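/**
  Read then Measure and log an EFI boot variable, and extend the measurement
  result into PCR[5].

  The buffer returned through VarData comes from ReadVariable; presumably the
  caller is responsible for releasing it once it is no longer needed (confirm
  against ReadVariable's contract).

  @param[in]  VarName     A Null-terminated string that is the name of the
                          vendor's variable.
  @param[in]  VendorGuid  A unique identifier for the vendor.
  @param[out] VarSize     The size of the variable data.
  @param[out] VarData     Pointer to the content of the variable, or NULL when
                          the variable could not be read.

  @retval EFI_SUCCESS           Operation completed successfully.
  @retval EFI_NOT_FOUND         The variable could not be read; nothing was
                                measured.
  @retval EFI_OUT_OF_RESOURCES  Out of memory.
  @retval EFI_DEVICE_ERROR      The operation was unsuccessful.
**/
EFI_STATUS
EFIAPI
ReadAndMeasureBootVariable (
  IN  CHAR16    *VarName,
  IN  EFI_GUID  *VendorGuid,
  OUT UINTN     *VarSize,
  OUT VOID      **VarData
  )
{
  *VarData = ReadVariable (VarName, VendorGuid, VarSize);
  if (*VarData == NULL) {
    //
    // Nothing to measure. This path was not listed in the @retval table before.
    //
    return EFI_NOT_FOUND;
  }

  //
  // Boot variables are extended into PCR[5] with event type EV_EFI_VARIABLE_BOOT.
  // The status of the measurement is passed straight back to the caller.
  //
  return MeasureVariable (
           5,
           EV_EFI_VARIABLE_BOOT,
           VarName,
           VendorGuid,
           *VarData,
           *VarSize
           );
}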
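/**
  SecureBoot Hook for processing image verification.

  Measures the secure boot authority variable data that was used during image
  verification. A (name, GUID, data) tuple that IsDataMeasured already reports
  as recorded is skipped, and a tuple is only recorded after a successful
  measurement, so a failed measurement is not treated as done.

  @param[in] VariableName  Name of Variable to be found.
  @param[in] VendorGuid    Variable vendor GUID.
  @param[in] DataSize      Size of Data found. If size is less than the data,
                           this value contains the required size.
  @param[in] Data          Data pointer.
**/
VOID
EFIAPI
SecureBootHook (
  IN CHAR16    *VariableName,
  IN EFI_GUID  *VendorGuid,
  IN UINTN     DataSize,
  IN VOID      *Data
  )
{
  EFI_STATUS  Status;

  if (!IsSecureAuthorityVariable (VariableName, VendorGuid)) {
    return;
  }

  //
  // Do not extend the same authority data into the TPM twice.
  //
  if (IsDataMeasured (VariableName, VendorGuid, Data, DataSize)) {
    DEBUG ((EFI_D_ERROR, "MeasureSecureAuthorityVariable - IsDataMeasured\n"));
    return;
  }

  Status = MeasureVariable (
             VariableName,
             VendorGuid,
             Data,
             DataSize
             );
  //
  // Log under this hook's own name, consistent with the IsDataMeasured message
  // above; the previous text was copied from the boot policy hook.
  //
  DEBUG ((EFI_D_ERROR, "MeasureSecureAuthorityVariable - %r\n", Status));

  if (!EFI_ERROR (Status)) {
    AddDataMeasured (VariableName, VendorGuid, Data, DataSize);
  }
}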
/**
  SecureBoot Hook for SetVariable.

  Re-measures a secure boot policy variable after it has been written. The
  current content is read back with InternalGetVariable instead of being taken
  from the SetVariable arguments (see the note in the body).

  @param[in] VariableName  Name of Variable to be found.
  @param[in] VendorGuid    Variable vendor GUID.
**/
VOID
EFIAPI
SecureBootHook (
  IN CHAR16    *VariableName,
  IN EFI_GUID  *VendorGuid
  )
{
  EFI_STATUS  Status;
  VOID        *Content;
  UINTN       ContentSize;

  if (!IsSecureBootPolicyVariable (VariableName, VendorGuid)) {
    return;
  }

  //
  // The Data/DataSize pair given to SetVariable is not usable here: it may
  // carry an authentication signature, be a partial write with append
  // attributes, or be a deletion. Read the variable back to get its full,
  // current content.
  //
  Status = InternalGetVariable (VariableName, VendorGuid, &Content, &ContentSize);
  if (EFI_ERROR (Status)) {
    //
    // Read failure (for example a deleted variable) is measured as empty content.
    //
    Content     = NULL;
    ContentSize = 0;
  }

  Status = MeasureVariable (VariableName, VendorGuid, Content, ContentSize);
  DEBUG ((EFI_D_ERROR, "MeasureBootPolicyVariable - %r\n", Status));

  if (Content != NULL) {
    FreePool (Content);
  }
}
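/**
  SecureBoot Hook for SetVariable.

  Re-measures a secure boot policy variable after it has been written, reading
  the variable back rather than trusting the SetVariable arguments. A deleted
  DBT is skipped; any other unreadable policy variable is measured as empty
  content. When the variable written was PK, the cached "SecureBoot" value
  (mSecureBootVarData) is compared with the current one and re-measured if it
  changed.

  @param[in] VariableName  Name of Variable to be found.
  @param[in] VendorGuid    Variable vendor GUID.
**/
VOID
EFIAPI
SecureBootHook (
  IN CHAR16    *VariableName,
  IN EFI_GUID  *VendorGuid
  )
{
  EFI_STATUS  Status;
  UINTN       VariableDataSize;
  VOID        *VariableData;
  BOOLEAN     SecureBootChanged;

  if (!IsSecureBootPolicyVariable (VariableName, VendorGuid)) {
    return;
  }

  //
  // We should NOT use Data and DataSize here,because it may include signature,
  // or is just partial with append attributes, or is deleted.
  // We should GetVariable again, to get full variable content.
  //
  Status = InternalGetVariable (
             VariableName,
             VendorGuid,
             &VariableData,
             &VariableDataSize
             );
  if (EFI_ERROR (Status)) {
    //
    // Measure DBT only if present and not empty
    //
    if ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0) &&
        CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid)) {
      DEBUG ((DEBUG_INFO, "Skip measuring variable %s since it's deleted\n", EFI_IMAGE_SECURITY_DATABASE2));
      return;
    }
    //
    // Any other unreadable policy variable is measured as empty content.
    //
    VariableData     = NULL;
    VariableDataSize = 0;
  }

  Status = MeasureVariable (
             VariableName,
             VendorGuid,
             VariableData,
             VariableDataSize
             );
  DEBUG ((EFI_D_INFO, "MeasureBootPolicyVariable - %r\n", Status));

  if (VariableData != NULL) {
    FreePool (VariableData);
  }

  //
  // "SecureBoot" is 8bit & read-only. It can only be changed according to PK update
  //
  if ((StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) != 0) ||
      !CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)) {
    return;
  }

  Status = InternalGetVariable (
             EFI_SECURE_BOOT_MODE_NAME,
             &gEfiGlobalVariableGuid,
             &VariableData,
             &VariableDataSize
             );
  if (EFI_ERROR (Status)) {
    return;
  }

  //
  // If PK update is successful. "SecureBoot" shall always exist ever since variable write service is ready
  //
  ASSERT (mSecureBootVarData != NULL);

  //
  // Compare the sizes before the contents. The earlier CompareMem used only the
  // freshly read size, which over-reads the cached buffer if the two ever
  // differ, and would dereference a NULL cache in a build where ASSERT is
  // compiled out. A missing or differently sized cache counts as a change.
  //
  SecureBootChanged = (mSecureBootVarData == NULL) ||
                      (mSecureBootVarDataSize != VariableDataSize) ||
                      (CompareMem (mSecureBootVarData, VariableData, VariableDataSize) != 0);

  if (!SecureBootChanged) {
    //
    // "SecureBoot" variable is not changed
    //
    FreePool (VariableData);
    return;
  }

  if (mSecureBootVarData != NULL) {
    FreePool (mSecureBootVarData);
  }
  //
  // Ownership of VariableData moves to the cache; it must not be freed here.
  //
  mSecureBootVarData     = VariableData;
  mSecureBootVarDataSize = VariableDataSize;
  DEBUG ((DEBUG_INFO, "%s variable updated according to PK change. Remeasure the value!\n", EFI_SECURE_BOOT_MODE_NAME));
  Status = MeasureVariable (
             EFI_SECURE_BOOT_MODE_NAME,
             &gEfiGlobalVariableGuid,
             mSecureBootVarData,
             mSecureBootVarDataSize
             );
  DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));
}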