/**
  Read an EFI boot variable, then measure and log it, extending the measurement
  result into PCR[5] as an EV_EFI_VARIABLE_BOOT event.

  The buffer returned through VarData is whatever ReadVariable returns; its
  ownership and release rules follow ReadVariable's contract (not shown here).

  @param[in]   VarName          A Null-terminated string that is the name of the vendor's variable.
  @param[in]   VendorGuid       A unique identifier for the vendor.
  @param[out]  VarSize          The size of the variable data, as filled in by ReadVariable.
                                Only meaningful when *VarData is not NULL on return.
  @param[out]  VarData          Pointer to the content of the variable, or NULL when the
                                variable could not be read.

  @retval EFI_SUCCESS           Operation completed successfully.
  @retval EFI_NOT_FOUND         ReadVariable returned NULL; nothing was measured.
  @retval EFI_OUT_OF_RESOURCES  Out of memory.
  @retval EFI_DEVICE_ERROR      The operation was unsuccessful.

**/
EFI_STATUS
EFIAPI
ReadAndMeasureBootVariable (
  IN      CHAR16                    *VarName,
  IN      EFI_GUID                  *VendorGuid,
  OUT     UINTN                     *VarSize,
  OUT     VOID                      **VarData
  )
{
  VOID                              *Content;

  //
  // Fetch the variable first; a NULL result means there is nothing to measure.
  // The caller still receives the NULL through VarData.
  //
  Content  = ReadVariable (VarName, VendorGuid, VarSize);
  *VarData = Content;
  if (Content == NULL) {
    return EFI_NOT_FOUND;
  }

  //
  // Boot variables are recorded in PCR[5] with event type EV_EFI_VARIABLE_BOOT.
  //
  return MeasureVariable (
           5,
           EV_EFI_VARIABLE_BOOT,
           VarName,
           VendorGuid,
           Content,
           *VarSize
           );
}
/**
  SecureBoot Hook for processing image verification.

  Measures a secure-authority variable (as classified by
  IsSecureAuthorityVariable) at most once per distinct content: content that
  IsDataMeasured already reports as measured is skipped, and a successful
  measurement is recorded through AddDataMeasured so a later call with the
  same content becomes a no-op.

  @param[in] VariableName                 Name of Variable to be found.
  @param[in] VendorGuid                   Variable vendor GUID.
  @param[in] DataSize                     Size, in bytes, of the buffer at Data.
  @param[in] Data                         Data pointer.

**/
VOID
EFIAPI
SecureBootHook (
  IN CHAR16                                 *VariableName,
  IN EFI_GUID                               *VendorGuid,
  IN UINTN                                  DataSize,
  IN VOID                                   *Data
  )
{
  EFI_STATUS                        MeasureStatus;

  //
  // Only variables that carry secure-boot authority are of interest here.
  //
  if (!IsSecureAuthorityVariable (VariableName, VendorGuid)) {
    return;
  }

  //
  // Identical content must not be extended into the TPM a second time.
  //
  if (IsDataMeasured (VariableName, VendorGuid, Data, DataSize)) {
    DEBUG ((EFI_D_ERROR, "MeasureSecureAuthorityVariable - IsDataMeasured\n"));
    return;
  }

  MeasureStatus = MeasureVariable (VariableName, VendorGuid, Data, DataSize);
  DEBUG ((EFI_D_ERROR, "MeasureBootPolicyVariable - %r\n", MeasureStatus));

  //
  // Remember what was measured so that the next call with this content is skipped.
  // A failed measurement is deliberately not recorded, so it can be retried.
  //
  if (!EFI_ERROR (MeasureStatus)) {
    AddDataMeasured (VariableName, VendorGuid, Data, DataSize);
  }
}
/**
  SecureBoot Hook for SetVariable.

  Re-reads the named variable with InternalGetVariable and measures its full
  content whenever it is a secure-boot policy variable (per
  IsSecureBootPolicyVariable). When the variable cannot be read (for example
  because it was deleted) it is measured as an empty value (NULL, size 0).

  @param[in] VariableName                 Name of Variable to be found.
  @param[in] VendorGuid                   Variable vendor GUID.

**/
VOID
EFIAPI
SecureBootHook (
  IN CHAR16                                 *VariableName,
  IN EFI_GUID                               *VendorGuid
  )
{
  EFI_STATUS                        Status;
  UINTN                             ContentSize;
  VOID                              *Content;

  if (!IsSecureBootPolicyVariable (VariableName, VendorGuid)) {
    return;
  }

  //
  // The Data/DataSize seen by SetVariable are not what must be measured: they
  // may carry an authentication header, be a partial append, or describe a
  // deletion. Fetch the stored content again to measure the real value.
  //
  Status = InternalGetVariable (VariableName, VendorGuid, &Content, &ContentSize);
  if (EFI_ERROR (Status)) {
    //
    // Unreadable or deleted: measure as empty so the event log reflects it.
    //
    Content     = NULL;
    ContentSize = 0;
  }

  Status = MeasureVariable (VariableName, VendorGuid, Content, ContentSize);
  DEBUG ((EFI_D_ERROR, "MeasureBootPolicyVariable - %r\n", Status));

  //
  // The buffer from InternalGetVariable is owned here; release it once measured.
  //
  if (Content != NULL) {
    FreePool (Content);
  }
}
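/**
  SecureBoot Hook for SetVariable.

  Re-reads the named variable with InternalGetVariable and measures its full
  content whenever it is a secure-boot policy variable (per
  IsSecureBootPolicyVariable):
    - a deleted "dbt" (EFI_IMAGE_SECURITY_DATABASE2) is not measured at all;
    - any other unreadable/deleted policy variable is measured as empty (NULL, 0).

  After a successful write of the Platform Key, "SecureBoot" is read back and,
  if its content differs from the cached copy in mSecureBootVarData, the cache
  is replaced (taking ownership of the freshly read buffer) and the variable is
  measured again.

  @param[in] VariableName                 Name of Variable to be found.
  @param[in] VendorGuid                   Variable vendor GUID.

**/
VOID
EFIAPI
SecureBootHook (
  IN CHAR16                                 *VariableName,
  IN EFI_GUID                               *VendorGuid
  )
{
  EFI_STATUS                        Status;
  UINTN                             VariableDataSize;
  VOID                              *VariableData;

  if (!IsSecureBootPolicyVariable (VariableName, VendorGuid)) {
    return ;
  }

  //
  // We should NOT use Data and DataSize here,because it may include signature,
  // or is just partial with append attributes, or is deleted.
  // We should GetVariable again, to get full variable content.
  //
  Status = InternalGetVariable (
             VariableName,
             VendorGuid,
             &VariableData,
             &VariableDataSize
             );
  if (EFI_ERROR (Status)) {
    //
    // Measure DBT only if present and not empty
    //
    if (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0 &&
        CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid)) {
      DEBUG((DEBUG_INFO, "Skip measuring variable %s since it's deleted\n", EFI_IMAGE_SECURITY_DATABASE2));
      return;
    } else {
      //
      // Deleted or unreadable: measure as empty so the event log records it.
      //
      VariableData     = NULL;
      VariableDataSize = 0;
    }
  }

  Status = MeasureVariable (
             VariableName,
             VendorGuid,
             VariableData,
             VariableDataSize
             );
  DEBUG ((EFI_D_INFO, "MeasureBootPolicyVariable - %r\n", Status));

  //
  // The buffer from InternalGetVariable is owned here; release it once measured.
  //
  if (VariableData != NULL) {
    FreePool (VariableData);
  }

  //
  // "SecureBoot" is 8bit & read-only. It can only be changed according to PK update
  //
  if ((StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0) &&
       CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)) {
     Status = InternalGetVariable (
                EFI_SECURE_BOOT_MODE_NAME,
                &gEfiGlobalVariableGuid,
                &VariableData,
                &VariableDataSize
                );
     if (EFI_ERROR (Status)) {
       return;
     }

     //
     // If PK update is successful. "SecureBoot" shall always exist ever since variable write service is ready
     //
     ASSERT(mSecureBootVarData != NULL);

     //
     // Compare the sizes before the bytes: CompareMem is bounded by the size of
     // the freshly read value, so if it ever exceeded the cached size the
     // comparison would read past mSecureBootVarData. A size-only change is
     // also a change that must be re-measured.
     //
     if ((mSecureBootVarDataSize != VariableDataSize) ||
         (CompareMem(mSecureBootVarData, VariableData, VariableDataSize) != 0)) {
       //
       // Take ownership of the new buffer; the previous cached copy is released.
       //
       FreePool(mSecureBootVarData);
       mSecureBootVarData     = VariableData;
       mSecureBootVarDataSize = VariableDataSize;

       DEBUG((DEBUG_INFO, "%s variable updated according to PK change. Remeasure the value!\n", EFI_SECURE_BOOT_MODE_NAME));
       Status = MeasureVariable (
                  EFI_SECURE_BOOT_MODE_NAME,
                  &gEfiGlobalVariableGuid,
                  mSecureBootVarData,
                  mSecureBootVarDataSize
                  );
       DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));
     } else {
       //
       // "SecureBoot" variable is not changed
       //
       FreePool(VariableData);
     }
  }

  return ;
}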