From: "Grzegorz Bernacki"
To: devel@edk2.groups.io
Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki, Jiewen Yao, Sunny Wang
Subject: [PATCH v7 06/11] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe.
Date: Fri, 30 Jul 2021 12:23:21 +0200
Message-Id: <20210730102326.2814466-7-gjb@semihalf.com>
In-Reply-To: <20210730102326.2814466-1-gjb@semihalf.com>
References: <20210730102326.2814466-1-gjb@semihalf.com>

This commit removes functions which were added to SecureBootVariableLib. It also adds dependency on that library.

Signed-off-by: Grzegorz Bernacki
Reviewed-by: Jiewen Yao
Reviewed-by: Sunny Wang
---
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 +
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 190 +-------------------
 2 files changed, 4 insertions(+), 188 deletions(-)
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf index 573efa6379..14c7311b08 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf @@ -54,6 +54,8 @@ DevicePathLib FileExplorerLib PeCoffLib + SecureBootVariableLib + SecureBootVariableProvisionLib [Guids] ## SOMETIMES_CONSUMES ## Variable:L"CustomMode" diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c index e82bfe7757..f527aa32e6 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c @@ -9,6 +9,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "SecureBootConfigImpl.h" #include +#include +#include CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION"; 
@@ -237,168 +239,6 @@ SaveSecureBootVariable ( return Status; } -/** - Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2 - descriptor with the input data. NO authentication is required in this function. - - @param[in, out] DataSize On input, the size of Data buffer in bytes. - On output, the size of data returned in Data - buffer in bytes. - @param[in, out] Data On input, Pointer to data buffer to be wrapped or - pointer to NULL to wrap an empty payload. - On output, Pointer to the new payload date buffer allocated from pool, - it's caller's responsibility to free the memory when finish using it. - - @retval EFI_SUCCESS Create time based payload successfully. - @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval Others Unexpected error happens. - -**/ -EFI_STATUS -CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data - ) -{ - EFI_STATUS Status; - UINT8 *NewData; - UINT8 *Payload; - UINTN PayloadSize; - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; - UINTN DescriptorSize; - EFI_TIME Time; - - if (Data == NULL || DataSize == NULL) { - return EFI_INVALID_PARAMETER; - } - - // - // In Setup mode or Custom mode, the variable does not need to be signed but the - // parameters to the SetVariable() call still need to be prepared as authenticated - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate - // data in it. 
- // - Payload = *Data; - PayloadSize = *DataSize; - - DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); - if (NewData == NULL) { - return EFI_OUT_OF_RESOURCES; - } - - if ((Payload != NULL) && (PayloadSize != 0)) { - CopyMem (NewData + DescriptorSize, Payload, PayloadSize); - } - - DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); - - ZeroMem (&Time, sizeof (EFI_TIME)); - Status = gRT->GetTime (&Time, NULL); - if (EFI_ERROR (Status)) { - FreePool(NewData); - return Status; - } - Time.Pad1 = 0; - Time.Nanosecond = 0; - Time.TimeZone = 0; - Time.Daylight = 0; - Time.Pad2 = 0; - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); - - DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - DescriptorData->AuthInfo.Hdr.wRevision = 0x0200; - DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); - - if (Payload != NULL) { - FreePool(Payload); - } - - *DataSize = DescriptorSize + PayloadSize; - *Data = NewData; - return EFI_SUCCESS; -} - -/** - Internal helper function to delete a Variable given its name and GUID, NO authentication - required. - - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Variable deleted successfully. - @retval Others The driver failed to start the device. 
- -**/ -EFI_STATUS -DeleteVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - VOID* Variable; - UINT8 *Data; - UINTN DataSize; - UINT32 Attr; - - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); - if (Variable == NULL) { - return EFI_SUCCESS; - } - FreePool (Variable); - - Data = NULL; - DataSize = 0; - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - - Status = CreateTimeBasedPayload (&DataSize, &Data); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - return Status; - } - - Status = gRT->SetVariable ( - VariableName, - VendorGuid, - Attr, - DataSize, - Data - ); - if (Data != NULL) { - FreePool (Data); - } - return Status; -} - -/** - - Set the platform secure boot mode into "Custom" or "Standard" mode. - - @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or - CUSTOM_SECURE_BOOT_MODE. - - @return EFI_SUCCESS The platform has switched to the special mode successfully. - @return other Fail to operate the secure boot mode. - -**/ -EFI_STATUS -SetSecureBootMode ( - IN UINT8 SecureBootMode - ) -{ - return gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - sizeof (UINT8), - &SecureBootMode - ); -} - /** This code checks if the encode type and key strength of X.509 certificate is qualified. 
@@ -646,32 +486,6 @@ ON_EXIT: return Status; } -/** - Remove the PK variable. - - @retval EFI_SUCCESS Delete PK successfully. - @retval Others Could not allow to delete PK. - -**/ -EFI_STATUS -DeletePlatformKey ( - VOID -) -{ - EFI_STATUS Status; - - Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); - if (EFI_ERROR (Status)) { - return Status; - } - - Status = DeleteVariable ( - EFI_PLATFORM_KEY_NAME, - &gEfiGlobalVariableGuid - ); - return Status; -} - /** Enroll a new KEK item from public key storing file (*.pbk). -- 2.25.1
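Review bot: In the SecureBootConfigDxe.inf hunk (@@ -54,6 +54,8 @@), two library classes are added, SecureBootVariableLib and SecureBootVariableProvisionLib, but the commit message only mentions a dependency on SecureBootVariableLib. Please name both in the commit message and say which of the removed functions needs SecureBootVariableProvisionLib. Every platform DSC that builds this driver must now resolve both classes, so it is also worth confirming that the DSC updates land earlier in the series than this patch, which keeps the tree bisectable.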
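Review bot: In the SecureBootConfigImpl.c hunk at @@ -237,168 +239,6 @@, the removed CreateTimeBasedPayload() takes ownership of the caller's buffer: it frees the input with FreePool(Payload) and hands back a newly allocated buffer in *Data. Any callers left in this file depend on that contract, so please confirm that the library version frees and replaces *Data the same way; a version that leaves the input allocated would leak, and one that treats the NULL payload differently would change what DeleteVariable() passes to SetVariable(). The diffstat shows only the .inf and .c files changing, so also check that SecureBootConfigImpl.h carries no leftover prototypes for CreateTimeBasedPayload, DeleteVariable or SetSecureBootMode that would now duplicate the library headers.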
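Review bot: In the SecureBootConfigImpl.c hunk at @@ -646,32 +486,6 @@, the removed DeletePlatformKey() calls SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE) before DeleteVariable() on EFI_PLATFORM_KEY_NAME and never restores the previous mode. The payload built by CreateTimeBasedPayload() carries no certificate data, and the removed comment notes that this is only accepted in Setup or Custom mode, so the library replacement has to keep the same ordering and the same early return when the mode switch fails. Please state in the commit message which library now provides DeletePlatformKey(), and consider noting there that it leaves CustomMode set, since that side effect is no longer visible to someone reading this driver.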