From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Jiewen Yao, Michael Kubacki
Subject: [PATCH v3 03/11] SecurityPkg: SecureBootVariableLib: Updated time based payload creator
Date: Thu, 30 Jun 2022 16:53:33 -0700
Message-Id: <20220630235341.1746-4-kuqin12@gmail.com>
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>

From: Kun Qin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909

This change updated the interface of 'CreateTimeBasedPayload' by requiring the caller to provide a timestamp, instead of relying on time protocol to be ready during runtime. It intends to extend the library availability during boot environment.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin
Reviewed-by: Jiewen Yao
Acked-by: Michael Kubacki
---

Notes:
    v3:
    - Added reviewed-by tag [Jiewen]
    - Added acked-by tag [Michael Kubacki]

SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 53 += +++++++++++-------- SecurityPkg/Include/Library/SecureBootVariableLib.h | 9 += ++- SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 8 += -- 3 files changed, 40 insertions(+), 30 deletions(-) diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index e0d137666e0e..3b33a356aba3 100644
--- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -6,8 +6,10 @@ (C) Copyright 2018 Hewlett Packard Enterprise Development LP
=0D Copyright (c) 2021, ARM Ltd. All rights reserved.
=0D Copyright (c) 2021, Semihalf All rights reserved.
=0D + Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D **/=0D +#include =0D #include =0D #include =0D #include =0D @@ -21,6 +23,21 @@ #include =0D #include "Library/DxeServicesLib.h"=0D =0D +// This time can be used when deleting variables, as it should be greater = than any variable time.=0D +EFI_TIME mMaxTimestamp =3D {=0D + 0xFFFF, // Year=0D + 0xFF, // Month=0D + 0xFF, // Day=0D + 0xFF, // Hour=0D + 0xFF, // Minute=0D + 0xFF, // Second=0D + 0x00,=0D + 0x00000000, // Nanosecond=0D + 0,=0D + 0,=0D + 0x00=0D +};=0D +=0D /** Creates EFI Signature List structure.=0D =0D @param[in] Data A pointer to signature data.=0D @@ -118,7 +135,7 @@ ConcatenateSigList ( =0D @param[in] KeyFileGuid A pointer to to the FFS filename GUID=0D @param[out] SigListsSize A pointer to size of signature list=0D - @param[out] SigListOut a pointer to a callee-allocated buffer w= ith signature lists=0D + @param[out] SigListsOut a pointer to a callee-allocated buffer = with signature lists=0D =0D @retval EFI_SUCCESS Create time based payload successfully.= =0D @retval EFI_NOT_FOUND Section with key has not been found.=0D 
@@ -210,28 +227,30 @@ SecureBootFetchData ( pointer to NULL to wrap an empty payloa= d.=0D On output, Pointer to the new payload d= ate buffer allocated from pool,=0D it's caller's responsibility to free th= e memory when finish using it.=0D + @param[in] Time Pointer to time information to created = time based payload.=0D =0D @retval EFI_SUCCESS Create time based payload successfully.= =0D @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload.=0D @retval EFI_INVALID_PARAMETER The parameter is invalid.=0D @retval Others Unexpected error happens.=0D =0D -**/=0D +--*/=0D EFI_STATUS=0D +EFIAPI=0D CreateTimeBasedPayload (=0D - IN OUT UINTN *DataSize,=0D - IN OUT UINT8 **Data=0D + IN OUT UINTN *DataSize,=0D + IN OUT UINT8 **Data,=0D + IN EFI_TIME *Time=0D )=0D {=0D - EFI_STATUS Status;=0D UINT8 *NewData;=0D UINT8 *Payload;=0D UINTN PayloadSize;=0D EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;=0D UINTN DescriptorSize;=0D - EFI_TIME Time;=0D =0D - if ((Data =3D=3D NULL) || (DataSize =3D=3D NULL)) {=0D + if ((Data =3D=3D NULL) || (DataSize =3D=3D NULL) || (Time =3D=3D NULL)) = {=0D + DEBUG ((DEBUG_ERROR, "%a(), invalid arg\n", __FUNCTION__));=0D return EFI_INVALID_PARAMETER;=0D }=0D =0D @@ -247,6 +266,7 @@ CreateTimeBasedPayload ( DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) += OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);=0D NewData =3D (UINT8 *)AllocateZeroPool (DescriptorSize + PayloadSi= ze);=0D if (NewData =3D=3D NULL) {=0D + DEBUG ((DEBUG_ERROR, "%a() Out of resources.\n", __FUNCTION__));=0D return EFI_OUT_OF_RESOURCES;=0D }=0D =0D 
@@ -256,19 +276,7 @@ CreateTimeBasedPayload ( =0D DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *)(NewData);=0D =0D - ZeroMem (&Time, sizeof (EFI_TIME));=0D - Status =3D gRT->GetTime (&Time, NULL);=0D - if (EFI_ERROR (Status)) {=0D - FreePool (NewData);=0D - return Status;=0D - }=0D -=0D - Time.Pad1 =3D 0;=0D - Time.Nanosecond =3D 0;=0D - Time.TimeZone =3D 0;=0D - Time.Daylight =3D 0;=0D - Time.Pad2 =3D 0;=0D - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));=0D + CopyMem (&DescriptorData->TimeStamp, Time, sizeof (EFI_TIME));=0D =0D DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERTIFI= CATE_UEFI_GUID, CertData);=0D DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200;=0D @@ -277,6 +285,7 @@ CreateTimeBasedPayload ( =0D if (Payload !=3D NULL) {=0D FreePool (Payload);=0D + Payload =3D NULL;=0D }=0D =0D *DataSize =3D DescriptorSize + PayloadSize;=0D @@ -296,6 +305,7 @@ CreateTimeBasedPayload ( =0D **/=0D EFI_STATUS=0D +EFIAPI=0D DeleteVariable (=0D IN CHAR16 *VariableName,=0D IN EFI_GUID *VendorGuid=0D @@ -319,7 +329,7 @@ DeleteVariable ( Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | E= FI_VARIABLE_BOOTSERVICE_ACCESS=0D | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;=0D =0D - Status =3D CreateTimeBasedPayload (&DataSize, &Data);=0D + Status =3D CreateTimeBasedPayload (&DataSize, &Data, &mMaxTimestamp);=0D if (EFI_ERROR (Status)) {=0D DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus));=0D return Status;=0D @@ -351,6 +361,7 @@ DeleteVariable ( =0D **/=0D EFI_STATUS=0D +EFIAPI=0D SetSecureBootMode (=0D IN UINT8 SecureBootMode=0D )=0D diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/Security= Pkg/Include/Library/SecureBootVariableLib.h index 7b7afd9cde7c..9f2d41220b70 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h @@ -6,6 +6,7 @@ Copyright (c) 2011 - 2018, Intel Corporation. All rights re= served.
(C) Copyright 2018 Hewlett Packard Enterprise Development LP
=0D Copyright (c) 2021, ARM Ltd. All rights reserved.
=0D Copyright (c) 2021, Semihalf All rights reserved.
=0D +Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D @@ -24,6 +25,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =0D --*/=0D EFI_STATUS=0D +EFIAPI=0D SetSecureBootMode (=0D IN UINT8 SecureBootMode=0D );=0D @@ -73,6 +75,7 @@ SecureBootFetchData ( pointer to NULL to wrap an empty payloa= d.=0D On output, Pointer to the new payload d= ate buffer allocated from pool,=0D it's caller's responsibility to free th= e memory when finish using it.=0D + @param[in] Time Pointer to time information to created = time based payload.=0D =0D @retval EFI_SUCCESS Create time based payload successfully.= =0D @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload.=0D @@ -81,9 +84,11 @@ SecureBootFetchData ( =0D --*/=0D EFI_STATUS=0D +EFIAPI=0D CreateTimeBasedPayload (=0D - IN OUT UINTN *DataSize,=0D - IN OUT UINT8 **Data=0D + IN OUT UINTN *DataSize,=0D + IN OUT UINT8 **Data,=0D + IN EFI_TIME *Time=0D );=0D =0D /**=0D diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf index ed7af3dd9cd5..87db5a258021 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf @@ -4,6 +4,7 @@ #=0D # Copyright (c) 2021, ARM Ltd. All rights reserved.
=0D # Copyright (c) 2021, Semihalf All rights reserved.
=0D +# Copyright (c) Microsoft Corporation.=0D #=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D @@ -68,12 +69,5 @@ [Guids] ## PRODUCES ## Variable:L"CustomMode"=0D gEfiCustomModeEnableGuid=0D =0D - gEfiCertTypeRsa2048Sha256Guid ## CONSUMES=0D gEfiCertX509Guid ## CONSUMES=0D gEfiCertPkcs7Guid ## CONSUMES=0D -=0D - gDefaultPKFileGuid=0D - gDefaultKEKFileGuid=0D - gDefaultdbFileGuid=0D - gDefaultdbxFileGuid=0D - gDefaultdbtFileGuid=0D --=20 2.36.0.windows.1
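
Review bot: In the `@@ -256,19 +276,7 @@` hunk of SecureBootVariableLib.c, the removed lines cleared `Pad1`, `Nanosecond`, `TimeZone`, `Daylight` and `Pad2` before the copy, and the replacement `CopyMem (&DescriptorData->TimeStamp, Time, sizeof (EFI_TIME));` passes the caller's structure through untouched. The UEFI specification requires those five fields to be zero in an EFI_VARIABLE_AUTHENTICATION_2 timestamp, so a caller that hands in the raw result of GetTime() now builds a descriptor the authenticated variable service can reject. Suggest clearing the five fields in `DescriptorData->TimeStamp` right after the copy, or stating in the `@param[in] Time` text that the caller must zero them.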
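
Review bot: `mMaxTimestamp`, added in the `@@ -21,6 +23,21 @@` hunk, is a writable global with external linkage, yet the only use visible in this patch reads it (`CreateTimeBasedPayload (&DataSize, &Data, &mMaxTimestamp)` in DeleteVariable). If it is private to the library, declare it `STATIC CONST EFI_TIME` and take the new parameter as `IN CONST EFI_TIME *Time`, so the value stamped on every delete payload cannot be modified elsewhere in the image. The four unlabelled initializers (`0x00`, `0`, `0`, `0x00`) would also read better with the field names next to them, as the other entries have.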
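
Review bot: The new `@param[in] Time` line in the `@@ -210,28 +227,30 @@` hunk, and its copy in the `@@ -73,6 +75,7 @@` hunk of SecureBootVariableLib.h, says "Pointer to time information to created time based payload"; "to created" should be "used to create", and the description should say which EFI_TIME fields the caller is expected to fill in. The same .c hunk changes the comment terminator from `**/` to `--*/`, while the other function headers visible in this file (for example the ones above DeleteVariable and SetSecureBootMode) still close with `**/`; keep `**/` unless the change is intentional.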
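
Review bot: The `@@ -296,6 +305,7 @@` hunk adds `EFIAPI` to the definition of DeleteVariable in SecureBootVariableLib.c, but the header diff only adds `EFIAPI` to SetSecureBootMode and CreateTimeBasedPayload. If DeleteVariable is declared in SecureBootVariableLib.h, its prototype needs the same `EFIAPI` so declaration and definition agree on the calling convention; if that is handled in another patch of the series, a note in the commit message would help.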
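
Review bot: The `[Guids]` hunk in SecureBootVariableLib.inf (`@@ -68,12 +69,5 @@`) drops `gEfiCertTypeRsa2048Sha256Guid` and the five `gDefault*FileGuid` entries, which the commit message does not mention; it describes only the timestamp parameter. Please confirm nothing left in the library references these GUIDs and say so in the commit message, or move the cleanup into its own patch. Since the `gRT->GetTime` call is removed and an `#include` is added in the .c file, the `[LibraryClasses]` section, which this diff does not touch, should be checked against the new set of dependencies as well.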