public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Laszlo Ersek" <lersek@redhat.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>
Cc: Anthony Perard <anthony.perard@citrix.com>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Julien Grall <julien.grall@arm.com>
Subject: [PATCH 09/16] OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file
Date: Sat, 27 Apr 2019 02:53:21 +0200	[thread overview]
Message-ID: <20190427005328.27005-10-lersek@redhat.com> (raw)
In-Reply-To: <20190427005328.27005-1-lersek@redhat.com>

"EnrollDefaultKeys.c" defines three structure types: SINGLE_HEADER,
REPEATING_HEADER, and SETTINGS. The definitions are scattered over the C
file, and lack high-level summary comments.

Extract the structures to "EnrollDefaultKeys.h", and add the missing
comments.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@arm.com>
Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=1747
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf |   1 +
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h   | 121 ++++++++++++++++++++
 OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c   | 101 +---------------
 3 files changed, 124 insertions(+), 99 deletions(-)

diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
index 3a215df50863..9f315a8e6d90 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf
@@ -11,16 +11,17 @@ [Defines]
   BASE_NAME                      = EnrollDefaultKeys
   FILE_GUID                      = A0BAA8A3-041D-48A8-BC87-C36D121B5E3D
   MODULE_TYPE                    = UEFI_APPLICATION
   VERSION_STRING                 = 0.1
   ENTRY_POINT                    = ShellCEntryLib
 
 [Sources]
   EnrollDefaultKeys.c
+  EnrollDefaultKeys.h
 
 [Packages]
   MdeModulePkg/MdeModulePkg.dec
   MdePkg/MdePkg.dec
   SecurityPkg/SecurityPkg.dec
   ShellPkg/ShellPkg.dec
 
 [Guids]
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
new file mode 100644
index 000000000000..9bcd87ff4f44
--- /dev/null
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
@@ -0,0 +1,121 @@
+/** @file
+  Type definitions for the EnrollDefaultKeys application.
+
+  Copyright (C) 2014-2019, Red Hat, Inc.
+
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef ENROLL_DEFAULT_KEYS_H_
+#define ENROLL_DEFAULT_KEYS_H_
+
+#include <Uefi/UefiBaseType.h>
+
+//
+// Convenience structure types for constructing "signature lists" for
+// authenticated UEFI variables.
+//
+// The most important thing about the variable payload is that it is a list of
+// lists, where the element size of any given *inner* list is constant.
+//
+// Since X509 certificates vary in size, each of our *inner* lists will contain
+// one element only (one X.509 certificate). This is explicitly mentioned in
+// the UEFI specification, in "28.4.1 Signature Database", in a Note.
+//
+// The list structure looks as follows:
+//
+// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
+//   struct EFI_TIME {                                              |
+//     UINT16 Year;                                                 |
+//     UINT8  Month;                                                |
+//     UINT8  Day;                                                  |
+//     UINT8  Hour;                                                 |
+//     UINT8  Minute;                                               |
+//     UINT8  Second;                                               |
+//     UINT8  Pad1;                                                 |
+//     UINT32 Nanosecond;                                           |
+//     INT16  TimeZone;                                             |
+//     UINT8  Daylight;                                             |
+//     UINT8  Pad2;                                                 |
+//   } TimeStamp;                                                   |
+//                                                                  |
+//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
+//     struct WIN_CERTIFICATE {                                   | |
+//       UINT32 dwLength; ----------------------------------------+ |
+//       UINT16 wRevision;                                        | |
+//       UINT16 wCertificateType;                                 | |
+//     } Hdr;                                                     | +- DataSize
+//                                                                | |
+//     EFI_GUID CertType;                                         | |
+//     UINT8    CertData[1] = { <--- "struct hack"                | |
+//       struct EFI_SIGNATURE_LIST {                            | | |
+//         EFI_GUID SignatureType;                              | | |
+//         UINT32   SignatureListSize; -------------------------+ | |
+//         UINT32   SignatureHeaderSize;                        | | |
+//         UINT32   SignatureSize; ---------------------------+ | | |
+//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
+//                                                            v | | |
+//         struct EFI_SIGNATURE_DATA {                        | | | |
+//           EFI_GUID SignatureOwner;                         | | | |
+//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
+//             X.509 payload                                  | | | |
+//           }                                                | | | |
+//         } Signatures[];                                      | | |
+//       } SigLists[];                                            | |
+//     };                                                         | |
+//   } AuthInfo;                                                  | |
+// };                                                               |
+//
+// Given that the "struct hack" invokes undefined behavior (which is why C99
+// introduced the flexible array member), and because subtracting those pesky
+// sizes of 1 is annoying, and because the format is fully specified in the
+// UEFI specification, we'll introduce two matching convenience structures that
+// are customized for our X.509 purposes.
+//
+#pragma pack (1)
+typedef struct {
+  EFI_TIME TimeStamp;
+
+  //
+  // dwLength covers data below
+  //
+  UINT32   dwLength;
+  UINT16   wRevision;
+  UINT16   wCertificateType;
+  EFI_GUID CertType;
+} SINGLE_HEADER;
+
+typedef struct {
+  //
+  // SignatureListSize covers data below
+  //
+  EFI_GUID SignatureType;
+  UINT32   SignatureListSize;
+  UINT32   SignatureHeaderSize; // constant 0
+  UINT32   SignatureSize;
+
+  //
+  // SignatureSize covers data below
+  //
+  EFI_GUID SignatureOwner;
+
+  //
+  // X.509 certificate follows
+  //
+} REPEATING_HEADER;
+#pragma pack ()
+
+
+//
+// A structure that collects the values of UEFI variables related to Secure
+// Boot.
+//
+typedef struct {
+  UINT8 SetupMode;
+  UINT8 SecureBoot;
+  UINT8 SecureBootEnable;
+  UINT8 CustomMode;
+  UINT8 VendorKeys;
+} SETTINGS;
+
+#endif /* ENROLL_DEFAULT_KEYS_H_ */
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index 671efef8d6ad..fefea6638887 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -10,16 +10,18 @@
 #include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE
 #include <Library/BaseMemoryLib.h>               // CopyGuid()
 #include <Library/DebugLib.h>                    // ASSERT()
 #include <Library/MemoryAllocationLib.h>         // FreePool()
 #include <Library/ShellCEntryLib.h>              // ShellAppMain()
 #include <Library/UefiLib.h>                     // AsciiPrint()
 #include <Library/UefiRuntimeServicesTableLib.h> // gRT
 
+#include "EnrollDefaultKeys.h"
+
 //
 // We'll use the certificate below as both Platform Key and as first Key
 // Exchange Key.
 //
 // "Red Hat Secure Boot (PK/KEK key 1)/emailAddress=secalert@redhat.com"
 // SHA1: fd:fc:7f:3c:7e:f3:e0:57:76:ad:d7:98:78:21:6c:9b:e0:e1:95:97
 //
 STATIC CONST UINT8 mRedHatPkKek1[] = {
@@ -538,107 +540,16 @@ STATIC CONST UINT8 mSha256OfDevNull[] = {
 // EFI_SIGNATURE_DATA.SignatureData, and not the organization that issued
 // EFI_SIGNATURE_DATA.SignatureData.
 //
 STATIC CONST EFI_GUID mMicrosoftOwnerGuid = {
   0x77fa9abd, 0x0359, 0x4d32,
   { 0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b },
 };
 
-//
-// The most important thing about the variable payload is that it is a list of
-// lists, where the element size of any given *inner* list is constant.
-//
-// Since X509 certificates vary in size, each of our *inner* lists will contain
-// one element only (one X.509 certificate). This is explicitly mentioned in
-// the UEFI specification, in "28.4.1 Signature Database", in a Note.
-//
-// The list structure looks as follows:
-//
-// struct EFI_VARIABLE_AUTHENTICATION_2 {                           |
-//   struct EFI_TIME {                                              |
-//     UINT16 Year;                                                 |
-//     UINT8  Month;                                                |
-//     UINT8  Day;                                                  |
-//     UINT8  Hour;                                                 |
-//     UINT8  Minute;                                               |
-//     UINT8  Second;                                               |
-//     UINT8  Pad1;                                                 |
-//     UINT32 Nanosecond;                                           |
-//     INT16  TimeZone;                                             |
-//     UINT8  Daylight;                                             |
-//     UINT8  Pad2;                                                 |
-//   } TimeStamp;                                                   |
-//                                                                  |
-//   struct WIN_CERTIFICATE_UEFI_GUID {                           | |
-//     struct WIN_CERTIFICATE {                                   | |
-//       UINT32 dwLength; ----------------------------------------+ |
-//       UINT16 wRevision;                                        | |
-//       UINT16 wCertificateType;                                 | |
-//     } Hdr;                                                     | +- DataSize
-//                                                                | |
-//     EFI_GUID CertType;                                         | |
-//     UINT8    CertData[1] = { <--- "struct hack"                | |
-//       struct EFI_SIGNATURE_LIST {                            | | |
-//         EFI_GUID SignatureType;                              | | |
-//         UINT32   SignatureListSize; -------------------------+ | |
-//         UINT32   SignatureHeaderSize;                        | | |
-//         UINT32   SignatureSize; ---------------------------+ | | |
-//         UINT8    SignatureHeader[SignatureHeaderSize];     | | | |
-//                                                            v | | |
-//         struct EFI_SIGNATURE_DATA {                        | | | |
-//           EFI_GUID SignatureOwner;                         | | | |
-//           UINT8    SignatureData[1] = { <--- "struct hack" | | | |
-//             X.509 payload                                  | | | |
-//           }                                                | | | |
-//         } Signatures[];                                      | | |
-//       } SigLists[];                                            | |
-//     };                                                         | |
-//   } AuthInfo;                                                  | |
-// };                                                               |
-//
-// Given that the "struct hack" invokes undefined behavior (which is why C99
-// introduced the flexible array member), and because subtracting those pesky
-// sizes of 1 is annoying, and because the format is fully specified in the
-// UEFI specification, we'll introduce two matching convenience structures that
-// are customized for our X.509 purposes.
-//
-#pragma pack (1)
-typedef struct {
-  EFI_TIME TimeStamp;
-
-  //
-  // dwLength covers data below
-  //
-  UINT32   dwLength;
-  UINT16   wRevision;
-  UINT16   wCertificateType;
-  EFI_GUID CertType;
-} SINGLE_HEADER;
-
-typedef struct {
-  //
-  // SignatureListSize covers data below
-  //
-  EFI_GUID SignatureType;
-  UINT32   SignatureListSize;
-  UINT32   SignatureHeaderSize; // constant 0
-  UINT32   SignatureSize;
-
-  //
-  // SignatureSize covers data below
-  //
-  EFI_GUID SignatureOwner;
-
-  //
-  // X.509 certificate follows
-  //
-} REPEATING_HEADER;
-#pragma pack ()
-
 /**
   Enroll a set of certificates in a global variable, overwriting it.
 
   The variable will be rewritten with NV+BS+RT+AT attributes.
 
   @param[in] VariableName  The name of the variable to overwrite.
 
   @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to
@@ -839,24 +750,16 @@ GetExact (
     AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "
       "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);
     return EFI_PROTOCOL_ERROR;
   }
 
   return EFI_SUCCESS;
 }
 
-typedef struct {
-  UINT8 SetupMode;
-  UINT8 SecureBoot;
-  UINT8 SecureBootEnable;
-  UINT8 CustomMode;
-  UINT8 VendorKeys;
-} SETTINGS;
-
 STATIC
 EFI_STATUS
 GetSettings (
   OUT SETTINGS *Settings
   )
 {
   EFI_STATUS Status;
 
-- 
2.19.1.3.g30247aa5d201



  parent reply	other threads:[~2019-04-27  0:54 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-27  0:53 [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app Laszlo Ersek
2019-04-27  0:53 ` [PATCH 01/16] OvmfPkg: introduce EnrollDefaultKeys application Laszlo Ersek
2019-04-30  5:21   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 02/16] OvmfPkg/EnrollDefaultKeys: update @file comment blocks Laszlo Ersek
2019-04-30  5:13   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 03/16] OvmfPkg/EnrollDefaultKeys: refresh INF file Laszlo Ersek
2019-04-29 12:25   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 04/16] ArmVirtPkg: build EnrollDefaultKeys.efi Laszlo Ersek
2019-04-29 12:26   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 05/16] OvmfPkg/EnrollDefaultKeys: clean up minor whitespace wart Laszlo Ersek
2019-04-29 12:26   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 06/16] OvmfPkg/EnrollDefaultKeys: clean up global variable name prefixes Laszlo Ersek
2019-04-29 12:27   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 07/16] OvmfPkg/EnrollDefaultKeys: clean up acronym capitalization in identifiers Laszlo Ersek
2019-04-30  5:10   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 08/16] OvmfPkg/EnrollDefaultKeys: remove unneeded EFIAPI call. conv. specifiers Laszlo Ersek
2019-04-29 12:28   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` Laszlo Ersek [this message]
2019-04-29 12:30   ` [edk2-devel] [PATCH 09/16] OvmfPkg/EnrollDefaultKeys: extract typedefs to a header file Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 10/16] OvmfPkg/EnrollDefaultKeys: split out certificate and signature constants Laszlo Ersek
2019-04-29 12:33   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 11/16] OvmfPkg/EnrollDefaultKeys: extract MICROSOFT_VENDOR_GUID Laszlo Ersek
2019-04-30  5:11   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 12/16] OvmfPkg/EnrollDefaultKeys: describe functions with leading comment blocks Laszlo Ersek
2019-04-30  5:12   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 13/16] OvmfPkg/EnrollDefaultKeys: document the steps of the entry point function Laszlo Ersek
2019-04-29 12:36   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 14/16] OvmfPkg: introduce OVMF_PK_KEK1_APP_PREFIX_GUID Laszlo Ersek
2019-04-30  5:24   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 15/16] OvmfPkg/EnrollDefaultKeys: enroll PK/KEK1 from the Type 11 SMBIOS table Laszlo Ersek
2019-04-30  5:34   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  0:53 ` [PATCH 16/16] OvmfPkg/EnrollDefaultKeys: remove Red Hat's hard-coded PK/KEK1 Laszlo Ersek
2019-04-30  5:35   ` [edk2-devel] " Philippe Mathieu-Daudé
2019-04-27  1:07 ` [edk2-devel] [PATCH 00/16] OvmfPkg, ArmVirtPkg: upstream the EnrollDefaultKeys app Laszlo Ersek
2019-04-27  8:14 ` Ard Biesheuvel
2019-04-30  7:51 ` [edk2-devel] " Gary Lin
2019-04-30 12:32 ` Laszlo Ersek
2019-04-30 19:42   ` Ard Biesheuvel
2019-04-30 20:04     ` Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190427005328.27005-10-lersek@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox