/**
Start hash sequence.
@param HashHandle Hash handle.
@retval EFI_SUCCESS Hash sequence start and HandleHandle returned.
@retval EFI_OUT_OF_RESOURCES No enough resource to start hash.
**/
EFI_STATUS
EFIAPI
Sha256HashInit (
OUT HASH_HANDLE *HashHandle
)
{
VOID *Sha256Ctx;
UINTN CtxSize;
CtxSize = Sha256GetContextSize ();
Sha256Ctx = AllocatePool (CtxSize);
ASSERT (Sha256Ctx != NULL);
Sha256Init (Sha256Ctx);
*HashHandle = (HASH_HANDLE)Sha256Ctx;
return EFI_SUCCESS;
}
/**
Initializes for authenticated varibale service.
@retval EFI_SUCCESS The function successfully executed.
@retval EFI_OUT_OF_RESOURCES Failed to allocate enough memory resources.
**/
EFI_STATUS
AutenticatedVariableServiceInitialize (
VOID
)
{
EFI_STATUS Status;
VARIABLE_POINTER_TRACK Variable;
UINT8 VarValue;
UINT32 VarAttr;
UINTN DataSize;
UINTN CtxSize;
VARIABLE_HEADER VariableHeader;
BOOLEAN Valid;
ZeroMem (&VariableHeader, sizeof (VARIABLE_HEADER));
mVariableModuleGlobal->AuthenticatedVariableGuid[Physical] = &gEfiAuthenticatedVariableGuid;
mVariableModuleGlobal->CertRsa2048Sha256Guid[Physical] = &gEfiCertRsa2048Sha256Guid;
mVariableModuleGlobal->ImageSecurityDatabaseGuid[Physical] = &gEfiImageSecurityDatabaseGuid;
//
// Initialize hash context.
//
CtxSize = Sha256GetContextSize ();
mVariableModuleGlobal->HashContext[Physical] = AllocateRuntimePool (CtxSize);
ASSERT (mVariableModuleGlobal->HashContext[Physical] != NULL);
//
// Check "AuthVarKeyDatabase" variable's existence.
// If it doesn't exist, create a new one with initial value of 0 and EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
//
Status = FindVariable (
mVariableModuleGlobal->VariableName[Physical][VAR_AUTH_KEY_DB],
&gEfiAuthenticatedVariableGuid,
&Variable,
&mVariableModuleGlobal->VariableGlobal[Physical],
mVariableModuleGlobal->FvbInstance
);
if (Variable.CurrPtr == 0x0) {
VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
VarValue = 0;
mPubKeyNumber = 0;
Status = UpdateVariable (
mVariableModuleGlobal->VariableName[Physical][VAR_AUTH_KEY_DB],
&gEfiAuthenticatedVariableGuid,
&VarValue,
sizeof(UINT8),
VarAttr,
0,
0,
FALSE,
mVariableModuleGlobal,
&Variable
);
if (EFI_ERROR (Status)) {
return Status;
}
} else {
//
// Load database in global variable for cache.
//
Valid = IsValidVariableHeader (
Variable.CurrPtr,
Variable.Volatile,
&mVariableModuleGlobal->VariableGlobal[Physical],
mVariableModuleGlobal->FvbInstance,
&VariableHeader
);
ASSERT (Valid);
DataSize = DataSizeOfVariable (&VariableHeader);
ASSERT (DataSize <= MAX_KEYDB_SIZE);
GetVariableDataPtr (
Variable.CurrPtr,
Variable.Volatile,
&mVariableModuleGlobal->VariableGlobal[Physical],
mVariableModuleGlobal->FvbInstance,
(CHAR16 *) mVariableModuleGlobal->PubKeyStore
);
mPubKeyNumber = (UINT32) (DataSize / EFI_CERT_TYPE_RSA2048_SIZE);
}
//
// Check "SetupMode" variable's existence.
// If it doesn't exist, check PK database's existence to determine the value.
// Then create a new one with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
//
Status = FindVariable (
mVariableModuleGlobal->VariableName[Physical][VAR_SETUP_MODE],
&gEfiGlobalVariableGuid,
&Variable,
&mVariableModuleGlobal->VariableGlobal[Physical],
mVariableModuleGlobal->FvbInstance
);
if (Variable.CurrPtr == 0x0) {
Status = FindVariable (
mVariableModuleGlobal->VariableName[Physical][VAR_PLATFORM_KEY],
&gEfiGlobalVariableGuid,
&Variable,
&mVariableModuleGlobal->VariableGlobal[Physical],
mVariableModuleGlobal->FvbInstance
);
if (Variable.CurrPtr == 0x0) {
mPlatformMode = SETUP_MODE;
} else {
mPlatformMode = USER_MODE;
}
VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
Status = UpdateVariable (
mVariableModuleGlobal->VariableName[Physical][VAR_SETUP_MODE],
&gEfiGlobalVariableGuid,
&mPlatformMode,
sizeof(UINT8),
VarAttr,
0,
0,
FALSE,
mVariableModuleGlobal,
&Variable
);
if (EFI_ERROR (Status)) {
return Status;
}
} else {
GetVariableDataPtr (
Variable.CurrPtr,
Variable.Volatile,
&mVariableModuleGlobal->VariableGlobal[Physical],
mVariableModuleGlobal->FvbInstance,
(CHAR16 *) &mPlatformMode
);
}
//
// Check "SignatureSupport" variable's existence.
// If it doesn't exist, then create a new one with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
//
Status = FindVariable (
EFI_SIGNATURE_SUPPORT_NAME,
&gEfiGlobalVariableGuid,
&Variable,
&mVariableModuleGlobal->VariableGlobal[Physical],
mVariableModuleGlobal->FvbInstance
);
if (Variable.CurrPtr == 0x0) {
VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
Status = UpdateVariable (
EFI_SIGNATURE_SUPPORT_NAME,
&gEfiGlobalVariableGuid,
mSignatureSupport,
SIGSUPPORT_NUM * sizeof(EFI_GUID),
VarAttr,
0,
0,
FALSE,
mVariableModuleGlobal,
&Variable
);
}
return Status;
}
/**
Extraction handler tries to extract raw data from the input guided section.
It also does authentication check for RSA 2048 SHA 256 signature in the input guided section.
It first checks whether the input guid section is supported.
If not, EFI_INVALID_PARAMETER will return.
@param InputSection Buffer containing the input GUIDed section to be processed.
@param OutputBuffer Buffer to contain the output raw data allocated by the caller.
@param ScratchBuffer A pointer to a caller-allocated buffer for function internal use.
@param AuthenticationStatus A pointer to a caller-allocated UINT32 that indicates the
authentication status of the output buffer.
@retval EFI_SUCCESS Section Data and Auth Status is extracted successfully.
@retval EFI_INVALID_PARAMETER The GUID in InputSection does not match this instance guid.
**/
EFI_STATUS
EFIAPI
Rsa2048Sha256GuidedSectionHandler (
IN CONST VOID *InputSection,
OUT VOID **OutputBuffer,
IN VOID *ScratchBuffer, OPTIONAL
OUT UINT32 *AuthenticationStatus
)
{
EFI_STATUS Status;
UINT32 OutputBufferSize;
VOID *DummyInterface;
EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlockRsa2048Sha256;
BOOLEAN CryptoStatus;
UINT8 Digest[SHA256_DIGEST_SIZE];
UINT8 *PublicKey;
UINTN PublicKeyBufferSize;
VOID *HashContext;
VOID *Rsa;
HashContext = NULL;
Rsa = NULL;
if (IS_SECTION2 (InputSection)) {
//
// Check whether the input guid section is recognized.
//
if (!CompareGuid (
&gEfiCertTypeRsa2048Sha256Guid,
&(((EFI_GUID_DEFINED_SECTION2 *)InputSection)->SectionDefinitionGuid))) {
return EFI_INVALID_PARAMETER;
}
//
// Get the RSA 2048 SHA 256 information.
//
CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION2_HEADER *) InputSection)->CertBlockRsa2048Sha256;
OutputBufferSize = SECTION2_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION2_HEADER);
if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {
PERF_START (NULL, "RsaCopy", "DXE", 0);
CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER), OutputBufferSize);
PERF_END (NULL, "RsaCopy", "DXE", 0);
} else {
*OutputBuffer = (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION2_HEADER);
}
//
// Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set
//
ASSERT ((((EFI_GUID_DEFINED_SECTION2 *)InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);
*AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;
} else {
//
// Check whether the input guid section is recognized.
//
if (!CompareGuid (
&gEfiCertTypeRsa2048Sha256Guid,
&(((EFI_GUID_DEFINED_SECTION *)InputSection)->SectionDefinitionGuid))) {
return EFI_INVALID_PARAMETER;
}
//
// Get the RSA 2048 SHA 256 information.
//
CertBlockRsa2048Sha256 = &((RSA_2048_SHA_256_SECTION_HEADER *)InputSection)->CertBlockRsa2048Sha256;
OutputBufferSize = SECTION_SIZE (InputSection) - sizeof (RSA_2048_SHA_256_SECTION_HEADER);
if ((((EFI_GUID_DEFINED_SECTION *)InputSection)->Attributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) != 0) {
PERF_START (NULL, "RsaCopy", "DXE", 0);
CopyMem (*OutputBuffer, (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER), OutputBufferSize);
PERF_END (NULL, "RsaCopy", "DXE", 0);
} else {
*OutputBuffer = (UINT8 *)InputSection + sizeof (RSA_2048_SHA_256_SECTION_HEADER);
}
//
// Implicitly RSA 2048 SHA 256 GUIDed section should have STATUS_VALID bit set
//
ASSERT ((((EFI_GUID_DEFINED_SECTION *) InputSection)->Attributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) != 0);
*AuthenticationStatus = EFI_AUTH_STATUS_IMAGE_SIGNED;
}
//
// Check whether there exists EFI_SECURITY_POLICY_PROTOCOL_GUID.
//
Status = gBS->LocateProtocol (&gEfiSecurityPolicyProtocolGuid, NULL, &DummyInterface);
if (!EFI_ERROR (Status)) {
//
// If SecurityPolicy Protocol exist, AUTH platform override bit is set.
//
*AuthenticationStatus |= EFI_AUTH_STATUS_PLATFORM_OVERRIDE;
return EFI_SUCCESS;
}
//
// All paths from here return EFI_SUCESS and result is returned in AuthenticationStatus
//
Status = EFI_SUCCESS;
//
// Fail if the HashType is not SHA 256
//
if (!CompareGuid (&gEfiHashAlgorithmSha256Guid, &CertBlockRsa2048Sha256->HashType)) {
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: HASH type of section is not supported\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
goto Done;
}
//
// Allocate hash context buffer required for SHA 256
//
HashContext = AllocatePool (Sha256GetContextSize ());
if (HashContext == NULL) {
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Can not allocate hash context\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
goto Done;
}
//
// Hash public key from data payload with SHA256.
//
ZeroMem (Digest, SHA256_DIGEST_SIZE);
CryptoStatus = Sha256Init (HashContext);
if (!CryptoStatus) {
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Init() failed\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
goto Done;
}
CryptoStatus = Sha256Update (HashContext, &CertBlockRsa2048Sha256->PublicKey, sizeof(CertBlockRsa2048Sha256->PublicKey));
if (!CryptoStatus) {
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Update() failed\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
goto Done;
}
CryptoStatus = Sha256Final (HashContext, Digest);
if (!CryptoStatus) {
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Final() failed\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
goto Done;
}
//
// Fail if the PublicKey is not one of the public keys in PcdRsa2048Sha256PublicKeyBuffer
//
PublicKey = (UINT8 *)PcdGetPtr (PcdRsa2048Sha256PublicKeyBuffer);
DEBUG ((DEBUG_VERBOSE, "DxePcdRsa2048Sha256: PublicKeyBuffer = %p\n", PublicKey));
ASSERT (PublicKey != NULL);
DEBUG ((DEBUG_VERBOSE, "DxePcdRsa2048Sha256: PublicKeyBuffer Token = %08x\n", PcdToken (PcdRsa2048Sha256PublicKeyBuffer)));
PublicKeyBufferSize = LibPcdGetExSize (&gEfiSecurityPkgTokenSpaceGuid, PcdToken (PcdRsa2048Sha256PublicKeyBuffer));
DEBUG ((DEBUG_VERBOSE, "DxePcdRsa2048Sha256: PublicKeyBuffer Size = %08x\n", PublicKeyBufferSize));
ASSERT ((PublicKeyBufferSize % SHA256_DIGEST_SIZE) == 0);
CryptoStatus = FALSE;
while (PublicKeyBufferSize != 0) {
if (CompareMem (Digest, PublicKey, SHA256_DIGEST_SIZE) == 0) {
CryptoStatus = TRUE;
break;
}
PublicKey = PublicKey + SHA256_DIGEST_SIZE;
PublicKeyBufferSize = PublicKeyBufferSize - SHA256_DIGEST_SIZE;
}
if (!CryptoStatus) {
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Public key in section is not supported\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
goto Done;
}
//
// Generate & Initialize RSA Context.
//
Rsa = RsaNew ();
if (Rsa == NULL) {
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaNew() failed\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
goto Done;
}
//
// Set RSA Key Components.
// NOTE: Only N and E are needed to be set as RSA public key for signature verification.
//
CryptoStatus = RsaSetKey (Rsa, RsaKeyN, CertBlockRsa2048Sha256->PublicKey, sizeof(CertBlockRsa2048Sha256->PublicKey));
if (!CryptoStatus) {
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaSetKey(RsaKeyN) failed\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
goto Done;
}
CryptoStatus = RsaSetKey (Rsa, RsaKeyE, mRsaE, sizeof (mRsaE));
if (!CryptoStatus) {
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaSetKey(RsaKeyE) failed\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
goto Done;
}
//
// Hash data payload with SHA256.
//
ZeroMem (Digest, SHA256_DIGEST_SIZE);
CryptoStatus = Sha256Init (HashContext);
if (!CryptoStatus) {
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Init() failed\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
goto Done;
}
PERF_START (NULL, "RsaShaData", "DXE", 0);
CryptoStatus = Sha256Update (HashContext, *OutputBuffer, OutputBufferSize);
PERF_END (NULL, "RsaShaData", "DXE", 0);
if (!CryptoStatus) {
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Update() failed\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
goto Done;
}
CryptoStatus = Sha256Final (HashContext, Digest);
if (!CryptoStatus) {
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: Sha256Final() failed\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
goto Done;
}
//
// Verify the RSA 2048 SHA 256 signature.
//
PERF_START (NULL, "RsaVerify", "DXE", 0);
CryptoStatus = RsaPkcs1Verify (
Rsa,
Digest,
SHA256_DIGEST_SIZE,
CertBlockRsa2048Sha256->Signature,
sizeof (CertBlockRsa2048Sha256->Signature)
);
PERF_END (NULL, "RsaVerify", "DXE", 0);
if (!CryptoStatus) {
//
// If RSA 2048 SHA 256 signature verification fails, AUTH tested failed bit is set.
//
DEBUG ((DEBUG_ERROR, "DxeRsa2048Sha256: RsaPkcs1Verify() failed\n"));
*AuthenticationStatus |= EFI_AUTH_STATUS_TEST_FAILED;
}
Done:
//
// Free allocated resources used to perform RSA 2048 SHA 256 signature verification
//
if (Rsa != NULL) {
RsaFree (Rsa);
}
if (HashContext != NULL) {
FreePool (HashContext);
}
DEBUG ((DEBUG_VERBOSE, "DxeRsa2048Sha256: Status = %r AuthenticationStatus = %08x\n", Status, *AuthenticationStatus));
return Status;
}
/**
Initialization for authenticated varibale services.
If this initialization returns error status, other APIs will not work
and expect to be not called then.
@param[in] AuthVarLibContextIn Pointer to input auth variable lib context.
@param[out] AuthVarLibContextOut Pointer to output auth variable lib context.
@retval EFI_SUCCESS Function successfully executed.
@retval EFI_INVALID_PARAMETER If AuthVarLibContextIn == NULL or AuthVarLibContextOut == NULL.
@retval EFI_OUT_OF_RESOURCES Fail to allocate enough resource.
@retval EFI_UNSUPPORTED Unsupported to process authenticated variable.
**/
EFI_STATUS
EFIAPI
AuthVariableLibInitialize (
IN AUTH_VAR_LIB_CONTEXT_IN *AuthVarLibContextIn,
OUT AUTH_VAR_LIB_CONTEXT_OUT *AuthVarLibContextOut
)
{
EFI_STATUS Status;
UINT8 VarValue;
UINT32 VarAttr;
UINT8 *Data;
UINTN DataSize;
UINTN CtxSize;
UINT8 SecureBootMode;
UINT8 SecureBootEnable;
UINT8 CustomMode;
UINT32 ListSize;
if ((AuthVarLibContextIn == NULL) || (AuthVarLibContextOut == NULL)) {
return EFI_INVALID_PARAMETER;
}
mAuthVarLibContextIn = AuthVarLibContextIn;
//
// Initialize hash context.
//
CtxSize = Sha256GetContextSize ();
mHashCtx = AllocateRuntimePool (CtxSize);
if (mHashCtx == NULL) {
return EFI_OUT_OF_RESOURCES;
}
//
// Reserve runtime buffer for public key database. The size excludes variable header and name size.
//
mMaxKeyDbSize = (UINT32) (mAuthVarLibContextIn->MaxAuthVariableSize - sizeof (AUTHVAR_KEYDB_NAME));
mMaxKeyNumber = mMaxKeyDbSize / sizeof (AUTHVAR_KEY_DB_DATA);
mPubKeyStore = AllocateRuntimePool (mMaxKeyDbSize);
if (mPubKeyStore == NULL) {
return EFI_OUT_OF_RESOURCES;
}
//
// Reserve runtime buffer for certificate database. The size excludes variable header and name size.
// Use EFI_CERT_DB_VOLATILE_NAME size since it is longer.
//
mMaxCertDbSize = (UINT32) (mAuthVarLibContextIn->MaxAuthVariableSize - sizeof (EFI_CERT_DB_VOLATILE_NAME));
mCertDbStore = AllocateRuntimePool (mMaxCertDbSize);
if (mCertDbStore == NULL) {
return EFI_OUT_OF_RESOURCES;
}
//
// Check "AuthVarKeyDatabase" variable's existence.
// If it doesn't exist, create a new one with initial value of 0 and EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
//
Status = AuthServiceInternalFindVariable (
AUTHVAR_KEYDB_NAME,
&gEfiAuthenticatedVariableGuid,
(VOID **) &Data,
&DataSize
);
if (EFI_ERROR (Status)) {
VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
VarValue = 0;
mPubKeyNumber = 0;
Status = AuthServiceInternalUpdateVariable (
AUTHVAR_KEYDB_NAME,
&gEfiAuthenticatedVariableGuid,
&VarValue,
sizeof(UINT8),
VarAttr
);
if (EFI_ERROR (Status)) {
return Status;
}
} else {
//
// Load database in global variable for cache.
//
ASSERT ((DataSize != 0) && (Data != NULL));
//
// "AuthVarKeyDatabase" is an internal variable. Its DataSize is always ensured not to exceed mPubKeyStore buffer size(See definition before)
// Therefore, there is no memory overflow in underlying CopyMem.
//
CopyMem (mPubKeyStore, (UINT8 *) Data, DataSize);
mPubKeyNumber = (UINT32) (DataSize / sizeof (AUTHVAR_KEY_DB_DATA));
}
Status = AuthServiceInternalFindVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_INFO, "Variable %s does not exist.\n", EFI_PLATFORM_KEY_NAME));
} else {
DEBUG ((EFI_D_INFO, "Variable %s exists.\n", EFI_PLATFORM_KEY_NAME));
}
//
// Create "SetupMode" variable with BS+RT attribute set.
//
if (EFI_ERROR (Status)) {
mPlatformMode = SETUP_MODE;
} else {
mPlatformMode = USER_MODE;
}
Status = AuthServiceInternalUpdateVariable (
EFI_SETUP_MODE_NAME,
&gEfiGlobalVariableGuid,
&mPlatformMode,
sizeof(UINT8),
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
);
if (EFI_ERROR (Status)) {
return Status;
}
//
// Create "SignatureSupport" variable with BS+RT attribute set.
//
Status = AuthServiceInternalUpdateVariable (
EFI_SIGNATURE_SUPPORT_NAME,
&gEfiGlobalVariableGuid,
mSignatureSupport,
sizeof(mSignatureSupport),
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
);
if (EFI_ERROR (Status)) {
return Status;
}
//
// If "SecureBootEnable" variable exists, then update "SecureBoot" variable.
// If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
// If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
//
SecureBootEnable = SECURE_BOOT_DISABLE;
Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **) &Data, &DataSize);
if (!EFI_ERROR (Status)) {
if (mPlatformMode == USER_MODE){
SecureBootEnable = *(UINT8 *) Data;
}
} else if (mPlatformMode == USER_MODE) {
//
// "SecureBootEnable" not exist, initialize it in USER_MODE.
//
SecureBootEnable = SECURE_BOOT_ENABLE;
Status = AuthServiceInternalUpdateVariable (
EFI_SECURE_BOOT_ENABLE_NAME,
&gEfiSecureBootEnableDisableGuid,
&SecureBootEnable,
sizeof (UINT8),
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
);
if (EFI_ERROR (Status)) {
return Status;
}
}
//
// Create "SecureBoot" variable with BS+RT attribute set.
//
if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
SecureBootMode = SECURE_BOOT_MODE_ENABLE;
} else {
SecureBootMode = SECURE_BOOT_MODE_DISABLE;
}
Status = AuthServiceInternalUpdateVariable (
EFI_SECURE_BOOT_MODE_NAME,
&gEfiGlobalVariableGuid,
&SecureBootMode,
sizeof (UINT8),
EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
);
if (EFI_ERROR (Status)) {
return Status;
}
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SETUP_MODE_NAME, mPlatformMode));
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_MODE_NAME, SecureBootMode));
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_ENABLE_NAME, SecureBootEnable));
//
// Initialize "CustomMode" in STANDARD_SECURE_BOOT_MODE state.
//
CustomMode = STANDARD_SECURE_BOOT_MODE;
Status = AuthServiceInternalUpdateVariable (
EFI_CUSTOM_MODE_NAME,
&gEfiCustomModeEnableGuid,
&CustomMode,
sizeof (UINT8),
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
);
if (EFI_ERROR (Status)) {
return Status;
}
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_CUSTOM_MODE_NAME, CustomMode));
//
// Check "certdb" variable's existence.
// If it doesn't exist, then create a new one with
// EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
//
Status = AuthServiceInternalFindVariable (
EFI_CERT_DB_NAME,
&gEfiCertDbGuid,
(VOID **) &Data,
&DataSize
);
if (EFI_ERROR (Status)) {
VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
ListSize = sizeof (UINT32);
Status = AuthServiceInternalUpdateVariable (
EFI_CERT_DB_NAME,
&gEfiCertDbGuid,
&ListSize,
sizeof (UINT32),
VarAttr
);
if (EFI_ERROR (Status)) {
return Status;
}
} else {
//
// Clean up Certs to make certDB & Time based auth variable consistent
//
Status = CleanCertsFromDb();
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "Clean up CertDB fail! Status %x\n", Status));
return Status;
}
}
//
// Create "certdbv" variable with RT+BS+AT set.
//
VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
ListSize = sizeof (UINT32);
Status = AuthServiceInternalUpdateVariable (
EFI_CERT_DB_VOLATILE_NAME,
&gEfiCertDbGuid,
&ListSize,
sizeof (UINT32),
VarAttr
);
if (EFI_ERROR (Status)) {
return Status;
}
//
// Check "VendorKeysNv" variable's existence and create "VendorKeys" variable accordingly.
//
Status = AuthServiceInternalFindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, (VOID **) &Data, &DataSize);
if (!EFI_ERROR (Status)) {
mVendorKeyState = *(UINT8 *)Data;
} else {
//
// "VendorKeysNv" not exist, initialize it in VENDOR_KEYS_VALID state.
//
mVendorKeyState = VENDOR_KEYS_VALID;
Status = AuthServiceInternalUpdateVariable (
EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
&gEfiVendorKeysNvGuid,
&mVendorKeyState,
sizeof (UINT8),
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
);
if (EFI_ERROR (Status)) {
return Status;
}
}
//
// Create "VendorKeys" variable with BS+RT attribute set.
//
Status = AuthServiceInternalUpdateVariable (
EFI_VENDOR_KEYS_VARIABLE_NAME,
&gEfiGlobalVariableGuid,
&mVendorKeyState,
sizeof (UINT8),
EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
);
if (EFI_ERROR (Status)) {
return Status;
}
DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_VENDOR_KEYS_VARIABLE_NAME, mVendorKeyState));
AuthVarLibContextOut->StructVersion = AUTH_VAR_LIB_CONTEXT_OUT_STRUCT_VERSION;
AuthVarLibContextOut->StructSize = sizeof (AUTH_VAR_LIB_CONTEXT_OUT);
AuthVarLibContextOut->AuthVarEntry = mAuthVarEntry;
AuthVarLibContextOut->AuthVarEntryCount = sizeof (mAuthVarEntry) / sizeof (mAuthVarEntry[0]);
mAuthVarAddressPointer[0] = (VOID **) &mPubKeyStore;
mAuthVarAddressPointer[1] = (VOID **) &mCertDbStore;
mAuthVarAddressPointer[2] = (VOID **) &mHashCtx;
mAuthVarAddressPointer[3] = (VOID **) &mAuthVarLibContextIn;
mAuthVarAddressPointer[4] = (VOID **) &(mAuthVarLibContextIn->FindVariable),
mAuthVarAddressPointer[5] = (VOID **) &(mAuthVarLibContextIn->FindNextVariable),
mAuthVarAddressPointer[6] = (VOID **) &(mAuthVarLibContextIn->UpdateVariable),
mAuthVarAddressPointer[7] = (VOID **) &(mAuthVarLibContextIn->GetScratchBuffer),
mAuthVarAddressPointer[8] = (VOID **) &(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
mAuthVarAddressPointer[9] = (VOID **) &(mAuthVarLibContextIn->AtRuntime),
AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;
AuthVarLibContextOut->AddressPointerCount = sizeof (mAuthVarAddressPointer) / sizeof (mAuthVarAddressPointer[0]);
//
// Cache UserPhysicalPresent State.
// Platform should report PhysicalPresent before this point
//
mUserPhysicalPresent = UserPhysicalPresent();
return Status;
}
/**
Calculates the hash of the given data based on the specified hash GUID.
@param[in] Data Pointer to the data buffer to be hashed.
@param[in] DataSize The size of data buffer in bytes.
@param[in] CertGuid The GUID to identify the hash algorithm to be used.
@param[out] HashValue Pointer to a buffer that receives the hash result.
@retval TRUE Data hash calculation succeeded.
@retval FALSE Data hash calculation failed.
**/
BOOLEAN
CalculateDataHash (
IN VOID *Data,
IN UINTN DataSize,
IN EFI_GUID *CertGuid,
OUT UINT8 *HashValue
)
{
BOOLEAN Status;
VOID *HashCtx;
UINTN CtxSize;
Status = FALSE;
HashCtx = NULL;
if (CompareGuid (CertGuid, &gEfiCertSha1Guid)) {
//
// SHA-1 Hash
//
CtxSize = Sha1GetContextSize ();
HashCtx = AllocatePool (CtxSize);
if (HashCtx == NULL) {
goto _Exit;
}
Status = Sha1Init (HashCtx);
Status = Sha1Update (HashCtx, Data, DataSize);
Status = Sha1Final (HashCtx, HashValue);
} else if (CompareGuid (CertGuid, &gEfiCertSha256Guid)) {
//
// SHA256 Hash
//
CtxSize = Sha256GetContextSize ();
HashCtx = AllocatePool (CtxSize);
if (HashCtx == NULL) {
goto _Exit;
}
Status = Sha256Init (HashCtx);
Status = Sha256Update (HashCtx, Data, DataSize);
Status = Sha256Final (HashCtx, HashValue);
} else if (CompareGuid (CertGuid, &gEfiCertSha384Guid)) {
//
// SHA384 Hash
//
CtxSize = Sha384GetContextSize ();
HashCtx = AllocatePool (CtxSize);
if (HashCtx == NULL) {
goto _Exit;
}
Status = Sha384Init (HashCtx);
Status = Sha384Update (HashCtx, Data, DataSize);
Status = Sha384Final (HashCtx, HashValue);
} else if (CompareGuid (CertGuid, &gEfiCertSha512Guid)) {
//
// SHA512 Hash
//
CtxSize = Sha512GetContextSize ();
HashCtx = AllocatePool (CtxSize);
if (HashCtx == NULL) {
goto _Exit;
}
Status = Sha512Init (HashCtx);
Status = Sha512Update (HashCtx, Data, DataSize);
Status = Sha512Final (HashCtx, HashValue);
}
_Exit:
if (HashCtx != NULL) {
FreePool (HashCtx);
}
return Status;
}
