From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu
Subject: [PATCH v2 03/11] SecurityPkg: SecureBootVariableLib: Updated time based payload creator
Date: Mon, 13 Jun 2022 13:39:34 -0700
Message-Id: <20220613203943.704-4-kuqin12@gmail.com>
In-Reply-To: <20220613203943.704-1-kuqin12@gmail.com>
References: <20220613203943.704-1-kuqin12@gmail.com>

From: Kun Qin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909

This change updated the interface of 'CreateTimeBasedPayload' by requiring the caller to provide a timestamp, instead of relying on time protocol to be ready during runtime. It intends to extend the library availability during boot environment.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin
---
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 53 ++++++++++++--------
 SecurityPkg/Include/Library/SecureBootVariableLib.h | 9 +++-
 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 8 +--
 3 files changed, 40 insertions(+), 30 deletions(-)

diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index e0d137666e0e..3b33a356aba3 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -6,8 +6,10 @@ (C) Copyright 2018 Hewlett Packard Enterprise Development LP
Copyright (c) 2021, ARM Ltd. All rights reserved.
Copyright (c) 2021, Semihalf All rights reserved.
+ Copyright (c) Microsoft Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include #include #include #include @@ -21,6 +23,21 @@ #include #include "Library/DxeServicesLib.h" +// This time can be used when deleting variables, as it should be greater than any variable time. +EFI_TIME mMaxTimestamp = { + 0xFFFF, // Year + 0xFF, // Month + 0xFF, // Day + 0xFF, // Hour + 0xFF, // Minute + 0xFF, // Second + 0x00, + 0x00000000, // Nanosecond + 0, + 0, + 0x00 +}; + /** Creates EFI Signature List structure. @param[in] Data A pointer to signature data. @@ -118,7 +135,7 @@ ConcatenateSigList ( @param[in] KeyFileGuid A pointer to to the FFS filename GUID @param[out] SigListsSize A pointer to size of signature list - @param[out] SigListOut a pointer to a callee-allocated buffer with signature lists + @param[out] SigListsOut a pointer to a callee-allocated buffer with signature lists @retval EFI_SUCCESS Create time based payload successfully. @retval EFI_NOT_FOUND Section with key has not been found. 
@@ -210,28 +227,30 @@ SecureBootFetchData ( pointer to NULL to wrap an empty payload. On output, Pointer to the new payload date buffer allocated from pool, it's caller's responsibility to free the memory when finish using it. + @param[in] Time Pointer to time information to created time based payload. @retval EFI_SUCCESS Create time based payload successfully. @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload. @retval EFI_INVALID_PARAMETER The parameter is invalid. @retval Others Unexpected error happens. -**/ +--*/ EFI_STATUS +EFIAPI CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data + IN OUT UINTN *DataSize, + IN OUT UINT8 **Data, + IN EFI_TIME *Time ) { - EFI_STATUS Status; UINT8 *NewData; UINT8 *Payload; UINTN PayloadSize; EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; UINTN DescriptorSize; - EFI_TIME Time; - if ((Data == NULL) || (DataSize == NULL)) { + if ((Data == NULL) || (DataSize == NULL) || (Time == NULL)) { + DEBUG ((DEBUG_ERROR, "%a(), invalid arg\n", __FUNCTION__)); return EFI_INVALID_PARAMETER; } @@ -247,6 +266,7 @@ CreateTimeBasedPayload ( DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); NewData = (UINT8 *)AllocateZeroPool (DescriptorSize + PayloadSize); if (NewData == NULL) { + DEBUG ((DEBUG_ERROR, "%a() Out of resources.\n", __FUNCTION__)); return EFI_OUT_OF_RESOURCES; } 
@@ -256,19 +276,7 @@ CreateTimeBasedPayload ( DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *)(NewData); - ZeroMem (&Time, sizeof (EFI_TIME)); - Status = gRT->GetTime (&Time, NULL); - if (EFI_ERROR (Status)) { - FreePool (NewData); - return Status; - } - - Time.Pad1 = 0; - Time.Nanosecond = 0; - Time.TimeZone = 0; - Time.Daylight = 0; - Time.Pad2 = 0; - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); + CopyMem (&DescriptorData->TimeStamp, Time, sizeof (EFI_TIME)); DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); DescriptorData->AuthInfo.Hdr.wRevision = 0x0200; @@ -277,6 +285,7 @@ CreateTimeBasedPayload ( if (Payload != NULL) { FreePool (Payload); + Payload = NULL; } *DataSize = DescriptorSize + PayloadSize; @@ -296,6 +305,7 @@ CreateTimeBasedPayload ( **/ EFI_STATUS +EFIAPI DeleteVariable ( IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid @@ -319,7 +329,7 @@ DeleteVariable ( Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&DataSize, &Data); + Status = CreateTimeBasedPayload (&DataSize, &Data, &mMaxTimestamp); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); return Status; @@ -351,6 +361,7 @@ DeleteVariable ( **/ EFI_STATUS +EFIAPI SetSecureBootMode ( IN UINT8 SecureBootMode ) diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/SecurityPkg/Include/Library/SecureBootVariableLib.h index 7b7afd9cde7c..9f2d41220b70 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h @@ -6,6 +6,7 @@ Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
(C) Copyright 2018 Hewlett Packard Enterprise Development LP
Copyright (c) 2021, ARM Ltd. All rights reserved.
Copyright (c) 2021, Semihalf All rights reserved.
+Copyright (c) Microsoft Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -24,6 +25,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent --*/ EFI_STATUS +EFIAPI SetSecureBootMode ( IN UINT8 SecureBootMode ); @@ -73,6 +75,7 @@ SecureBootFetchData ( pointer to NULL to wrap an empty payload. On output, Pointer to the new payload date buffer allocated from pool, it's caller's responsibility to free the memory when finish using it. + @param[in] Time Pointer to time information to created time based payload. @retval EFI_SUCCESS Create time based payload successfully. @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload. @@ -81,9 +84,11 @@ SecureBootFetchData ( --*/ EFI_STATUS +EFIAPI CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data + IN OUT UINTN *DataSize, + IN OUT UINT8 **Data, + IN EFI_TIME *Time ); /** diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf index ed7af3dd9cd5..87db5a258021 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf @@ -4,6 +4,7 @@ # # Copyright (c) 2021, ARM Ltd. All rights reserved.
# Copyright (c) 2021, Semihalf All rights reserved.
+# Copyright (c) Microsoft Corporation. # # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -68,12 +69,5 @@ [Guids] ## PRODUCES ## Variable:L"CustomMode" gEfiCustomModeEnableGuid - gEfiCertTypeRsa2048Sha256Guid ## CONSUMES gEfiCertX509Guid ## CONSUMES gEfiCertPkcs7Guid ## CONSUMES - - gDefaultPKFileGuid - gDefaultKEKFileGuid - gDefaultdbFileGuid - gDefaultdbxFileGuid - gDefaultdbtFileGuid -- 2.35.1.windows.2
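Review bot: mMaxTimestamp, added near the top of SecureBootVariableLib.c, is a writable global with external linkage (`EFI_TIME mMaxTimestamp = {`), although the only visible use is as a constant passed to CreateTimeBasedPayload from DeleteVariable. Anything linked with this library instance can modify it or clash with the name; declaring it STATIC CONST, and taking `IN CONST EFI_TIME *Time` in the prototype, would keep the deletion timestamp immutable. The initializer comments label only Year through Second and Nanosecond; labelling Pad1, TimeZone, Daylight and Pad2 as well would show at a glance that the fields the old code zeroed are still zero here.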
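Review bot: CreateTimeBasedPayload now copies the caller's EFI_TIME into DescriptorData->TimeStamp unchanged, so the normalisation the removed lines performed (Pad1, Nanosecond, TimeZone, Daylight and Pad2 forced to 0) is lost and becomes an undocumented obligation on every caller. Either keep those five assignments on the copied TimeStamp after the CopyMem, or reject a Time with any of them non-zero next to the new NULL check, and state the requirement in the `@param[in] Time` text in both the .c and the .h. Smaller points in the same function: the comment terminator in the .c was changed from `**/` to `--*/`, and "to created time based payload" should read "used to create the time based payload".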
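Review bot: The [Guids] hunk in SecureBootVariableLib.inf drops gEfiCertTypeRsa2048Sha256Guid and the five gDefault*FileGuid entries, which the commit message, being about the CreateTimeBasedPayload timestamp parameter, does not mention. Please explain in the commit message why they are no longer needed, or move the cleanup to its own patch, and confirm nothing left in the library references them. The .c file also gains an #include and loses its gRT->GetTime call, yet the INF diff touches only the copyright header and [Guids]; check that [LibraryClasses] still matches what the source uses.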