TianoCore EDK2 master
BlobVerifierSevHashes.c File Reference


Data Structures

struct  HASH_TABLE
 

Macros

#define SEV_HASH_TABLE_GUID    (GUID) { 0x9438d606, 0x4f22, 0x4cc9, { 0xb4, 0x79, 0xa7, 0x93, 0xd4, 0x11, 0xfd, 0x21 } }
 
#define SEV_KERNEL_HASH_GUID    (GUID) { 0x4de79437, 0xabd2, 0x427f, { 0xb8, 0x35, 0xd5, 0xb1, 0x72, 0xd2, 0x04, 0x5b } }
 
#define SEV_INITRD_HASH_GUID    (GUID) { 0x44baf731, 0x3a2f, 0x4bd7, { 0x9a, 0xf1, 0x41, 0xe2, 0x91, 0x69, 0x78, 0x1d } }
 
#define SEV_CMDLINE_HASH_GUID    (GUID) { 0x97d02dd8, 0xbd20, 0x4c94, { 0xaa, 0x78, 0xe7, 0x71, 0x4d, 0x36, 0xab, 0x2a } }
 

Functions

STATIC CONST GUID * FindBlobEntryGuid (IN CONST CHAR16 *BlobName)
 
EFI_STATUS EFIAPI VerifyBlob (IN CONST CHAR16 *BlobName, IN CONST VOID *Buf, IN UINT32 BufSize, IN EFI_STATUS FetchStatus)
 
RETURN_STATUS EFIAPI BlobVerifierLibSevHashesConstructor (VOID)
 

Variables

STATIC CONST EFI_GUID mSevKernelHashGuid = SEV_KERNEL_HASH_GUID
 
STATIC CONST EFI_GUID mSevInitrdHashGuid = SEV_INITRD_HASH_GUID
 
STATIC CONST EFI_GUID mSevCmdlineHashGuid = SEV_CMDLINE_HASH_GUID
 
STATIC HASH_TABLE * mHashesTable
 
STATIC UINT16 mHashesTableSize
 

Detailed Description

Blob verifier library that uses SEV hashes table. The hashes table holds the allowed hashes of the kernel, initrd, and cmdline blobs.

Copyright (C) 2021, IBM Corporation

SPDX-License-Identifier: BSD-2-Clause-Patent

Definition in file BlobVerifierSevHashes.c.

Macro Definition Documentation

◆ SEV_CMDLINE_HASH_GUID

#define SEV_CMDLINE_HASH_GUID    (GUID) { 0x97d02dd8, 0xbd20, 0x4c94, { 0xaa, 0x78, 0xe7, 0x71, 0x4d, 0x36, 0xab, 0x2a } }

Definition at line 42 of file BlobVerifierSevHashes.c.

◆ SEV_HASH_TABLE_GUID

#define SEV_HASH_TABLE_GUID    (GUID) { 0x9438d606, 0x4f22, 0x4cc9, { 0xb4, 0x79, 0xa7, 0x93, 0xd4, 0x11, 0xfd, 0x21 } }

The SEV Hashes table must be in encrypted memory. The table and each of its entries are laid out as

<GUID>|UINT16 <len>|<data>

with the GUID of the whole table being 9438d606-4f22-4cc9-b479-a793d411fd21

The current possible table entries are for the kernel, the initrd and the cmdline:

4de79437-abd2-427f-b835-d5b172d2045b  kernel
44baf731-3a2f-4bd7-9af1-41e29169781d  initrd
97d02dd8-bd20-4c94-aa78-e7714d36ab2a  cmdline

The size of the entry is used to identify the hash, but the expectation is that it will be 32 bytes of SHA-256.

Definition at line 36 of file BlobVerifierSevHashes.c.

◆ SEV_INITRD_HASH_GUID

#define SEV_INITRD_HASH_GUID    (GUID) { 0x44baf731, 0x3a2f, 0x4bd7, { 0x9a, 0xf1, 0x41, 0xe2, 0x91, 0x69, 0x78, 0x1d } }

Definition at line 40 of file BlobVerifierSevHashes.c.

◆ SEV_KERNEL_HASH_GUID

#define SEV_KERNEL_HASH_GUID    (GUID) { 0x4de79437, 0xabd2, 0x427f, { 0xb8, 0x35, 0xd5, 0xb1, 0x72, 0xd2, 0x04, 0x5b } }

Definition at line 38 of file BlobVerifierSevHashes.c.

Function Documentation

◆ BlobVerifierLibSevHashesConstructor()

RETURN_STATUS EFIAPI BlobVerifierLibSevHashesConstructor ( VOID  )

Locate the SEV hashes table.

This function always returns success, even if the table can't be found. The subsequent VerifyBlob calls will fail if no table was found.

Return values
RETURN_SUCCESS  The hashes table is set up correctly, or there is no hashes table

Definition at line 224 of file BlobVerifierSevHashes.c.

◆ FindBlobEntryGuid()

STATIC CONST GUID * FindBlobEntryGuid ( IN CONST CHAR16 *  BlobName)

Definition at line 62 of file BlobVerifierSevHashes.c.

◆ VerifyBlob()

EFI_STATUS EFIAPI VerifyBlob ( IN CONST CHAR16 *  BlobName,
IN CONST VOID *  Buf,
IN UINT32  BufSize,
IN EFI_STATUS  FetchStatus 
)

Verify blob from an external source.

If a non-secure configuration is detected this function will enter a dead loop to prevent a boot.

Parameters
[in]  BlobName     The name of the blob
[in]  Buf          The data of the blob
[in]  BufSize      The size of the blob in bytes
[in]  FetchStatus  The status of the previous blob fetch
Return values
EFI_SUCCESS        The blob was verified successfully or was not found in the hash table.
EFI_ACCESS_DENIED  Kernel hashes not supported, but the boot can continue safely.

Definition at line 95 of file BlobVerifierSevHashes.c.
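The following is an added example, not EDK2 code, that models the `<GUID>|UINT16 <len>|<data>` layout described under SEV_HASH_TABLE_GUID and the decision VerifyBlob makes on top of it. It runs on a host (for instance to sanity-check a table a VMM has emitted) and uses plain Python in place of the EDK2 types. Two details are assumptions the page does not state: the UINT16 len field is taken to cover the whole entry, GUID and len included, and GUIDs are serialized in EFI byte order (first three fields little-endian). The outcome labels "SUCCESS", "ACCESS_DENIED" and "HALT" are the example's own; the firmware's actual status mapping is the one documented above, and "HALT" stands in for the dead loop.

```python
"""Host-side model of the SEV hashes table and the blob check it backs (added example)."""
import hashlib
import hmac
import struct
import uuid

# GUIDs exactly as listed on the page.
SEV_HASH_TABLE_GUID = uuid.UUID("9438d606-4f22-4cc9-b479-a793d411fd21")
SEV_KERNEL_HASH_GUID = uuid.UUID("4de79437-abd2-427f-b835-d5b172d2045b")
SEV_INITRD_HASH_GUID = uuid.UUID("44baf731-3a2f-4bd7-9af1-41e29169781d")
SEV_CMDLINE_HASH_GUID = uuid.UUID("97d02dd8-bd20-4c94-aa78-e7714d36ab2a")

BLOB_GUIDS = {
    "kernel": SEV_KERNEL_HASH_GUID,
    "initrd": SEV_INITRD_HASH_GUID,
    "cmdline": SEV_CMDLINE_HASH_GUID,
}

# <GUID>|UINT16 <len> header shared by the table and every entry: 16 + 2 bytes, no padding.
# Assumption: len counts the whole entry, this header included.
HEADER = struct.Struct("<16sH")
SHA256_LEN = 32


class HashTableError(ValueError):
    """Malformed table: it must be refused rather than read past its bounds."""


def build_hash_table(blobs):
    """Emit GUID|len|sha256 entries under a table header, as a VMM would (constructed sample)."""
    body = b""
    for name, data in blobs.items():
        digest = hashlib.sha256(data).digest()
        body += HEADER.pack(BLOB_GUIDS[name].bytes_le, HEADER.size + len(digest)) + digest
    return HEADER.pack(SEV_HASH_TABLE_GUID.bytes_le, HEADER.size + len(body)) + body


def parse_hash_table(table):
    """Return {guid: data} for every entry, validating each length before trusting it."""
    if len(table) < HEADER.size:
        raise HashTableError("table shorter than its header")
    raw_guid, total_len = HEADER.unpack_from(table, 0)
    if uuid.UUID(bytes_le=raw_guid) != SEV_HASH_TABLE_GUID:
        raise HashTableError("table GUID does not match SEV_HASH_TABLE_GUID")
    if total_len < HEADER.size or total_len > len(table):
        raise HashTableError("table len field exceeds the available bytes")
    entries = {}
    offset = HEADER.size
    while offset + HEADER.size <= total_len:
        raw_guid, entry_len = HEADER.unpack_from(table, offset)
        # A len below the header size would stall or reverse the walk; a len past the
        # table end would read outside the region the table is supposed to occupy.
        if entry_len < HEADER.size or offset + entry_len > total_len:
            raise HashTableError("entry len field out of bounds at offset %d" % offset)
        entries[uuid.UUID(bytes_le=raw_guid)] = table[offset + HEADER.size:offset + entry_len]
        offset += entry_len
    if offset != total_len:
        raise HashTableError("trailing bytes that do not form a full entry")
    return entries


def verify_blob(table, blob_name, buf):
    """Model of the check: 'SUCCESS' on a hash match, 'ACCESS_DENIED' when there is nothing
    to check against, 'HALT' (the dead loop) on a corrupt table or a mismatching blob."""
    guid = BLOB_GUIDS.get(blob_name)
    if guid is None:
        return "ACCESS_DENIED"  # name the verifier does not know how to check
    try:
        entries = parse_hash_table(table)
    except HashTableError:
        return "HALT"  # a table that cannot be parsed is a non-secure configuration
    expected = entries.get(guid)
    if expected is None:
        return "ACCESS_DENIED"  # table present but carries no hash for this blob
    if len(expected) != SHA256_LEN:
        return "ACCESS_DENIED"  # the entry size identifies the hash; only SHA-256 is accepted
    actual = hashlib.sha256(buf).digest()
    if not hmac.compare_digest(expected, actual):
        return "HALT"  # fetched blob differs from what the table allows: stop the boot
    return "SUCCESS"


if __name__ == "__main__":
    # Constructed sample blobs; a real table would carry the hashes of the actual images.
    sample = {"kernel": b"vmlinuz bytes", "initrd": b"initrd bytes", "cmdline": b"console=ttyS0\0"}
    table = build_hash_table(sample)
    print("kernel:", verify_blob(table, "kernel", sample["kernel"]))
    print("tampered kernel:", verify_blob(table, "kernel", b"tampered kernel"))
```

The bounds checks in `parse_hash_table` are the part worth carrying into any consumer of this layout: both the table len and every entry len are attacker-shaped integers from the consumer's point of view, so each is compared against the bytes actually available before it is used to advance the walk. The digest comparison uses a constant-time compare, which costs nothing here and avoids a timing side channel on the expected hash.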

Variable Documentation

◆ mHashesTable

STATIC HASH_TABLE* mHashesTable

Definition at line 57 of file BlobVerifierSevHashes.c.

◆ mHashesTableSize

STATIC UINT16 mHashesTableSize

Definition at line 58 of file BlobVerifierSevHashes.c.

◆ mSevCmdlineHashGuid

STATIC CONST EFI_GUID mSevCmdlineHashGuid = SEV_CMDLINE_HASH_GUID

Definition at line 47 of file BlobVerifierSevHashes.c.

◆ mSevInitrdHashGuid

STATIC CONST EFI_GUID mSevInitrdHashGuid = SEV_INITRD_HASH_GUID

Definition at line 46 of file BlobVerifierSevHashes.c.

◆ mSevKernelHashGuid

STATIC CONST EFI_GUID mSevKernelHashGuid = SEV_KERNEL_HASH_GUID

Definition at line 45 of file BlobVerifierSevHashes.c.