From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) by mx.groups.io with SMTP id smtpd.web10.10962.1655152806436217573 for ; Mon, 13 Jun 2022 13:40:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=O4GTXpkH; spf=pass (domain: gmail.com, ip: 209.85.216.49, mailfrom: kuqin12@gmail.com) Received: by mail-pj1-f49.google.com with SMTP id v11-20020a17090a4ecb00b001e2c5b837ccso9895498pjl.3 for ; Mon, 13 Jun 2022 13:40:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Hwj0idEqDxclKv71G1Sh6yL70XYU5g7Z/ZGdEIHHKkQ=; b=O4GTXpkHdAoQ3uiV73jeCEt5xgOBdMWTjD7xoXNYQRuce4Q4ppdxmmcv4DoYq9xyDf 4o/ATCXCfauxFvUby8tPJMZjgTB7NzpLdxMPs8R3NLAoKK5yU3pSvpKqxzj4Mj6szsS3 6UxrTu2H+YqQWXy3NrzZumTaeA7kWWkbU9m8i+vMKsLRXrJjcTrkpE1fTfVzgChWimvv k856pxRsr9rkZU/NCzUDCbvJlzihySMde8ieTEAzlNdMsXMgG6gGd5ejOBwSvWiHFHBt 5if7TnlJABPRysrPfh1jenb+BJklbL+ejIXtHMbYZC1jOz23+P8pQOxCoXFuCbkshPLl Dtzw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Hwj0idEqDxclKv71G1Sh6yL70XYU5g7Z/ZGdEIHHKkQ=; b=6/JQUDT+arI1PyP56NgGLA5K+Eov3kqXwnwxmeqgmrXbN315u4mpx0TY1npexalZwG +IJKBw3U4ZJEDVqsG2FeLUfDHloOVs5Fm7cTQ/dcASdtopH8no62CT3+IQK3XlP4PZmB N2uqLabmvmGN/5wNFO5nTiYzmgiEj10bvpjoO1pOESzPlicu8HEQ8bIqtIdiW5xoW6CW C4Kmj9UXmzWCHrArG6W3lNMJ3Nw3MN8z4VNlcoVQmwg9Qd4ZP6TZMAtKHni7PfRJgaSw IxxcmQZ4dcQl2t79haxWzUlGcbiKFQ2VTEg0QmZ2Bg0/AYwnRydU1ccsg65HMeSx2TXD BrLQ== X-Gm-Message-State: AJIora8RhhP0cwoYuM0E0FZ8dknOnumSGODvoEPrLCuMynhidlaoD7D1 3sWVEYDNFSHwyKX2wujYmri+8NCSA6stmQ== X-Google-Smtp-Source: AGRyM1tUqHIBFEo9uUk+FqCuopmewCHW6MO9lArJj4WkoEWzvGbYj6GsCpDrxHiJUJy7tJAkEO0Z0w== X-Received: by 2002:a17:90b:388f:b0:1e8:57db:443 with SMTP id mu15-20020a17090b388f00b001e857db0443mr587686pjb.52.1655152805830; Mon, 13 Jun 2022 13:40:05 -0700 (PDT) Return-Path: Received: from localhost.localdomain ([50.35.66.9]) by smtp.gmail.com with ESMTPSA id g14-20020a17090a578e00b001ea90dada74sm5603239pji.12.2022.06.13.13.40.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Jun 2022 13:40:05 -0700 (PDT) From: "Kun Qin" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu Subject: [PATCH v2 08/11] SecurityPkg: SecureBootConfigDxe: Updated invocation pattern Date: Mon, 13 Jun 2022 13:39:39 -0700 Message-Id: <20220613203943.704-9-kuqin12@gmail.com> X-Mailer: git-send-email 2.35.1.windows.2 In-Reply-To: <20220613203943.704-1-kuqin12@gmail.com> References: <20220613203943.704-1-kuqin12@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Kun Qin REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909 This change is in pair with the previous SecureBootVariableLib change, which updated the interface of `CreateTimeBasedPayload`. This change added a helper function to query the current time through Real Time Clock protocol. This function is used when needing to format an authenticated variable payload. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Signed-off-by: Kun Qin --- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 127 ++++++++++++++++++-- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 + 2 files changed, 119 insertions(+), 9 deletions(-) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c index a13c349a0f89..4299a6b5e56d 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c @@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "SecureBootConfigImpl.h" #include #include +#include #include #include #include @@ -136,6 +137,51 @@ CloseEnrolledFile ( FileContext->FileType = UNKNOWN_FILE_TYPE; } +/** + Helper function to populate an EFI_TIME instance. + + @param[in] Time FileContext cached in SecureBootConfig driver + +**/ +STATIC +EFI_STATUS +GetCurrentTime ( + IN EFI_TIME *Time + ) +{ + EFI_STATUS Status; + VOID *TestPointer; + + if (Time == NULL) { + return EFI_INVALID_PARAMETER; + } + + Status = gBS->LocateProtocol (&gEfiRealTimeClockArchProtocolGuid, NULL, &TestPointer); + if (EFI_ERROR (Status)) { + return Status; + } + + ZeroMem (Time, sizeof (EFI_TIME)); + Status = gRT->GetTime (Time, NULL); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_ERROR, + "%a(), GetTime() failed, status = '%r'\n", + __FUNCTION__, + Status + )); + return Status; + } + + Time->Pad1 = 0; + Time->Nanosecond = 0; + Time->TimeZone = 0; + Time->Daylight = 0; + Time->Pad2 = 0; + + return EFI_SUCCESS; +} + /** This code checks if the FileSuffix is one of the possible DER-encoded certificate suffix. @@ -436,6 +482,7 @@ EnrollPlatformKey ( UINT32 Attr; UINTN DataSize; EFI_SIGNATURE_LIST *PkCert; + EFI_TIME Time; PkCert = NULL; @@ -463,7 +510,13 @@ EnrollPlatformKey ( Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; DataSize = PkCert->SignatureListSize; - Status = CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -522,6 +575,7 @@ EnrollRsa2048ToKek ( UINTN KekSigListSize; UINT8 *KeyBuffer; UINTN KeyLenInBytes; + EFI_TIME Time; Attr = 0; DataSize = 0; @@ -608,7 +662,13 @@ EnrollRsa2048ToKek ( // Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigList); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigList, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -689,6 +749,7 @@ EnrollX509ToKek ( UINTN DataSize; UINTN KekSigListSize; UINT32 Attr; + EFI_TIME Time; X509Data = NULL; X509DataSize = 0; @@ -735,7 +796,13 @@ EnrollX509ToKek ( // Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigList); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigList, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -861,6 +928,7 @@ EnrollX509toSigDB ( UINTN DataSize; UINTN SigDBSize; UINT32 Attr; + EFI_TIME Time; X509DataSize = 0; SigDBSize = 0; @@ -910,7 +978,13 @@ EnrollX509toSigDB ( // Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -1321,6 +1395,7 @@ EnrollX509HashtoSigDB ( UINT16 *FilePostFix; UINTN NameLength; EFI_TIME *Time; + EFI_TIME NewTime; X509DataSize = 0; DbSize = 0; @@ -1490,7 +1565,13 @@ EnrollX509HashtoSigDB ( DataSize = DbSize; } - Status = CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); + Status = GetCurrentTime (&NewTime); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data, &NewTime); if (EFI_ERROR (Status)) { goto ON_EXIT; } @@ -2169,6 +2250,7 @@ EnrollImageSignatureToSigDB ( UINTN SigDBSize; UINT32 Attr; WIN_CERTIFICATE_UEFI_GUID *GuidCertData; + EFI_TIME Time; Data = NULL; GuidCertData = NULL; @@ -2267,7 +2349,13 @@ EnrollImageSignatureToSigDB ( Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -2609,6 +2697,7 @@ DeleteKeyExchangeKey ( UINT32 KekDataSize; UINTN DeleteKekIndex; UINTN GuidIndex; + EFI_TIME Time; Data = NULL; OldData = NULL; @@ -2727,7 +2816,13 @@ DeleteKeyExchangeKey ( DataSize = Offset; if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { - Status = CreateTimeBasedPayload (&DataSize, &OldData); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&DataSize, &OldData, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -2805,6 +2900,7 @@ DeleteSignature ( BOOLEAN IsItemFound; UINT32 ItemDataSize; UINTN GuidIndex; + EFI_TIME Time; Data = NULL; OldData = NULL; @@ -2931,7 +3027,13 @@ DeleteSignature ( DataSize = Offset; if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { - Status = CreateTimeBasedPayload (&DataSize, &OldData); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&DataSize, &OldData, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -3000,6 +3102,7 @@ DeleteSignatureEx ( UINTN Offset; UINT8 *VariableData; UINT8 *NewVariableData; + EFI_TIME Time; Status = EFI_SUCCESS; VariableAttr = 0; @@ -3120,7 +3223,13 @@ DeleteSignatureEx ( } if ((VariableAttr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { - Status = CreateTimeBasedPayload (&VariableDataSize, &NewVariableData); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&VariableDataSize, &NewVariableData, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf index 420687a21141..1671d5be7ccd 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf @@ -111,6 +111,7 @@ [Protocols] gEfiHiiConfigAccessProtocolGuid ## PRODUCES gEfiDevicePathProtocolGuid ## PRODUCES gEfiHiiPopupProtocolGuid + gEfiRealTimeClockArchProtocolGuid ## CONSUMES [Depex] gEfiHiiConfigRoutingProtocolGuid AND -- 2.35.1.windows.2