sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
fdeff3fdae641ecefb0d8cad2f2d52baef7037af
system76-edk2/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
Grzegorz Bernacki bb806a6e88 SecurityPkg: Create SecureBootVariableLib. 
This commits add library, which consist helper functions related
to creation/removal Secure Boot variables. Some of the functions
was moved from SecureBootConfigImpl.c file.

Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
Reviewed-by: Sunny Wang <sunny.wang@arm.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
2021-08-03 07:26:41 +00:00

511 lines
14 KiB
C
Raw Blame History

/** @file
This library provides helper functions to set/clear Secure Boot
keys and databases.
Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
Copyright (c) 2021, Semihalf All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Guid/GlobalVariable.h>
#include <Guid/AuthenticatedVariableFormat.h>
#include <Guid/ImageAuthentication.h>
#include <Library/BaseCryptLib.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/DebugLib.h>
#include <Library/UefiLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/SecureBootVariableLib.h>
#include "Library/DxeServicesLib.h"
/** Creates EFI Signature List structure.
@param[in] Data A pointer to signature data.
@param[in] Size Size of signature data.
@param[out] SigList Created Signature List.
@retval EFI_SUCCESS Signature List was created successfully.
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
**/
STATIC
EFI_STATUS
CreateSigList (
IN VOID *Data,
IN UINTN Size,
OUT EFI_SIGNATURE_LIST **SigList
)
{
UINTN SigListSize;
EFI_SIGNATURE_LIST *TmpSigList;
EFI_SIGNATURE_DATA *SigData;
//
// Allocate data for Signature Database
//
SigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + Size;
TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize);
if (TmpSigList == NULL) {
return EFI_OUT_OF_RESOURCES;
}
//
// Only gEfiCertX509Guid type is supported
//
TmpSigList->SignatureListSize = (UINT32)SigListSize;
TmpSigList->SignatureSize = (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1 + Size);
TmpSigList->SignatureHeaderSize = 0;
CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid);
//
// Copy key data
//
SigData = (EFI_SIGNATURE_DATA *) (TmpSigList + 1);
CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid);
CopyMem (&SigData->SignatureData[0], Data, Size);
*SigList = TmpSigList;
return EFI_SUCCESS;
}
/** Adds new signature list to signature database.
@param[in] SigLists A pointer to signature database.
@param[in] SigListAppend A signature list to be added.
@param[out] *SigListOut Created signature database.
@param[in, out] SigListsSize A size of created signature database.
@retval EFI_SUCCESS Signature List was added successfully.
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
**/
STATIC
EFI_STATUS
ConcatenateSigList (
IN EFI_SIGNATURE_LIST *SigLists,
IN EFI_SIGNATURE_LIST *SigListAppend,
OUT EFI_SIGNATURE_LIST **SigListOut,
IN OUT UINTN *SigListsSize
)
{
EFI_SIGNATURE_LIST *TmpSigList;
UINT8 *Offset;
UINTN NewSigListsSize;
NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
TmpSigList = (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize);
if (TmpSigList == NULL) {
return EFI_OUT_OF_RESOURCES;
}
CopyMem (TmpSigList, SigLists, *SigListsSize);
Offset = (UINT8 *)TmpSigList;
Offset += *SigListsSize;
CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);
*SigListsSize = NewSigListsSize;
*SigListOut = TmpSigList;
return EFI_SUCCESS;
}
/**
Create a EFI Signature List with data fetched from section specified as a argument.
Found keys are verified using RsaGetPublicKeyFromX509().
@param[in] KeyFileGuid A pointer to to the FFS filename GUID
@param[out] SigListsSize A pointer to size of signature list
@param[out] SigListOut a pointer to a callee-allocated buffer with signature lists
@retval EFI_SUCCESS Create time based payload successfully.
@retval EFI_NOT_FOUND Section with key has not been found.
@retval EFI_INVALID_PARAMETER Embedded key has a wrong format.
@retval Others Unexpected error happens.
**/
EFI_STATUS
SecureBootFetchData (
IN EFI_GUID *KeyFileGuid,
OUT UINTN *SigListsSize,
OUT EFI_SIGNATURE_LIST **SigListOut
)
{
EFI_SIGNATURE_LIST *EfiSig;
EFI_SIGNATURE_LIST *TmpEfiSig;
EFI_SIGNATURE_LIST *TmpEfiSig2;
EFI_STATUS Status;
VOID *Buffer;
VOID *RsaPubKey;
UINTN Size;
UINTN KeyIndex;
KeyIndex = 0;
EfiSig = NULL;
*SigListsSize = 0;
while (1) {
Status = GetSectionFromAnyFv (
KeyFileGuid,
EFI_SECTION_RAW,
KeyIndex,
&Buffer,
&Size
);
if (Status == EFI_SUCCESS) {
RsaPubKey = NULL;
if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
if (EfiSig != NULL) {
FreePool(EfiSig);
}
FreePool(Buffer);
return EFI_INVALID_PARAMETER;
}
Status = CreateSigList (Buffer, Size, &TmpEfiSig);
//
// Concatenate lists if more than one section found
//
if (KeyIndex == 0) {
EfiSig = TmpEfiSig;
*SigListsSize = TmpEfiSig->SignatureListSize;
} else {
ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
FreePool (EfiSig);
FreePool (TmpEfiSig);
EfiSig = TmpEfiSig2;
}
KeyIndex++;
FreePool (Buffer);
} if (Status == EFI_NOT_FOUND) {
break;
}
};
if (KeyIndex == 0) {
return EFI_NOT_FOUND;
}
*SigListOut = EfiSig;
return EFI_SUCCESS;
}
/**
Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
descriptor with the input data. NO authentication is required in this function.
@param[in, out] DataSize On input, the size of Data buffer in bytes.
On output, the size of data returned in Data
buffer in bytes.
@param[in, out] Data On input, Pointer to data buffer to be wrapped or
pointer to NULL to wrap an empty payload.
On output, Pointer to the new payload date buffer allocated from pool,
it's caller's responsibility to free the memory when finish using it.
@retval EFI_SUCCESS Create time based payload successfully.
@retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval Others Unexpected error happens.
**/
EFI_STATUS
CreateTimeBasedPayload (
IN OUT UINTN *DataSize,
IN OUT UINT8 **Data
)
{
EFI_STATUS Status;
UINT8 *NewData;
UINT8 *Payload;
UINTN PayloadSize;
EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
UINTN DescriptorSize;
EFI_TIME Time;
if (Data == NULL || DataSize == NULL) {
return EFI_INVALID_PARAMETER;
}
//
// In Setup mode or Custom mode, the variable does not need to be signed but the
// parameters to the SetVariable() call still need to be prepared as authenticated
// variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
// data in it.
//
Payload = *Data;
PayloadSize = *DataSize;
DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
if (NewData == NULL) {
return EFI_OUT_OF_RESOURCES;
}
if ((Payload != NULL) && (PayloadSize != 0)) {
CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
}
DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
ZeroMem (&Time, sizeof (EFI_TIME));
Status = gRT->GetTime (&Time, NULL);
if (EFI_ERROR (Status)) {
FreePool(NewData);
return Status;
}
Time.Pad1 = 0;
Time.Nanosecond = 0;
Time.TimeZone = 0;
Time.Daylight = 0;
Time.Pad2 = 0;
CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
if (Payload != NULL) {
FreePool(Payload);
}
*DataSize = DescriptorSize + PayloadSize;
*Data = NewData;
return EFI_SUCCESS;
}
/**
Internal helper function to delete a Variable given its name and GUID, NO authentication
required.
@param[in] VariableName Name of the Variable.
@param[in] VendorGuid GUID of the Variable.
@retval EFI_SUCCESS Variable deleted successfully.
@retval Others The driver failed to start the device.
**/
EFI_STATUS
DeleteVariable (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid
)
{
EFI_STATUS Status;
VOID* Variable;
UINT8 *Data;
UINTN DataSize;
UINT32 Attr;
GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
if (Variable == NULL) {
return EFI_SUCCESS;
}
FreePool (Variable);
Data = NULL;
DataSize = 0;
Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
Status = CreateTimeBasedPayload (&DataSize, &Data);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
return Status;
}
Status = gRT->SetVariable (
VariableName,
VendorGuid,
Attr,
DataSize,
Data
);
if (Data != NULL) {
FreePool (Data);
}
return Status;
}
/**
Set the platform secure boot mode into "Custom" or "Standard" mode.
@param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or
CUSTOM_SECURE_BOOT_MODE.
@return EFI_SUCCESS The platform has switched to the special mode successfully.
@return other Fail to operate the secure boot mode.
**/
EFI_STATUS
SetSecureBootMode (
IN UINT8 SecureBootMode
)
{
return gRT->SetVariable (
EFI_CUSTOM_MODE_NAME,
&gEfiCustomModeEnableGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
sizeof (UINT8),
&SecureBootMode
);
}
/**
Fetches the value of SetupMode variable.
@param[out] SetupMode Pointer to UINT8 for SetupMode output
@retval other Retval from GetVariable.
**/
EFI_STATUS
EFIAPI
GetSetupMode (
OUT UINT8 *SetupMode
)
{
UINTN Size;
EFI_STATUS Status;
Size = sizeof (*SetupMode);
Status = gRT->GetVariable (
EFI_SETUP_MODE_NAME,
&gEfiGlobalVariableGuid,
NULL,
&Size,
SetupMode
);
if (EFI_ERROR (Status)) {
return Status;
}
return EFI_SUCCESS;
}
/**
Clears the content of the 'db' variable.
@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
while VendorGuid is NULL.
@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
**/
EFI_STATUS
EFIAPI
DeleteDb (
VOID
)
{
EFI_STATUS Status;
Status = DeleteVariable (
EFI_IMAGE_SECURITY_DATABASE,
&gEfiImageSecurityDatabaseGuid
);
return Status;
}
/**
Clears the content of the 'dbx' variable.
@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
while VendorGuid is NULL.
@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
**/
EFI_STATUS
EFIAPI
DeleteDbx (
VOID
)
{
EFI_STATUS Status;
Status = DeleteVariable (
EFI_IMAGE_SECURITY_DATABASE1,
&gEfiImageSecurityDatabaseGuid
);
return Status;
}
/**
Clears the content of the 'dbt' variable.
@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
while VendorGuid is NULL.
@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
**/
EFI_STATUS
EFIAPI
DeleteDbt (
VOID
)
{
EFI_STATUS Status;
Status = DeleteVariable (
EFI_IMAGE_SECURITY_DATABASE2,
&gEfiImageSecurityDatabaseGuid
);
return Status;
}
/**
Clears the content of the 'KEK' variable.
@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
while VendorGuid is NULL.
@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
**/
EFI_STATUS
EFIAPI
DeleteKEK (
VOID
)
{
EFI_STATUS Status;
Status = DeleteVariable (
EFI_KEY_EXCHANGE_KEY_NAME,
&gEfiGlobalVariableGuid
);
return Status;
}
/**
Remove the PK variable.
@retval EFI_SUCCESS Delete PK successfully.
@retval Others Could not allow to delete PK.
**/
EFI_STATUS
EFIAPI
DeletePlatformKey (
VOID
)
{
EFI_STATUS Status;
Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
if (EFI_ERROR (Status)) {
return Status;
}
Status = DeleteVariable (
EFI_PLATFORM_KEY_NAME,
&gEfiGlobalVariableGuid
);
return Status;
}
Reference in New Issue View Git Blame Copy Permalink