 ClassGuidNum;
EFI_GUID *ClassGuid;
UINTN TempSize = 0;
UINT8 *Ptr;
EFI_STATUS Status;
// XXX: Copied from SecureBootConfigDxe
EFI_GUID SecureBootConfigGuid = { 0x5daf50a5, 0xea81, 0x4de2, {0x8f, 0x9b, 0xca, 0xbd, 0xa9, 0xcf, 0x5c, 0x14}};
StartHandle = HiiAllocateOpCodeHandle();
ASSERT(StartHandle != NULL);
EndHandle = HiiAllocateOpCodeHandle();
ASSERT(EndHandle != NULL);
StartLabel = (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode(StartHandle, &gEfiIfrTianoGuid, NULL, sizeof(*StartLabel));
StartLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
StartLabel->Number = LABEL_DEVICES_LIST;
EndLabel = (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode(EndHandle, &gEfiIfrTianoGuid, NULL, sizeof(*EndLabel));
EndLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
EndLabel->Number = LABEL_END;
// Get SecureBootConfig handle
HiiHandles = HiiGetHiiHandles(&SecureBootConfigGuid);
ASSERT(HiiHandles != NULL);
// Search for formset of each class type
for (Index = 0; HiiHandles[Index] != NULL; Index++) {
Status = HiiGetFormSetFromHiiHandle(HiiHandles[Index], &Buffer, &BufferSize);
if (EFI_ERROR(Status)) {
continue;
}
Ptr = (UINT8 *)Buffer;
while (TempSize < BufferSize) {
TempSize += ((EFI_IFR_OP_HEADER *)Ptr)->Length;
if (((EFI_IFR_OP_HEADER *)Ptr)->Length <= OFFSET_OF (EFI_IFR_FORM_SET, Flags)) {
Ptr += ((EFI_IFR_OP_HEADER *)Ptr)->Length;
continue;
}
ClassGuidNum = (UINT8)(((EFI_IFR_FORM_SET *)Ptr)->Flags & 0x3);
ClassGuid = (EFI_GUID *)(VOID *)(Ptr + sizeof(EFI_IFR_FORM_SET));
while (ClassGuidNum-- > 0) {
if (CompareGuid(&gEfiHiiPlatformSetupFormsetGuid, ClassGuid) == 0) {
ClassGuid++;
continue;
}
String = HiiGetString(HiiHandles[Index], ((EFI_IFR_FORM_SET *)Ptr)->FormSetTitle, NULL);
if (String == NULL) {
String = HiiGetString(HiiHandle, STRING_TOKEN (STR_MISSING_STRING), NULL);
ASSERT (String != NULL);
}
Token = HiiSetString(HiiHandle, 0, String, NULL);
FreePool(String);
String = HiiGetString(HiiHandles[Index], ((EFI_IFR_FORM_SET *)Ptr)->Help, NULL);
if (String == NULL) {
String = HiiGetString(HiiHandle, STRING_TOKEN (STR_MISSING_STRING), NULL);
ASSERT(String != NULL);
}
TokenHelp = HiiSetString(HiiHandle, 0, String, NULL);
FreePool(String);
HiiCreateGotoExOpCode(
StartHandle,
0,
Token,
TokenHelp,
0,
0,
0,
&SecureBootConfigGuid,
0
);
break;
}
Ptr += ((EFI_IFR_OP_HEADER *)Ptr)->Length;
}
FreePool (Buffer);
Buffer = NULL;
TempSize = 0;
BufferSize = 0;
}
HiiUpdateForm(
HiiHandle,
&mFrontPageGuid,
FRONT_PAGE_FORM_ID,
StartHandle,
EndHandle
);
HiiFreeOpCodeHandle(StartHandle);
HiiFreeOpCodeHandle(EndHandle);
}
/** /**
Initialize HII information for the FrontPage Initialize HII information for the FrontPage
@@ -305,6 +423,8 @@ InitializeFrontPage (
// //
UpdateFrontPageForm(); UpdateFrontPageForm();
ShowSecureBootConfig();
return Status; return Status;
} }

2
MdeModulePkg/Application/UiApp/FrontPage.h
View File

@@ -33,8 +33,10 @@ extern EFI_FORM_BROWSER2_PROTOCOL *gFormBrowser2;
// These are defined as the same with vfr file // These are defined as the same with vfr file
// //
#define FRONT_PAGE_FORM_ID 0x7600 #define FRONT_PAGE_FORM_ID 0x7600
#define FIRMWARE_INFO_FORM_ID 0x7601
#define LABEL_FRONTPAGE_INFORMATION 0x1000 #define LABEL_FRONTPAGE_INFORMATION 0x1000
#define LABEL_DEVICES_LIST 0x2000
#define LABEL_END 0xffff #define LABEL_END 0xffff
#define FRONT_PAGE_FORMSET_GUID \ #define FRONT_PAGE_FORMSET_GUID \

8
MdeModulePkg/Application/UiApp/FrontPageVfr.Vfr
View File

@@ -13,6 +13,7 @@
#define FIRMWARE_INFO_FORM_ID 0x7601 #define FIRMWARE_INFO_FORM_ID 0x7601
#define LABEL_FRONTPAGE_INFORMATION 0x1000 #define LABEL_FRONTPAGE_INFORMATION 0x1000
#define LABEL_DEVICES_LIST 0x2000
#define LABEL_END 0xffff #define LABEL_END 0xffff
formset formset
@@ -36,6 +37,12 @@ formset
label LABEL_END; label LABEL_END;
subtitle text = STRING_TOKEN(STR_EMPTY_STRING); subtitle text = STRING_TOKEN(STR_EMPTY_STRING);
label LABEL_DEVICES_LIST;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_EMPTY_STRING);
goto FIRMWARE_INFO_FORM_ID, goto FIRMWARE_INFO_FORM_ID,
prompt = STRING_TOKEN(STR_FIRMWARE_INFO), prompt = STRING_TOKEN(STR_FIRMWARE_INFO),
help = STRING_TOKEN(STR_EMPTY_STRING); help = STRING_TOKEN(STR_EMPTY_STRING);
@@ -56,6 +63,7 @@ formset
subtitle text = STRING_TOKEN(STR_TPM_STATUS); subtitle text = STRING_TOKEN(STR_TPM_STATUS);
subtitle text = STRING_TOKEN(STR_EMPTY_STRING); subtitle text = STRING_TOKEN(STR_EMPTY_STRING);
subtitle text = STRING_TOKEN(STR_ME_STATUS); subtitle text = STRING_TOKEN(STR_ME_STATUS);
subtitle text = STRING_TOKEN(STR_EMPTY_STRING);
endform; endform;
endformset; endformset;

1
MdeModulePkg/Application/UiApp/UiApp.inf
View File

@@ -60,6 +60,7 @@
gEfiIfrTianoGuid ## CONSUMES ## GUID (Extended IFR Guid Opcode) gEfiIfrTianoGuid ## CONSUMES ## GUID (Extended IFR Guid Opcode)
gEfiIfrFrontPageGuid ## CONSUMES ## GUID gEfiIfrFrontPageGuid ## CONSUMES ## GUID
gEfiSmbiosTableGuid ## CONSUMES ## GUID gEfiSmbiosTableGuid ## CONSUMES ## GUID
gEfiHiiPlatformSetupFormsetGuid ## CONSUMES ## GUID
[Protocols] [Protocols]
gEfiSmbiosProtocolGuid ## CONSUMES gEfiSmbiosProtocolGuid ## CONSUMES

2
MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.c
View File

@@ -285,7 +285,7 @@ UsbHcBulkTransfer (
IN UINT8 DevSpeed, IN UINT8 DevSpeed,
IN UINTN MaxPacket, IN UINTN MaxPacket,
IN UINT8 BufferNum, IN UINT8 BufferNum,
IN OUT VOID *Data[EFI_USB_MAX_BULK_BUFFER_NUM], IN OUT VOID *Data[],
IN OUT UINTN *DataLength, IN OUT UINTN *DataLength,
IN OUT UINT8 *DataToggle, IN OUT UINT8 *DataToggle,
IN UINTN TimeOut, IN UINTN TimeOut,

2
MdeModulePkg/Bus/Usb/UsbBusDxe/UsbUtility.h
View File

@@ -149,7 +149,7 @@ UsbHcBulkTransfer (
IN UINT8 DevSpeed, IN UINT8 DevSpeed,
IN UINTN MaxPacket, IN UINTN MaxPacket,
IN UINT8 BufferNum, IN UINT8 BufferNum,
IN OUT VOID *Data[EFI_USB_MAX_BULK_BUFFER_NUM], IN OUT VOID *Data[],
IN OUT UINTN *DataLength, IN OUT UINTN *DataLength,
IN OUT UINT8 *DataToggle, IN OUT UINT8 *DataToggle,
IN UINTN TimeOut, IN UINTN TimeOut,

631
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
View File

@@ -1,10 +1,6 @@
/** @file // SPDX-License-Identifier: BSD-2-Clause-Patent
VFR file used by the SecureBoot configuration component. // SPDX-FileCopyrightText: Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
// SPDX-FileCopyrightText: 2023 System76 <info@system76.com>
Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "SecureBootConfigNvData.h" #include "SecureBootConfigNvData.h"
@@ -19,34 +15,19 @@ formset
name = SECUREBOOT_CONFIGURATION, name = SECUREBOOT_CONFIGURATION,
guid = SECUREBOOT_CONFIG_FORM_SET_GUID; guid = SECUREBOOT_CONFIG_FORM_SET_GUID;
//
// ##1 Form "Secure Boot Configuration"
//
form formid = SECUREBOOT_CONFIGURATION_FORM_ID, form formid = SECUREBOOT_CONFIGURATION_FORM_ID,
title = STRING_TOKEN(STR_SECUREBOOT_TITLE); title = STRING_TOKEN(STR_SECUREBOOT_TITLE);
subtitle text = STRING_TOKEN(STR_NULL); // FIXME: firmware-setup doesn't handle EFI_IFR_TEXT.
//text
// help = STRING_TOKEN(STR_SECURE_BOOT_STATE_HELP),
// text = STRING_TOKEN(STR_SECURE_BOOT_STATE_PROMPT),
// text = STRING_TOKEN(STR_SECURE_BOOT_STATE_CONTENT);
text subtitle text = STRING_TOKEN(STR_SECURE_BOOT_STATE_PROMPT);
help = STRING_TOKEN(STR_SECURE_BOOT_STATE_HELP),
text = STRING_TOKEN(STR_SECURE_BOOT_STATE_PROMPT),
text = STRING_TOKEN(STR_SECURE_BOOT_STATE_CONTENT);
// // XXX: Needed for "Secure Boot status" string to update.
// Display of Check Box: Attempt Secure Boot suppressif TRUE;
//
grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1 OR NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1;
checkbox varid = SECUREBOOT_CONFIGURATION.AttemptSecureBoot,
questionid = KEY_SECURE_BOOT_ENABLE,
prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT),
help = STRING_TOKEN(STR_SECURE_BOOT_HELP),
flags = INTERACTIVE | RESET_REQUIRED,
endcheckbox;
endif;
//
// Display of Oneof: 'Secure Boot Mode'
//
oneof name = SecureBootMode, oneof name = SecureBootMode,
questionid = KEY_SECURE_BOOT_MODE, questionid = KEY_SECURE_BOOT_MODE,
prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT), prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT),
@@ -55,557 +36,97 @@ formset
option text = STRING_TOKEN(STR_STANDARD_MODE), value = SECURE_BOOT_MODE_STANDARD, flags = DEFAULT; option text = STRING_TOKEN(STR_STANDARD_MODE), value = SECURE_BOOT_MODE_STANDARD, flags = DEFAULT;
option text = STRING_TOKEN(STR_CUSTOM_MODE), value = SECURE_BOOT_MODE_CUSTOM, flags = 0; option text = STRING_TOKEN(STR_CUSTOM_MODE), value = SECURE_BOOT_MODE_CUSTOM, flags = 0;
endoneof; endoneof;
endif;
// suppressif ideqval SECUREBOOT_CONFIGURATION.AttemptSecureBoot == 0;
// Display of 'Current Secure Boot Mode' goto FORMID_SECURE_BOOT_DISABLE,
// prompt = STRING_TOKEN(STR_SECURE_BOOT_DISABLE_PROMPT),
suppressif questionref(SecureBootMode) == SECURE_BOOT_MODE_STANDARD; help = STRING_TOKEN(STR_NULL);
grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1;
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_OPTION_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_OPTION;
endif; endif;
suppressif ideqval SECUREBOOT_CONFIGURATION.AttemptSecureBoot == 1;
goto FORMID_SECURE_BOOT_ENABLE,
prompt = STRING_TOKEN(STR_SECURE_BOOT_ENABLE_PROMPT),
help = STRING_TOKEN(STR_NULL);
endif; endif;
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_DELETE_KEYS,
prompt = STRING_TOKEN(STR_DELETE_KEYS_PROMPT),
help = STRING_TOKEN(STR_NULL);
goto FORMID_RESTORE_KEYS,
prompt = STRING_TOKEN(STR_RESTORE_KEYS_PROMPT),
help = STRING_TOKEN(STR_NULL);
endform;
form formid = FORMID_SECURE_BOOT_ENABLE,
title = STRING_TOKEN(STR_SECUREBOOT_TITLE);
subtitle text = STRING_TOKEN(STR_ENABLE_NOTICE);
subtitle text = STRING_TOKEN(STR_NULL);
text text
help = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS_HELP), help = STRING_TOKEN(STR_NULL),
text = STRING_TOKEN(STR_SECURE_RESET_TO_DEFAULTS), text = STRING_TOKEN(STR_ENABLE_SELECTION),
flags = INTERACTIVE, flags = INTERACTIVE,
key = KEY_SECURE_BOOT_RESET_TO_DEFAULT; key = KEY_SECURE_BOOT_STATE_ENABLE;
goto SECUREBOOT_CONFIGURATION_FORM_ID,
prompt = STRING_TOKEN(STR_CANCEL),
help = STRING_TOKEN(STR_NULL);
endform; endform;
// form formid = FORMID_SECURE_BOOT_DISABLE,
// ##2 Form: 'Custom Secure Boot Options' title = STRING_TOKEN(STR_SECUREBOOT_TITLE);
//
form formid = FORMID_SECURE_BOOT_OPTION_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_OPTION_TITLE);
subtitle text = STRING_TOKEN(STR_DISABLE_NOTICE);
subtitle text = STRING_TOKEN(STR_NULL); subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_PK_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_PK_OPTION;
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_KEK_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_KEK_OPTION;
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_DB_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_DB_OPTION;
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_DBX_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_DBX_OPTION;
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_DBT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_DBT_OPTION),
help = STRING_TOKEN(STR_SECURE_BOOT_DBT_OPTION_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_DBT_OPTION;
endform;
//
// ##3 Form: 'PK Options'
//
form formid = FORMID_SECURE_BOOT_PK_OPTION_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION);
subtitle text = STRING_TOKEN(STR_NULL);
//
// Display of 'Enroll PK'
//
grayoutif ideqval SECUREBOOT_CONFIGURATION.HasPk == 1;
goto FORMID_ENROLL_PK_FORM,
prompt = STRING_TOKEN(STR_ENROLL_PK),
help = STRING_TOKEN(STR_ENROLL_PK_HELP),
flags = INTERACTIVE,
key = KEY_ENROLL_PK;
endif;
subtitle text = STRING_TOKEN(STR_NULL);
//
// Display of Check Box: 'Delete Pk'
//
grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1;
checkbox varid = SECUREBOOT_CONFIGURATION.DeletePk,
questionid = KEY_SECURE_BOOT_DELETE_PK,
prompt = STRING_TOKEN(STR_DELETE_PK),
help = STRING_TOKEN(STR_DELETE_PK_HELP),
flags = INTERACTIVE | RESET_REQUIRED,
endcheckbox;
endif;
endform;
//
// ##4 Form: 'Enroll PK'
//
form formid = FORMID_ENROLL_PK_FORM,
title = STRING_TOKEN(STR_ENROLL_PK);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_ENROLL_PK_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_PK_FILE),
help = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_PK_FILE),
flags = INTERACTIVE,
key = FORMID_ENROLL_PK_FORM;
subtitle text = STRING_TOKEN(STR_NULL);
label FORMID_ENROLL_PK_FORM;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
flags = INTERACTIVE| RESET_REQUIRED,
key = KEY_VALUE_SAVE_AND_EXIT_PK;
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_NO_SAVE_AND_EXIT_PK;
endform;
//
// ##5 Form: 'KEK Options'
//
form formid = FORMID_SECURE_BOOT_KEK_OPTION_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION);
//
// Display of 'Enroll KEK'
//
goto FORMID_ENROLL_KEK_FORM,
prompt = STRING_TOKEN(STR_ENROLL_KEK),
help = STRING_TOKEN(STR_ENROLL_KEK_HELP),
flags = INTERACTIVE;
subtitle text = STRING_TOKEN(STR_NULL);
//
// Display of 'Delete KEK'
//
goto FORMID_DELETE_KEK_FORM,
prompt = STRING_TOKEN(STR_DELETE_KEK),
help = STRING_TOKEN(STR_DELETE_KEK_HELP),
flags = INTERACTIVE,
key = KEY_DELETE_KEK;
subtitle text = STRING_TOKEN(STR_NULL);
endform;
//
// ##6 Form: 'Enroll KEK'
//
form formid = FORMID_ENROLL_KEK_FORM,
title = STRING_TOKEN(STR_ENROLL_KEK_TITLE);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_ENROLL_KEK_FORM,
prompt = STRING_TOKEN(STR_FORM_ENROLL_KEK_FROM_FILE_TITLE),
help = STRING_TOKEN(STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP),
flags = INTERACTIVE,
key = FORMID_ENROLL_KEK_FORM;
subtitle text = STRING_TOKEN(STR_NULL);
label FORMID_ENROLL_KEK_FORM;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_KEK_GUID,
minsize = SECURE_BOOT_GUID_SIZE,
maxsize = SECURE_BOOT_GUID_SIZE,
endstring;
subtitle text = STRING_TOKEN(STR_NULL);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_SAVE_AND_EXIT_KEK;
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_NO_SAVE_AND_EXIT_KEK;
endform;
//
// ##7 Form: 'Delete KEK'
//
form formid = FORMID_DELETE_KEK_FORM,
title = STRING_TOKEN(STR_DELETE_KEK_TITLE);
label LABEL_KEK_DELETE;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
endform;
//
// ##8 Form: 'DB Options'
//
form formid = FORMID_SECURE_BOOT_DB_OPTION_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION);
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_ENROLL_SIGNATURE_TO_DB,
prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
flags = 0;
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
flags = INTERACTIVE,
key = SECUREBOOT_DELETE_SIGNATURE_FROM_DB;
endform;
//
// ##9 Form: 'DBX Options'
//
form formid = FORMID_SECURE_BOOT_DBX_OPTION_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION);
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBX,
prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
flags = 0;
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_DELETE_SIGNATURE_LIST_FORM,
prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
flags = INTERACTIVE,
key = KEY_VALUE_FROM_DBX_TO_LIST_FORM;
endform;
//
// ##9 Form: 'DBT Options'
//
form formid = FORMID_SECURE_BOOT_DBT_OPTION_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_DBT_OPTION);
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBT,
prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
flags = 0;
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_DELETE_SIGNATURE_FROM_DBT,
prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
flags = INTERACTIVE,
key = SECUREBOOT_DELETE_SIGNATURE_FROM_DBT;
endform;
//
// Form: 'Delete Signature' for DB Options.
//
form formid = SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE);
label LABEL_DB_DELETE;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
endform;
//
// Form: Display Signature List.
//
form formid = SECUREBOOT_DELETE_SIGNATURE_LIST_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_LIST_FORM);
subtitle text = STRING_TOKEN(STR_NULL);
grayoutif ideqval SECUREBOOT_CONFIGURATION.ListCount == 0;
label LABEL_DELETE_ALL_LIST_BUTTON;
//
// Will create a goto button dynamically here.
//
label LABEL_END;
endif;
subtitle text = STRING_TOKEN(STR_NULL);
label LABEL_SIGNATURE_LIST_START;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
endform;
//
// Form: Display Signature Data.
//
form formid = SECUREBOOT_DELETE_SIGNATURE_DATA_FORM,
title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_DATA_FORM);
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_DELETE_SIGNATURE_LIST_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_DELETE_ALL_DATA),
help = STRING_TOKEN(STR_SECURE_BOOT_DELETE_ALL_DATA_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_DELETE_ALL_DATA;
grayoutif ideqval SECUREBOOT_CONFIGURATION.CheckedDataCount == 0;
goto SECUREBOOT_DELETE_SIGNATURE_LIST_FORM,
prompt = STRING_TOKEN(STR_SECURE_BOOT_DELETE_CHECK_DATA),
help = STRING_TOKEN(STR_SECURE_BOOT_DELETE_CHECK_DATA_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_DELETE_CHECK_DATA;
endif;
subtitle text = STRING_TOKEN(STR_NULL);
label LABEL_SIGNATURE_DATA_START;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
endform;
//
// Form: 'Delete Signature' for DBT Options.
//
form formid = SECUREBOOT_DELETE_SIGNATURE_FROM_DBT,
title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE);
label LABEL_DBT_DELETE;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
endform;
//
// Form: 'Enroll Signature' for DB options.
//
form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DB,
title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE);
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_ENROLL_SIGNATURE_TO_DB,
prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
flags = INTERACTIVE,
key = SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
subtitle text = STRING_TOKEN(STR_NULL);
label SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_SIGNATURE_GUID_DB,
minsize = SECURE_BOOT_GUID_SIZE,
maxsize = SECURE_BOOT_GUID_SIZE,
endstring;
subtitle text = STRING_TOKEN(STR_NULL);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_SAVE_AND_EXIT_DB;
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_NO_SAVE_AND_EXIT_DB;
endform;
//
// Form: 'Enroll Signature' for DBX options.
//
form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX,
title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE);
subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBX,
prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
flags = INTERACTIVE,
key = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
label SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL);
grayoutif ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 3;
string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
flags = INTERACTIVE,
key = KEY_SECURE_BOOT_SIGNATURE_GUID_DBX,
minsize = SECURE_BOOT_GUID_SIZE,
maxsize = SECURE_BOOT_GUID_SIZE,
endstring;
endif;
disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 1;
oneof name = X509SignatureFormatInDbx,
varid = SECUREBOOT_CONFIGURATION.CertificateFormat,
prompt = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT),
help = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP),
option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x1, flags = DEFAULT;
option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x2, flags = 0;
option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x3, flags = 0;
option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x4, flags = 0;
endoneof;
endif;
disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 2;
text text
help = STRING_TOKEN(STR_DBX_PE_IMAGE_FORMAT_HELP), // Help string help = STRING_TOKEN(STR_NULL),
text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), // Prompt string text = STRING_TOKEN(STR_DISABLE_SELECTION),
text = STRING_TOKEN(STR_DBX_PE_FORMAT_SHA256); // PE image type
endif;
disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 3;
text
help = STRING_TOKEN(STR_DBX_AUTH_2_FORMAT_HELP), // Help string
text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), // Prompt string
text = STRING_TOKEN(STR_DBX_AUTH_2_FORMAT); // AUTH_2 image type
endif;
suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 4;
checkbox varid = SECUREBOOT_CONFIGURATION.AlwaysRevocation,
prompt = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_PROMPT),
help = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_HELP),
flags = INTERACTIVE, flags = INTERACTIVE,
endcheckbox; key = KEY_SECURE_BOOT_STATE_DISABLE;
suppressif ideqval SECUREBOOT_CONFIGURATION.AlwaysRevocation == 1;
date varid = SECUREBOOT_CONFIGURATION.RevocationDate,
prompt = STRING_TOKEN(STR_CERTIFICATE_REVOCATION_DATE_PROMPT),
help = STRING_TOKEN(STR_CERTIFICATE_REVOCATION_DATE_HELP),
flags = STORAGE_NORMAL,
enddate;
time varid = SECUREBOOT_CONFIGURATION.RevocationTime,
prompt = STRING_TOKEN(STR_CERTIFICATE_REVOCATION_TIME_PROMPT),
help = STRING_TOKEN(STR_CERTIFICATE_REVOCATION_TIME_HELP),
flags = STORAGE_NORMAL,
endtime;
endif;
endif;
subtitle text = STRING_TOKEN(STR_NULL);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_SAVE_AND_EXIT_DBX;
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_NO_SAVE_AND_EXIT_DBX;
goto SECUREBOOT_CONFIGURATION_FORM_ID,
prompt = STRING_TOKEN(STR_CANCEL),
help = STRING_TOKEN(STR_NULL);
endform; endform;
// form formid = FORMID_DELETE_KEYS,
// Form: 'Enroll Signature' for DBT options. title = STRING_TOKEN(STR_SECUREBOOT_TITLE);
//
form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DBT,
title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE);
subtitle text = STRING_TOKEN(STR_DELETE_KEYS_NOTICE);
subtitle text = STRING_TOKEN(STR_NULL); subtitle text = STRING_TOKEN(STR_NULL);
goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBT, text
prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE), help = STRING_TOKEN(STR_NULL),
help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE), text = STRING_TOKEN(STR_DELETE_KEYS_SELECTION),
flags = INTERACTIVE, flags = INTERACTIVE,
key = SECUREBOOT_ENROLL_SIGNATURE_TO_DBT; key = KEY_SECURE_BOOT_DELETE_PK;
subtitle text = STRING_TOKEN(STR_NULL); goto SECUREBOOT_CONFIGURATION_FORM_ID,
label SECUREBOOT_ENROLL_SIGNATURE_TO_DBT; prompt = STRING_TOKEN(STR_CANCEL),
label LABEL_END; help = STRING_TOKEN(STR_NULL);
endform;
form formid = FORMID_RESTORE_KEYS,
title = STRING_TOKEN(STR_SECUREBOOT_TITLE);
subtitle text = STRING_TOKEN(STR_RESTORE_KEYS_NOTICE);
subtitle text = STRING_TOKEN(STR_NULL); subtitle text = STRING_TOKEN(STR_NULL);
string varid = SECUREBOOT_CONFIGURATION.SignatureGuid, text
prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID), help = STRING_TOKEN(STR_NULL),
help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP), text = STRING_TOKEN(STR_RESTORE_KEYS_SELECTION),
flags = INTERACTIVE, flags = INTERACTIVE,
key = KEY_SECURE_BOOT_SIGNATURE_GUID_DBT, key = KEY_RESTORE_KEYS;
minsize = SECURE_BOOT_GUID_SIZE,
maxsize = SECURE_BOOT_GUID_SIZE,
endstring;
subtitle text = STRING_TOKEN(STR_NULL);
subtitle text = STRING_TOKEN(STR_NULL);
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_SAVE_AND_EXIT_DBT;
goto FORMID_SECURE_BOOT_OPTION_FORM,
prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
flags = INTERACTIVE,
key = KEY_VALUE_NO_SAVE_AND_EXIT_DBT;
goto SECUREBOOT_CONFIGURATION_FORM_ID,
prompt = STRING_TOKEN(STR_CANCEL),
help = STRING_TOKEN(STR_NULL);
endform; endform;
endformset; endformset;

126
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
View File

@@ -3142,9 +3142,9 @@ UpdateSecureBootString(
} }
if (*SecureBoot == SECURE_BOOT_MODE_ENABLE) { if (*SecureBoot == SECURE_BOOT_MODE_ENABLE) {
HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Enabled", NULL); HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_PROMPT), L"Secure Boot state: Enabled", NULL);
} else { } else {
HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_CONTENT), L"Disabled", NULL); HiiSetString (Private->HiiHandle, STRING_TOKEN (STR_SECURE_BOOT_STATE_PROMPT), L"Secure Boot state: Disabled", NULL);
} }
FreePool(SecureBoot); FreePool(SecureBoot);
@@ -4324,7 +4324,7 @@ SecureBootCallback (
UINT8 *SecureBootEnable; UINT8 *SecureBootEnable;
UINT8 *Pk; UINT8 *Pk;
UINT8 *SecureBootMode; UINT8 *SecureBootMode;
UINT8 *SetupMode; //UINT8 *SetupMode;
CHAR16 PromptString[100]; CHAR16 PromptString[100];
EFI_DEVICE_PATH_PROTOCOL *File; EFI_DEVICE_PATH_PROTOCOL *File;
UINTN NameLength; UINTN NameLength;
@@ -4332,13 +4332,11 @@ SecureBootCallback (
SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
BOOLEAN GetBrowserDataResult; BOOLEAN GetBrowserDataResult;
ENROLL_KEY_ERROR EnrollKeyErrorCode; ENROLL_KEY_ERROR EnrollKeyErrorCode;
EFI_HII_POPUP_PROTOCOL *HiiPopup;
EFI_HII_POPUP_SELECTION UserSelection;
Status = EFI_SUCCESS; Status = EFI_SUCCESS;
SecureBootEnable = NULL; SecureBootEnable = NULL;
SecureBootMode = NULL; SecureBootMode = NULL;
SetupMode = NULL; //SetupMode = NULL;
File = NULL; File = NULL;
EnrollKeyErrorCode = None_Error; EnrollKeyErrorCode = None_Error;
@@ -4414,27 +4412,14 @@ SecureBootCallback (
if (Action == EFI_BROWSER_ACTION_CHANGING) { if (Action == EFI_BROWSER_ACTION_CHANGING) {
switch (QuestionId) { switch (QuestionId) {
case KEY_SECURE_BOOT_ENABLE: //case KEY_SECURE_BOOT_ENABLE:
case KEY_SECURE_BOOT_STATE_ENABLE:
GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL); GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
if (NULL != SecureBootEnable) { Status = SaveSecureBootVariable(1);
FreePool (SecureBootEnable); break;
if (EFI_ERROR (SaveSecureBootVariable (Value->u8))) { case KEY_SECURE_BOOT_STATE_DISABLE:
CreatePopUp ( GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, Status = SaveSecureBootVariable(0);
&Key,
L"Only Physical Presence User could disable secure boot!",
NULL
);
Status = EFI_UNSUPPORTED;
} else {
CreatePopUp (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key,
L"Configuration changed, please reset the platform to take effect!",
NULL
);
}
}
break; break;
case KEY_SECURE_BOOT_KEK_OPTION: case KEY_SECURE_BOOT_KEK_OPTION:
@@ -4534,26 +4519,7 @@ SecureBootCallback (
break; break;
case KEY_SECURE_BOOT_DELETE_PK: case KEY_SECURE_BOOT_DELETE_PK:
if (Value->u8) { Status = DeletePlatformKey();
CreatePopUp (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key,
L"Are you sure you want to delete PK? Secure boot will be disabled!",
L"Press 'Y' to delete PK and exit, 'N' to discard change and return",
NULL
);
if (Key.UnicodeChar == 'y' || Key.UnicodeChar == 'Y') {
Status = DeletePlatformKey ();
if (EFI_ERROR (Status)) {
CreatePopUp (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key,
L"Only Physical Presence User could delete PK in custom mode!",
NULL
);
}
}
}
break; break;
case KEY_DELETE_KEK: case KEY_DELETE_KEK:
@@ -4850,8 +4816,12 @@ SecureBootCallback (
} }
} else if (Action == EFI_BROWSER_ACTION_CHANGED) { } else if (Action == EFI_BROWSER_ACTION_CHANGED) {
switch (QuestionId) { switch (QuestionId) {
case KEY_SECURE_BOOT_ENABLE: //case KEY_SECURE_BOOT_ENABLE:
case KEY_SECURE_BOOT_STATE_ENABLE:
case KEY_SECURE_BOOT_STATE_DISABLE:
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
// XXX: Is this safe?
gRT->ResetSystem(EfiResetCold, Status, 0, NULL);
break; break;
case KEY_SECURE_BOOT_MODE: case KEY_SECURE_BOOT_MODE:
mIsEnterSecureBootForm = FALSE; mIsEnterSecureBootForm = FALSE;
@@ -4870,45 +4840,33 @@ SecureBootCallback (
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
break; break;
case KEY_SECURE_BOOT_DELETE_PK: case KEY_SECURE_BOOT_DELETE_PK:
GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL); //GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) { //if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
IfrNvData->DeletePk = TRUE; // IfrNvData->DeletePk = TRUE;
IfrNvData->HasPk = FALSE; // IfrNvData->HasPk = FALSE;
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT; // *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT;
} else { //} else {
IfrNvData->DeletePk = FALSE; // IfrNvData->DeletePk = FALSE;
IfrNvData->HasPk = TRUE; // IfrNvData->HasPk = TRUE;
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; // *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
} //}
if (SetupMode != NULL) { //if (SetupMode != NULL) {
FreePool (SetupMode); // FreePool (SetupMode);
//}
// XXX: Is this safe?
gRT->ResetSystem(EfiResetCold, Status, 0, NULL);
break;
//case KEY_SECURE_BOOT_RESET_TO_DEFAULT:
case KEY_RESTORE_KEYS:
Status = KeyEnrollReset();
// Update secure boot strings after key reset
if (Status == EFI_SUCCESS) {
Status = UpdateSecureBootString(Private);
SecureBootExtractConfigFromVariable(Private, IfrNvData);
// XXX: Is this safe?
gRT->ResetSystem(EfiResetCold, Status, 0, NULL);
} }
break; break;
case KEY_SECURE_BOOT_RESET_TO_DEFAULT:
{
Status = gBS->LocateProtocol (&gEfiHiiPopupProtocolGuid, NULL, (VOID **) &HiiPopup);
if (EFI_ERROR (Status)) {
return Status;
}
Status = HiiPopup->CreatePopup (
HiiPopup,
EfiHiiPopupStyleInfo,
EfiHiiPopupTypeYesNo,
Private->HiiHandle,
STRING_TOKEN (STR_RESET_TO_DEFAULTS_POPUP),
&UserSelection
);
if (UserSelection == EfiHiiPopupSelectionYes) {
Status = KeyEnrollReset ();
}
//
// Update secure boot strings after key reset
//
if (Status == EFI_SUCCESS) {
Status = UpdateSecureBootString (Private);
SecureBootExtractConfigFromVariable (Private, IfrNvData);
}
}
default: default:
break; break;
} }

9
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
View File

@@ -119,6 +119,15 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#define PE_IMAGE_FILE_TYPE 2 #define PE_IMAGE_FILE_TYPE 2
#define AUTHENTICATION_2_FILE_TYPE 3 #define AUTHENTICATION_2_FILE_TYPE 3
#define FORMID_SECURE_BOOT_ENABLE 0x101
#define FORMID_SECURE_BOOT_DISABLE 0x102
#define FORMID_DELETE_KEYS 0x103
#define FORMID_RESTORE_KEYS 0x104
#define KEY_SECURE_BOOT_STATE_ENABLE 0x1120
#define KEY_SECURE_BOOT_STATE_DISABLE 0x1121
#define KEY_DELETE_KEYS 0x1122
#define KEY_RESTORE_KEYS 0x1123
// //
// Nv Data structure referenced by IFR // Nv Data structure referenced by IFR
// //

15
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
View File

@@ -138,3 +138,18 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#string STR_SIGNATURE_DATA_HELP_FORMAT_TIME #language en-US "Revocation Time:\n%s" #string STR_SIGNATURE_DATA_HELP_FORMAT_TIME #language en-US "Revocation Time:\n%s"
#string STR_SIGNATURE_DELETE_ALL_CONFIRM #language en-US "Press 'Y' to delete all signature List." #string STR_SIGNATURE_DELETE_ALL_CONFIRM #language en-US "Press 'Y' to delete all signature List."
#string STR_SECURE_BOOT_ENABLE_PROMPT #language en-US "Enable Secure Boot"
#string STR_SECURE_BOOT_DISABLE_PROMPT #language en-US "Disable Secure Boot"
#string STR_DELETE_KEYS_PROMPT #language en-US "Delete System76 and Microsoft keys (Use your own)"
#string STR_RESTORE_KEYS_PROMPT #language en-US "Restore System76 and Microsoft keys"
#string STR_ENABLE_NOTICE #language en-US "An operating system that includes Secure Boot support is required.\r\nDisable Secure Boot if your operating system does not boot."
#string STR_ENABLE_SELECTION #language en-US "Enable Secure Boot and reboot"
#string STR_DISABLE_NOTICE #language en-US "Disabling Secure Boot allows non-verified operating systems to boot\r\nand may disable some operating system security features."
#string STR_DISABLE_SELECTION #language en-US "Disable Secure Boot and reboot"
#string STR_DELETE_KEYS_NOTICE #language en-US "System and Microsoft keys will be deleted. Enroll custom keys from your\r\noperating system. Check your OS documentation for details. To facilitate\nsetup, Secure Boot is disabled until you manually activate it."
#string STR_DELETE_KEYS_SELECTION #language en-US "Delete System76 and Microsoft keys and restart"
#string STR_RESTORE_KEYS_NOTICE #language en-US "Restoring System76 and Microsoft keys will remove any custom keys you\r\nhave installed and may make your OS unbootable. Disable Secure Boot if\nyour operating system does not boot."
#string STR_RESTORE_KEYS_SELECTION #language en-US "Restore System76 and Microsoft keys and restart"
#string STR_CANCEL #language en-US "Cancel"

21
System76Pkg/Ec/Fmp/EcFmp.dsc Normal file
View File

@@ -0,0 +1,21 @@
# SPDX-License-Identifier: MPL-2.0
# SPDX-FileCopyrightText: 2023 System76, Inc.
FmpDevicePkg/FmpDxe/FmpDxe.inf {
<Defines>
FILE_GUID = $(EC_FMP_ESRT_GUID)
<PcdsFixedAtBuild>
gFmpDevicePkgTokenSpaceGuid.PcdFmpDeviceImageIdName|L"System76 EC"
gFmpDevicePkgTokenSpaceGuid.PcdFmpDeviceBuildTimeLowestSupportedVersion|0
gFmpDevicePkgTokenSpaceGuid.PcdFmpDeviceProgressWatchdogTimeInSeconds|0
gFmpDevicePkgTokenSpaceGuid.PcdFmpDeviceProgressColor|0x00FBB86C
<LibraryClasses>
FmpPayloadHeaderLib|FmpDevicePkg/Library/FmpPayloadHeaderLibV1/FmpPayloadHeaderLibV1.inf
FmpAuthenticationLib|MdeModulePkg/Library/FmpAuthenticationLibNull/FmpAuthenticationLibNull.inf
FmpDependencyLib|FmpDevicePkg/Library/FmpDependencyLib/FmpDependencyLib.inf
FmpDependencyCheckLib|FmpDevicePkg/Library/FmpDependencyCheckLibNull/FmpDependencyCheckLibNull.inf
FmpDependencyDeviceLib|FmpDevicePkg/Library/FmpDependencyDeviceLibNull/FmpDependencyDeviceLibNull.inf
CapsuleUpdatePolicyLib|FmpDevicePkg/Library/CapsuleUpdatePolicyLibNull/CapsuleUpdatePolicyLibNull.inf
FmpDeviceLib|System76Pkg/Ec/Fmp/EcFmpLib.inf
}

241
System76Pkg/Ec/Fmp/EcFmpLib.c Normal file
View File

@@ -0,0 +1,241 @@
// SPDX-License-Identifier: MPL-2.0
// SPDX-FileCopyrightText: 2023 System76, Inc.
#include <Guid/SystemResourceTable.h>
#include <Library/BaseMemoryLib.h>
#include <Library/FmpDeviceLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/UefiBootServicesTableLib.h>
#include <LastAttemptStatus.h>
#define US_PER_MS 1000
EFI_STATUS
EFIAPI
RegisterFmpInstaller(
IN FMP_DEVICE_LIB_REGISTER_FMP_INSTALLER FmpInstaller
) {
return EFI_UNSUPPORTED;
}
EFI_STATUS
EFIAPI
RegisterFmpUninstaller(
IN FMP_DEVICE_LIB_REGISTER_FMP_UNINSTALLER FmpUninstaller
) {
return EFI_UNSUPPORTED;
}
EFI_STATUS
EFIAPI
FmpDeviceSetContext(
IN EFI_HANDLE Handle,
IN OUT VOID **Context
) {
return EFI_UNSUPPORTED;
}
EFI_STATUS
EFIAPI
FmpDeviceGetSize(
OUT UINTN *Size
) {
if (!Size)
return EFI_INVALID_PARAMETER;
// TODO
*Size = 128 * 1024;
return EFI_SUCCESS;
}
EFI_STATUS
EFIAPI
FmpDeviceGetImageTypeIdGuidPtr(
OUT EFI_GUID **Guid
) {
if (!Guid)
return EFI_INVALID_PARAMETER;
return EFI_UNSUPPORTED;
}
EFI_STATUS
EFIAPI
FmpDeviceGetAttributes(
OUT UINT64 *Supported,
OUT UINT64 *Setting
) {
if (!Supported || !Setting)
return EFI_INVALID_PARAMETER;
*Supported = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE
| IMAGE_ATTRIBUTE_RESET_REQUIRED
| IMAGE_ATTRIBUTE_IN_USE;
*Setting = IMAGE_ATTRIBUTE_IMAGE_UPDATABLE
| IMAGE_ATTRIBUTE_RESET_REQUIRED
| IMAGE_ATTRIBUTE_IN_USE;
return EFI_SUCCESS;
}
EFI_STATUS
EFIAPI
FmpDeviceGetLowestSupportedVersion(
OUT UINT32 *LowestSupportedVersion
) {
return EFI_UNSUPPORTED;
}
EFI_STATUS
EFIAPI
FmpDeviceGetVersionString(
OUT CHAR16 **VersionString
) {
if (!VersionString)
return EFI_INVALID_PARAMETER;
// TODO
*VersionString = AllocatePool(sizeof(L"0.3"));
if (!(*VersionString))
return EFI_OUT_OF_RESOURCES;
CopyMem(VersionString, L"0.3", sizeof(L"0.3"));
//*VersionString = NULL;
return EFI_SUCCESS;
}
EFI_STATUS
EFIAPI
FmpDeviceGetVersion(
OUT UINT32 *Version
) {
if (!Version)
return EFI_INVALID_PARAMETER;
// TODO
*Version = 3;
return EFI_SUCCESS;
}
EFI_STATUS
EFIAPI
FmpDeviceGetHardwareInstance(
OUT UINT64 *HardwareInstance
) {
return EFI_UNSUPPORTED;
}
EFI_STATUS
EFIAPI
FmpDeviceGetImage(
OUT VOID *Image,
IN OUT UINTN *ImageSize
) {
// TODO
return EFI_UNSUPPORTED;
}
EFI_STATUS
EFIAPI
FmpDeviceCheckImageWithStatus(
IN CONST VOID *Image,
IN UINTN ImageSize,
OUT UINT32 *ImageUpdatable,
OUT UINT32 *LastAttemptStatus
) {
if (!LastAttemptStatus)
return EFI_INVALID_PARAMETER;
*LastAttemptStatus = LAST_ATTEMPT_STATUS_DEVICE_LIBRARY_MIN_ERROR_CODE_VALUE;
if (!ImageUpdatable || !Image)
return EFI_INVALID_PARAMETER;
// TODO:
*LastAttemptStatus = LAST_ATTEMPT_STATUS_SUCCESS;
return EFI_SUCCESS;
}
EFI_STATUS
EFIAPI
FmpDeviceCheckImage(
IN CONST VOID *Image,
IN UINTN ImageSize,
OUT UINT32 *ImageUpdatable
) {
UINT32 LastAttemptStatus;
return FmpDeviceCheckImageWithStatus(Image, ImageSize, ImageUpdatable, &LastAttemptStatus);
}
EFI_STATUS
EFIAPI
FmpDeviceSetImageWithStatus (
IN CONST VOID *Image,
IN UINTN ImageSize,
IN CONST VOID *VendorCode, OPTIONAL
IN EFI_FIRMWARE_MANAGEMENT_UPDATE_IMAGE_PROGRESS Progress, OPTIONAL
IN UINT32 CapsuleFwVersion,
OUT CHAR16 **AbortReason,
OUT UINT32 *LastAttemptStatus
) {
// TODO
EFI_STATUS Status = EFI_SUCCESS;
UINT32 Updateable = 0;
Status = FmpDeviceCheckImageWithStatus(Image, ImageSize, &Updateable, LastAttemptStatus);
if (EFI_ERROR(Status)) {
goto cleanup;
}
if (Updateable != IMAGE_UPDATABLE_VALID) {
Status = EFI_ABORTED;
goto cleanup;
}
if (Progress == NULL) {
Status = EFI_INVALID_PARAMETER;
goto cleanup;
}
gBS->Stall (3000 * US_PER_MS);
Progress(15);
gBS->Stall (2000 * US_PER_MS);
for (int p = 20; p < 100; p++) {
gBS->Stall (100 * US_PER_MS);
Progress (p);
}
cleanup:
if (EFI_ERROR (Status)) {
*LastAttemptStatus = LAST_ATTEMPT_STATUS_DEVICE_LIBRARY_MIN_ERROR_CODE_VALUE;
}
return Status;
}
EFI_STATUS
EFIAPI
FmpDeviceSetImage(
IN CONST VOID *Image,
IN UINTN ImageSize,
IN CONST VOID *VendorCode, OPTIONAL
IN EFI_FIRMWARE_MANAGEMENT_UPDATE_IMAGE_PROGRESS Progress, OPTIONAL
IN UINT32 CapsuleFwVersion,
OUT CHAR16 **AbortReason
) {
UINT32 LastAttemptStatus;
return FmpDeviceSetImageWithStatus(Image, ImageSize, VendorCode, Progress, CapsuleFwVersion, AbortReason, &LastAttemptStatus);
}
EFI_STATUS
EFIAPI
FmpDeviceLock(
VOID
) {
return EFI_UNSUPPORTED;
}

20
System76Pkg/Ec/Fmp/EcFmpLib.inf Normal file
View File

@@ -0,0 +1,20 @@
# SPDX-License-Identifier: MPL-2.0
# SPDX-FileCopyrightText: 2023 System76, Inc.
[Defines]
INF_VERSION = 1.27
BASE_NAME = EcFmpLib
FILE_GUID = 760B7155-99F7-4E8E-8C07-D38A75F54C54
MODULE_TYPE = DXE_DRIVER
VERSION_STRING = 0.1
LIBRARY_CLASS = FmpDeviceLib|DXE_DRIVER
[Sources]
EcFmpLib.c
[Packages]
MdePkg/MdePkg.dec
FmpDevicePkg/FmpDevicePkg.dec
[LibraryClasses]
UefiBootServicesTableLib

20
UefiPayloadPkg/Library/PlatformBootManagerLib/PlatformBootManager.c
View File

@@ -192,6 +192,14 @@ PlatformBootManagerBeforeConsole (
PlatformConsoleInit (); PlatformConsoleInit ();
} }
// GUID for System76 security driver
EFI_GUID SYSTEM76_SECURITY_PROTOCOL_GUID = {0x764247c4, 0xa859, 0x4a6b, {0xb5, 0x00, 0xed, 0x5d, 0x7a, 0x70, 0x7d, 0xd4}};
typedef struct {
// Run System76 security driver, will return true if we should boot immediately
BOOLEAN (EFIAPI *Run)();
} SYSTEM76_SECURITY_PROTOCOL;
/** /**
Do the platform specific action after the console is connected. Do the platform specific action after the console is connected.
@@ -210,6 +218,8 @@ PlatformBootManagerAfterConsole (
{ {
EFI_GRAPHICS_OUTPUT_BLT_PIXEL Black; EFI_GRAPHICS_OUTPUT_BLT_PIXEL Black;
EFI_GRAPHICS_OUTPUT_BLT_PIXEL White; EFI_GRAPHICS_OUTPUT_BLT_PIXEL White;
EFI_STATUS Status;
SYSTEM76_SECURITY_PROTOCOL * system76_security;
if (mUniversalPayloadPlatformBootManagerOverrideInstance != NULL){ if (mUniversalPayloadPlatformBootManagerOverrideInstance != NULL){
mUniversalPayloadPlatformBootManagerOverrideInstance->AfterConsole(); mUniversalPayloadPlatformBootManagerOverrideInstance->AfterConsole();
@@ -249,6 +259,16 @@ PlatformBootManagerAfterConsole (
// Inject boot logo into BGRT table // Inject boot logo into BGRT table
AddBGRT(); AddBGRT();
// If System76 security driver is installed
Status = gBS->LocateProtocol (&SYSTEM76_SECURITY_PROTOCOL_GUID, NULL, (VOID **) &system76_security);
if (!EFI_ERROR(Status)) {
// Run System76 security driver
if (system76_security->Run ()) {
// Skip boot timeout if requested
PcdSet16S (PcdPlatformBootTimeOut, 0);
}
}
} }
/** /**

BIN
UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/crl.bin
View File

Binary file not shown.

BIN
UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/db-system76.crt Normal file
View File

Binary file not shown.

0
UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/kek.crt → UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/kek-microsoft.crt
View File

BIN
UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/kek-system76.crt Normal file
View File

Binary file not shown.

BIN
UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/pk.crt
View File

Binary file not shown.

27
UefiPayloadPkg/UefiPayloadPkg.dsc
View File

@@ -112,6 +112,9 @@
DEFINE SECURE_BOOT_ENABLE = FALSE DEFINE SECURE_BOOT_ENABLE = FALSE
DEFINE TPM_ENABLE = FALSE DEFINE TPM_ENABLE = FALSE
# FMP
DEFINE EC_FMP_ESRT_GUID = 76FFAC81-FDE6-464D-A6D9-84BDD9EE522D
[BuildOptions] [BuildOptions]
*_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
GCC:*_UNIXGCC_*_CC_FLAGS = -DMDEPKG_NDEBUG GCC:*_UNIXGCC_*_CC_FLAGS = -DMDEPKG_NDEBUG
@@ -206,13 +209,16 @@
UefiUsbLib|MdePkg/Library/UefiUsbLib/UefiUsbLib.inf UefiUsbLib|MdePkg/Library/UefiUsbLib/UefiUsbLib.inf
UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf UefiScsiLib|MdePkg/Library/UefiScsiLib/UefiScsiLib.inf
OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf OemHookStatusCodeLib|MdeModulePkg/Library/OemHookStatusCodeLibNull/OemHookStatusCodeLibNull.inf
CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf
SecurityManagementLib|MdeModulePkg/Library/DxeSecurityManagementLib/DxeSecurityManagementLib.inf SecurityManagementLib|MdeModulePkg/Library/DxeSecurityManagementLib/DxeSecurityManagementLib.inf
UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf
BootLogoLib|MdeModulePkg/Library/BootLogoLib/BootLogoLib.inf BootLogoLib|MdeModulePkg/Library/BootLogoLib/BootLogoLib.inf
CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf CustomizedDisplayLib|MdeModulePkg/Library/CustomizedDisplayLib/CustomizedDisplayLib.inf
FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf FrameBufferBltLib|MdeModulePkg/Library/FrameBufferBltLib/FrameBufferBltLib.inf
# FMP Capsule
BmpSupportLib|MdeModulePkg/Library/BaseBmpSupportLib/BaseBmpSupportLib.inf
CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibNull/DxeCapsuleLibNull.inf
# #
# CPU # CPU
# #
@@ -346,6 +352,9 @@
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
!endif !endif
# FMP Capsule
CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.inf
[LibraryClasses.common.DXE_RUNTIME_DRIVER] [LibraryClasses.common.DXE_RUNTIME_DRIVER]
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
@@ -364,6 +373,9 @@
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif !endif
# FMP Capsule
CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.inf
[LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION] [LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION]
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
@@ -402,6 +414,10 @@
# Disable MTRR programming # Disable MTRR programming
gUefiCpuPkgTokenSpaceGuid.PcdCpuDisableMtrrProgramming|TRUE gUefiCpuPkgTokenSpaceGuid.PcdCpuDisableMtrrProgramming|TRUE
# Enable Capsule On Disk support
# NOTE: Capsule in RAM is enabled, so UpdateCapsule will still be called
gEfiMdeModulePkgTokenSpaceGuid.PcdCapsuleOnDiskSupport|TRUE
[PcdsPatchableInModule.common] [PcdsPatchableInModule.common]
gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 } gEfiMdeModulePkgTokenSpaceGuid.PcdBootManagerMenuFile|{ 0x21, 0xaa, 0x2c, 0x46, 0x14, 0x76, 0x03, 0x45, 0x83, 0x6e, 0x8a, 0xb6, 0xf4, 0x66, 0x23, 0x31 }
gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x7 gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x7
@@ -563,7 +579,6 @@
MdeModulePkg/Universal/Metronome/Metronome.inf MdeModulePkg/Universal/Metronome/Metronome.inf
MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
!if $(DISABLE_RESET_SYSTEM) == FALSE !if $(DISABLE_RESET_SYSTEM) == FALSE
MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf MdeModulePkg/Universal/ResetSystemRuntimeDxe/ResetSystemRuntimeDxe.inf
@@ -706,6 +721,14 @@
} }
!endif !endif
#
# Firmware update
#
MdeModulePkg/Universal/EsrtFmpDxe/EsrtFmpDxe.inf
MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
!include System76Pkg/Ec/Fmp/EcFmp.dsc
#------------------------------ #------------------------------
# Build the shell # Build the shell
#------------------------------ #------------------------------

12
UefiPayloadPkg/UefiPayloadPkg.fdf
View File

@@ -113,7 +113,6 @@ INF PcAtChipsetPkg/HpetTimerDxe/HpetTimerDxe.inf
INF MdeModulePkg/Universal/Metronome/Metronome.inf INF MdeModulePkg/Universal/Metronome/Metronome.inf
INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf INF MdeModulePkg/Universal/WatchdogTimerDxe/WatchdogTimer.inf
INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf INF MdeModulePkg/Core/RuntimeDxe/RuntimeDxe.inf
INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
!if $(DISABLE_RESET_SYSTEM) == FALSE !if $(DISABLE_RESET_SYSTEM) == FALSE
@@ -260,11 +259,13 @@ INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
} }
FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 { FILE FREEFORM = 6f64916e-9f7a-4c35-b952-cd041efb05a3 {
SECTION RAW = UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/kek.crt SECTION RAW = UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/kek-system76.crt
SECTION RAW = UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/kek-microsoft.crt
SECTION UI = "KEK Default" SECTION UI = "KEK Default"
} }
FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 { FILE FREEFORM = c491d352-7623-4843-accc-2791a7574421 {
SECTION RAW = UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/db-system76.crt
SECTION RAW = UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/db-1.crt SECTION RAW = UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/db-1.crt
SECTION RAW = UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/db-2.crt SECTION RAW = UefiPayloadPkg/SecureBootEnrollDefaultKeys/keys/db-2.crt
SECTION UI = "DB Default" SECTION UI = "DB Default"
@@ -276,6 +277,13 @@ INF SecurityPkg/RandomNumberGenerator/RngDxe/RngDxe.inf
} }
!endif !endif
#
# Firmware update
#
INF MdeModulePkg/Universal/EsrtFmpDxe/EsrtFmpDxe.inf
INF MdeModulePkg/Universal/CapsuleRuntimeDxe/CapsuleRuntimeDxe.inf
INF FILE_GUID = $(EC_FMP_ESRT_GUID) FmpDevicePkg/FmpDxe/FmpDxe.inf
# #
# Shell # Shell
# #