TianoCore EDK2 master
AuthService.c File Reference
#include "AuthServiceInternal.h"
#include <Protocol/VariablePolicy.h>
#include <Library/VariablePolicyLib.h>


Data Structures

struct  EFI_HASH_INFO
 

Macros

#define SHA_DIGEST_SIZE_MAX   SHA512_DIGEST_SIZE
 

Typedefs

typedef UINTN(EFIAPI * EFI_HASH_GET_CONTEXT_SIZE) (VOID)
 
typedef BOOLEAN(EFIAPI * EFI_HASH_INIT) (OUT VOID *HashContext)
 
typedef BOOLEAN(EFIAPI * EFI_HASH_UPDATE) (IN OUT VOID *HashContext, IN CONST VOID *Data, IN UINTN DataSize)
 
typedef BOOLEAN(EFIAPI * EFI_HASH_FINAL) (IN OUT VOID *HashContext, OUT UINT8 *HashValue)
 

Functions

EFI_STATUS AuthServiceInternalFindVariable (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, OUT VOID **Data, OUT UINTN *DataSize)
 
EFI_STATUS AuthServiceInternalUpdateVariable (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes)
 
EFI_STATUS AuthServiceInternalUpdateVariableWithTimeStamp (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes, IN EFI_TIME *TimeStamp)
 
BOOLEAN NeedPhysicallyPresent (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid)
 
BOOLEAN InCustomMode (VOID)
 
EFI_STATUS UpdatePlatformMode (IN UINT32 Mode)
 
EFI_STATUS CheckSignatureListFormat (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize)
 
EFI_STATUS VendorKeyIsModified (VOID)
 
EFI_STATUS ProcessVarWithPk (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes OPTIONAL, IN BOOLEAN IsPk)
 
EFI_STATUS ProcessVarWithKek (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes OPTIONAL)
 
BOOLEAN IsDeleteAuthVariable (IN UINT32 OrgAttributes, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes)
 
EFI_STATUS ProcessVariable (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes)
 
EFI_STATUS FilterSignatureList (IN VOID *Data, IN UINTN DataSize, IN OUT VOID *NewData, IN OUT UINTN *NewDataSize)
 
BOOLEAN AuthServiceInternalCompareTimeStamp (IN EFI_TIME *FirstTime, IN EFI_TIME *SecondTime)
 
EFI_STATUS CalculatePrivAuthVarSignChainSHADigest (IN UINT8 HashAlgId, IN UINT8 *SignerCert, IN UINTN SignerCertSize, IN UINT8 *TopLevelCert, IN UINTN TopLevelCertSize, OUT UINT8 *ShaDigest)
 
EFI_STATUS FindCertsFromDb (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT8 *Data, IN UINTN DataSize, OUT UINT32 *CertOffset OPTIONAL, OUT UINT32 *CertDataSize OPTIONAL, OUT UINT32 *CertNodeOffset OPTIONAL, OUT UINT32 *CertNodeSize OPTIONAL)
 
EFI_STATUS GetCertsFromDb (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT32 Attributes, OUT UINT8 **CertData, OUT UINT32 *CertDataSize)
 
EFI_STATUS DeleteCertsFromDb (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT32 Attributes)
 
EFI_STATUS InsertCertsToDb (IN UINT8 HashAlgId, IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT32 Attributes, IN UINT8 *SignerCert, IN UINTN SignerCertSize, IN UINT8 *TopLevelCert, IN UINTN TopLevelCertSize)
 
EFI_STATUS CleanCertsFromDb (VOID)
 
UINT8 FindHashAlgorithmIndex (IN UINT8 *SigData, IN UINT32 SigDataSize)
 
EFI_STATUS VerifyTimeBasedPayload (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes, IN AUTHVAR_TYPE AuthVarType, IN EFI_TIME *OrgTimeStamp, OUT UINT8 **VarPayloadPtr, OUT UINTN *VarPayloadSize)
 
EFI_STATUS VerifyTimeBasedPayloadAndUpdate (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes, IN AUTHVAR_TYPE AuthVarType, OUT BOOLEAN *VarDel)
 

Variables

CONST UINT8 mRsaE [] = { 0x01, 0x00, 0x01 }
 
UINT8 mSha256OidValue [] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 }
 
UINT8 mSha384OidValue [] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 }
 
UINT8 mSha512OidValue [] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 }
 
EFI_HASH_INFO mHashInfo []
 
EFI_SIGNATURE_ITEM mSupportSigItem []
 

Detailed Description

Implement authentication services for the authenticated variables.

Caution: This module requires additional review when modified. This driver will have external input - variable data. It may be input in SMM mode. This external input must be validated carefully to avoid security issues like buffer overflow and integer overflow. Variable attributes should also be checked to avoid authentication bypass. The whole SMM authentication variable design relies on the integrity of the flash part and SMM, which is assumed to be protected by the platform. All variable code and metadata in flash/SMM memory may not be modified without authorization. If the platform fails to protect these resources, the authentication service provided in this driver will be broken, and the behavior is undefined.

ProcessVarWithPk(), ProcessVarWithKek() and ProcessVariable() are the functions that perform variable authentication.

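VerifyTimeBasedPayloadAndUpdate() and VerifyCounterBasedPayload() are sub-functions that perform verification. They do basic validation of the authentication data structure, then call the crypto library to verify the signature. (VerifyCounterBasedPayload() is not among the functions documented on this page; the verification routines listed here are VerifyTimeBasedPayload() and VerifyTimeBasedPayloadAndUpdate().)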

Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
Copyright (c) Microsoft Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent

Definition in file AuthService.c.

Macro Definition Documentation

◆ SHA_DIGEST_SIZE_MAX

#define SHA_DIGEST_SIZE_MAX   SHA512_DIGEST_SIZE

Definition at line 32 of file AuthService.c.

Typedef Documentation

◆ EFI_HASH_FINAL

typedef BOOLEAN(EFIAPI * EFI_HASH_FINAL) (IN OUT VOID *HashContext, OUT UINT8 *HashValue)

Completes computation of the Hash digest value.

This function completes hash computation and retrieves the digest value into the specified memory. After this function has been called, the Hash context cannot be used again. Hash context should already have been correctly initialized by HashInit(), and should not already have been finalized by HashFinal(). Behavior with an invalid Hash context is undefined.

If HashContext is NULL, then return FALSE. If HashValue is NULL, then return FALSE. If this interface is not supported, then return FALSE.

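Parameters
[in,out] HashContext: Pointer to the Hash context.
[out] HashValue: Pointer to a buffer that receives the Hash digest value. The interface takes no buffer length, so the caller must provide a buffer at least as large as the digest of the selected algorithm (the largest digest size listed in mHashInfo is SHA512_DIGEST_SIZE, which this file also names SHA_DIGEST_SIZE_MAX).
Return values
TRUE: Hash digest computation succeeded.
FALSE: Hash digest computation failed.
FALSE: This interface is not supported.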

Definition at line 120 of file AuthService.c.

◆ EFI_HASH_GET_CONTEXT_SIZE

typedef UINTN(EFIAPI * EFI_HASH_GET_CONTEXT_SIZE) (VOID)

Retrieves the size, in bytes, of the context buffer required for hash operations.

If this interface is not supported, then return zero.

Returns
The size, in bytes, of the context buffer required for hash operations.
Return values
0: This interface is not supported.

Definition at line 44 of file AuthService.c.

◆ EFI_HASH_INIT

typedef BOOLEAN(EFIAPI * EFI_HASH_INIT) (OUT VOID *HashContext)

Initializes user-supplied memory pointed to by HashContext as hash context for subsequent use.

If HashContext is NULL, then return FALSE. If this interface is not supported, then return FALSE.

Parameters
[out] HashContext: Pointer to the Hash context being initialized.
Return values
TRUE: Hash context initialization succeeded.
FALSE: Hash context initialization failed.
FALSE: This interface is not supported.

Definition at line 64 of file AuthService.c.

◆ EFI_HASH_UPDATE

typedef BOOLEAN(EFIAPI * EFI_HASH_UPDATE) (IN OUT VOID *HashContext, IN CONST VOID *Data, IN UINTN DataSize)

Digests the input data and updates Hash context.

This function performs Hash digest on a data buffer of the specified size. It can be called multiple times to compute the digest of long or discontinuous data streams. Hash context should already have been correctly initialized by HashInit(), and should not already have been finalized by HashFinal(). Behavior with an invalid context is undefined.

If HashContext is NULL, then return FALSE. If this interface is not supported, then return FALSE.

Parameters
[in,out] HashContext: Pointer to the Hash context.
[in] Data: Pointer to the buffer containing the data to be hashed.
[in] DataSize: Size of Data buffer in bytes.
Return values
TRUE: Hash data digest succeeded.
FALSE: Hash data digest failed.
FALSE: This interface is not supported.

Definition at line 90 of file AuthService.c.

Function Documentation

◆ AuthServiceInternalCompareTimeStamp()

BOOLEAN AuthServiceInternalCompareTimeStamp ( IN EFI_TIME *  FirstTime,
IN EFI_TIME *  SecondTime 
)

Compare two EFI_TIME data.

Parameters
FirstTimeA pointer to the first EFI_TIME data.
SecondTimeA pointer to the second EFI_TIME data.
Return values
TRUEThe FirstTime is not later than the SecondTime.
FALSEThe FirstTime is later than the SecondTime.

Definition at line 1185 of file AuthService.c.

◆ AuthServiceInternalFindVariable()

EFI_STATUS AuthServiceInternalFindVariable ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
OUT VOID **  Data,
OUT UINTN *  DataSize 
)

Finds variable in storage blocks of volatile and non-volatile storage areas.

This code finds variable in storage blocks of volatile and non-volatile storage areas. If VariableName is an empty string, then we just return the first qualified variable without comparing VariableName and VendorGuid.

Parameters
[in]VariableNameName of the variable to be found.
[in]VendorGuidVariable vendor GUID to be found.
[out]DataPointer to data address.
[out]DataSizePointer to data size.
Return values
EFI_INVALID_PARAMETERIf VariableName is not an empty string, while VendorGuid is NULL.
EFI_SUCCESSVariable successfully found.
EFI_NOT_FOUNDVariable not found

Definition at line 191 of file AuthService.c.

◆ AuthServiceInternalUpdateVariable()

EFI_STATUS AuthServiceInternalUpdateVariable ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN VOID *  Data,
IN UINTN  DataSize,
IN UINT32  Attributes 
)

Update the variable region with Variable information.

Parameters
[in]VariableNameName of variable.
[in]VendorGuidGuid of variable.
[in]DataData pointer.
[in]DataSizeSize of Data.
[in]AttributesAttribute value of the variable.
Return values
EFI_SUCCESSThe update operation is success.
EFI_INVALID_PARAMETERInvalid parameter.
EFI_WRITE_PROTECTEDVariable is write-protected.
EFI_OUT_OF_RESOURCESThere is not enough resource.

Definition at line 228 of file AuthService.c.

◆ AuthServiceInternalUpdateVariableWithTimeStamp()

EFI_STATUS AuthServiceInternalUpdateVariableWithTimeStamp ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN VOID *  Data,
IN UINTN  DataSize,
IN UINT32  Attributes,
IN EFI_TIME *  TimeStamp 
)

Update the variable region with Variable information.

Parameters
[in]VariableNameName of variable.
[in]VendorGuidGuid of variable.
[in]DataData pointer.
[in]DataSizeSize of Data.
[in]AttributesAttribute value of the variable.
[in]TimeStampValue of associated TimeStamp.
Return values
EFI_SUCCESSThe update operation is success.
EFI_INVALID_PARAMETERInvalid parameter.
EFI_WRITE_PROTECTEDVariable is write-protected.
EFI_OUT_OF_RESOURCESThere is not enough resource.

Definition at line 267 of file AuthService.c.

◆ CalculatePrivAuthVarSignChainSHADigest()

EFI_STATUS CalculatePrivAuthVarSignChainSHADigest ( IN UINT8  HashAlgId,
IN UINT8 *  SignerCert,
IN UINTN  SignerCertSize,
IN UINT8 *  TopLevelCert,
IN UINTN  TopLevelCertSize,
OUT UINT8 *  ShaDigest 
)

Calculate SHA digest of SignerCert CommonName + ToplevelCert tbsCertificate. SignerCert and ToplevelCert are inside the signer certificate chain.

Parameters
[in]HashAlgIdHash algorithm index.
[in]SignerCertA pointer to SignerCert data.
[in]SignerCertSizeLength of SignerCert data.
[in]TopLevelCertA pointer to TopLevelCert data.
[in]TopLevelCertSizeLength of TopLevelCert data.
[out]ShaDigestSha digest calculated.
Returns
EFI_ABORTED Digest process failed.
EFI_SUCCESS SHA Digest is successfully calculated.

Definition at line 1221 of file AuthService.c.

◆ CheckSignatureListFormat()

EFI_STATUS CheckSignatureListFormat ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN VOID *  Data,
IN UINTN  DataSize 
)

Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK/db/dbx/dbt variable.

Parameters
[in] VariableName: Name of Variable to be checked.
[in] VendorGuid: Variable vendor GUID.
[in] Data: Pointer to the variable data to be checked.
[in] DataSize: Size of Data.
Returns
EFI_INVALID_PARAMETER Invalid signature list format.
EFI_SUCCESS Passed signature list format check successfully.

Definition at line 512 of file AuthService.c.

◆ CleanCertsFromDb()

EFI_STATUS CleanCertsFromDb ( VOID  )

Clean up signer's certificates for common authenticated variable by corresponding VariableName and VendorGuid from "certdb". The system may break down during the time-based variable update and the certdb update, leaving them inconsistent; this function is called in AuthVariable Init to ensure consistency.

Return values
EFI_NOT_FOUNDFail to find variable "certdb".
EFI_OUT_OF_RESOURCESThe operation is failed due to lack of resources.
EFI_SUCCESSThe operation is completed successfully.

Definition at line 1825 of file AuthService.c.

◆ DeleteCertsFromDb()

EFI_STATUS DeleteCertsFromDb ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN UINT32  Attributes 
)

Delete matching signer's certificates when deleting common authenticated variable by corresponding VariableName and VendorGuid from "certdb" or "certdbv" according to authenticated variable attributes.

Parameters
[in]VariableNameName of authenticated Variable.
[in]VendorGuidVendor GUID of authenticated Variable.
[in]AttributesAttributes of authenticated variable.
Return values
EFI_INVALID_PARAMETERAny input parameter is invalid.
EFI_NOT_FOUNDFail to find "certdb"/"certdbv" or matching certs.
EFI_OUT_OF_RESOURCESThe operation is failed due to lack of resources.
EFI_SUCCESSThe operation is completed successfully.

Definition at line 1518 of file AuthService.c.

◆ FilterSignatureList()

EFI_STATUS FilterSignatureList ( IN VOID *  Data,
IN UINTN  DataSize,
IN OUT VOID *  NewData,
IN OUT UINTN *  NewDataSize 
)

Filter out the duplicated EFI_SIGNATURE_DATA from the new data by comparing to the original data.

Parameters
[in]DataPointer to original EFI_SIGNATURE_LIST.
[in]DataSizeSize of Data buffer.
[in,out]NewDataPointer to new EFI_SIGNATURE_LIST.
[in,out]NewDataSizeSize of NewData buffer.

Definition at line 1058 of file AuthService.c.

◆ FindCertsFromDb()

EFI_STATUS FindCertsFromDb ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN UINT8 *  Data,
IN UINTN  DataSize,
OUT UINT32 *CertOffset  OPTIONAL,
OUT UINT32 *CertDataSize  OPTIONAL,
OUT UINT32 *CertNodeOffset  OPTIONAL,
OUT UINT32 *CertNodeSize  OPTIONAL 
)

Find matching signer's certificates for common authenticated variable by corresponding VariableName and VendorGuid from "certdb" or "certdbv".

The data format of "certdb" or "certdbv":

UINT32 CertDbListSize;
AUTH_CERT_DB_DATA Certs1[];
AUTH_CERT_DB_DATA Certs2[];
...
AUTH_CERT_DB_DATA Certsn[];

Parameters
[in]VariableNameName of authenticated Variable.
[in]VendorGuidVendor GUID of authenticated Variable.
[in]DataPointer to variable "certdb" or "certdbv".
[in]DataSizeSize of variable "certdb" or "certdbv".
[out]CertOffsetOffset of matching CertData, from starting of Data.
[out]CertDataSizeLength of CertData in bytes.
[out]CertNodeOffsetOffset of matching AUTH_CERT_DB_DATA , from starting of Data.
[out]CertNodeSizeLength of AUTH_CERT_DB_DATA in bytes.
Return values
EFI_INVALID_PARAMETERAny input parameter is invalid.
EFI_NOT_FOUNDFail to find matching certs.
EFI_SUCCESSFind matching certs and output parameters.

Definition at line 1324 of file AuthService.c.

◆ FindHashAlgorithmIndex()

UINT8 FindHashAlgorithmIndex ( IN UINT8 *  SigData,
IN UINT32  SigDataSize 
)

Find hash algorithm index.

Parameters
[in]SigDataPointer to the PKCS#7 message.
[in]SigDataSizeLength of the PKCS#7 message.
Return values
UINT8Hash Algorithm Index.

Definition at line 1930 of file AuthService.c.

◆ GetCertsFromDb()

EFI_STATUS GetCertsFromDb ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN UINT32  Attributes,
OUT UINT8 **  CertData,
OUT UINT32 *  CertDataSize 
)

Retrieve signer's certificates for common authenticated variable by corresponding VariableName and VendorGuid from "certdb" or "certdbv" according to authenticated variable attributes.

Parameters
[in]VariableNameName of authenticated Variable.
[in]VendorGuidVendor GUID of authenticated Variable.
[in]AttributesAttributes of authenticated variable.
[out]CertDataPointer to signer's certificates.
[out]CertDataSizeLength of CertData in bytes.
Return values
EFI_INVALID_PARAMETERAny input parameter is invalid.
EFI_NOT_FOUNDFail to find "certdb"/"certdbv" or matching certs.
EFI_SUCCESSGet signer's certificates successfully.

Definition at line 1435 of file AuthService.c.

◆ InCustomMode()

BOOLEAN InCustomMode ( VOID  )

Determine whether the platform is operating in Custom Secure Boot mode.

Return values
TRUEThe platform is operating in Custom mode.
FALSEThe platform is operating in Standard mode.

Definition at line 358 of file AuthService.c.

◆ InsertCertsToDb()

EFI_STATUS InsertCertsToDb ( IN UINT8  HashAlgId,
IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN UINT32  Attributes,
IN UINT8 *  SignerCert,
IN UINTN  SignerCertSize,
IN UINT8 *  TopLevelCert,
IN UINTN  TopLevelCertSize 
)

Insert signer's certificates for common authenticated variable with VariableName and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to time based authenticated variable attributes. CertData is the SHA digest of SignerCert CommonName + TopLevelCert tbsCertificate.

Parameters
[in]HashAlgIdHash algorithm index.
[in]VariableNameName of authenticated Variable.
[in]VendorGuidVendor GUID of authenticated Variable.
[in]AttributesAttributes of authenticated variable.
[in]SignerCertSigner certificate data.
[in]SignerCertSizeLength of signer certificate.
[in]TopLevelCertTop-level certificate data.
[in]TopLevelCertSizeLength of top-level certificate.
Return values
EFI_INVALID_PARAMETERAny input parameter is invalid.
EFI_ACCESS_DENIEDAn AUTH_CERT_DB_DATA entry with same VariableName and VendorGuid already exists.
EFI_OUT_OF_RESOURCESThe operation is failed due to lack of resources.
EFI_SUCCESSInsert an AUTH_CERT_DB_DATA entry to "certdb" or "certdbv"

Definition at line 1659 of file AuthService.c.

◆ IsDeleteAuthVariable()

BOOLEAN IsDeleteAuthVariable ( IN UINT32  OrgAttributes,
IN VOID *  Data,
IN UINTN  DataSize,
IN UINT32  Attributes 
)

Check if it is to delete auth variable.

Parameters
[in]OrgAttributesOriginal attribute value of the variable.
[in]DataData pointer.
[in]DataSizeSize of Data.
[in]AttributesAttribute value of the variable.
Return values
TRUEIt is to delete auth variable.
FALSEIt is not to delete auth variable.

Definition at line 901 of file AuthService.c.

◆ NeedPhysicallyPresent()

BOOLEAN NeedPhysicallyPresent ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid 
)

Determine whether this operation needs a physically present user.

Parameters
[in] VariableName: Name of the Variable.
[in] VendorGuid: GUID of the Variable.
Return values
TRUE: This variable is protected; only a physically present user can set this variable.
FALSE: This variable is not protected.

Definition at line 333 of file AuthService.c.

◆ ProcessVariable()

EFI_STATUS ProcessVariable ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN VOID *  Data,
IN UINTN  DataSize,
IN UINT32  Attributes 
)

Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set

Caution: This function may receive untrusted input. This function may be invoked in SMM mode, and DataSize and Data are external input. This function does basic validation before parsing the data. It parses the authentication data carefully to avoid security issues such as buffer overflow and integer overflow. It checks attributes carefully to avoid authentication bypass.

Parameters
[in] VariableName: Name of the variable.
[in] VendorGuid: Variable vendor GUID.
[in] Data: Data pointer.
[in] DataSize: Size of Data.
[in] Attributes: Attribute value of the variable.
Returns
EFI_INVALID_PARAMETER Invalid parameter.
EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
EFI_OUT_OF_RESOURCES The Database to save the public key is full.
EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set, but the AuthInfo does NOT pass the validation check carried out by the firmware.
EFI_SUCCESS Variable is not write-protected or pass validation successfully.

Definition at line 965 of file AuthService.c.

◆ ProcessVarWithKek()

EFI_STATUS ProcessVarWithKek ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN VOID *  Data,
IN UINTN  DataSize,
IN UINT32 Attributes  OPTIONAL 
)

Process variable with key exchange key for verification.

Caution: This function may receive untrusted input. This function may be invoked in SMM mode, and DataSize and Data are external input. This function does basic validation before parsing the data. It parses the authentication data carefully to avoid security issues such as buffer overflow and integer overflow. It checks attributes carefully to avoid authentication bypass.

Parameters
[in] VariableName: Name of Variable to be found.
[in] VendorGuid: Variable vendor GUID.
[in] Data: Data pointer.
[in] DataSize: Size of Data found. If size is less than the data, this value contains the required size.
[in] Attributes: Attribute value of the variable.
Returns
EFI_INVALID_PARAMETER Invalid parameter.
EFI_SECURITY_VIOLATION The variable does NOT pass the validation check carried out by the firmware.
EFI_SUCCESS Variable pass validation successfully.

Definition at line 820 of file AuthService.c.

◆ ProcessVarWithPk()

EFI_STATUS ProcessVarWithPk ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN VOID *  Data,
IN UINTN  DataSize,
IN UINT32 Attributes  OPTIONAL,
IN BOOLEAN  IsPk 
)

Process variable with platform key for verification.

Caution: This function may receive untrusted input. This function may be invoked in SMM mode, and DataSize and Data are external input. This function does basic validation before parsing the data. It parses the authentication data carefully to avoid security issues such as buffer overflow and integer overflow. It checks attributes carefully to avoid authentication bypass.

Parameters
[in] VariableName: Name of Variable to be found.
[in] VendorGuid: Variable vendor GUID.
[in] Data: Data pointer.
[in] DataSize: Size of Data found. If size is less than the data, this value contains the required size.
[in] Attributes: Attribute value of the variable.
[in] IsPk: Indicate whether it is to process pk.
Returns
EFI_INVALID_PARAMETER Invalid parameter.
EFI_SECURITY_VIOLATION The variable does NOT pass the validation check carried out by the firmware.
EFI_SUCCESS Variable passed validation successfully.

Definition at line 691 of file AuthService.c.

◆ UpdatePlatformMode()

EFI_STATUS UpdatePlatformMode ( IN UINT32  Mode)

Update platform mode.

Parameters
[in]ModeSETUP_MODE or USER_MODE.
Returns
EFI_INVALID_PARAMETER Invalid parameter.
EFI_SUCCESS Update platform mode successfully.

Definition at line 384 of file AuthService.c.

◆ VendorKeyIsModified()

EFI_STATUS VendorKeyIsModified ( VOID  )

Update "VendorKeys" variable to record the out of band secure boot key modification.

Returns
EFI_SUCCESS Variable is updated successfully.
Others Failed to update variable.

Definition at line 634 of file AuthService.c.

◆ VerifyTimeBasedPayload()

EFI_STATUS VerifyTimeBasedPayload ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN VOID *  Data,
IN UINTN  DataSize,
IN UINT32  Attributes,
IN AUTHVAR_TYPE  AuthVarType,
IN EFI_TIME *  OrgTimeStamp,
OUT UINT8 **  VarPayloadPtr,
OUT UINTN *  VarPayloadSize 
)

Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set

Caution: This function may receive untrusted input. This function may be invoked in SMM mode, and DataSize and Data are external input. This function does basic validation before parsing the data. It parses the authentication data carefully to avoid security issues such as buffer overflow and integer overflow.

Parameters
[in] VariableName: Name of Variable to be found.
[in] VendorGuid: Variable vendor GUID.
[in] Data: Data pointer.
[in] DataSize: Size of Data found. If size is less than the data, this value contains the required size.
[in] Attributes: Attribute value of the variable.
[in] AuthVarType: Verify against PK, KEK database, private database or certificate in data payload.
[in] OrgTimeStamp: Pointer to original time stamp; NULL indicates that the original variable was not found.
[out] VarPayloadPtr: Pointer to variable payload address.
[out] VarPayloadSize: Pointer to variable payload size.
Return values
EFI_INVALID_PARAMETER: Invalid parameter.
EFI_SECURITY_VIOLATION: The variable does NOT pass the validation check carried out by the firmware.
EFI_OUT_OF_RESOURCES: Failed to process variable due to lack of resources.
EFI_SUCCESS: Variable passed validation successfully.

Definition at line 1982 of file AuthService.c.

◆ VerifyTimeBasedPayloadAndUpdate()

EFI_STATUS VerifyTimeBasedPayloadAndUpdate ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN VOID *  Data,
IN UINTN  DataSize,
IN UINT32  Attributes,
IN AUTHVAR_TYPE  AuthVarType,
OUT BOOLEAN *  VarDel 
)

Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set

Caution: This function may receive untrusted input. This function may be invoked in SMM mode, and DataSize and Data are external input. This function does basic validation before parsing the data. It parses the authentication data carefully to avoid security issues such as buffer overflow and integer overflow.

Parameters
[in] VariableName: Name of Variable to be found.
[in] VendorGuid: Variable vendor GUID.
[in] Data: Data pointer.
[in] DataSize: Size of Data found. If size is less than the data, this value contains the required size.
[in] Attributes: Attribute value of the variable.
[in] AuthVarType: Verify against PK, KEK database, private database or certificate in data payload.
[out] VarDel: Delete the variable or not.
Return values
EFI_INVALID_PARAMETER: Invalid parameter.
EFI_SECURITY_VIOLATION: The variable does NOT pass the validation check carried out by the firmware.
EFI_OUT_OF_RESOURCES: Failed to process variable due to lack of resources.
EFI_SUCCESS: Variable passed validation successfully.

Definition at line 2462 of file AuthService.c.

Variable Documentation

◆ mHashInfo

EFI_HASH_INFO mHashInfo[]
Initial value:
= {
{ SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final, &mHashSha256Ctx, mSha256OidValue, 9 },
{ SHA384_DIGEST_SIZE, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final, &mHashSha384Ctx, mSha384OidValue, 9 },
{ SHA512_DIGEST_SIZE, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final, &mHashSha512Ctx, mSha512OidValue, 9 },
}
UINTN EFIAPI Sha256GetContextSize(VOID)
Definition: CryptSha256.c:20
UINTN EFIAPI Sha384GetContextSize(VOID)
Definition: CryptSha512.c:20
BOOLEAN EFIAPI Sha512Final(IN OUT VOID *Sha512Context, OUT UINT8 *HashValue)
Definition: CryptSha512.c:389
UINTN EFIAPI Sha512GetContextSize(VOID)
Definition: CryptSha512.c:246
BOOLEAN EFIAPI Sha512Init(OUT VOID *Sha512Context)
Definition: CryptSha512.c:270
#define SHA512_DIGEST_SIZE
Definition: BaseCryptLib.h:54
BOOLEAN EFIAPI Sha256Init(OUT VOID *Sha256Context)
Definition: CryptSha256.c:44
BOOLEAN EFIAPI Sha256Final(IN OUT VOID *Sha256Context, OUT UINT8 *HashValue)
Definition: CryptSha256.c:161
#define SHA256_DIGEST_SIZE
Definition: BaseCryptLib.h:44
BOOLEAN EFIAPI Sha384Update(IN OUT VOID *Sha384Context, IN CONST VOID *Data, IN UINTN DataSize)
Definition: CryptSha512.c:115
BOOLEAN EFIAPI Sha256Update(IN OUT VOID *Sha256Context, IN CONST VOID *Data, IN UINTN DataSize)
Definition: CryptSha256.c:113
BOOLEAN EFIAPI Sha384Final(IN OUT VOID *Sha384Context, OUT UINT8 *HashValue)
Definition: CryptSha512.c:163
BOOLEAN EFIAPI Sha384Init(OUT VOID *Sha384Context)
Definition: CryptSha512.c:44
BOOLEAN EFIAPI Sha512Update(IN OUT VOID *Sha512Context, IN CONST VOID *Data, IN UINTN DataSize)
Definition: CryptSha512.c:341
#define SHA384_DIGEST_SIZE
Definition: BaseCryptLib.h:49

Definition at line 146 of file AuthService.c.

◆ mRsaE

CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 }

Definition at line 140 of file AuthService.c.

◆ mSha256OidValue

UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 }

Definition at line 142 of file AuthService.c.

◆ mSha384OidValue

UINT8 mSha384OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02 }

Definition at line 143 of file AuthService.c.

◆ mSha512OidValue

UINT8 mSha512OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03 }

Definition at line 144 of file AuthService.c.

◆ mSupportSigItem

EFI_SIGNATURE_ITEM mSupportSigItem[]
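Initial value (the initializer as rendered on this page lists three entries, while the cross-references below it name further EFI_CERT_* signature types; the listing may be truncated, so confirm the supported set against AuthService.c):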
= {
{ EFI_CERT_RSA2048_GUID, 0, 256 },
{ EFI_CERT_SHA1_GUID, 0, 20 },
{ EFI_CERT_X509_GUID, 0, ((UINT32) ~0) },
}
#define EFI_CERT_X509_SHA512_GUID
#define EFI_CERT_SHA512_GUID
#define EFI_CERT_SHA224_GUID
#define EFI_CERT_RSA2048_SHA1_GUID
#define EFI_CERT_SHA384_GUID
#define EFI_CERT_RSA2048_GUID
#define EFI_CERT_SHA256_GUID
#define EFI_CERT_RSA2048_SHA256_GUID
#define EFI_CERT_X509_SHA256_GUID
#define EFI_CERT_X509_GUID
#define EFI_CERT_SHA1_GUID
#define EFI_CERT_X509_SHA384_GUID

Definition at line 156 of file AuthService.c.