示例#1
0
EFI_STATUS
SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner,
		  UINT32 options, int createtimebased)
{
	EFI_SIGNATURE_LIST *Cert;
	UINTN DataSize;
	EFI_STATUS efi_status;

	/* Microsoft request: Bugs in some UEFI platforms mean that PK or any
	 * other secure variable can be updated or deleted programmatically,
	 * so prevent */
	if (!variable_is_setupmode(1))
		return EFI_SECURITY_VIOLATION;

	if (createtimebased) {
		int ds;
		efi_status = variable_create_esl(Data, len, &X509_GUID, NULL,
						 (void **)&Cert, &ds);
		if (efi_status != EFI_SUCCESS) {
			Print(L"Failed to create %s certificate %d\n", var, efi_status);
			return efi_status;
		}

		DataSize = ds;
	} else {
		/* we expect an efi signature list rather than creating it */
		Cert = (EFI_SIGNATURE_LIST *)Data;
		DataSize = len;
	}
	efi_status = CreateTimeBasedPayload(&DataSize, (UINT8 **)&Cert);
	if (efi_status != EFI_SUCCESS) {
		Print(L"Failed to create time based payload %d\n", efi_status);
		return efi_status;
	}

	efi_status = uefi_call_wrapper(RT->SetVariable, 5, var, &owner,
				       EFI_VARIABLE_NON_VOLATILE
				       | EFI_VARIABLE_RUNTIME_ACCESS 
				       | EFI_VARIABLE_BOOTSERVICE_ACCESS
				       | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
				       | options,
				       DataSize, Cert);

	return efi_status;
}
示例#2
0
static EFI_STATUS shimprotocol_verify(void *buffer, UINT32 size)
{
	EFI_STATUS status;

	if (!variable_is_secureboot() || variable_is_setupmode())
		return EFI_SUCCESS;

	if (pkcs7verify_deny(buffer, size))
		return EFI_ACCESS_DENIED;

	if (pkcs7verify_allow(buffer, size))
		return EFI_SUCCESS;

	return EFI_ACCESS_DENIED;


	return status;
}
示例#3
0
static void
enroll_hash(void)
{
	EFI_STATUS efi_status;
	CHAR16 *file_name = NULL, *title[6], buf0[256], buf1[256], buf2[256],
		*var;
	EFI_GUID *owner;
	UINT8 hash[SHA256_DIGEST_SIZE];
	int i, setupmode = variable_is_setupmode();

	simple_file_selector(&im, (CHAR16 *[]){
			L"Select Binary",
			L"",
			L"The Selected Binary will have its hash Enrolled",
			L"This means it will Subsequently Boot with no prompting",
			L"Remember to make sure it is a genuine binary before Enroling its hash",
			NULL
		}, L"\\", L"", &file_name);