EFI_STATUS
SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner,
UINT32 options, int createtimebased)
{
EFI_SIGNATURE_LIST *Cert;
UINTN DataSize;
EFI_STATUS efi_status;
/* Microsoft request: Bugs in some UEFI platforms mean that PK or any
* other secure variable can be updated or deleted programmatically,
* so prevent */
if (!variable_is_setupmode(1))
return EFI_SECURITY_VIOLATION;
if (createtimebased) {
int ds;
efi_status = variable_create_esl(Data, len, &X509_GUID, NULL,
(void **)&Cert, &ds);
if (efi_status != EFI_SUCCESS) {
Print(L"Failed to create %s certificate %d\n", var, efi_status);
return efi_status;
}
DataSize = ds;
} else {
/* we expect an efi signature list rather than creating it */
Cert = (EFI_SIGNATURE_LIST *)Data;
DataSize = len;
}
efi_status = CreateTimeBasedPayload(&DataSize, (UINT8 **)&Cert);
if (efi_status != EFI_SUCCESS) {
Print(L"Failed to create time based payload %d\n", efi_status);
return efi_status;
}
efi_status = uefi_call_wrapper(RT->SetVariable, 5, var, &owner,
EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_RUNTIME_ACCESS
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
| options,
DataSize, Cert);
return efi_status;
}
static EFI_STATUS shimprotocol_verify(void *buffer, UINT32 size)
{
EFI_STATUS status;
if (!variable_is_secureboot() || variable_is_setupmode())
return EFI_SUCCESS;
if (pkcs7verify_deny(buffer, size))
return EFI_ACCESS_DENIED;
if (pkcs7verify_allow(buffer, size))
return EFI_SUCCESS;
return EFI_ACCESS_DENIED;
return status;
}
static void
enroll_hash(void)
{
EFI_STATUS efi_status;
CHAR16 *file_name = NULL, *title[6], buf0[256], buf1[256], buf2[256],
*var;
EFI_GUID *owner;
UINT8 hash[SHA256_DIGEST_SIZE];
int i, setupmode = variable_is_setupmode();
simple_file_selector(&im, (CHAR16 *[]){
L"Select Binary",
L"",
L"The Selected Binary will have its hash Enrolled",
L"This means it will Subsequently Boot with no prompting",
L"Remember to make sure it is a genuine binary before Enroling its hash",
NULL
}, L"\\", L"", &file_name);