TianoCore EDK2 master
Loading...
Searching...
No Matches
Functions | Variables
SecureBootConfigImpl.c File Reference
#include "SecureBootConfigImpl.h"
#include <UefiSecureBoot.h>
#include <Protocol/HiiPopup.h>
#include <Protocol/RealTimeClock.h>
#include <Library/BaseCryptLib.h>
#include <Library/SecureBootVariableLib.h>
#include <Library/SecureBootVariableProvisionLib.h>

Go to the source code of this file.

Functions

VOID CloseEnrolledFile (IN SECUREBOOT_FILE_CONTEXT *FileContext)
 
STATIC EFI_STATUS GetCurrentTime (IN EFI_TIME *Time)
 
BOOLEAN IsDerEncodeCertificate (IN CONST CHAR16 *FileSuffix)
 
BOOLEAN IsAuthentication2Format (IN EFI_FILE_HANDLE FileHandle)
 
EFI_STATUS SaveSecureBootVariable (IN UINT8 VarValue)
 
EFI_STATUS CheckX509Certificate (IN SECUREBOOT_FILE_CONTEXT *X509FileContext, OUT ENROLL_KEY_ERROR *Error)
 
EFI_STATUS CreatePkX509SignatureList (IN EFI_FILE_HANDLE X509File, OUT EFI_SIGNATURE_LIST **PkCert)
 
EFI_STATUS EnrollPlatformKey (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private)
 
EFI_STATUS EnrollRsa2048ToKek (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private)
 
EFI_STATUS EnrollX509ToKek (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private)
 
EFI_STATUS EnrollKeyExchangeKey (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private)
 
EFI_STATUS EnrollX509toSigDB (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName)
 
BOOLEAN IsSignatureFoundInDatabase (IN CHAR16 *VariableName, IN UINT8 *Signature, IN UINTN SignatureSize)
 
BOOLEAN CalculateCertHash (IN UINT8 *CertData, IN UINTN CertSize, IN UINT32 HashAlg, OUT UINT8 *CertHash)
 
BOOLEAN IsCertHashFoundInDbx (IN UINT8 *Certificate, IN UINTN CertSize)
 
BOOLEAN GetSignaturelistOffset (IN EFI_SIGNATURE_LIST *Database, IN UINTN DatabaseSize, IN EFI_GUID *SignatureType, OUT UINTN *Offset)
 
EFI_STATUS EnrollX509HashtoSigDB (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN UINT32 HashAlg, IN EFI_HII_DATE *RevocationDate, IN EFI_HII_TIME *RevocationTime, IN BOOLEAN AlwaysRevocation)
 
BOOLEAN IsX509CertInDbx (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName)
 
EFI_STATUS EFIAPI SecureBootConfigImageRead (IN VOID *FileHandle, IN UINTN FileOffset, IN OUT UINTN *ReadSize, OUT VOID *Buffer)
 
EFI_STATUS LoadPeImage (VOID)
 
BOOLEAN HashPeImage (IN UINT32 HashAlg)
 
EFI_STATUS HashPeImageByType (VOID)
 
EFI_STATUS EnrollAuthentication2Descriptor (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName)
 
EFI_STATUS EnrollImageSignatureToSigDB (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName)
 
EFI_STATUS EnrollSignatureDatabase (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName)
 
EFI_STATUS UpdateDeletePage (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT16 LabelNumber, IN EFI_FORM_ID FormId, IN EFI_QUESTION_ID QuestionIdBase)
 
EFI_STATUS DeleteKeyExchangeKey (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN EFI_QUESTION_ID QuestionId)
 
EFI_STATUS DeleteSignature (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT16 LabelNumber, IN EFI_FORM_ID FormId, IN EFI_QUESTION_ID QuestionIdBase, IN UINTN DeleteIndex)
 
EFI_STATUS DeleteSignatureEx (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN SIGNATURE_DELETE_TYPE DelType, IN UINT32 CheckedCount)
 
EFI_STATUS UpdateSecureBootString (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private)
 
VOID SecureBootExtractConfigFromVariable (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN OUT SECUREBOOT_CONFIGURATION *ConfigData)
 
EFI_STATUS EFIAPI SecureBootExtractConfig (IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, IN CONST EFI_STRING Request, OUT EFI_STRING *Progress, OUT EFI_STRING *Results)
 
EFI_STATUS EFIAPI SecureBootRouteConfig (IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, IN CONST EFI_STRING Configuration, OUT EFI_STRING *Progress)
 
EFI_STATUS LoadSignatureList (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN UINT16 LabelId, IN EFI_FORM_ID FormId, IN EFI_QUESTION_ID QuestionIdBase)
 
EFI_STATUS ParseHashValue (IN EFI_SIGNATURE_LIST *ListEntry, IN EFI_SIGNATURE_DATA *DataEntry, OUT CHAR16 **BufferToReturn)
 
EFI_STATUS GetCommonNameFromX509 (IN EFI_SIGNATURE_LIST *ListEntry, IN EFI_SIGNATURE_DATA *DataEntry, OUT CHAR16 **BufferToReturn)
 
EFI_STATUS FormatHelpInfo (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN EFI_SIGNATURE_LIST *ListEntry, IN EFI_SIGNATURE_DATA *DataEntry, OUT EFI_STRING_ID *StringId)
 
EFI_STATUS LoadSignatureData (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN UINT16 LabelId, IN EFI_FORM_ID FormId, IN EFI_QUESTION_ID QuestionIdBase, IN UINT16 ListIndex)
 
STATIC EFI_STATUS EFIAPI KeyEnrollReset (VOID)
 
EFI_STATUS EFIAPI SecureBootCallback (IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, IN EFI_BROWSER_ACTION Action, IN EFI_QUESTION_ID QuestionId, IN UINT8 Type, IN EFI_IFR_TYPE_VALUE *Value, OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest)
 
EFI_STATUS InstallSecureBootConfigForm (IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData)
 
VOID UninstallSecureBootConfigForm (IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData)
 

Variables

CHAR16 mSecureBootStorageName [] = L"SECUREBOOT_CONFIGURATION"
 
SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate
 
HII_VENDOR_DEVICE_PATH mSecureBootHiiVendorDevicePath
 
BOOLEAN mIsEnterSecureBootForm = FALSE
 
UINT8 mHashOidValue []
 
HASH_TABLE mHash []
 
UINT32 mPeCoffHeaderOffset = 0
 
WIN_CERTIFICATEmCertificate = NULL
 
IMAGE_TYPE mImageType
 
UINT8 * mImageBase = NULL
 
UINTN mImageSize = 0
 
UINT8 mImageDigest [MAX_DIGEST_SIZE]
 
UINTN mImageDigestSize
 
EFI_GUID mCertType
 
EFI_IMAGE_SECURITY_DATA_DIRECTORYmSecDataDir = NULL
 
EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION mNtHeader
 
CHAR16 * mDerEncodedSuffix []
 
CHAR16 * mSupportX509Suffix = L"*.cer/der/crt"
 
CHAR16 * mX509EnrollPromptTitle []
 
CHAR16 * mX509EnrollPromptString []
 
SECUREBOOT_CONFIG_PRIVATE_DATAgSecureBootPrivateData = NULL
 

Detailed Description

HII Config Access protocol implementation of SecureBoot configuration module.

Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
(C) Copyright 2018 Hewlett Packard Enterprise Development LP
SPDX-License-Identifier: BSD-2-Clause-Patent

Definition in file SecureBootConfigImpl.c.

Function Documentation

◆ CalculateCertHash()

BOOLEAN CalculateCertHash ( IN UINT8 *  CertData,
IN UINTN  CertSize,
IN UINT32  HashAlg,
OUT UINT8 *  CertHash 
)

Calculate the hash of a certificate data with the specified hash algorithm.

Parameters
[in]CertDataThe certificate data to be hashed.
[in]CertSizeThe certificate size in bytes.
[in]HashAlgThe specified hash algorithm.
[out]CertHashThe output digest of the certificate
Return values
TRUESuccessfully got the hash of the CertData.
FALSEFailed to get the hash of CertData.

Definition at line 1135 of file SecureBootConfigImpl.c.

◆ CheckX509Certificate()

EFI_STATUS CheckX509Certificate ( IN SECUREBOOT_FILE_CONTEXT X509FileContext,
OUT ENROLL_KEY_ERROR *  Error 
)

This code checks if the encode type and key strength of X.509 certificate is qualified.

Parameters
[in]X509FileContextFileContext of X.509 certificate storing file.
[out]ErrorError type checked in the certificate.
Returns
EFI_SUCCESS The certificate checked successfully.
EFI_INVALID_PARAMETER The parameter is invalid.
EFI_OUT_OF_RESOURCES Memory allocation failed.

Definition at line 305 of file SecureBootConfigImpl.c.

◆ CloseEnrolledFile()

VOID CloseEnrolledFile ( IN SECUREBOOT_FILE_CONTEXT FileContext)

This code cleans up enrolled file by closing file & free related resources attached to enrolled file.

Parameters
[in]FileContextFileContext cached in SecureBootConfig driver

Definition at line 123 of file SecureBootConfigImpl.c.

◆ CreatePkX509SignatureList()

EFI_STATUS CreatePkX509SignatureList ( IN EFI_FILE_HANDLE  X509File,
OUT EFI_SIGNATURE_LIST **  PkCert 
)

Generate the PK signature list from the X509 Certificate storing file (.cer)

Parameters
[in]X509FileFileHandle of X509 Certificate storing file.
[out]PkCertPoint to the data buffer to store the signature list.
Returns
EFI_UNSUPPORTED Unsupported Key Length.
EFI_OUT_OF_RESOURCES There are not enough memory resources to form the signature list.

Definition at line 401 of file SecureBootConfigImpl.c.

◆ DeleteKeyExchangeKey()

EFI_STATUS DeleteKeyExchangeKey ( IN SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData,
IN EFI_QUESTION_ID  QuestionId 
)

Delete a KEK entry from KEK database.

Parameters
[in]PrivateDataModule's private data.
[in]QuestionIdQuestion id of the KEK item to delete.
Return values
EFI_SUCCESSDelete kek item successfully.
EFI_OUT_OF_RESOURCESCould not allocate needed resources.

Definition at line 2712 of file SecureBootConfigImpl.c.

◆ DeleteSignature()

EFI_STATUS DeleteSignature ( IN SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData,
IN CHAR16 *  VariableName,
IN EFI_GUID VendorGuid,
IN UINT16  LabelNumber,
IN EFI_FORM_ID  FormId,
IN EFI_QUESTION_ID  QuestionIdBase,
IN UINTN  DeleteIndex 
)

Delete a signature entry from signature database.

Parameters
[in]PrivateDataModule's private data.
[in]VariableNameThe variable name of the vendor's signature database.
[in]VendorGuidA unique identifier for the vendor.
[in]LabelNumberLabel number to insert opcodes.
[in]FormIdForm ID of current page.
[in]QuestionIdBaseBase question id of the signature list.
[in]DeleteIndexSignature index to delete.
Return values
EFI_SUCCESSDelete signature successfully.
EFI_NOT_FOUNDCan't find the signature item,
EFI_OUT_OF_RESOURCESCould not allocate needed resources.

Definition at line 2911 of file SecureBootConfigImpl.c.

◆ DeleteSignatureEx()

EFI_STATUS DeleteSignatureEx ( IN SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData,
IN SIGNATURE_DELETE_TYPE  DelType,
IN UINT32  CheckedCount 
)

This function to delete signature list or data, according by DelType.

Parameters
[in]PrivateDataModule's private data.
[in]DelTypeIndicate delete signature list or data.
[in]CheckedCountIndicate how many signature data have been checked in current signature list.
Return values
EFI_SUCCESSSuccess to update the signature list page
EFI_OUT_OF_RESOURCESUnable to allocate required resources.

Definition at line 3118 of file SecureBootConfigImpl.c.

◆ EnrollAuthentication2Descriptor()

EFI_STATUS EnrollAuthentication2Descriptor ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private,
IN CHAR16 *  VariableName 
)

Enroll a new signature of executable into Signature Database.

Parameters
[in]PrivateDataThe module's private data.
[in]VariableNameVariable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURITY_DATABASE1 or EFI_IMAGE_SECURITY_DATABASE2.
Return values
EFI_SUCCESSNew signature is enrolled successfully.
EFI_INVALID_PARAMETERThe parameter is invalid.
EFI_UNSUPPORTEDUnsupported command.
EFI_OUT_OF_RESOURCESCould not allocate needed resources.

Definition at line 2157 of file SecureBootConfigImpl.c.

◆ EnrollImageSignatureToSigDB()

EFI_STATUS EnrollImageSignatureToSigDB ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private,
IN CHAR16 *  VariableName 
)

Enroll a new signature of executable into Signature Database.

Parameters
[in]PrivateDataThe module's private data.
[in]VariableNameVariable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURITY_DATABASE1 or EFI_IMAGE_SECURITY_DATABASE2.
Return values
EFI_SUCCESSNew signature is enrolled successfully.
EFI_INVALID_PARAMETERThe parameter is invalid.
EFI_UNSUPPORTEDUnsupported command.
EFI_OUT_OF_RESOURCESCould not allocate needed resources.

Definition at line 2257 of file SecureBootConfigImpl.c.

◆ EnrollKeyExchangeKey()

EFI_STATUS EnrollKeyExchangeKey ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private)

Enroll new KEK into the System without PK's authentication. The SignatureOwner GUID will be Private->SignatureGUID.

Parameters
[in]PrivateDataThe module's private data.
Return values
EFI_SUCCESSNew KEK enrolled successful.
EFI_INVALID_PARAMETERThe parameter is invalid.
othersFail to enroll KEK data.

Definition at line 863 of file SecureBootConfigImpl.c.

◆ EnrollPlatformKey()

EFI_STATUS EnrollPlatformKey ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private)

Enroll new PK into the System without original PK's authentication.

The SignatureOwner GUID will be the same with PK's vendorguid.

Parameters
[in]PrivateDataThe module's private data.
Return values
EFI_SUCCESSNew PK enrolled successfully.
EFI_INVALID_PARAMETERThe parameter is invalid.
EFI_OUT_OF_RESOURCESCould not allocate needed resources.

Definition at line 477 of file SecureBootConfigImpl.c.

◆ EnrollRsa2048ToKek()

EFI_STATUS EnrollRsa2048ToKek ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private)

Enroll a new KEK item from public key storing file (*.pbk).

Parameters
[in]PrivateDataThe module's private data.
Return values
EFI_SUCCESSNew KEK enrolled successfully.
EFI_INVALID_PARAMETERThe parameter is invalid.
EFI_UNSUPPORTEDUnsupported command.
EFI_OUT_OF_RESOURCESCould not allocate needed resources.

Definition at line 563 of file SecureBootConfigImpl.c.

◆ EnrollSignatureDatabase()

EFI_STATUS EnrollSignatureDatabase ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private,
IN CHAR16 *  VariableName 
)

Enroll signature into DB/DBX/DBT without KEK's authentication. The SignatureOwner GUID will be Private->SignatureGUID.

Parameters
[in]PrivateDataThe module's private data.
[in]VariableNameVariable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.
Return values
EFI_SUCCESSNew signature enrolled successfully.
EFI_INVALID_PARAMETERThe parameter is invalid.
othersFail to enroll signature data.

Definition at line 2464 of file SecureBootConfigImpl.c.

◆ EnrollX509HashtoSigDB()

EFI_STATUS EnrollX509HashtoSigDB ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private,
IN UINT32  HashAlg,
IN EFI_HII_DATE RevocationDate,
IN EFI_HII_TIME RevocationTime,
IN BOOLEAN  AlwaysRevocation 
)

Enroll a new X509 certificate hash into Signature Database (dbx) without KEK's authentication.

Parameters
[in]PrivateDataThe module's private data.
[in]HashAlgThe hash algorithm to enroll the certificate.
[in]RevocationDateThe revocation date of the certificate.
[in]RevocationTimeThe revocation time of the certificate.
[in]AlwaysRevocationIndicate whether the certificate is always revoked.
Return values
EFI_SUCCESSNew X509 is enrolled successfully.
EFI_INVALID_PARAMETERThe parameter is invalid.
EFI_OUT_OF_RESOURCESCould not allocate needed resources.

Definition at line 1372 of file SecureBootConfigImpl.c.

◆ EnrollX509ToKek()

EFI_STATUS EnrollX509ToKek ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private)

Enroll a new KEK item from X509 certificate file.

Parameters
[in]PrivateDataThe module's private data.
Return values
EFI_SUCCESSNew X509 is enrolled successfully.
EFI_INVALID_PARAMETERThe parameter is invalid.
EFI_UNSUPPORTEDUnsupported command.
EFI_OUT_OF_RESOURCESCould not allocate needed resources.

Definition at line 740 of file SecureBootConfigImpl.c.

◆ EnrollX509toSigDB()

EFI_STATUS EnrollX509toSigDB ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private,
IN CHAR16 *  VariableName 
)

Enroll a new X509 certificate into Signature Database (DB or DBX or DBT) without KEK's authentication.

Parameters
[in]PrivateDataThe module's private data.
[in]VariableNameVariable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.
Return values
EFI_SUCCESSNew X509 is enrolled successfully.
EFI_OUT_OF_RESOURCESCould not allocate needed resources.

Definition at line 917 of file SecureBootConfigImpl.c.

◆ FormatHelpInfo()

EFI_STATUS FormatHelpInfo ( IN SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData,
IN EFI_SIGNATURE_LIST ListEntry,
IN EFI_SIGNATURE_DATA DataEntry,
OUT EFI_STRING_ID *  StringId 
)

Format the help info for the signature data, each help info contain 3 parts.

  1. Onwer Guid.
  2. Content, depends on the type of the signature list.
  3. Revocation time.
Parameters
[in]PrivateDataModule's private data.
[in]ListEntryPoint to the signature list.
[in]DataEntryPoint to the signature data we are processing.
[out]StringIdSave the string id of help info.
Return values
EFI_SUCCESSOperation success.
EFI_OUT_OF_RESOURCESUnable to allocate required resources.

Definition at line 4009 of file SecureBootConfigImpl.c.

◆ GetCommonNameFromX509()

EFI_STATUS GetCommonNameFromX509 ( IN EFI_SIGNATURE_LIST ListEntry,
IN EFI_SIGNATURE_DATA DataEntry,
OUT CHAR16 **  BufferToReturn 
)

Function to get the common name from the X509 format certificate. The buffer is callee allocated and should be freed by the caller.

Parameters
[in]ListEntryThe pointer point to the signature list.
[in]DataEntryThe signature data we are processing.
[out]BufferToReturnBuffer to save the CN of X509 certificate.
Return values
EFI_INVALID_PARAMETERInvalid List or Data or Buffer.
EFI_OUT_OF_RESOURCESA memory allocation failed.
EFI_SUCCESSOperation success.
EFI_NOT_FOUNDNot found CN field in the X509 certificate.

Definition at line 3953 of file SecureBootConfigImpl.c.

◆ GetCurrentTime()

STATIC EFI_STATUS GetCurrentTime ( IN EFI_TIME Time)

Helper function to populate an EFI_TIME instance.

Parameters
[in]TimeFileContext cached in SecureBootConfig driver

Definition at line 148 of file SecureBootConfigImpl.c.

◆ GetSignaturelistOffset()

BOOLEAN GetSignaturelistOffset ( IN EFI_SIGNATURE_LIST Database,
IN UINTN  DatabaseSize,
IN EFI_GUID SignatureType,
OUT UINTN Offset 
)

Check whether the signature list exists in given variable data.

It searches the signature list for the certificate hash by CertType. If the signature list is found, get the offset of Database for the next hash of a certificate.

Parameters
[in]DatabaseVariable data to save signature list.
[in]DatabaseSizeVariable size.
[in]SignatureTypeThe type of the signature.
[out]OffsetThe offset to save a new hash of certificate.
Returns
TRUE The signature list is found in the forbidden database.
FALSE The signature list is not found in the forbidden database.

Definition at line 1325 of file SecureBootConfigImpl.c.

◆ HashPeImage()

BOOLEAN HashPeImage ( IN UINT32  HashAlg)

Calculate hash of Pe/Coff image based on the authenticode image hashing in PE/COFF Specification 8.0 Appendix A

Notes: PE/COFF image has been checked by BasePeCoffLib PeCoffLoaderGetImageInfo() in the function LoadPeImage ().

Parameters
[in]HashAlgHash algorithm type.
Return values
TRUESuccessfully hash image.
FALSEFail in hash image.

Definition at line 1831 of file SecureBootConfigImpl.c.

◆ HashPeImageByType()

EFI_STATUS HashPeImageByType ( VOID  )

Recognize the Hash algorithm in PE/COFF Authenticode and calculate hash of Pe/Coff image based on the authenticated image hashing in PE/COFF Specification 8.0 Appendix A

Return values
EFI_UNSUPPORTEDHash algorithm is not supported.
EFI_SUCCESSHash successfully.

Definition at line 2093 of file SecureBootConfigImpl.c.

◆ InstallSecureBootConfigForm()

EFI_STATUS InstallSecureBootConfigForm ( IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData)

This function publish the SecureBoot configuration Form.

Parameters
[in,out]PrivateDataPoints to SecureBoot configuration private data.
Return values
EFI_SUCCESSHII Form is installed successfully.
EFI_OUT_OF_RESOURCESNot enough resource for HII Form installation.
OthersOther errors as indicated.

Definition at line 5218 of file SecureBootConfigImpl.c.

◆ IsAuthentication2Format()

BOOLEAN IsAuthentication2Format ( IN EFI_FILE_HANDLE  FileHandle)

This code checks if the file content complies with EFI_VARIABLE_AUTHENTICATION_2 format The function reads file content but won't open/close given FileHandle.

Parameters
[in]FileHandleThe FileHandle to be checked
Return values
TRUEThe content is EFI_VARIABLE_AUTHENTICATION_2 format.
FALSEThe content is NOT a EFI_VARIABLE_AUTHENTICATION_2 format.

Definition at line 221 of file SecureBootConfigImpl.c.

◆ IsCertHashFoundInDbx()

BOOLEAN IsCertHashFoundInDbx ( IN UINT8 *  Certificate,
IN UINTN  CertSize 
)

Check whether the hash of an X.509 certificate is in forbidden database (DBX).

Parameters
[in]CertificatePointer to X.509 Certificate that is searched for.
[in]CertSizeSize of X.509 Certificate.
Returns
TRUE Found the certificate hash in the forbidden database.
FALSE Certificate hash is Not found in the forbidden database.

Definition at line 1210 of file SecureBootConfigImpl.c.

◆ IsDerEncodeCertificate()

BOOLEAN IsDerEncodeCertificate ( IN CONST CHAR16 *  FileSuffix)

This code checks if the FileSuffix is one of the possible DER-encoded certificate suffix.

Parameters
[in]FileSuffixThe suffix of the input certificate file
Return values
TRUEIt's a DER-encoded certificate.
FALSEIt's NOT a DER-encoded certificate.

Definition at line 195 of file SecureBootConfigImpl.c.

◆ IsSignatureFoundInDatabase()

BOOLEAN IsSignatureFoundInDatabase ( IN CHAR16 *  VariableName,
IN UINT8 *  Signature,
IN UINTN  SignatureSize 
)

Check whether signature is in specified database.

Parameters
[in]VariableNameName of database variable that is searched in.
[in]SignaturePointer to signature that is searched for.
[in]SignatureSizeSize of Signature.
Returns
TRUE Found the signature in the variable database.
FALSE Not found the signature in the variable database.

Definition at line 1049 of file SecureBootConfigImpl.c.

◆ IsX509CertInDbx()

BOOLEAN IsX509CertInDbx ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private,
IN CHAR16 *  VariableName 
)

Check whether a certificate from a file exists in dbx.

Parameters
[in]PrivateDataThe module's private data.
[in]VariableNameVariable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE1.
Return values
TRUEThe X509 certificate is found in dbx successfully.
FALSEThe X509 certificate is not found in dbx.

Definition at line 1627 of file SecureBootConfigImpl.c.

◆ KeyEnrollReset()

STATIC EFI_STATUS EFIAPI KeyEnrollReset ( VOID  )

This function reinitializes Secure Boot variables with default values.

Return values
EFI_SUCCESSSuccess to update the signature list page
othersFail to delete or enroll signature data.

Definition at line 4365 of file SecureBootConfigImpl.c.

◆ LoadPeImage()

EFI_STATUS LoadPeImage ( VOID  )

Load PE/COFF image information into internal buffer and check its validity.

Return values
EFI_SUCCESSSuccessful
EFI_UNSUPPORTEDInvalid PE/COFF file
EFI_ABORTEDSerious error occurs, like file I/O error etc.

Definition at line 1734 of file SecureBootConfigImpl.c.

◆ LoadSignatureData()

EFI_STATUS LoadSignatureData ( IN SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData,
IN UINT16  LabelId,
IN EFI_FORM_ID  FormId,
IN EFI_QUESTION_ID  QuestionIdBase,
IN UINT16  ListIndex 
)

This function to load signature data under the signature list.

Parameters
[in]PrivateDataModule's private data.
[in]LabelIdLabel number to insert opcodes.
[in]FormIdForm ID of current page.
[in]QuestionIdBaseBase question id of the signature list.
[in]ListIndexIndicate to load which signature list.
Return values
EFI_SUCCESSSuccess to update the signature list page
EFI_OUT_OF_RESOURCESUnable to allocate required resources.

Definition at line 4189 of file SecureBootConfigImpl.c.

◆ LoadSignatureList()

EFI_STATUS LoadSignatureList ( IN SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData,
IN UINT16  LabelId,
IN EFI_FORM_ID  FormId,
IN EFI_QUESTION_ID  QuestionIdBase 
)

This function to load signature list, the update the menu page.

Parameters
[in]PrivateDataModule's private data.
[in]LabelIdLabel number to insert opcodes.
[in]FormIdForm ID of current page.
[in]QuestionIdBaseBase question id of the signature list.
Return values
EFI_SUCCESSSuccess to update the signature list page
EFI_OUT_OF_RESOURCESUnable to allocate required resources.

Definition at line 3636 of file SecureBootConfigImpl.c.

◆ ParseHashValue()

EFI_STATUS ParseHashValue ( IN EFI_SIGNATURE_LIST ListEntry,
IN EFI_SIGNATURE_DATA DataEntry,
OUT CHAR16 **  BufferToReturn 
)

Parse hash value from EFI_SIGNATURE_DATA, and save in the CHAR16 type array. The buffer is callee allocated and should be freed by the caller.

Parameters
[in]ListEntryThe pointer point to the signature list.
[in]DataEntryThe signature data we are processing.
[out]BufferToReturnBuffer to save the hash value.
Return values
EFI_INVALID_PARAMETERInvalid List or Data or Buffer.
EFI_OUT_OF_RESOURCESA memory allocation failed.
EFI_SUCCESSOperation success.

Definition at line 3891 of file SecureBootConfigImpl.c.

◆ SaveSecureBootVariable()

EFI_STATUS SaveSecureBootVariable ( IN UINT8  VarValue)

Set Secure Boot option into variable space.

Parameters
[in]VarValueThe option of Secure Boot.
Return values
EFI_SUCCESSThe operation is finished successfully.
OthersOther errors as indicated.

Definition at line 275 of file SecureBootConfigImpl.c.

◆ SecureBootCallback()

EFI_STATUS EFIAPI SecureBootCallback ( IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL This,
IN EFI_BROWSER_ACTION  Action,
IN EFI_QUESTION_ID  QuestionId,
IN UINT8  Type,
IN EFI_IFR_TYPE_VALUE Value,
OUT EFI_BROWSER_ACTION_REQUEST *  ActionRequest 
)

This function is called to provide results data to the driver.

Parameters
[in]ThisPoints to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
[in]ActionSpecifies the type of action taken by the browser.
[in]QuestionIdA unique value which is sent to the original exporting driver so that it can identify the type of data to expect.
[in]TypeThe type of value for the question.
[in]ValueA pointer to the data being sent to the original exporting driver.
[out]ActionRequestOn return, points to the action requested by the callback function.
Return values
EFI_SUCCESSThe callback successfully handled the action.
EFI_OUT_OF_RESOURCESNot enough storage is available to hold the variable and its data.
EFI_DEVICE_ERRORThe variable could not be saved.
EFI_UNSUPPORTEDThe specified Action is not supported by the callback.

Definition at line 4516 of file SecureBootConfigImpl.c.

◆ SecureBootConfigImageRead()

EFI_STATUS EFIAPI SecureBootConfigImageRead ( IN VOID *  FileHandle,
IN UINTN  FileOffset,
IN OUT UINTN ReadSize,
OUT VOID *  Buffer 
)

Reads contents of a PE/COFF image in memory buffer.

Caution: This function may receive untrusted input. PE/COFF image is external input, so this function will make sure the PE/COFF image content read is within the image buffer.

Parameters
FileHandlePointer to the file handle to read the PE/COFF image.
FileOffsetOffset into the PE/COFF image to begin the read operation.
ReadSizeOn input, the size in bytes of the requested read operation. On output, the number of bytes actually read.
BufferOutput buffer that contains the data read from the PE/COFF image.
Return values
EFI_SUCCESSThe specified portion of the PE/COFF image was read and the size

Definition at line 1694 of file SecureBootConfigImpl.c.

◆ SecureBootExtractConfig()

EFI_STATUS EFIAPI SecureBootExtractConfig ( IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL This,
IN CONST EFI_STRING  Request,
OUT EFI_STRING *  Progress,
OUT EFI_STRING *  Results 
)

This function allows a caller to extract the current configuration for one or more named elements from the target driver.

Parameters
[in]ThisPoints to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
[in]RequestA null-terminated Unicode string in <ConfigRequest> format.
[out]ProgressOn return, points to a character in the Request string. Points to the string's null terminator if request was successful. Points to the most recent '&' before the first failing name/value pair (or the beginning of the string if the failure is in the first name/value pair) if the request was not successful.
[out]ResultsA null-terminated Unicode string in <ConfigAltResp> format which has all values filled in for the names in the Request string. String to be allocated by the called function.
Return values
EFI_SUCCESSThe Results is filled with the requested values.
EFI_OUT_OF_RESOURCESNot enough memory to store the results.
EFI_INVALID_PARAMETERRequest is illegal syntax, or unknown name.
EFI_NOT_FOUNDRouting data doesn't match any storage in this driver.

Definition at line 3461 of file SecureBootConfigImpl.c.

◆ SecureBootExtractConfigFromVariable()

VOID SecureBootExtractConfigFromVariable ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private,
IN OUT SECUREBOOT_CONFIGURATION ConfigData 
)

This function extracts configuration from variable.

Parameters
[in]PrivatePoint to SecureBoot configuration driver private data.
[in,out]ConfigDataPoint to SecureBoot configuration private data.

Definition at line 3337 of file SecureBootConfigImpl.c.

◆ SecureBootRouteConfig()

EFI_STATUS EFIAPI SecureBootRouteConfig ( IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL This,
IN CONST EFI_STRING  Configuration,
OUT EFI_STRING *  Progress 
)

This function processes the results of changes in configuration.

Parameters
[in]ThisPoints to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
[in]ConfigurationA null-terminated Unicode string in <ConfigResp> format.
[out]ProgressA pointer to a string filled in with the offset of the most recent '&' before the first failing name/value pair (or the beginning of the string if the failure is in the first name/value pair) or the terminating NULL if all was successful.
Return values
EFI_SUCCESSThe Results is processed successfully.
EFI_INVALID_PARAMETERConfiguration is NULL.
EFI_NOT_FOUNDRouting data doesn't match any storage in this driver.

Definition at line 3568 of file SecureBootConfigImpl.c.

◆ UninstallSecureBootConfigForm()

VOID UninstallSecureBootConfigForm ( IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData)

This function removes SecureBoot configuration Form.

Parameters
[in,out]PrivateDataPoints to SecureBoot configuration private data.

Definition at line 5322 of file SecureBootConfigImpl.c.

◆ UpdateDeletePage()

EFI_STATUS UpdateDeletePage ( IN SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData,
IN CHAR16 *  VariableName,
IN EFI_GUID VendorGuid,
IN UINT16  LabelNumber,
IN EFI_FORM_ID  FormId,
IN EFI_QUESTION_ID  QuestionIdBase 
)

List all signatures in specified signature database (e.g. KEK/DB/DBX/DBT) by GUID in the page for user to select and delete as needed.

Parameters
[in]PrivateDataModule's private data.
[in]VariableNameThe variable name of the vendor's signature database.
[in]VendorGuidA unique identifier for the vendor.
[in]LabelNumberLabel number to insert opcodes.
[in]FormIdForm ID of current page.
[in]QuestionIdBaseBase question id of the signature list.
Return values
EFI_SUCCESSSuccess to update the signature list page
EFI_OUT_OF_RESOURCESUnable to allocate required resources.

Definition at line 2519 of file SecureBootConfigImpl.c.

◆ UpdateSecureBootString()

EFI_STATUS UpdateSecureBootString ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private)

Update SecureBoot strings based on new Secure Boot Mode State. String includes STR_SECURE_BOOT_STATE_CONTENT and STR_CUR_SECURE_BOOT_MODE_CONTENT.

Parameters
[in]PrivateDataModule's private data.
Returns
EFI_SUCCESS Update secure boot strings successfully.
other Fail to update secure boot strings.

Definition at line 3302 of file SecureBootConfigImpl.c.

Variable Documentation

◆ gSecureBootPrivateData

SECUREBOOT_CONFIG_PRIVATE_DATA* gSecureBootPrivateData = NULL

Definition at line 113 of file SecureBootConfigImpl.c.

◆ mCertificate

WIN_CERTIFICATE* mCertificate = NULL

Definition at line 76 of file SecureBootConfigImpl.c.

◆ mCertType

EFI_GUID mCertType

Definition at line 82 of file SecureBootConfigImpl.c.

◆ mDerEncodedSuffix

CHAR16* mDerEncodedSuffix[]
Initial value:
= {
L".cer",
L".der",
L".crt",
NULL
}
NULL
#define NULL
Definition: Base.h:319

Definition at line 89 of file SecureBootConfigImpl.c.

◆ mHash

HASH_TABLE mHash[]
Initial value:
= {
{ L"SHA224", 28, &mHashOidValue[13], 9, NULL, NULL, NULL, NULL },
{ L"SHA256", 32, &mHashOidValue[22], 9, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final },
{ L"SHA384", 48, &mHashOidValue[31], 9, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final },
{ L"SHA512", 64, &mHashOidValue[40], 9, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final }
}
Sha256GetContextSize
UINTN EFIAPI Sha256GetContextSize(VOID)
Definition: CryptSha256.c:20
Sha384GetContextSize
UINTN EFIAPI Sha384GetContextSize(VOID)
Definition: CryptSha512.c:20
Sha512Final
BOOLEAN EFIAPI Sha512Final(IN OUT VOID *Sha512Context, OUT UINT8 *HashValue)
Definition: CryptSha512.c:389
Sha512GetContextSize
UINTN EFIAPI Sha512GetContextSize(VOID)
Definition: CryptSha512.c:246
Sha512Init
BOOLEAN EFIAPI Sha512Init(OUT VOID *Sha512Context)
Definition: CryptSha512.c:270
Sha256Init
BOOLEAN EFIAPI Sha256Init(OUT VOID *Sha256Context)
Definition: CryptSha256.c:44
Sha256Final
BOOLEAN EFIAPI Sha256Final(IN OUT VOID *Sha256Context, OUT UINT8 *HashValue)
Definition: CryptSha256.c:161
Sha384Update
BOOLEAN EFIAPI Sha384Update(IN OUT VOID *Sha384Context, IN CONST VOID *Data, IN UINTN DataSize)
Definition: CryptSha512.c:115
Sha256Update
BOOLEAN EFIAPI Sha256Update(IN OUT VOID *Sha256Context, IN CONST VOID *Data, IN UINTN DataSize)
Definition: CryptSha256.c:113
Sha384Final
BOOLEAN EFIAPI Sha384Final(IN OUT VOID *Sha384Context, OUT UINT8 *HashValue)
Definition: CryptSha512.c:163
Sha384Init
BOOLEAN EFIAPI Sha384Init(OUT VOID *Sha384Context)
Definition: CryptSha512.c:44
Sha512Update
BOOLEAN EFIAPI Sha512Update(IN OUT VOID *Sha512Context, IN CONST VOID *Data, IN UINTN DataSize)
Definition: CryptSha512.c:341

Definition at line 65 of file SecureBootConfigImpl.c.

◆ mHashOidValue

UINT8 mHashOidValue[]
Initial value:
= {
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05,
0x2B, 0x0E, 0x03, 0x02, 0x1A,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
}

Definition at line 56 of file SecureBootConfigImpl.c.

◆ mImageBase

UINT8* mImageBase = NULL

Definition at line 78 of file SecureBootConfigImpl.c.

◆ mImageDigest

UINT8 mImageDigest[MAX_DIGEST_SIZE]

Definition at line 80 of file SecureBootConfigImpl.c.

◆ mImageDigestSize

UINTN mImageDigestSize

Definition at line 81 of file SecureBootConfigImpl.c.

◆ mImageSize

UINTN mImageSize = 0

Definition at line 79 of file SecureBootConfigImpl.c.

◆ mImageType

IMAGE_TYPE mImageType

Definition at line 77 of file SecureBootConfigImpl.c.

◆ mIsEnterSecureBootForm

BOOLEAN mIsEnterSecureBootForm = FALSE

Definition at line 51 of file SecureBootConfigImpl.c.

◆ mNtHeader

EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION mNtHeader

Definition at line 84 of file SecureBootConfigImpl.c.

◆ mPeCoffHeaderOffset

UINT32 mPeCoffHeaderOffset = 0

Definition at line 75 of file SecureBootConfigImpl.c.

◆ mSecDataDir

EFI_IMAGE_SECURITY_DATA_DIRECTORY* mSecDataDir = NULL

Definition at line 83 of file SecureBootConfigImpl.c.

◆ mSecureBootConfigPrivateDateTemplate

SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate
Initial value:
= {
SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE,
{
SecureBootExtractConfig,
SecureBootRouteConfig,
SecureBootCallback
}
}
SecureBootExtractConfig
EFI_STATUS EFIAPI SecureBootExtractConfig(IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, IN CONST EFI_STRING Request, OUT EFI_STRING *Progress, OUT EFI_STRING *Results)
Definition: SecureBootConfigImpl.c:3461
SecureBootRouteConfig
EFI_STATUS EFIAPI SecureBootRouteConfig(IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, IN CONST EFI_STRING Configuration, OUT EFI_STRING *Progress)
Definition: SecureBootConfigImpl.c:3568
SecureBootCallback
EFI_STATUS EFIAPI SecureBootCallback(IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, IN EFI_BROWSER_ACTION Action, IN EFI_QUESTION_ID QuestionId, IN UINT8 Type, IN EFI_IFR_TYPE_VALUE *Value, OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest)
Definition: SecureBootConfigImpl.c:4516

Definition at line 20 of file SecureBootConfigImpl.c.

◆ mSecureBootHiiVendorDevicePath

HII_VENDOR_DEVICE_PATH mSecureBootHiiVendorDevicePath
Initial value:
= {
{
{
HARDWARE_DEVICE_PATH,
HW_VENDOR_DP,
{
(UINT8)(sizeof (VENDOR_DEVICE_PATH)),
(UINT8)((sizeof (VENDOR_DEVICE_PATH)) >> 8)
}
},
SECUREBOOT_CONFIG_FORM_SET_GUID
},
{
END_DEVICE_PATH_TYPE,
END_ENTIRE_DEVICE_PATH_SUBTYPE,
{
(UINT8)(END_DEVICE_PATH_LENGTH),
(UINT8)((END_DEVICE_PATH_LENGTH) >> 8)
}
}
}
HARDWARE_DEVICE_PATH
#define HARDWARE_DEVICE_PATH
Definition: DevicePath.h:68
HW_VENDOR_DP
#define HW_VENDOR_DP
Definition: DevicePath.h:133
VENDOR_DEVICE_PATH
Definition: DevicePath.h:140

Definition at line 29 of file SecureBootConfigImpl.c.

◆ mSecureBootStorageName

CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION"

Definition at line 18 of file SecureBootConfigImpl.c.

◆ mSupportX509Suffix

CHAR16* mSupportX509Suffix = L"*.cer/der/crt"

Definition at line 95 of file SecureBootConfigImpl.c.

◆ mX509EnrollPromptString

CHAR16* mX509EnrollPromptString[]
Initial value:
= {
L"",
L"Only DER encoded certificate file (*.cer/der/crt) is supported.",
L"Public key length should be equal to or greater than 2048 bits.",
NULL
}

Definition at line 106 of file SecureBootConfigImpl.c.

◆ mX509EnrollPromptTitle

CHAR16* mX509EnrollPromptTitle[]
Initial value:
= {
L"",
L"ERROR: Unsupported file type!",
L"ERROR: Unsupported certificate!",
NULL
}

Definition at line 100 of file SecureBootConfigImpl.c.