From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-lf1-f46.google.com (mail-lf1-f46.google.com [209.85.167.46]) by mx.groups.io with SMTP id smtpd.web10.18275.1627901230255932210 for ; Mon, 02 Aug 2021 03:47:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@semihalf-com.20150623.gappssmtp.com header.s=20150623 header.b=Q/prJ2W/; spf=none, err=SPF record not found (domain: semihalf.com, ip: 209.85.167.46, mailfrom: gjb@semihalf.com) Received: by mail-lf1-f46.google.com with SMTP id m13so32862904lfg.13 for ; Mon, 02 Aug 2021 03:47:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=semihalf-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=bS9dO7tP35eK+jLF600V4hMv4fCV3UQqV4P58o7hptI=; b=Q/prJ2W/30bpJAU62mr4imErAjUgN+333eaKrL9oDE5NxKbziVHA38oiuiwcJXrL+s HyPzSaBtY35Sr76NYdIuEPlXjsiSn3NIfURHGqiliAwrmDJ4Bmn6Fb896E2xY+toQuEF 587L5I/e3RhjdXYqBzrFDl/2xrBwVtF/3yHnPDNy6JgEiDwYtOQ49HhuwMox1c9hujoB FSQ0Dk2uQ7Ao0I8omyG7Y2uzd43JncO0FiUmLcIXGjgv6O389X4gLDTkhAI7hS2dJF/d 830lE6dx27XPzP5ItKPwYGj82RCfuN8kBsubTDxeU43XRfOxCS5yc0ygrFThFgWWpGUe PAHA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=bS9dO7tP35eK+jLF600V4hMv4fCV3UQqV4P58o7hptI=; b=Z7+eBgP045o2C0UGCGplN2e1VE9uO4VRdcvcR7xU5cPgmzDUJc7FwweQJdalRSz4YW 2cDJwUJjv4ZDsLhUDJzB6uRzwev+wkhUAQi6h+fGDOVf8RIgfU8dvrM3A1tDslz/HYJJ hSXc2xviHAfWz2M0io2tF+fwPM3ibMimhvCqtnalGz6HjcTYMpZfgyyXGDN6JLPz4pfz 7/+EZ+wlK71thLylcRb+UAj1xJ7wuNU9O88YVgJKWKdEmubSvxQjdZjYx1ybzxQ/UOkk uvI5BPubqdaVzkuP1zfFysavyFMkRv1BkoxATr92SSVmSSxLlpDkMOiBXQ7ZKq6skaNC 1k0Q== X-Gm-Message-State: AOAM533tA2EaDmf9wojxaVQpZGKSrJNSeTC+CqVL9p+iFiHe/q7In3+8 UUP28KBpWKsbMdmJITD/vA3lxz+L63OdgxWH X-Google-Smtp-Source: ABdhPJxTP/SwZiqDCqBd4XFF6qrwS4kG9cnIFbzlyXVAdQAfPFwwZXI/gNIH3HML4tdsmq2CwoTI6w== X-Received: by 2002:a19:5e4c:: with SMTP id z12mr12383247lfi.275.1627901228361; Mon, 02 Aug 2021 03:47:08 -0700 (PDT) Return-Path: Received: from gilgamesh.lab.semihalf.net ([83.142.187.85]) by smtp.gmail.com with ESMTPSA id t27sm570174lfl.302.2021.08.02.03.47.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Aug 2021 03:47:08 -0700 (PDT) From: "Grzegorz Bernacki" To: devel@edk2.groups.io Cc: leif@nuviainc.com, ardb+tianocore@kernel.org, Samer.El-Haj-Mahmoud@arm.com, sunny.Wang@arm.com, mw@semihalf.com, upstream@semihalf.com, jiewen.yao@intel.com, jian.j.wang@intel.com, min.m.xu@intel.com, lersek@redhat.com, sami.mujawar@arm.com, afish@apple.com, ray.ni@intel.com, jordan.l.justen@intel.com, rebecca@bsdio.com, grehan@freebsd.org, thomas.abraham@arm.com, chasel.chiu@intel.com, nathaniel.l.desimone@intel.com, gaoliming@byosoft.com.cn, eric.dong@intel.com, michael.d.kinney@intel.com, zailiang.sun@intel.com, yi.qian@intel.com, graeme@nuviainc.com, rad@semihalf.com, pete@akeo.ie, Grzegorz Bernacki , Jiewen Yao , Sunny Wang Subject: [PATCH v8 06/11] SecurityPkg: Remove duplicated functions from SecureBootConfigDxe. Date: Mon, 2 Aug 2021 12:46:28 +0200 Message-Id: <20210802104633.2833333-7-gjb@semihalf.com> X-Mailer: git-send-email 2.29.0 In-Reply-To: <20210802104633.2833333-1-gjb@semihalf.com> References: <20210802104633.2833333-1-gjb@semihalf.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit This commit removes functions which were added to SecureBootVariableLib. It also adds dependecy on that library. Signed-off-by: Grzegorz Bernacki Reviewed-by: Jiewen Yao eviewed-by: Sunny Wang --- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 2 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 190 +------------------- 2 files changed, 4 insertions(+), 188 deletions(-) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf index 573efa6379..14c7311b08 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf @@ -54,6 +54,8 @@ DevicePathLib FileExplorerLib PeCoffLib + SecureBootVariableLib + SecureBootVariableProvisionLib [Guids] ## SOMETIMES_CONSUMES ## Variable:L"CustomMode" diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c index e82bfe7757..f527aa32e6 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c @@ -9,6 +9,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "SecureBootConfigImpl.h" #include +#include +#include CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION"; @@ -237,168 +239,6 @@ SaveSecureBootVariable ( return Status; } -/** - Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2 - descriptor with the input data. NO authentication is required in this function. - - @param[in, out] DataSize On input, the size of Data buffer in bytes. - On output, the size of data returned in Data - buffer in bytes. - @param[in, out] Data On input, Pointer to data buffer to be wrapped or - pointer to NULL to wrap an empty payload. - On output, Pointer to the new payload date buffer allocated from pool, - it's caller's responsibility to free the memory when finish using it. - - @retval EFI_SUCCESS Create time based payload successfully. - @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval Others Unexpected error happens. - -**/ -EFI_STATUS -CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data - ) -{ - EFI_STATUS Status; - UINT8 *NewData; - UINT8 *Payload; - UINTN PayloadSize; - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; - UINTN DescriptorSize; - EFI_TIME Time; - - if (Data == NULL || DataSize == NULL) { - return EFI_INVALID_PARAMETER; - } - - // - // In Setup mode or Custom mode, the variable does not need to be signed but the - // parameters to the SetVariable() call still need to be prepared as authenticated - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate - // data in it. - // - Payload = *Data; - PayloadSize = *DataSize; - - DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); - if (NewData == NULL) { - return EFI_OUT_OF_RESOURCES; - } - - if ((Payload != NULL) && (PayloadSize != 0)) { - CopyMem (NewData + DescriptorSize, Payload, PayloadSize); - } - - DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); - - ZeroMem (&Time, sizeof (EFI_TIME)); - Status = gRT->GetTime (&Time, NULL); - if (EFI_ERROR (Status)) { - FreePool(NewData); - return Status; - } - Time.Pad1 = 0; - Time.Nanosecond = 0; - Time.TimeZone = 0; - Time.Daylight = 0; - Time.Pad2 = 0; - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); - - DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - DescriptorData->AuthInfo.Hdr.wRevision = 0x0200; - DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID; - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); - - if (Payload != NULL) { - FreePool(Payload); - } - - *DataSize = DescriptorSize + PayloadSize; - *Data = NewData; - return EFI_SUCCESS; -} - -/** - Internal helper function to delete a Variable given its name and GUID, NO authentication - required. - - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Variable deleted successfully. - @retval Others The driver failed to start the device. - -**/ -EFI_STATUS -DeleteVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - VOID* Variable; - UINT8 *Data; - UINTN DataSize; - UINT32 Attr; - - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); - if (Variable == NULL) { - return EFI_SUCCESS; - } - FreePool (Variable); - - Data = NULL; - DataSize = 0; - Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - - Status = CreateTimeBasedPayload (&DataSize, &Data); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status)); - return Status; - } - - Status = gRT->SetVariable ( - VariableName, - VendorGuid, - Attr, - DataSize, - Data - ); - if (Data != NULL) { - FreePool (Data); - } - return Status; -} - -/** - - Set the platform secure boot mode into "Custom" or "Standard" mode. - - @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or - CUSTOM_SECURE_BOOT_MODE. - - @return EFI_SUCCESS The platform has switched to the special mode successfully. - @return other Fail to operate the secure boot mode. - -**/ -EFI_STATUS -SetSecureBootMode ( - IN UINT8 SecureBootMode - ) -{ - return gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, - sizeof (UINT8), - &SecureBootMode - ); -} - /** This code checks if the encode type and key strength of X.509 certificate is qualified. @@ -646,32 +486,6 @@ ON_EXIT: return Status; } -/** - Remove the PK variable. - - @retval EFI_SUCCESS Delete PK successfully. - @retval Others Could not allow to delete PK. - -**/ -EFI_STATUS -DeletePlatformKey ( - VOID -) -{ - EFI_STATUS Status; - - Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); - if (EFI_ERROR (Status)) { - return Status; - } - - Status = DeleteVariable ( - EFI_PLATFORM_KEY_NAME, - &gEfiGlobalVariableGuid - ); - return Status; -} - /** Enroll a new KEK item from public key storing file (*.pbk). -- 2.25.1