TianoCore EDK2 master
Loading...
Searching...
No Matches
SecureBootVariableLib.c
Go to the documentation of this file.
1
12#include <Uefi.h>
13#include <UefiSecureBoot.h>
14#include <Guid/GlobalVariable.h>
15#include <Guid/AuthenticatedVariableFormat.h>
16#include <Guid/ImageAuthentication.h>
17#include <Library/BaseLib.h>
18#include <Library/BaseMemoryLib.h>
19#include <Library/DebugLib.h>
20#include <Library/UefiLib.h>
21#include <Library/MemoryAllocationLib.h>
22#include <Library/UefiRuntimeServicesTableLib.h>
23#include <Library/SecureBootVariableLib.h>
24#include <Library/PlatformPKProtectionLib.h>
25
26// This time can be used when deleting variables, as it should be greater than any variable time.
27EFI_TIME mMaxTimestamp = {
28 0xFFFF, // Year
29 0xFF, // Month
30 0xFF, // Day
31 0xFF, // Hour
32 0xFF, // Minute
33 0xFF, // Second
34 0x00,
35 0x00000000, // Nanosecond
36 0,
37 0,
38 0x00
39};
40
41//
42// This epoch time is the date that is used when creating SecureBoot default variables.
43// NOTE: This is a placeholder date that doesn't correspond to anything else.
44//
45EFI_TIME mDefaultPayloadTimestamp = {
46 1970, // Year (1970)
47 1, // Month (Jan)
48 1, // Day (1)
49 0, // Hour
50 0, // Minute
51 0, // Second
52 0, // Pad1
53 0, // Nanosecond
54 0, // Timezone (Dummy value)
55 0, // Daylight (Dummy value)
56 0 // Pad2
57};
58
68STATIC
69EFI_STATUS
70CreateSigList (
71 IN VOID *Data,
72 IN UINTN Size,
73 OUT EFI_SIGNATURE_LIST **SigList
74 )
75{
76 UINTN SigListSize;
77 EFI_SIGNATURE_LIST *TmpSigList;
78 EFI_SIGNATURE_DATA *SigData;
79
80 //
81 // Allocate data for Signature Database
82 //
83 SigListSize = sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) - 1 + Size;
84 TmpSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (SigListSize);
85 if (TmpSigList == NULL) {
86 return EFI_OUT_OF_RESOURCES;
87 }
88
89 //
90 // Only gEfiCertX509Guid type is supported
91 //
92 TmpSigList->SignatureListSize = (UINT32)SigListSize;
93 TmpSigList->SignatureSize = (UINT32)(sizeof (EFI_SIGNATURE_DATA) - 1 + Size);
94 TmpSigList->SignatureHeaderSize = 0;
95 CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid);
96
97 //
98 // Copy key data
99 //
100 SigData = (EFI_SIGNATURE_DATA *)(TmpSigList + 1);
101 CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid);
102 CopyMem (&SigData->SignatureData[0], Data, Size);
103
104 *SigList = TmpSigList;
105
106 return EFI_SUCCESS;
107}
108
119STATIC
120EFI_STATUS
121ConcatenateSigList (
122 IN EFI_SIGNATURE_LIST *SigLists,
123 IN EFI_SIGNATURE_LIST *SigListAppend,
124 OUT EFI_SIGNATURE_LIST **SigListOut,
125 IN OUT UINTN *SigListsSize
126 )
127{
128 EFI_SIGNATURE_LIST *TmpSigList;
129 UINT8 *Offset;
130 UINTN NewSigListsSize;
131
132 NewSigListsSize = *SigListsSize + SigListAppend->SignatureListSize;
133
134 TmpSigList = (EFI_SIGNATURE_LIST *)AllocateZeroPool (NewSigListsSize);
135 if (TmpSigList == NULL) {
136 return EFI_OUT_OF_RESOURCES;
137 }
138
139 CopyMem (TmpSigList, SigLists, *SigListsSize);
140
141 Offset = (UINT8 *)TmpSigList;
142 Offset += *SigListsSize;
143 CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSize);
144
145 *SigListsSize = NewSigListsSize;
146 *SigListOut = TmpSigList;
147 return EFI_SUCCESS;
148}
149
167EFI_STATUS
168EFIAPI
169SecureBootCreateDataFromInput (
170 OUT UINTN *SigListsSize,
171 OUT EFI_SIGNATURE_LIST **SigListOut,
172 IN UINTN KeyInfoCount,
173 IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo
174 )
175{
176 EFI_SIGNATURE_LIST *EfiSig;
177 EFI_SIGNATURE_LIST *TmpEfiSig;
178 EFI_SIGNATURE_LIST *TmpEfiSig2;
179 EFI_STATUS Status;
180 VOID *Buffer;
181 UINTN Size;
182 UINTN InputIndex;
183 UINTN KeyIndex;
184
185 if ((SigListOut == NULL) || (SigListsSize == NULL)) {
186 return EFI_INVALID_PARAMETER;
187 }
188
189 if ((KeyInfoCount == 0) || (KeyInfo == NULL)) {
190 return EFI_INVALID_PARAMETER;
191 }
192
193 InputIndex = 0;
194 KeyIndex = 0;
195 EfiSig = NULL;
196 *SigListsSize = 0;
197 while (InputIndex < KeyInfoCount) {
198 if (KeyInfo[InputIndex].Data != NULL) {
199 Size = KeyInfo[InputIndex].DataSize;
200 Buffer = AllocateCopyPool (Size, KeyInfo[InputIndex].Data);
201 if (Buffer == NULL) {
202 if (EfiSig != NULL) {
203 FreePool (EfiSig);
204 }
205
206 return EFI_OUT_OF_RESOURCES;
207 }
208
209 Status = CreateSigList (Buffer, Size, &TmpEfiSig);
210
211 if (EFI_ERROR (Status)) {
212 FreePool (Buffer);
213 break;
214 }
215
216 //
217 // Concatenate lists if more than one section found
218 //
219 if (KeyIndex == 0) {
220 EfiSig = TmpEfiSig;
221 *SigListsSize = TmpEfiSig->SignatureListSize;
222 } else {
223 ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize);
224 FreePool (EfiSig);
225 FreePool (TmpEfiSig);
226 EfiSig = TmpEfiSig2;
227 }
228
229 KeyIndex++;
230 FreePool (Buffer);
231 }
232
233 InputIndex++;
234 }
235
236 if (KeyIndex == 0) {
237 return EFI_NOT_FOUND;
238 }
239
240 *SigListOut = EfiSig;
241
242 return EFI_SUCCESS;
243}
244
264EFI_STATUS
265EFIAPI
266CreateTimeBasedPayload (
267 IN OUT UINTN *DataSize,
268 IN OUT UINT8 **Data,
269 IN EFI_TIME *Time
270 )
271{
272 UINT8 *NewData;
273 UINT8 *Payload;
274 UINTN PayloadSize;
275 EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
276 UINTN DescriptorSize;
277
278 if ((Data == NULL) || (DataSize == NULL) || (Time == NULL)) {
279 DEBUG ((DEBUG_ERROR, "%a(), invalid arg\n", __func__));
280 return EFI_INVALID_PARAMETER;
281 }
282
283 //
284 // In Setup mode or Custom mode, the variable does not need to be signed but the
285 // parameters to the SetVariable() call still need to be prepared as authenticated
286 // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
287 // data in it.
288 //
289 Payload = *Data;
290 PayloadSize = *DataSize;
291
292 DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
293 NewData = (UINT8 *)AllocateZeroPool (DescriptorSize + PayloadSize);
294 if (NewData == NULL) {
295 DEBUG ((DEBUG_ERROR, "%a() Out of resources.\n", __func__));
296 return EFI_OUT_OF_RESOURCES;
297 }
298
299 if ((Payload != NULL) && (PayloadSize != 0)) {
300 CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
301 }
302
303 DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *)(NewData);
304
305 CopyMem (&DescriptorData->TimeStamp, Time, sizeof (EFI_TIME));
306
307 DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
308 DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
309 DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
310 CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
311
312 if (Payload != NULL) {
313 FreePool (Payload);
314 Payload = NULL;
315 }
316
317 *DataSize = DescriptorSize + PayloadSize;
318 *Data = NewData;
319 return EFI_SUCCESS;
320}
321
333EFI_STATUS
334EFIAPI
335DeleteVariable (
336 IN CHAR16 *VariableName,
337 IN EFI_GUID *VendorGuid
338 )
339{
340 EFI_STATUS Status;
341 VOID *Variable;
342 UINT8 *Data;
343 UINTN DataSize;
344 UINT32 Attr;
345
346 GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
347 if (Variable == NULL) {
348 return EFI_SUCCESS;
349 }
350
351 FreePool (Variable);
352
353 Data = NULL;
354 DataSize = 0;
355 Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
356 | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
357
358 Status = CreateTimeBasedPayload (&DataSize, &Data, &mMaxTimestamp);
359 if (EFI_ERROR (Status)) {
360 DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
361 return Status;
362 }
363
364 Status = gRT->SetVariable (
365 VariableName,
366 VendorGuid,
367 Attr,
368 DataSize,
369 Data
370 );
371 if (Data != NULL) {
372 FreePool (Data);
373 }
374
375 return Status;
376}
377
389EFI_STATUS
390EFIAPI
391SetSecureBootMode (
392 IN UINT8 SecureBootMode
393 )
394{
395 return gRT->SetVariable (
396 EFI_CUSTOM_MODE_NAME,
397 &gEfiCustomModeEnableGuid,
398 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
399 sizeof (UINT8),
400 &SecureBootMode
401 );
402}
403
411EFI_STATUS
412EFIAPI
413GetSetupMode (
414 OUT UINT8 *SetupMode
415 )
416{
417 UINTN Size;
418 EFI_STATUS Status;
419
420 Size = sizeof (*SetupMode);
421 Status = gRT->GetVariable (
422 EFI_SETUP_MODE_NAME,
423 &gEfiGlobalVariableGuid,
424 NULL,
425 &Size,
426 SetupMode
427 );
428 if (EFI_ERROR (Status)) {
429 return Status;
430 }
431
432 return EFI_SUCCESS;
433}
434
442BOOLEAN
443EFIAPI
444IsSecureBootEnabled (
445 VOID
446 )
447{
448 EFI_STATUS Status;
449 UINT8 *SecureBoot;
450
451 SecureBoot = NULL;
452
453 Status = GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID **)&SecureBoot, NULL);
454 //
455 // Skip verification if SecureBoot variable doesn't exist.
456 //
457 if (EFI_ERROR (Status)) {
458 DEBUG ((DEBUG_ERROR, "Cannot check SecureBoot variable %r \n ", Status));
459 return FALSE;
460 }
461
462 //
463 // Skip verification if SecureBoot is disabled but not AuditMode
464 //
465 if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
466 FreePool (SecureBoot);
467 return FALSE;
468 } else {
469 return TRUE;
470 }
471}
472
480EFI_STATUS
481EFIAPI
482DeleteDb (
483 VOID
484 )
485{
486 EFI_STATUS Status;
487
488 Status = DeleteVariable (
489 EFI_IMAGE_SECURITY_DATABASE,
490 &gEfiImageSecurityDatabaseGuid
491 );
492
493 return Status;
494}
495
503EFI_STATUS
504EFIAPI
505DeleteDbx (
506 VOID
507 )
508{
509 EFI_STATUS Status;
510
511 Status = DeleteVariable (
512 EFI_IMAGE_SECURITY_DATABASE1,
513 &gEfiImageSecurityDatabaseGuid
514 );
515
516 return Status;
517}
518
526EFI_STATUS
527EFIAPI
528DeleteDbt (
529 VOID
530 )
531{
532 EFI_STATUS Status;
533
534 Status = DeleteVariable (
535 EFI_IMAGE_SECURITY_DATABASE2,
536 &gEfiImageSecurityDatabaseGuid
537 );
538
539 return Status;
540}
541
549EFI_STATUS
550EFIAPI
551DeleteKEK (
552 VOID
553 )
554{
555 EFI_STATUS Status;
556
557 Status = DeleteVariable (
558 EFI_KEY_EXCHANGE_KEY_NAME,
559 &gEfiGlobalVariableGuid
560 );
561
562 return Status;
563}
564
572EFI_STATUS
573EFIAPI
574DeletePlatformKey (
575 VOID
576 )
577{
578 EFI_STATUS Status;
579
580 Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
581 if (EFI_ERROR (Status)) {
582 return Status;
583 }
584
585 Status = DeleteVariable (
586 EFI_PLATFORM_KEY_NAME,
587 &gEfiGlobalVariableGuid
588 );
589 return Status;
590}
591
598EFI_STATUS
599EFIAPI
600DeleteSecureBootVariables (
601 VOID
602 )
603{
604 EFI_STATUS Status, TempStatus;
605
606 DEBUG ((DEBUG_INFO, "%a - Attempting to delete the Secure Boot variables.\n", __func__));
607
608 //
609 // Step 1: Notify that a PK update is coming shortly...
610 Status = DisablePKProtection ();
611 if (EFI_ERROR (Status)) {
612 DEBUG ((DEBUG_ERROR, "%a - Failed to signal PK update start! %r\n", __func__, Status));
613 // Classify this as a PK deletion error.
614 Status = EFI_ABORTED;
615 }
616
617 //
618 // Step 2: Attempt to delete the PK.
619 // Let's try to nuke the PK, why not...
620 if (!EFI_ERROR (Status)) {
621 Status = DeletePlatformKey ();
622 DEBUG ((DEBUG_INFO, "%a - PK Delete = %r\n", __func__, Status));
623 // If the PK is not found, then our work here is done.
624 if (Status == EFI_NOT_FOUND) {
625 Status = EFI_SUCCESS;
626 }
627 // If any other error occurred, let's inform the caller that the PK delete in particular failed.
628 else if (EFI_ERROR (Status)) {
629 Status = EFI_ABORTED;
630 }
631 }
632
633 //
634 // Step 3: Attempt to delete remaining keys/databases...
635 // Now that the PK is deleted (assuming Status == EFI_SUCCESS) the system is in SETUP_MODE.
636 // Arguably we could leave these variables in place and let them be deleted by whoever wants to
637 // update all the SecureBoot variables. However, for cleanliness sake, let's try to
638 // get rid of them here.
639 if (!EFI_ERROR (Status)) {
640 //
641 // If any of THESE steps have an error, report the error but attempt to delete all keys.
642 // Using TempStatus will prevent an error from being trampled by an EFI_SUCCESS.
643 // Overwrite Status ONLY if TempStatus is an error.
644 //
645 // If the error is EFI_NOT_FOUND, we can safely ignore it since we were trying to delete
646 // the variables anyway.
647 //
648 TempStatus = DeleteKEK ();
649 DEBUG ((DEBUG_INFO, "%a - KEK Delete = %r\n", __func__, TempStatus));
650 if (EFI_ERROR (TempStatus) && (TempStatus != EFI_NOT_FOUND)) {
651 Status = EFI_ACCESS_DENIED;
652 }
653
654 TempStatus = DeleteDb ();
655 DEBUG ((DEBUG_INFO, "%a - db Delete = %r\n", __func__, TempStatus));
656 if (EFI_ERROR (TempStatus) && (TempStatus != EFI_NOT_FOUND)) {
657 Status = EFI_ACCESS_DENIED;
658 }
659
660 TempStatus = DeleteDbx ();
661 DEBUG ((DEBUG_INFO, "%a - dbx Delete = %r\n", __func__, TempStatus));
662 if (EFI_ERROR (TempStatus) && (TempStatus != EFI_NOT_FOUND)) {
663 Status = EFI_ACCESS_DENIED;
664 }
665
666 TempStatus = DeleteDbt ();
667 DEBUG ((DEBUG_INFO, "%a - dbt Delete = %r\n", __func__, TempStatus));
668 if (EFI_ERROR (TempStatus) && (TempStatus != EFI_NOT_FOUND)) {
669 Status = EFI_ACCESS_DENIED;
670 }
671 }
672
673 return Status;
674}// DeleteSecureBootVariables()
675
691EFI_STATUS
692EFIAPI
693EnrollFromInput (
694 IN CHAR16 *VariableName,
695 IN EFI_GUID *VendorGuid,
696 IN UINTN DataSize,
697 IN VOID *Data
698 )
699{
700 VOID *Payload;
701 UINTN PayloadSize;
702 EFI_STATUS Status;
703
704 Payload = NULL;
705
706 if ((VariableName == NULL) || (VendorGuid == 0)) {
707 DEBUG ((DEBUG_ERROR, "Input vendor variable invalid: %p and %p\n", VariableName, VendorGuid));
708 Status = EFI_INVALID_PARAMETER;
709 goto Exit;
710 }
711
712 if ((Data == NULL) || (DataSize == 0)) {
713 // You might as well just use DeleteVariable...
714 DEBUG ((DEBUG_ERROR, "Input argument invalid: %p: %x\n", Data, DataSize));
715 Status = EFI_INVALID_PARAMETER;
716 goto Exit;
717 }
718
719 // Bring in the noise...
720 PayloadSize = DataSize;
721 Payload = AllocateZeroPool (DataSize);
722 // Bring in the funk...
723 if (Payload == NULL) {
724 return EFI_OUT_OF_RESOURCES;
725 } else {
726 CopyMem (Payload, Data, DataSize);
727 }
728
729 Status = CreateTimeBasedPayload (&PayloadSize, (UINT8 **)&Payload, &mDefaultPayloadTimestamp);
730 if (EFI_ERROR (Status) || (Payload == NULL)) {
731 DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r\n", Status));
732 Payload = NULL;
733 Status = EFI_OUT_OF_RESOURCES;
734 goto Exit;
735 }
736
737 //
738 // Allocate memory for auth variable
739 //
740 Status = gRT->SetVariable (
741 VariableName,
742 VendorGuid,
743 (EFI_VARIABLE_NON_VOLATILE |
744 EFI_VARIABLE_BOOTSERVICE_ACCESS |
745 EFI_VARIABLE_RUNTIME_ACCESS |
746 EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
747 PayloadSize,
748 Payload
749 );
750
751 if (EFI_ERROR (Status)) {
752 DEBUG ((
753 DEBUG_ERROR,
754 "error: %a (\"%s\", %g): %r\n",
755 __func__,
756 VariableName,
757 VendorGuid,
758 Status
759 ));
760 }
761
762Exit:
763 //
764 // Always Put Away Your Toys
765 // Payload will be reassigned by CreateTimeBasedPayload()...
766 if (Payload != NULL) {
767 FreePool (Payload);
768 Payload = NULL;
769 }
770
771 return Status;
772}
773
788EFI_STATUS
789EFIAPI
790SetSecureBootVariablesToDefault (
791 IN CONST SECURE_BOOT_PAYLOAD_INFO *SecureBootPayload
792 )
793{
794 EFI_STATUS Status;
795 UINT8 *Data;
796 UINTN DataSize;
797
798 DEBUG ((DEBUG_INFO, "%a() Entry\n", __func__));
799
800 if (SecureBootPayload == NULL) {
801 DEBUG ((DEBUG_ERROR, "%a - Invalid SecureBoot payload is supplied!\n", __func__));
802 return EFI_INVALID_PARAMETER;
803 }
804
805 //
806 // Right off the bat, if SecureBoot is currently enabled, bail.
807 if (IsSecureBootEnabled ()) {
808 DEBUG ((DEBUG_ERROR, "%a - Cannot set default keys while SecureBoot is enabled!\n", __func__));
809 return EFI_ABORTED;
810 }
811
812 DEBUG ((DEBUG_INFO, "%a - Setting up key %s!\n", __func__, SecureBootPayload->SecureBootKeyName));
813
814 //
815 // Start running down the list, creating variables in our wake.
816 // dbx is a good place to start.
817 Data = (UINT8 *)SecureBootPayload->DbxPtr;
818 DataSize = SecureBootPayload->DbxSize;
819 Status = EnrollFromInput (
820 EFI_IMAGE_SECURITY_DATABASE1,
821 &gEfiImageSecurityDatabaseGuid,
822 DataSize,
823 Data
824 );
825
826 // If that went well, try the db (make sure to pick the right one!).
827 if (!EFI_ERROR (Status)) {
828 Data = (UINT8 *)SecureBootPayload->DbPtr;
829 DataSize = SecureBootPayload->DbSize;
830 Status = EnrollFromInput (
831 EFI_IMAGE_SECURITY_DATABASE,
832 &gEfiImageSecurityDatabaseGuid,
833 DataSize,
834 Data
835 );
836 if (EFI_ERROR (Status)) {
837 DEBUG ((DEBUG_ERROR, "%a - Failed to enroll DB %r!\n", __func__, Status));
838 }
839 } else {
840 DEBUG ((DEBUG_ERROR, "%a - Failed to enroll DBX %r!\n", __func__, Status));
841 }
842
843 // Keep it going. Keep it going. dbt if supplied...
844 if (!EFI_ERROR (Status) && (SecureBootPayload->DbtPtr != NULL)) {
845 Data = (UINT8 *)SecureBootPayload->DbtPtr;
846 DataSize = SecureBootPayload->DbtSize;
847 Status = EnrollFromInput (
848 EFI_IMAGE_SECURITY_DATABASE2,
849 &gEfiImageSecurityDatabaseGuid,
850 DataSize,
851 Data
852 );
853 if (EFI_ERROR (Status)) {
854 DEBUG ((DEBUG_ERROR, "%a - Failed to enroll DBT %r!\n", __func__, Status));
855 }
856 }
857
858 // Keep it going. Keep it going. KEK...
859 if (!EFI_ERROR (Status)) {
860 Data = (UINT8 *)SecureBootPayload->KekPtr;
861 DataSize = SecureBootPayload->KekSize;
862 Status = EnrollFromInput (
863 EFI_KEY_EXCHANGE_KEY_NAME,
864 &gEfiGlobalVariableGuid,
865 DataSize,
866 Data
867 );
868 if (EFI_ERROR (Status)) {
869 DEBUG ((DEBUG_ERROR, "%a - Failed to enroll KEK %r!\n", __func__, Status));
870 }
871 }
872
873 //
874 // Finally! The Big Daddy of them all.
875 // The PK!
876 //
877 if (!EFI_ERROR (Status)) {
878 //
879 // Finally, install the key.
880 Data = (UINT8 *)SecureBootPayload->PkPtr;
881 DataSize = SecureBootPayload->PkSize;
882 Status = EnrollFromInput (
883 EFI_PLATFORM_KEY_NAME,
884 &gEfiGlobalVariableGuid,
885 DataSize,
886 Data
887 );
888
889 //
890 // Report PK creation errors.
891 if (EFI_ERROR (Status)) {
892 DEBUG ((DEBUG_ERROR, "%a - Failed to update the PK! - %r\n", __func__, Status));
893 Status = EFI_SECURITY_VIOLATION;
894 }
895 }
896
897 return Status;
898}
UINTN
UINT64 UINTN
Definition: ProcessorBind.h:112
EFI_CUSTOM_MODE_NAME
#define EFI_CUSTOM_MODE_NAME
Definition: AuthenticatedVariableFormat.h:51
CopyMem
VOID *EFIAPI CopyMem(OUT VOID *DestinationBuffer, IN CONST VOID *SourceBuffer, IN UINTN Length)
Definition: CopyMemWrapper.c:41
CopyGuid
GUID *EFIAPI CopyGuid(OUT GUID *DestinationGuid, IN CONST GUID *SourceGuid)
Definition: MemLibGuid.c:39
AllocateZeroPool
VOID *EFIAPI AllocateZeroPool(IN UINTN AllocationSize)
Definition: MemoryAllocationLib.c:234
FreePool
VOID EFIAPI FreePool(IN VOID *Buffer)
Definition: MemoryAllocationLib.c:266
AllocateCopyPool
VOID *EFIAPI AllocateCopyPool(IN UINTN AllocationSize, IN CONST VOID *Buffer)
Definition: MemoryAllocationLib.c:590
EFI_SETUP_MODE_NAME
#define EFI_SETUP_MODE_NAME
Definition: GlobalVariable.h:121
EFI_KEY_EXCHANGE_KEY_NAME
#define EFI_KEY_EXCHANGE_KEY_NAME
Definition: GlobalVariable.h:126
EFI_PLATFORM_KEY_NAME
#define EFI_PLATFORM_KEY_NAME
Definition: GlobalVariable.h:131
EFI_SECURE_BOOT_MODE_NAME
#define EFI_SECURE_BOOT_MODE_NAME
Definition: GlobalVariable.h:143
EFI_IMAGE_SECURITY_DATABASE2
#define EFI_IMAGE_SECURITY_DATABASE2
Definition: ImageAuthentication.h:36
EFI_IMAGE_SECURITY_DATABASE1
#define EFI_IMAGE_SECURITY_DATABASE1
Definition: ImageAuthentication.h:31
EFI_IMAGE_SECURITY_DATABASE
#define EFI_IMAGE_SECURITY_DATABASE
Definition: ImageAuthentication.h:26
gRT
EFI_RUNTIME_SERVICES * gRT
Definition: MockUefiRuntimeServicesTableLib.c:13
NULL
#define NULL
Definition: Base.h:319
CONST
#define CONST
Definition: Base.h:259
STATIC
#define STATIC
Definition: Base.h:264
TRUE
#define TRUE
Definition: Base.h:301
FALSE
#define FALSE
Definition: Base.h:307
IN
#define IN
Definition: Base.h:279
OFFSET_OF
#define OFFSET_OF(TYPE, Field)
Definition: Base.h:758
OUT
#define OUT
Definition: Base.h:284
DEBUG
#define DEBUG(Expression)
Definition: DebugLib.h:434
DisablePKProtection
EFI_STATUS EFIAPI DisablePKProtection(VOID)
Definition: PlatformPKProtectionLibVarPolicy.c:29
ConcatenateSigList
STATIC EFI_STATUS ConcatenateSigList(IN EFI_SIGNATURE_LIST *SigLists, IN EFI_SIGNATURE_LIST *SigListAppend, OUT EFI_SIGNATURE_LIST **SigListOut, IN OUT UINTN *SigListsSize)
Definition: SecureBootVariableLib.c:121
SetSecureBootMode
EFI_STATUS EFIAPI SetSecureBootMode(IN UINT8 SecureBootMode)
Definition: SecureBootVariableLib.c:391
CreateTimeBasedPayload
EFI_STATUS EFIAPI CreateTimeBasedPayload(IN OUT UINTN *DataSize, IN OUT UINT8 **Data, IN EFI_TIME *Time)
Definition: SecureBootVariableLib.c:266
IsSecureBootEnabled
BOOLEAN EFIAPI IsSecureBootEnabled(VOID)
Definition: SecureBootVariableLib.c:444
GetSetupMode
EFI_STATUS EFIAPI GetSetupMode(OUT UINT8 *SetupMode)
Definition: SecureBootVariableLib.c:413
DeleteVariable
EFI_STATUS EFIAPI DeleteVariable(IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid)
Definition: SecureBootVariableLib.c:335
SecureBootCreateDataFromInput
EFI_STATUS EFIAPI SecureBootCreateDataFromInput(OUT UINTN *SigListsSize, OUT EFI_SIGNATURE_LIST **SigListOut, IN UINTN KeyInfoCount, IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo)
Definition: SecureBootVariableLib.c:169
DeleteDbx
EFI_STATUS EFIAPI DeleteDbx(VOID)
Definition: SecureBootVariableLib.c:505
SetSecureBootVariablesToDefault
EFI_STATUS EFIAPI SetSecureBootVariablesToDefault(IN CONST SECURE_BOOT_PAYLOAD_INFO *SecureBootPayload)
Definition: SecureBootVariableLib.c:790
DeletePlatformKey
EFI_STATUS EFIAPI DeletePlatformKey(VOID)
Definition: SecureBootVariableLib.c:574
DeleteDb
EFI_STATUS EFIAPI DeleteDb(VOID)
Definition: SecureBootVariableLib.c:482
DeleteKEK
EFI_STATUS EFIAPI DeleteKEK(VOID)
Definition: SecureBootVariableLib.c:551
DeleteDbt
EFI_STATUS EFIAPI DeleteDbt(VOID)
Definition: SecureBootVariableLib.c:528
DeleteSecureBootVariables
EFI_STATUS EFIAPI DeleteSecureBootVariables(VOID)
Definition: SecureBootVariableLib.c:600
CreateSigList
STATIC EFI_STATUS CreateSigList(IN VOID *Data, IN UINTN Size, OUT EFI_SIGNATURE_LIST **SigList)
Definition: SecureBootVariableLib.c:70
EnrollFromInput
EFI_STATUS EFIAPI EnrollFromInput(IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINTN DataSize, IN VOID *Data)
Definition: SecureBootVariableLib.c:693
Exit
VOID EFIAPI Exit(IN EFI_STATUS Status)
Definition: ApplicationEntryPoint.c:83
EFI_STATUS
RETURN_STATUS EFI_STATUS
Definition: UefiBaseType.h:29
EFI_SUCCESS
#define EFI_SUCCESS
Definition: UefiBaseType.h:112
GetEfiGlobalVariable2
EFI_STATUS EFIAPI GetEfiGlobalVariable2(IN CONST CHAR16 *Name, OUT VOID **Value, OUT UINTN *Size OPTIONAL)
Definition: UefiLib.c:1470
GetVariable2
EFI_STATUS EFIAPI GetVariable2(IN CONST CHAR16 *Name, IN CONST EFI_GUID *Guid, OUT VOID **Value, OUT UINTN *Size OPTIONAL)
Definition: UefiLib.c:1317
EFI_VARIABLE_NON_VOLATILE
#define EFI_VARIABLE_NON_VOLATILE
Definition: UefiMultiPhase.h:15
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
Definition: UefiMultiPhase.h:26
EFI_SIGNATURE_DATA
Definition: ImageAuthentication.h:55
EFI_SIGNATURE_DATA::SignatureOwner
EFI_GUID SignatureOwner
Definition: ImageAuthentication.h:59
EFI_SIGNATURE_DATA::SignatureData
UINT8 SignatureData[1]
Definition: ImageAuthentication.h:63
EFI_SIGNATURE_LIST
Definition: ImageAuthentication.h:66
EFI_SIGNATURE_LIST::SignatureHeaderSize
UINT32 SignatureHeaderSize
Definition: ImageAuthentication.h:78
EFI_SIGNATURE_LIST::SignatureType
EFI_GUID SignatureType
Definition: ImageAuthentication.h:70
EFI_SIGNATURE_LIST::SignatureListSize
UINT32 SignatureListSize
Definition: ImageAuthentication.h:74
EFI_SIGNATURE_LIST::SignatureSize
UINT32 SignatureSize
Definition: ImageAuthentication.h:82
EFI_TIME
Definition: UefiBaseType.h:68
EFI_VARIABLE_AUTHENTICATION_2
Definition: UefiMultiPhase.h:236
EFI_VARIABLE_AUTHENTICATION_2::TimeStamp
EFI_TIME TimeStamp
Definition: UefiMultiPhase.h:241
EFI_VARIABLE_AUTHENTICATION_2::AuthInfo
WIN_CERTIFICATE_UEFI_GUID AuthInfo
Definition: UefiMultiPhase.h:245
GUID
Definition: Base.h:213
SECURE_BOOT_CERTIFICATE_INFO
Definition: UefiSecureBoot.h:19
SECURE_BOOT_PAYLOAD_INFO
Definition: UefiSecureBoot.h:36
WIN_CERTIFICATE_UEFI_GUID
Definition: WinCertificate.h:67
WIN_CERTIFICATE_UEFI_GUID::Hdr
WIN_CERTIFICATE Hdr
Definition: WinCertificate.h:72
WIN_CERTIFICATE_UEFI_GUID::CertType
EFI_GUID CertType
Definition: WinCertificate.h:77
WIN_CERTIFICATE::wRevision
UINT16 wRevision
Definition: WinCertificate.h:34
WIN_CERTIFICATE::dwLength
UINT32 dwLength
Definition: WinCertificate.h:29
WIN_CERTIFICATE::wCertificateType
UINT16 wCertificateType
Definition: WinCertificate.h:40