TianoCore EDK2 master
Loading...
Searching...
No Matches
SecureBootVariableProvisionLib.c
Go to the documentation of this file.
1
11#include <Uefi.h>
12#include <UefiSecureBoot.h>
13#include <Guid/GlobalVariable.h>
14#include <Guid/AuthenticatedVariableFormat.h>
15#include <Guid/ImageAuthentication.h>
16#include <Library/BaseLib.h>
17#include <Library/BaseCryptLib.h>
18#include <Library/BaseMemoryLib.h>
19#include <Library/DebugLib.h>
20#include <Library/UefiLib.h>
21#include <Library/MemoryAllocationLib.h>
22#include <Library/UefiRuntimeServicesTableLib.h>
23#include <Library/SecureBootVariableLib.h>
24#include <Library/SecureBootVariableProvisionLib.h>
25#include <Library/DxeServicesLib.h>
26
41STATIC
42EFI_STATUS
43SecureBootFetchData (
44 IN EFI_GUID *KeyFileGuid,
45 OUT UINTN *SigListsSize,
46 OUT EFI_SIGNATURE_LIST **SigListOut
47 )
48{
49 EFI_SIGNATURE_LIST *EfiSig;
50 EFI_STATUS Status;
51 VOID *Buffer;
52 VOID *RsaPubKey;
53 UINTN Size;
54 UINTN KeyIndex;
55 UINTN Index;
56 SECURE_BOOT_CERTIFICATE_INFO *CertInfo;
57 SECURE_BOOT_CERTIFICATE_INFO *NewCertInfo;
58
59 KeyIndex = 0;
60 EfiSig = NULL;
61 *SigListOut = NULL;
62 *SigListsSize = 0;
63 CertInfo = AllocatePool (sizeof (SECURE_BOOT_CERTIFICATE_INFO));
64 NewCertInfo = CertInfo;
65 while (1) {
66 if (NewCertInfo == NULL) {
67 Status = EFI_OUT_OF_RESOURCES;
68 break;
69 } else {
70 CertInfo = NewCertInfo;
71 }
72
73 Status = GetSectionFromAnyFv (
74 KeyFileGuid,
75 EFI_SECTION_RAW,
76 KeyIndex,
77 &Buffer,
78 &Size
79 );
80
81 if (Status == EFI_SUCCESS) {
82 RsaPubKey = NULL;
83 if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) == FALSE) {
84 DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __func__, KeyIndex));
85 if (EfiSig != NULL) {
86 FreePool (EfiSig);
87 }
88
89 FreePool (Buffer);
90 Status = EFI_INVALID_PARAMETER;
91 break;
92 }
93
94 CertInfo[KeyIndex].Data = Buffer;
95 CertInfo[KeyIndex].DataSize = Size;
96 KeyIndex++;
97 NewCertInfo = ReallocatePool (
98 sizeof (SECURE_BOOT_CERTIFICATE_INFO) * KeyIndex,
99 sizeof (SECURE_BOOT_CERTIFICATE_INFO) * (KeyIndex + 1),
100 CertInfo
101 );
102 }
103
104 if (Status == EFI_NOT_FOUND) {
105 Status = EFI_SUCCESS;
106 break;
107 }
108 }
109
110 if (EFI_ERROR (Status)) {
111 goto Cleanup;
112 }
113
114 if (KeyIndex == 0) {
115 Status = EFI_NOT_FOUND;
116 goto Cleanup;
117 }
118
119 // Now that we collected all certs from FV, convert it into sig list
120 Status = SecureBootCreateDataFromInput (SigListsSize, SigListOut, KeyIndex, CertInfo);
121 if (EFI_ERROR (Status)) {
122 goto Cleanup;
123 }
124
125Cleanup:
126 if (CertInfo) {
127 for (Index = 0; Index < KeyIndex; Index++) {
128 FreePool ((VOID *)CertInfo[Index].Data);
129 }
130
131 FreePool (CertInfo);
132 }
133
134 return Status;
135}
136
148STATIC
149EFI_STATUS
150EnrollFromDefault (
151 IN CHAR16 *VariableName,
152 IN CHAR16 *DefaultName,
153 IN EFI_GUID *VendorGuid
154 )
155{
156 VOID *Data;
157 UINTN DataSize;
158 EFI_STATUS Status;
159
160 Status = EFI_SUCCESS;
161
162 DataSize = 0;
163 Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);
164 if (EFI_ERROR (Status)) {
165 DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));
166 return Status;
167 }
168
169 Status = EnrollFromInput (VariableName, VendorGuid, DataSize, Data);
170
171 if (Data != NULL) {
172 FreePool (Data);
173 }
174
175 return Status;
176}
177
183EFI_STATUS
184SecureBootInitPKDefault (
185 IN VOID
186 )
187{
188 EFI_SIGNATURE_LIST *EfiSig;
189 UINTN SigListsSize;
190 EFI_STATUS Status;
191 UINT8 *Data;
192 UINTN DataSize;
193
194 //
195 // Check if variable exists, if so do not change it
196 //
197 Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
198 if (Status == EFI_SUCCESS) {
199 DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
200 FreePool (Data);
201 return EFI_UNSUPPORTED;
202 }
203
204 if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
205 return Status;
206 }
207
208 //
209 // Variable does not exist, can be initialized
210 //
211 DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
212
213 Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);
214 if (EFI_ERROR (Status)) {
215 DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));
216 return Status;
217 }
218
219 Status = gRT->SetVariable (
220 EFI_PK_DEFAULT_VARIABLE_NAME,
221 &gEfiGlobalVariableGuid,
222 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
223 SigListsSize,
224 (VOID *)EfiSig
225 );
226 if (EFI_ERROR (Status)) {
227 DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));
228 }
229
230 FreePool (EfiSig);
231
232 return Status;
233}
234
240EFI_STATUS
241SecureBootInitKEKDefault (
242 IN VOID
243 )
244{
245 EFI_SIGNATURE_LIST *EfiSig;
246 UINTN SigListsSize;
247 EFI_STATUS Status;
248 UINT8 *Data;
249 UINTN DataSize;
250
251 //
252 // Check if variable exists, if so do not change it
253 //
254 Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
255 if (Status == EFI_SUCCESS) {
256 DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
257 FreePool (Data);
258 return EFI_UNSUPPORTED;
259 }
260
261 if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
262 return Status;
263 }
264
265 //
266 // Variable does not exist, can be initialized
267 //
268 DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
269
270 Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);
271 if (EFI_ERROR (Status)) {
272 DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
273 return Status;
274 }
275
276 Status = gRT->SetVariable (
277 EFI_KEK_DEFAULT_VARIABLE_NAME,
278 &gEfiGlobalVariableGuid,
279 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
280 SigListsSize,
281 (VOID *)EfiSig
282 );
283 if (EFI_ERROR (Status)) {
284 DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
285 }
286
287 FreePool (EfiSig);
288
289 return Status;
290}
291
297EFI_STATUS
298SecureBootInitDbDefault (
299 IN VOID
300 )
301{
302 EFI_SIGNATURE_LIST *EfiSig;
303 UINTN SigListsSize;
304 EFI_STATUS Status;
305 UINT8 *Data;
306 UINTN DataSize;
307
308 Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
309 if (Status == EFI_SUCCESS) {
310 DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
311 FreePool (Data);
312 return EFI_UNSUPPORTED;
313 }
314
315 if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
316 return Status;
317 }
318
319 DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));
320
321 Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);
322 if (EFI_ERROR (Status)) {
323 return Status;
324 }
325
326 Status = gRT->SetVariable (
327 EFI_DB_DEFAULT_VARIABLE_NAME,
328 &gEfiGlobalVariableGuid,
329 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
330 SigListsSize,
331 (VOID *)EfiSig
332 );
333 if (EFI_ERROR (Status)) {
334 DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));
335 }
336
337 FreePool (EfiSig);
338
339 return Status;
340}
341
347EFI_STATUS
348SecureBootInitDbxDefault (
349 IN VOID
350 )
351{
352 EFI_SIGNATURE_LIST *EfiSig;
353 UINTN SigListsSize;
354 EFI_STATUS Status;
355 UINT8 *Data;
356 UINTN DataSize;
357
358 //
359 // Check if variable exists, if so do not change it
360 //
361 Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
362 if (Status == EFI_SUCCESS) {
363 DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
364 FreePool (Data);
365 return EFI_UNSUPPORTED;
366 }
367
368 if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
369 return Status;
370 }
371
372 //
373 // Variable does not exist, can be initialized
374 //
375 DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
376
377 Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);
378 if (EFI_ERROR (Status)) {
379 DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
380 return Status;
381 }
382
383 Status = gRT->SetVariable (
384 EFI_DBX_DEFAULT_VARIABLE_NAME,
385 &gEfiGlobalVariableGuid,
386 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
387 SigListsSize,
388 (VOID *)EfiSig
389 );
390 if (EFI_ERROR (Status)) {
391 DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
392 }
393
394 FreePool (EfiSig);
395
396 return Status;
397}
398
404EFI_STATUS
405SecureBootInitDbtDefault (
406 IN VOID
407 )
408{
409 EFI_SIGNATURE_LIST *EfiSig;
410 UINTN SigListsSize;
411 EFI_STATUS Status;
412 UINT8 *Data;
413 UINTN DataSize;
414
415 //
416 // Check if variable exists, if so do not change it
417 //
418 Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
419 if (Status == EFI_SUCCESS) {
420 DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
421 FreePool (Data);
422 return EFI_UNSUPPORTED;
423 }
424
425 if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
426 return Status;
427 }
428
429 //
430 // Variable does not exist, can be initialized
431 //
432 DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
433
434 Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);
435 if (EFI_ERROR (Status)) {
436 return Status;
437 }
438
439 Status = gRT->SetVariable (
440 EFI_DBT_DEFAULT_VARIABLE_NAME,
441 &gEfiGlobalVariableGuid,
442 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
443 SigListsSize,
444 (VOID *)EfiSig
445 );
446 if (EFI_ERROR (Status)) {
447 DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
448 }
449
450 FreePool (EfiSig);
451
452 return EFI_SUCCESS;
453}
454
462EFI_STATUS
463EFIAPI
464EnrollDbFromDefault (
465 VOID
466 )
467{
468 EFI_STATUS Status;
469
470 Status = EnrollFromDefault (
471 EFI_IMAGE_SECURITY_DATABASE,
472 EFI_DB_DEFAULT_VARIABLE_NAME,
473 &gEfiImageSecurityDatabaseGuid
474 );
475
476 return Status;
477}
478
486EFI_STATUS
487EFIAPI
488EnrollDbxFromDefault (
489 VOID
490 )
491{
492 EFI_STATUS Status;
493
494 Status = EnrollFromDefault (
495 EFI_IMAGE_SECURITY_DATABASE1,
496 EFI_DBX_DEFAULT_VARIABLE_NAME,
497 &gEfiImageSecurityDatabaseGuid
498 );
499
500 return Status;
501}
502
510EFI_STATUS
511EFIAPI
512EnrollDbtFromDefault (
513 VOID
514 )
515{
516 EFI_STATUS Status;
517
518 Status = EnrollFromDefault (
519 EFI_IMAGE_SECURITY_DATABASE2,
520 EFI_DBT_DEFAULT_VARIABLE_NAME,
521 &gEfiImageSecurityDatabaseGuid
522 );
523
524 return Status;
525}
526
534EFI_STATUS
535EFIAPI
536EnrollKEKFromDefault (
537 VOID
538 )
539{
540 EFI_STATUS Status;
541
542 Status = EnrollFromDefault (
543 EFI_KEY_EXCHANGE_KEY_NAME,
544 EFI_KEK_DEFAULT_VARIABLE_NAME,
545 &gEfiGlobalVariableGuid
546 );
547
548 return Status;
549}
550
558EFI_STATUS
559EFIAPI
560EnrollPKFromDefault (
561 VOID
562 )
563{
564 EFI_STATUS Status;
565
566 Status = EnrollFromDefault (
567 EFI_PLATFORM_KEY_NAME,
568 EFI_PK_DEFAULT_VARIABLE_NAME,
569 &gEfiGlobalVariableGuid
570 );
571
572 return Status;
573}
UINTN
UINT64 UINTN
Definition: ProcessorBind.h:112
RsaGetPublicKeyFromX509
BOOLEAN EFIAPI RsaGetPublicKeyFromX509(IN CONST UINT8 *Cert, IN UINTN CertSize, OUT VOID **RsaContext)
Definition: CryptX509.c:580
GetSectionFromAnyFv
EFI_STATUS EFIAPI GetSectionFromAnyFv(IN CONST EFI_GUID *NameGuid, IN EFI_SECTION_TYPE SectionType, IN UINTN SectionInstance, OUT VOID **Buffer, OUT UINTN *Size)
Definition: DxeServicesLib.c:374
ReallocatePool
VOID *EFIAPI ReallocatePool(IN UINTN OldSize, IN UINTN NewSize, IN VOID *OldBuffer OPTIONAL)
Definition: MemoryAllocationLib.c:296
FreePool
VOID EFIAPI FreePool(IN VOID *Buffer)
Definition: MemoryAllocationLib.c:266
EFI_DBX_DEFAULT_VARIABLE_NAME
#define EFI_DBX_DEFAULT_VARIABLE_NAME
Definition: GlobalVariable.h:163
EFI_DBT_DEFAULT_VARIABLE_NAME
#define EFI_DBT_DEFAULT_VARIABLE_NAME
Definition: GlobalVariable.h:168
EFI_KEY_EXCHANGE_KEY_NAME
#define EFI_KEY_EXCHANGE_KEY_NAME
Definition: GlobalVariable.h:126
EFI_KEK_DEFAULT_VARIABLE_NAME
#define EFI_KEK_DEFAULT_VARIABLE_NAME
Definition: GlobalVariable.h:148
EFI_PK_DEFAULT_VARIABLE_NAME
#define EFI_PK_DEFAULT_VARIABLE_NAME
Definition: GlobalVariable.h:153
EFI_DB_DEFAULT_VARIABLE_NAME
#define EFI_DB_DEFAULT_VARIABLE_NAME
Definition: GlobalVariable.h:158
EFI_PLATFORM_KEY_NAME
#define EFI_PLATFORM_KEY_NAME
Definition: GlobalVariable.h:131
EFI_IMAGE_SECURITY_DATABASE2
#define EFI_IMAGE_SECURITY_DATABASE2
Definition: ImageAuthentication.h:36
EFI_IMAGE_SECURITY_DATABASE1
#define EFI_IMAGE_SECURITY_DATABASE1
Definition: ImageAuthentication.h:31
EFI_IMAGE_SECURITY_DATABASE
#define EFI_IMAGE_SECURITY_DATABASE
Definition: ImageAuthentication.h:26
gRT
EFI_RUNTIME_SERVICES * gRT
Definition: MockUefiRuntimeServicesTableLib.c:13
NULL
#define NULL
Definition: Base.h:319
STATIC
#define STATIC
Definition: Base.h:264
FALSE
#define FALSE
Definition: Base.h:307
IN
#define IN
Definition: Base.h:279
OUT
#define OUT
Definition: Base.h:284
DEBUG
#define DEBUG(Expression)
Definition: DebugLib.h:434
AllocatePool
VOID *EFIAPI AllocatePool(IN UINTN AllocationSize)
Definition: MemoryAllocationLib.c:195
SecureBootCreateDataFromInput
EFI_STATUS EFIAPI SecureBootCreateDataFromInput(OUT UINTN *SigListsSize, OUT EFI_SIGNATURE_LIST **SigListOut, IN UINTN KeyInfoCount, IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo)
Definition: SecureBootVariableLib.c:169
EnrollFromInput
EFI_STATUS EFIAPI EnrollFromInput(IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINTN DataSize, IN VOID *Data)
Definition: SecureBootVariableLib.c:693
EnrollFromDefault
STATIC EFI_STATUS EnrollFromDefault(IN CHAR16 *VariableName, IN CHAR16 *DefaultName, IN EFI_GUID *VendorGuid)
Definition: SecureBootVariableProvisionLib.c:150
SecureBootInitDbxDefault
EFI_STATUS SecureBootInitDbxDefault(IN VOID)
Definition: SecureBootVariableProvisionLib.c:348
SecureBootInitDbDefault
EFI_STATUS SecureBootInitDbDefault(IN VOID)
Definition: SecureBootVariableProvisionLib.c:298
SecureBootFetchData
STATIC EFI_STATUS SecureBootFetchData(IN EFI_GUID *KeyFileGuid, OUT UINTN *SigListsSize, OUT EFI_SIGNATURE_LIST **SigListOut)
Definition: SecureBootVariableProvisionLib.c:43
SecureBootInitDbtDefault
EFI_STATUS SecureBootInitDbtDefault(IN VOID)
Definition: SecureBootVariableProvisionLib.c:405
EnrollPKFromDefault
EFI_STATUS EFIAPI EnrollPKFromDefault(VOID)
Definition: SecureBootVariableProvisionLib.c:560
SecureBootInitKEKDefault
EFI_STATUS SecureBootInitKEKDefault(IN VOID)
Definition: SecureBootVariableProvisionLib.c:241
EnrollKEKFromDefault
EFI_STATUS EFIAPI EnrollKEKFromDefault(VOID)
Definition: SecureBootVariableProvisionLib.c:536
SecureBootInitPKDefault
EFI_STATUS SecureBootInitPKDefault(IN VOID)
Definition: SecureBootVariableProvisionLib.c:184
EnrollDbFromDefault
EFI_STATUS EFIAPI EnrollDbFromDefault(VOID)
Definition: SecureBootVariableProvisionLib.c:464
EnrollDbtFromDefault
EFI_STATUS EFIAPI EnrollDbtFromDefault(VOID)
Definition: SecureBootVariableProvisionLib.c:512
EnrollDbxFromDefault
EFI_STATUS EFIAPI EnrollDbxFromDefault(VOID)
Definition: SecureBootVariableProvisionLib.c:488
EFI_STATUS
RETURN_STATUS EFI_STATUS
Definition: UefiBaseType.h:29
EFI_SUCCESS
#define EFI_SUCCESS
Definition: UefiBaseType.h:112
GetVariable2
EFI_STATUS EFIAPI GetVariable2(IN CONST CHAR16 *Name, IN CONST EFI_GUID *Guid, OUT VOID **Value, OUT UINTN *Size OPTIONAL)
Definition: UefiLib.c:1317
EFI_SIGNATURE_LIST
Definition: ImageAuthentication.h:66
GUID
Definition: Base.h:213
SECURE_BOOT_CERTIFICATE_INFO
Definition: UefiSecureBoot.h:19