TlsAuthConfigLib.c
14#include <Uefi/UefiBaseType.h>
15#include <Uefi/UefiSpec.h>
16
19
20#include <Library/BaseLib.h>
21#include <Library/DebugLib.h>
25
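/**
  Replace the trusted CA certificate list used for HTTPS boot with the
  contents of the fw_cfg file "etc/edk2/https/cacerts".

  Behaviour, by case:
    - fw_cfg file absent: the existing
      gEfiTlsCaCertificateGuid:EFI_TLS_CA_CERTIFICATE_VARIABLE is not touched.
    - fw_cfg file present: the variable is deleted first, then recreated with
      EFI_VARIABLE_BOOTSERVICE_ACCESS as its only attribute (so without
      EFI_VARIABLE_NON_VOLATILE).
    - fw_cfg file present but empty, pool allocation failure, or failure to
      recreate the variable: the function returns with the earlier deletion
      in effect. The trusted set is then empty and HTTPS boot fails, i.e. the
      function fails closed instead of keeping a stale trust list.
    - failure to delete the existing variable (other than EFI_NOT_FOUND) is
      fatal: the function asserts and then spins in CpuDeadLoop().

  The fw_cfg blob is copied into the variable verbatim; nothing in this
  function parses or validates it.
  NOTE(review): presumably the consumer of the variable checks that the blob
  is a well-formed certificate list -- confirm against the HTTPS boot driver.
**/
STATIC
VOID
SetCaCerts (
  VOID
  )
{
  EFI_STATUS            Status;
  FIRMWARE_CONFIG_ITEM  HttpsCaCertsItem;
  UINTN                 HttpsCaCertsSize;
  VOID                  *HttpsCaCerts;

  Status = QemuFwCfgFindFile (
             "etc/edk2/https/cacerts",
             &HttpsCaCertsItem,
             &HttpsCaCertsSize
             );
  if (EFI_ERROR (Status)) {
    DEBUG ((
      DEBUG_VERBOSE,
      "%a:%a: not touching CA cert list\n",
      gEfiCallerBaseName,
      __func__
      ));
    return;
  }

  //
  // Delete the current EFI_TLS_CA_CERTIFICATE_VARIABLE if it exists. This
  // serves two purposes:
  //
  // (a) If the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we
  //     cannot make it volatile without deleting it first.
  //
  // (b) If we fail to recreate the variable later, deleting the current one is
  //     still justified if the fw_cfg file exists. Emptying the set of trusted
  //     CA certificates will fail HTTPS boot, which is better than trusting
  //     any certificate that's possibly missing from the fw_cfg file.
  //
  Status = gRT->SetVariable (
                  EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName
                  &gEfiTlsCaCertificateGuid,       // VendorGuid
                  0,                               // Attributes
                  0,                               // DataSize
                  NULL                             // Data
                  );
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
    //
    // This is fatal: a trust list that cannot be removed would stay in
    // effect even though the fw_cfg file asks for a different one. Log the
    // status code as well; this message is the only diagnostic left behind
    // before the dead loop.
    //
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: failed to delete %g:\"%s\": %r\n",
      gEfiCallerBaseName,
      __func__,
      &gEfiTlsCaCertificateGuid,
      EFI_TLS_CA_CERTIFICATE_VARIABLE,
      Status
      ));
    ASSERT_EFI_ERROR (Status);
    CpuDeadLoop ();
  }

  if (HttpsCaCertsSize == 0) {
    //
    // An empty fw_cfg file is a valid request for "trust nothing"; the
    // deletion above already implements it.
    //
    DEBUG ((
      DEBUG_VERBOSE,
      "%a:%a: applied empty CA cert list\n",
      gEfiCallerBaseName,
      __func__
      ));
    return;
  }

  HttpsCaCerts = AllocatePool (HttpsCaCertsSize);
  if (HttpsCaCerts == NULL) {
    //
    // Not fatal: the variable stays deleted, so HTTPS boot fails closed.
    //
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: failed to allocate HttpsCaCerts\n",
      gEfiCallerBaseName,
      __func__
      ));
    return;
  }

  //
  // QemuFwCfgReadBytes() returns VOID, so there is no read status to check
  // here; the buffer is passed on as-is.
  //
  QemuFwCfgSelectItem (HttpsCaCertsItem);
  QemuFwCfgReadBytes (HttpsCaCertsSize, HttpsCaCerts);

  Status = gRT->SetVariable (
                  EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName
                  &gEfiTlsCaCertificateGuid,       // VendorGuid
                  EFI_VARIABLE_BOOTSERVICE_ACCESS, // Attributes
                  HttpsCaCertsSize,                // DataSize
                  HttpsCaCerts                     // Data
                  );
  if (EFI_ERROR (Status)) {
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: failed to set %g:\"%s\": %r\n",
      gEfiCallerBaseName,
      __func__,
      &gEfiTlsCaCertificateGuid,
      EFI_TLS_CA_CERTIFICATE_VARIABLE,
      Status
      ));
    goto FreeHttpsCaCerts;
  }

  DEBUG ((
    DEBUG_VERBOSE,
    "%a:%a: stored CA cert list (%Lu byte(s))\n",
    gEfiCallerBaseName,
    __func__,
    (UINT64)HttpsCaCertsSize
    ));

FreeHttpsCaCerts:
  FreePool (HttpsCaCerts);
}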
149
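/**
  Replace the HTTPS boot cipher suite preference list with the contents of
  the fw_cfg file "etc/edk2/https/ciphers".

  If the fw_cfg file is absent, the existing
  gEdkiiHttpTlsCipherListGuid:EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE is not
  touched. If the file is present, the variable is deleted and recreated
  with EFI_VARIABLE_BOOTSERVICE_ACCESS as its only attribute.

  Unlike the CA certificate list, a missing cipher list does not make HTTPS
  boot fail; the default preferences would apply instead. Therefore every
  failure after the fw_cfg file has been found (delete failure, empty file,
  allocation failure, set failure) is fatal: the function asserts and then
  spins in CpuDeadLoop() rather than letting boot continue with preferences
  other than the ones requested through fw_cfg.

  The fw_cfg blob is copied into the variable verbatim; nothing in this
  function parses or validates it.
**/
STATIC
VOID
SetCipherSuites (
  VOID
  )
{
  EFI_STATUS            Status;
  FIRMWARE_CONFIG_ITEM  HttpsCiphersItem;
  UINTN                 HttpsCiphersSize;
  VOID                  *HttpsCiphers;

  Status = QemuFwCfgFindFile (
             "etc/edk2/https/ciphers",
             &HttpsCiphersItem,
             &HttpsCiphersSize
             );
  if (EFI_ERROR (Status)) {
    DEBUG ((
      DEBUG_VERBOSE,
      "%a:%a: not touching cipher suites\n",
      gEfiCallerBaseName,
      __func__
      ));
    return;
  }

  //
  // From this point on, any failure is fatal. An ordered cipher preference
  // list is available from QEMU, thus we cannot let the firmware attempt HTTPS
  // boot with either pre-existent or non-existent preferences. An empty set of
  // cipher suites does not fail HTTPS boot automatically; the default cipher
  // suite preferences would take effect, and we must prevent that.
  //
  // Delete the current EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE if it exists. If
  // the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we cannot
  // make it volatile without deleting it first.
  //
  Status = gRT->SetVariable (
                  EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName
                  &gEdkiiHttpTlsCipherListGuid,        // VendorGuid
                  0,                                   // Attributes
                  0,                                   // DataSize
                  NULL                                 // Data
                  );
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
    //
    // Include the status code: this path ends in a dead loop, so the log
    // line is the only diagnostic left behind.
    //
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: failed to delete %g:\"%s\": %r\n",
      gEfiCallerBaseName,
      __func__,
      &gEdkiiHttpTlsCipherListGuid,
      EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
      Status
      ));
    goto Done;
  }

  //
  // EFI_NOT_FOUND from the deletion is acceptable, and every path below
  // assigns Status again before reaching Done.
  //
  if (HttpsCiphersSize == 0) {
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: list of cipher suites must not be empty\n",
      gEfiCallerBaseName,
      __func__
      ));
    Status = EFI_INVALID_PARAMETER;
    goto Done;
  }

  HttpsCiphers = AllocatePool (HttpsCiphersSize);
  if (HttpsCiphers == NULL) {
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: failed to allocate HttpsCiphers\n",
      gEfiCallerBaseName,
      __func__
      ));
    Status = EFI_OUT_OF_RESOURCES;
    goto Done;
  }

  //
  // QemuFwCfgReadBytes() returns VOID, so there is no read status to check
  // here; the buffer is passed on as-is.
  //
  QemuFwCfgSelectItem (HttpsCiphersItem);
  QemuFwCfgReadBytes (HttpsCiphersSize, HttpsCiphers);

  Status = gRT->SetVariable (
                  EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName
                  &gEdkiiHttpTlsCipherListGuid,        // VendorGuid
                  EFI_VARIABLE_BOOTSERVICE_ACCESS,     // Attributes
                  HttpsCiphersSize,                    // DataSize
                  HttpsCiphers                         // Data
                  );
  if (EFI_ERROR (Status)) {
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: failed to set %g:\"%s\": %r\n",
      gEfiCallerBaseName,
      __func__,
      &gEdkiiHttpTlsCipherListGuid,
      EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
      Status
      ));
    goto FreeHttpsCiphers;
  }

  DEBUG ((
    DEBUG_VERBOSE,
    "%a:%a: stored list of cipher suites (%Lu byte(s))\n",
    gEfiCallerBaseName,
    __func__,
    (UINT64)HttpsCiphersSize
    ));

FreeHttpsCiphers:
  FreePool (HttpsCiphers);

Done:
  //
  // Single exit for the fatal paths. ASSERT_EFI_ERROR() reports the failure;
  // CpuDeadLoop() follows it so that execution stops here if the assertion
  // returns.
  //
  if (EFI_ERROR (Status)) {
    ASSERT_EFI_ERROR (Status);
    CpuDeadLoop ();
  }
}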
276
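/**
  Apply the HTTPS boot TLS configuration that is passed in through fw_cfg:
  first the trusted CA certificate list, then the cipher suite preference
  list.

  NOTE(review): presumably registered as this library instance's constructor
  -- confirm in the module's INF file.

  @retval RETURN_SUCCESS  Always. Fatal conditions inside the helpers do not
                          return; they end in CpuDeadLoop().
**/
RETURN_STATUS
EFIAPI
TlsAuthConfigInit (
  VOID
  )
{
  SetCaCerts ();
  //
  // NOTE(review): source line 284 is missing from this rendering of the
  // file. The call below is reconstructed from the STATIC SetCipherSuites()
  // definition in this file, which would otherwise be unused -- confirm
  // against the source tree.
  //
  SetCipherSuites ();

  return RETURN_SUCCESS;
}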
UINT64 UINTN
VOID EFIAPI CpuDeadLoop(VOID)
Definition: CpuDeadLoop.c:25
VOID EFIAPI FreePool(IN VOID *Buffer)
EFI_RUNTIME_SERVICES * gRT
#define NULL
Definition: Base.h:319
#define STATIC
Definition: Base.h:264
#define RETURN_SUCCESS
Definition: Base.h:1066
#define ASSERT_EFI_ERROR(StatusParameter)
Definition: DebugLib.h:462
#define DEBUG(Expression)
Definition: DebugLib.h:434
VOID *EFIAPI AllocatePool(IN UINTN AllocationSize)
RETURN_STATUS EFIAPI QemuFwCfgFindFile(IN CONST CHAR8 *Name, OUT FIRMWARE_CONFIG_ITEM *Item, OUT UINTN *Size)
Definition: QemuFwCfgLib.c:250
VOID EFIAPI QemuFwCfgReadBytes(IN UINTN Size, IN VOID *Buffer OPTIONAL)
Definition: QemuFwCfgNull.c:66
VOID EFIAPI QemuFwCfgSelectItem(IN FIRMWARE_CONFIG_ITEM QemuFwCfgItem)
Definition: QemuFwCfgLib.c:33
STATIC VOID SetCaCerts(VOID)
STATIC VOID SetCipherSuites(VOID)
RETURN_STATUS EFI_STATUS
Definition: UefiBaseType.h:29