From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Jiewen Yao, Michael Kubacki
Subject: [PATCH v3 08/11] SecurityPkg: SecureBootConfigDxe: Updated invocation pattern
Date: Thu, 30 Jun 2022 16:53:38 -0700
Message-Id: <20220630235341.1746-9-kuqin12@gmail.com>
X-Mailer: git-send-email 2.36.0.windows.1
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

From: Kun Qin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909

This change is in pair with the previous SecureBootVariableLib change, which updated the interface of `CreateTimeBasedPayload`.

This change added a helper function to query the current time through Real Time Clock protocol. This function is used when needing to format an authenticated variable payload.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin
Reviewed-by: Jiewen Yao
Acked-by: Michael Kubacki
---

Notes:
    v3:
    - Added reviewed-by tag [Jiewen]
    - Added acked-by tag [Michael Kubacki]

 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c | 127 ++++++++++++++++++--
 SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf | 1 +
 2 files changed, 119 insertions(+), 9 deletions(-)

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index a13c349a0f89..4299a6b5e56d 100644 
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "SecureBootConfigImpl.h"=0D #include =0D #include =0D +#include =0D #include =0D #include =0D #include =0D @@ -136,6 +137,51 @@ CloseEnrolledFile ( FileContext->FileType =3D UNKNOWN_FILE_TYPE;=0D }=0D =0D +/**=0D + Helper function to populate an EFI_TIME instance.=0D +=0D + @param[in] Time FileContext cached in SecureBootConfig driver=0D +=0D +**/=0D +STATIC=0D +EFI_STATUS=0D +GetCurrentTime (=0D + IN EFI_TIME *Time=0D + )=0D +{=0D + EFI_STATUS Status;=0D + VOID *TestPointer;=0D +=0D + if (Time =3D=3D NULL) {=0D + return EFI_INVALID_PARAMETER;=0D + }=0D +=0D + Status =3D gBS->LocateProtocol (&gEfiRealTimeClockArchProtocolGuid, NULL= , &TestPointer);=0D + if (EFI_ERROR (Status)) {=0D + return Status;=0D + }=0D +=0D + ZeroMem (Time, sizeof (EFI_TIME));=0D + Status =3D gRT->GetTime (Time, NULL);=0D + if (EFI_ERROR (Status)) {=0D + DEBUG ((=0D + DEBUG_ERROR,=0D + "%a(), GetTime() failed, status =3D '%r'\n",=0D + __FUNCTION__,=0D + Status=0D + ));=0D + return Status;=0D + }=0D +=0D + Time->Pad1 =3D 0;=0D + Time->Nanosecond =3D 0;=0D + Time->TimeZone =3D 0;=0D + Time->Daylight =3D 0;=0D + Time->Pad2 =3D 0;=0D +=0D + return EFI_SUCCESS;=0D +}=0D +=0D /**=0D This code checks if the FileSuffix is one of the possible DER-encoded ce= rtificate suffix.=0D =0D @@ -436,6 +482,7 @@ EnrollPlatformKey ( UINT32 Attr;=0D UINTN DataSize;=0D EFI_SIGNATURE_LIST *PkCert;=0D + EFI_TIME Time;=0D =0D PkCert =3D NULL;=0D =0D 
@@ -463,7 +510,13 @@ EnrollPlatformKey ( Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS=0D | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS;=0D DataSize =3D PkCert->SignatureListSize;=0D - Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert);=0D + Status =3D GetCurrentTime (&Time);=0D + if (EFI_ERROR (Status)) {=0D + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=0D + goto ON_EXIT;=0D + }=0D +=0D + Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert, &Time);= =0D if (EFI_ERROR (Status)) {=0D DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus));=0D goto ON_EXIT;=0D @@ -522,6 +575,7 @@ EnrollRsa2048ToKek ( UINTN KekSigListSize;=0D UINT8 *KeyBuffer;=0D UINTN KeyLenInBytes;=0D + EFI_TIME Time;=0D =0D Attr =3D 0;=0D DataSize =3D 0;=0D @@ -608,7 +662,13 @@ EnrollRsa2048ToKek ( //=0D Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS=0D | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS;=0D - Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t);=0D + Status =3D GetCurrentTime (&Time);=0D + if (EFI_ERROR (Status)) {=0D + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=0D + goto ON_EXIT;=0D + }=0D +=0D + Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t, &Time);=0D if (EFI_ERROR (Status)) {=0D DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus));=0D goto ON_EXIT;=0D @@ -689,6 +749,7 @@ EnrollX509ToKek ( UINTN DataSize;=0D UINTN KekSigListSize;=0D UINT32 Attr;=0D + EFI_TIME Time;=0D =0D X509Data =3D NULL;=0D X509DataSize =3D 0;=0D 
@@ -735,7 +796,13 @@ EnrollX509ToKek ( //=0D Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS=0D | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS;=0D - Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t);=0D + Status =3D GetCurrentTime (&Time);=0D + if (EFI_ERROR (Status)) {=0D + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=0D + goto ON_EXIT;=0D + }=0D +=0D + Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t, &Time);=0D if (EFI_ERROR (Status)) {=0D DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus));=0D goto ON_EXIT;=0D @@ -861,6 +928,7 @@ EnrollX509toSigDB ( UINTN DataSize;=0D UINTN SigDBSize;=0D UINT32 Attr;=0D + EFI_TIME Time;=0D =0D X509DataSize =3D 0;=0D SigDBSize =3D 0;=0D @@ -910,7 +978,13 @@ EnrollX509toSigDB ( //=0D Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS=0D | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS;=0D - Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data);=0D + Status =3D GetCurrentTime (&Time);=0D + if (EFI_ERROR (Status)) {=0D + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=0D + goto ON_EXIT;=0D + }=0D +=0D + Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time);= =0D if (EFI_ERROR (Status)) {=0D DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus));=0D goto ON_EXIT;=0D @@ -1321,6 +1395,7 @@ EnrollX509HashtoSigDB ( UINT16 *FilePostFix;=0D UINTN NameLength;=0D EFI_TIME *Time;=0D + EFI_TIME NewTime;=0D =0D X509DataSize =3D 0;=0D DbSize =3D 0;=0D 
@@ -1490,7 +1565,13 @@ EnrollX509HashtoSigDB ( DataSize =3D DbSize;=0D }=0D =0D - Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);=0D + Status =3D GetCurrentTime (&NewTime);=0D + if (EFI_ERROR (Status)) {=0D + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=0D + goto ON_EXIT;=0D + }=0D +=0D + Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data, &NewTime)= ;=0D if (EFI_ERROR (Status)) {=0D goto ON_EXIT;=0D }=0D @@ -2169,6 +2250,7 @@ EnrollImageSignatureToSigDB ( UINTN SigDBSize;=0D UINT32 Attr;=0D WIN_CERTIFICATE_UEFI_GUID *GuidCertData;=0D + EFI_TIME Time;=0D =0D Data =3D NULL;=0D GuidCertData =3D NULL;=0D @@ -2267,7 +2349,13 @@ EnrollImageSignatureToSigDB ( =0D Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS=0D | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS;=0D - Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data);=0D + Status =3D GetCurrentTime (&Time);=0D + if (EFI_ERROR (Status)) {=0D + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));=0D + goto ON_EXIT;=0D + }=0D +=0D + Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time);= =0D if (EFI_ERROR (Status)) {=0D DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus));=0D goto ON_EXIT;=0D @@ -2609,6 +2697,7 @@ DeleteKeyExchangeKey ( UINT32 KekDataSize;=0D UINTN DeleteKekIndex;=0D UINTN GuidIndex;=0D + EFI_TIME Time;=0D =0D Data =3D NULL;=0D OldData =3D NULL;=0D 
@@ -2727,7 +2816,13 @@ DeleteKeyExchangeKey ( =0D DataSize =3D Offset;=0D if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) !=3D 0) = {=0D - Status =3D CreateTimeBasedPayload (&DataSize, &OldData);=0D + Status =3D GetCurrentTime (&Time);=0D + if (EFI_ERROR (Status)) {=0D + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));= =0D + goto ON_EXIT;=0D + }=0D +=0D + Status =3D CreateTimeBasedPayload (&DataSize, &OldData, &Time);=0D if (EFI_ERROR (Status)) {=0D DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus));=0D goto ON_EXIT;=0D @@ -2805,6 +2900,7 @@ DeleteSignature ( BOOLEAN IsItemFound;=0D UINT32 ItemDataSize;=0D UINTN GuidIndex;=0D + EFI_TIME Time;=0D =0D Data =3D NULL;=0D OldData =3D NULL;=0D @@ -2931,7 +3027,13 @@ DeleteSignature ( =0D DataSize =3D Offset;=0D if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) !=3D 0) = {=0D - Status =3D CreateTimeBasedPayload (&DataSize, &OldData);=0D + Status =3D GetCurrentTime (&Time);=0D + if (EFI_ERROR (Status)) {=0D + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));= =0D + goto ON_EXIT;=0D + }=0D +=0D + Status =3D CreateTimeBasedPayload (&DataSize, &OldData, &Time);=0D if (EFI_ERROR (Status)) {=0D DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus));=0D goto ON_EXIT;=0D @@ -3000,6 +3102,7 @@ DeleteSignatureEx ( UINTN Offset;=0D UINT8 *VariableData;=0D UINT8 *NewVariableData;=0D + EFI_TIME Time;=0D =0D Status =3D EFI_SUCCESS;=0D VariableAttr =3D 0;=0D 
@@ -3120,7 +3223,13 @@ DeleteSignatureEx ( }=0D =0D if ((VariableAttr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) = !=3D 0) {=0D - Status =3D CreateTimeBasedPayload (&VariableDataSize, &NewVariableData= );=0D + Status =3D GetCurrentTime (&Time);=0D + if (EFI_ERROR (Status)) {=0D + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));= =0D + goto ON_EXIT;=0D + }=0D +=0D + Status =3D CreateTimeBasedPayload (&VariableDataSize, &NewVariableData= , &Time);=0D if (EFI_ERROR (Status)) {=0D DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus));=0D goto ON_EXIT;=0D diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 420687a21141..1671d5be7ccd 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf @@ -111,6 +111,7 @@ [Protocols] gEfiHiiConfigAccessProtocolGuid ## PRODUCES=0D gEfiDevicePathProtocolGuid ## PRODUCES=0D gEfiHiiPopupProtocolGuid=0D + gEfiRealTimeClockArchProtocolGuid ## CONSUMES=0D =0D [Depex]=0D gEfiHiiConfigRoutingProtocolGuid AND=0D --=20 2.36.0.windows.1
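
Review bot: The header comment of the new GetCurrentTime() helper (hunk @@ -136,6 +137,51 @@ in SecureBootConfigImpl.c) documents the parameter as `@param[in] Time FileContext cached in SecureBootConfig driver`, which does not describe an EFI_TIME and appears to be carried over from the neighbouring CloseEnrolledFile(). Time is written by ZeroMem() and gRT->GetTime(), so it should be `@param[out]` with `OUT EFI_TIME *Time` in the prototype, and the comment should list the return values (EFI_INVALID_PARAMETER, the LocateProtocol() error, the GetTime() error, EFI_SUCCESS). Two short code comments would also help: one saying that the LocateProtocol() call on gEfiRealTimeClockArchProtocolGuid only probes for the protocol and that TestPointer is intentionally unused, and one saying why Pad1, Nanosecond, TimeZone, Daylight and Pad2 are cleared (the UEFI specification requires these fields to be zero in the timestamp of a time-based authenticated variable descriptor). The LocateProtocol() failure path returns without a DEBUG message while the GetTime() failure path logs at DEBUG_ERROR; logging both would make a missing RTC protocol easier to diagnose.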
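
Review bot: The message added at every call site, first in EnrollPlatformKey (hunk @@ -463,7 +510,13 @@) and then in the eight other Enroll*/Delete* functions, is "Fail to fetch valid time data: %r" with no trailing "\n", whereas the message inside GetCurrentTime() ends with one, so the output will run into the next debug line. When GetTime() fails the error is also logged twice, once in the helper and once by the caller. Since the same GetCurrentTime() / EFI_ERROR check / `goto ON_EXIT` block now precedes all nine CreateTimeBasedPayload() calls, consider folding the pair into one static wrapper in this file that fetches the time and builds the payload, which would leave a single place for the log message and the error handling.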
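
Review bot: In EnrollX509HashtoSigDB (hunks @@ -1321,6 +1395,7 @@ and @@ -1490,7 +1565,13 @@) the function now declares both `EFI_TIME *Time` and `EFI_TIME NewTime`, and neither name says which one is the timestamp that goes into the authenticated payload. A more specific name for the added variable (for example CurrentTime or PayloadTime, as a suggestion) would prevent the wrong one being passed to CreateTimeBasedPayload() in a later edit. This is also the only call site where a CreateTimeBasedPayload() failure goes to ON_EXIT without a DEBUG message, as the unchanged context lines show; since the line above it is being touched anyway, adding the same "Fail to create time-based data payload" message used elsewhere would make the error paths uniform.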
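
Review bot: In SecureBootConfigDxe.inf (hunk @@ -111,6 +111,7 @@) the new entry is annotated `gEfiRealTimeClockArchProtocolGuid ## CONSUMES`, but the code only locates the protocol inside GetCurrentTime(), which runs on the enroll and delete paths and, in the Delete* functions, only when EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is set; a missing protocol is handled by returning the error. `## SOMETIMES_CONSUMES` would describe that usage more accurately. The [Depex] section is left unchanged, which is consistent with the run-time check, and a short comment next to the entry saying the protocol is probed at call time rather than required for dispatch would make that intent explicit.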