From: Grzegorz Bernacki
Date: Mon, 30 Aug 2021 14:48:12 +0200
Subject: Re: [edk2-devel] [PATCH v8 02/11] SecurityPkg: Create library for enrolling Secure Boot variables.
To: Patrick Rudolph
Cc: edk2-devel-groups-io
References: <20210802104633.2833333-1-gjb@semihalf.com> <20210802104633.2833333-3-gjb@semihalf.com>

Hi Patrick,

The current implementation does not allow using data in EFI_VARIABLE_AUTHENTICATION_2 format as a source of default data. I will add the possibility to use that kind of data to initialize the Secure Boot default data.

thanks,
greg

On Tue, 24 Aug 2021 at 14:26, Grzegorz Bernacki wrote:
>
> Hi Patrick,
>
> Yes, I tested the dbx enrollment, but with my own data. Please let me
> try that dbx.
>
> thanks,
> greg
>
> On Tue, 24 Aug 2021 at 14:22, Patrick Rudolph wrote:
> >
> > Hi Grzegorz,
> > I tried this patch, but I cannot enroll the DBX downloaded from here:
> > https://uefi.org/revocationlistfile
> >
> > Is it even possible with the current code? Did you test DBX enrollment as well using the revocation list file?
> >
> > Regards,
> > Patrick
> >
> > On Mon, Aug 2, 2021 at 12:47 PM Grzegorz Bernacki wrote:
> >>
> >> This commit adds a library which consists of functions to
> >> enroll Secure Boot keys and initialize Secure Boot
> >> default variables. Some of the functions were moved
> >> from the SecureBootConfigImpl.c file.
> >> > >> Signed-off-by: Grzegorz Bernacki > >> Reviewed-by: Sunny Wang > >> Reviewed-by: Jiewen Yao > >> --- > >> SecurityPkg/SecurityPkg.dec = | 4 + > >> SecurityPkg/SecurityPkg.dsc = | 1 + > >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariable= ProvisionLib.inf | 80 ++++ > >> SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h = | 134 ++++++ > >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariable= ProvisionLib.c | 482 ++++++++++++++++++++ > >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariable= ProvisionLib.uni | 16 + > >> 6 files changed, 717 insertions(+) > >> create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib= /SecureBootVariableProvisionLib.inf > >> create mode 100644 SecurityPkg/Include/Library/SecureBootVariableProv= isionLib.h > >> create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib= /SecureBootVariableProvisionLib.c > >> create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib= /SecureBootVariableProvisionLib.uni > >> > >> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec > >> index 8f3710e59f..e30c39f321 100644 > >> --- a/SecurityPkg/SecurityPkg.dec > >> +++ b/SecurityPkg/SecurityPkg.dec > >> @@ -91,6 +91,10 @@ > >> ## @libraryclass Provides helper functions related to creation/rem= oval Secure Boot variables. > >> # > >> SecureBootVariableLib|Include/Library/SecureBootVariableLib.h > >> + > >> + ## @libraryclass Provides support to enroll Secure Boot keys. > >> + # > >> + SecureBootVariableProvisionLib|Include/Library/SecureBootVariablePr= ovisionLib.h > >> [Guids] > >> ## Security package token space guid. > >> # Include/Guid/SecurityPkgTokenSpace.h > >> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc > >> index 854f250625..99c227dad2 100644 > >> --- a/SecurityPkg/SecurityPkg.dsc > >> +++ b/SecurityPkg/SecurityPkg.dsc 
> >> @@ -71,6 +71,7 @@ > >> TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEv= entLogRecordLib.inf > >> MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemor= yLibNull.inf > >> SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/Sec= ureBootVariableLib.inf > >> + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariab= leProvisionLib/SecureBootVariableProvisionLib.inf > >> > >> [LibraryClasses.ARM] > >> # > >> diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/Secure= BootVariableProvisionLib.inf b/SecurityPkg/Library/SecureBootVariableProvis= ionLib/SecureBootVariableProvisionLib.inf > >> new file mode 100644 > >> index 0000000000..a09abd29ce > >> --- /dev/null > >> +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVar= iableProvisionLib.inf > >> @@ -0,0 +1,80 @@ > >> +## @file > >> +# Provides initialization of Secure Boot keys and databases. > >> +# > >> +# Copyright (c) 2021, ARM Ltd. All rights reserved.
> >> +# Copyright (c) 2021, Semihalf All rights reserved.
> >> +# > >> +# SPDX-License-Identifier: BSD-2-Clause-Patent > >> +# > >> +## > >> + > >> +[Defines] > >> + INF_VERSION =3D 0x00010005 > >> + BASE_NAME =3D SecureBootVariableLib > >> + MODULE_UNI_FILE =3D SecureBootVariableLib.uni > >> + FILE_GUID =3D 18192DD0-9430-45F1-80C7-5C52061C= D183 > >> + MODULE_TYPE =3D DXE_DRIVER > >> + VERSION_STRING =3D 1.0 > >> + LIBRARY_CLASS =3D SecureBootVariableProvisionLib|D= XE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION > >> + > >> +# > >> +# The following information is for reference only and not required by= the build tools. > >> +# > >> +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 > >> +# > >> + > >> +[Sources] > >> + SecureBootVariableProvisionLib.c > >> + > >> +[Packages] > >> + MdePkg/MdePkg.dec > >> + MdeModulePkg/MdeModulePkg.dec > >> + SecurityPkg/SecurityPkg.dec > >> + CryptoPkg/CryptoPkg.dec > >> + > >> +[LibraryClasses] > >> + BaseLib > >> + BaseMemoryLib > >> + DebugLib > >> + MemoryAllocationLib > >> + BaseCryptLib > >> + DxeServicesLib > >> + SecureBootVariableLib > >> + > >> +[Guids] > >> + ## CONSUMES ## Variable:L"SetupMode" > >> + ## PRODUCES ## Variable:L"SetupMode" > >> + ## CONSUMES ## Variable:L"SecureBoot" > >> + ## PRODUCES ## Variable:L"SecureBoot" > >> + ## PRODUCES ## Variable:L"PK" > >> + ## PRODUCES ## Variable:L"KEK" > >> + ## CONSUMES ## Variable:L"PKDefault" > >> + ## CONSUMES ## Variable:L"KEKDefault" > >> + ## CONSUMES ## Variable:L"dbDefault" > >> + ## CONSUMES ## Variable:L"dbxDefault" > >> + ## CONSUMES ## Variable:L"dbtDefault" > >> + gEfiGlobalVariableGuid > >> + > >> + ## SOMETIMES_CONSUMES ## Variable:L"DB" > >> + ## SOMETIMES_CONSUMES ## Variable:L"DBX" > >> + ## SOMETIMES_CONSUMES ## Variable:L"DBT" > >> + gEfiImageSecurityDatabaseGuid > >> + > >> + ## CONSUMES ## Variable:L"SecureBootEnable" > >> + ## PRODUCES ## Variable:L"SecureBootEnable" > >> + gEfiSecureBootEnableDisableGuid > >> + > >> + ## CONSUMES ## Variable:L"CustomMode" > >> + ## PRODUCES ## Variable:L"CustomMode" > >> + 
gEfiCustomModeEnableGuid > >> + > >> + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES > >> + gEfiCertX509Guid ## CONSUMES > >> + gEfiCertPkcs7Guid ## CONSUMES > >> + > >> + gDefaultPKFileGuid > >> + gDefaultKEKFileGuid > >> + gDefaultdbFileGuid > >> + gDefaultdbxFileGuid > >> + gDefaultdbtFileGuid > >> + > >> diff --git a/SecurityPkg/Include/Library/SecureBootVariableProvisionLi= b.h b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > >> new file mode 100644 > >> index 0000000000..ba8009b5cd > >> --- /dev/null > >> +++ b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > >> @@ -0,0 +1,134 @@ > >> +/** @file > >> + Provides a functions to enroll keys based on default values. > >> + > >> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved. > >> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP
> >> +Copyright (c) 2021, ARM Ltd. All rights reserved.
> >> +Copyright (c) 2021, Semihalf All rights reserved.
> >> +SPDX-License-Identifier: BSD-2-Clause-Patent > >> + > >> +**/ > >> + > >> +#ifndef SECURE_BOOT_VARIABLE_PROVISION_LIB_H_ > >> +#define SECURE_BOOT_VARIABLE_PROVISION_LIB_H_ > >> + > >> +/** > >> + Sets the content of the 'db' variable based on 'dbDefault' variable= content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARI= ABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2(), GetTi= me() and SetVariable() > >> +--*/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollDbFromDefault ( > >> + VOID > >> +); > >> + > >> +/** > >> + Sets the content of the 'dbx' variable based on 'dbxDefault' variab= le content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARI= ABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2(), GetTi= me() and SetVariable() > >> +--*/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollDbxFromDefault ( > >> + VOID > >> +); > >> + > >> +/** > >> + Sets the content of the 'dbt' variable based on 'dbtDefault' variab= le content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARI= ABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2(), GetTi= me() and SetVariable() > >> +--*/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollDbtFromDefault ( > >> + VOID > >> +); > >> + > >> +/** > >> + Sets the content of the 'KEK' variable based on 'KEKDefault' variab= le content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARI= ABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2(), GetTi= me() and SetVariable() > >> +--*/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollKEKFromDefault ( > >> + VOID > >> +); > >> + > >> +/** > >> + Sets the content of the 'PK' variable based on 'PKDefault' variable= content. 
> >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARI= ABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2(), GetTi= me() and SetVariable() > >> +--*/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollPKFromDefault ( > >> + VOID > >> +); > >> + > >> +/** > >> + Initializes PKDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfull= y. > >> + @retval EFI_UNSUPPORTED Variable already exists. > >> +--*/ > >> +EFI_STATUS > >> +SecureBootInitPKDefault ( > >> + IN VOID > >> + ); > >> + > >> +/** > >> + Initializes KEKDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfull= y. > >> + @retval EFI_UNSUPPORTED Variable already exists. > >> +--*/ > >> +EFI_STATUS > >> +SecureBootInitKEKDefault ( > >> + IN VOID > >> + ); > >> + > >> +/** > >> + Initializes dbDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfull= y. > >> + @retval EFI_UNSUPPORTED Variable already exists. > >> +--*/ > >> +EFI_STATUS > >> +SecureBootInitDbDefault ( > >> + IN VOID > >> + ); > >> + > >> +/** > >> + Initializes dbtDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfull= y. > >> + @retval EFI_UNSUPPORTED Variable already exists. > >> +--*/ > >> +EFI_STATUS > >> +SecureBootInitDbtDefault ( > >> + IN VOID > >> + ); > >> + > >> +/** > >> + Initializes dbxDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfull= y. > >> + @retval EFI_UNSUPPORTED Variable already exists. > >> +--*/ > >> +EFI_STATUS > >> +SecureBootInitDbxDefault ( > >> + IN VOID > >> + ); > >> +#endif 
> >> diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/Secure= BootVariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisio= nLib/SecureBootVariableProvisionLib.c > >> new file mode 100644 > >> index 0000000000..848f7ce929 > >> --- /dev/null > >> +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVar= iableProvisionLib.c > >> @@ -0,0 +1,482 @@ > >> +/** @file > >> + This library provides functions to set/clear Secure Boot > >> + keys and databases. > >> + > >> + Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<= BR> > >> + (C) Copyright 2018 Hewlett Packard Enterprise Development LP
> >> + Copyright (c) 2021, ARM Ltd. All rights reserved.
> >> + Copyright (c) 2021, Semihalf All rights reserved.
> >> + SPDX-License-Identifier: BSD-2-Clause-Patent > >> +**/ > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> + > >> +/** > >> + Enroll a key/certificate based on a default variable. > >> + > >> + @param[in] VariableName The name of the key/database. > >> + @param[in] DefaultName The name of the default variable. > >> + @param[in] VendorGuid The namespace (ie. vendor GUID) of t= he variable > >> + > >> + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthH= eader. > >> + @retval EFI_SUCCESS Successful enrollment. > >> + @return Error codes from GetTime () and SetV= ariable (). > >> +**/ > >> +STATIC > >> +EFI_STATUS > >> +EnrollFromDefault ( > >> + IN CHAR16 *VariableName, > >> + IN CHAR16 *DefaultName, > >> + IN EFI_GUID *VendorGuid > >> + ) > >> +{ > >> + VOID *Data; > >> + UINTN DataSize; > >> + EFI_STATUS Status; > >> + > >> + Status =3D EFI_SUCCESS; > >> + > >> + DataSize =3D 0; > >> + Status =3D GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Dat= a, &DataSize); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", Default= Name, Status)); > >> + return Status; > >> + } > >> + > >> + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r"= , Status)); > >> + return Status; > >> + } > >> + > >> + // > >> + // Allocate memory for auth variable > >> + // > >> + Status =3D gRT->SetVariable ( > >> + VariableName, > >> + VendorGuid, > >> + (EFI_VARIABLE_NON_VOLATILE | > >> + EFI_VARIABLE_BOOTSERVICE_ACCESS | > >> + EFI_VARIABLE_RUNTIME_ACCESS | > >> + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS= ), > >> + DataSize, > >> + Data > >> + ); > >> + > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__= , VariableName, > >> + 
VendorGuid, Status)); > >> + } > >> + > >> + if (Data !=3D NULL) { > >> + FreePool (Data); > >> + } > >> + > >> + return Status; > >> +} > >> + > >> +/** Initializes PKDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfull= y. > >> + @retval EFI_UNSUPPORTED Variable already exists. > >> +**/ > >> +EFI_STATUS > >> +SecureBootInitPKDefault ( > >> + IN VOID > >> + ) > >> +{ > >> + EFI_SIGNATURE_LIST *EfiSig; > >> + UINTN SigListsSize; > >> + EFI_STATUS Status; > >> + UINT8 *Data; > >> + UINTN DataSize; > >> + > >> + // > >> + // Check if variable exists, if so do not change it > >> + // > >> + Status =3D GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalV= ariableGuid, (VOID **) &Data, &DataSize); > >> + if (Status =3D=3D EFI_SUCCESS) { > >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n= ", EFI_PK_DEFAULT_VARIABLE_NAME)); > >> + FreePool (Data); > >> + return EFI_UNSUPPORTED; > >> + } > >> + > >> + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > >> + return Status; > >> + } > >> + > >> + // > >> + // Variable does not exist, can be initialized > >> + // > >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT= _VARIABLE_NAME)); > >> + > >> + Status =3D SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize,= &EfiSig); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_= VARIABLE_NAME)); > >> + return Status; > >> + } > >> + > >> + Status =3D gRT->SetVariable ( > >> + EFI_PK_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid, > >> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERV= ICE_ACCESS, > >> + SigListsSize, > >> + (VOID *)EfiSig > >> + ); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE= _NAME)); > >> + } > >> + > >> + FreePool (EfiSig); > >> + > >> + return Status; > >> +} > >> + > >> +/** Initializes KEKDefault variable with data 
from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfull= y. > >> + @retval EFI_UNSUPPORTED Variable already exists. > >> +**/ > >> +EFI_STATUS > >> +SecureBootInitKEKDefault ( > >> + IN VOID > >> + ) > >> +{ > >> + EFI_SIGNATURE_LIST *EfiSig; > >> + UINTN SigListsSize; > >> + EFI_STATUS Status; > >> + UINT8 *Data; > >> + UINTN DataSize; > >> + > >> + // > >> + // Check if variable exists, if so do not change it > >> + // > >> + Status =3D GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobal= VariableGuid, (VOID **) &Data, &DataSize); > >> + if (Status =3D=3D EFI_SUCCESS) { > >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n= ", EFI_KEK_DEFAULT_VARIABLE_NAME)); > >> + FreePool (Data); > >> + return EFI_UNSUPPORTED; > >> + } > >> + > >> + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > >> + return Status; > >> + } > >> + > >> + // > >> + // Variable does not exist, can be initialized > >> + // > >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAUL= T_VARIABLE_NAME)); > >> + > >> + Status =3D SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize= , &EfiSig); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT= _VARIABLE_NAME)); > >> + return Status; > >> + } > >> + > >> + > >> + Status =3D gRT->SetVariable ( > >> + EFI_KEK_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid, > >> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERV= ICE_ACCESS, > >> + SigListsSize, > >> + (VOID *)EfiSig > >> + ); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABL= E_NAME)); > >> + } > >> + > >> + FreePool (EfiSig); > >> + > >> + return Status; > >> +} > >> + > >> +/** Initializes dbDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfull= y. > >> + @retval EFI_UNSUPPORTED Variable already exists. 
> >> +**/ > >> +EFI_STATUS > >> +SecureBootInitDbDefault ( > >> + IN VOID > >> + ) > >> +{ > >> + EFI_SIGNATURE_LIST *EfiSig; > >> + UINTN SigListsSize; > >> + EFI_STATUS Status; > >> + UINT8 *Data; > >> + UINTN DataSize; > >> + > >> + Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalV= ariableGuid, (VOID **) &Data, &DataSize); > >> + if (Status =3D=3D EFI_SUCCESS) { > >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n= ", EFI_DB_DEFAULT_VARIABLE_NAME)); > >> + FreePool (Data); > >> + return EFI_UNSUPPORTED; > >> + } > >> + > >> + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > >> + return Status; > >> + } > >> + > >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT= _VARIABLE_NAME)); > >> + > >> + Status =3D SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize,= &EfiSig); > >> + if (EFI_ERROR (Status)) { > >> + return Status; > >> + } > >> + > >> + Status =3D gRT->SetVariable ( > >> + EFI_DB_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid, > >> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERV= ICE_ACCESS, > >> + SigListsSize, > >> + (VOID *)EfiSig > >> + ); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIAB= LE_NAME)); > >> + } > >> + > >> + FreePool (EfiSig); > >> + > >> + return Status; > >> +} > >> + > >> +/** Initializes dbxDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfull= y. > >> + @retval EFI_UNSUPPORTED Variable already exists. 
> >> +**/ > >> +EFI_STATUS > >> +SecureBootInitDbxDefault ( > >> + IN VOID > >> + ) > >> +{ > >> + EFI_SIGNATURE_LIST *EfiSig; > >> + UINTN SigListsSize; > >> + EFI_STATUS Status; > >> + UINT8 *Data; > >> + UINTN DataSize; > >> + > >> + // > >> + // Check if variable exists, if so do not change it > >> + // > >> + Status =3D GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobal= VariableGuid, (VOID **) &Data, &DataSize); > >> + if (Status =3D=3D EFI_SUCCESS) { > >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n= ", EFI_DBX_DEFAULT_VARIABLE_NAME)); > >> + FreePool (Data); > >> + return EFI_UNSUPPORTED; > >> + } > >> + > >> + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > >> + return Status; > >> + } > >> + > >> + // > >> + // Variable does not exist, can be initialized > >> + // > >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAUL= T_VARIABLE_NAME)); > >> + > >> + Status =3D SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize= , &EfiSig); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT= _VARIABLE_NAME)); > >> + return Status; > >> + } > >> + > >> + Status =3D gRT->SetVariable ( > >> + EFI_DBX_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid, > >> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERV= ICE_ACCESS, > >> + SigListsSize, > >> + (VOID *)EfiSig > >> + ); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABL= E_NAME)); > >> + } > >> + > >> + FreePool (EfiSig); > >> + > >> + return Status; > >> +} > >> + > >> +/** Initializes dbtDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfull= y. > >> + @retval EFI_UNSUPPORTED Variable already exists. 
> >> +**/ > >> +EFI_STATUS > >> +SecureBootInitDbtDefault ( > >> + IN VOID > >> + ) > >> +{ > >> + EFI_SIGNATURE_LIST *EfiSig; > >> + UINTN SigListsSize; > >> + EFI_STATUS Status; > >> + UINT8 *Data; > >> + UINTN DataSize; > >> + > >> + // > >> + // Check if variable exists, if so do not change it > >> + // > >> + Status =3D GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobal= VariableGuid, (VOID **) &Data, &DataSize); > >> + if (Status =3D=3D EFI_SUCCESS) { > >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n= ", EFI_DBT_DEFAULT_VARIABLE_NAME)); > >> + FreePool (Data); > >> + return EFI_UNSUPPORTED; > >> + } > >> + > >> + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > >> + return Status; > >> + } > >> + > >> + // > >> + // Variable does not exist, can be initialized > >> + // > >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAUL= T_VARIABLE_NAME)); > >> + > >> + Status =3D SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize= , &EfiSig); > >> + if (EFI_ERROR (Status)) { > >> + return Status; > >> + } > >> + > >> + Status =3D gRT->SetVariable ( > >> + EFI_DBT_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid, > >> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERV= ICE_ACCESS, > >> + SigListsSize, > >> + (VOID *)EfiSig > >> + ); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABL= E_NAME)); > >> + } > >> + > >> + FreePool (EfiSig); > >> + > >> + return EFI_SUCCESS; > >> +} > >> + > >> +/** > >> + Sets the content of the 'db' variable based on 'dbDefault' variable= content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARI= ABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. 
> >> + @retval other Errors from GetVariable2 (), GetT= ime () and SetVariable () > >> +**/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollDbFromDefault ( > >> + VOID > >> +) > >> +{ > >> + EFI_STATUS Status; > >> + > >> + Status =3D EnrollFromDefault ( > >> + EFI_IMAGE_SECURITY_DATABASE, > >> + EFI_DB_DEFAULT_VARIABLE_NAME, > >> + &gEfiImageSecurityDatabaseGuid > >> + ); > >> + > >> + return Status; > >> +} > >> + > >> +/** > >> + Sets the content of the 'dbx' variable based on 'dbxDefault' variab= le content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARI= ABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2 (), GetT= ime () and SetVariable () > >> +**/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollDbxFromDefault ( > >> + VOID > >> +) > >> +{ > >> + EFI_STATUS Status; > >> + > >> + Status =3D EnrollFromDefault ( > >> + EFI_IMAGE_SECURITY_DATABASE1, > >> + EFI_DBX_DEFAULT_VARIABLE_NAME, > >> + &gEfiImageSecurityDatabaseGuid > >> + ); > >> + > >> + return Status; > >> +} > >> + > >> +/** > >> + Sets the content of the 'dbt' variable based on 'dbtDefault' variab= le content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARI= ABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2 (), GetT= ime () and SetVariable () > >> +**/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollDbtFromDefault ( > >> + VOID > >> +) > >> +{ > >> + EFI_STATUS Status; > >> + > >> + Status =3D EnrollFromDefault ( > >> + EFI_IMAGE_SECURITY_DATABASE2, > >> + EFI_DBT_DEFAULT_VARIABLE_NAME, > >> + &gEfiImageSecurityDatabaseGuid); > >> + > >> + return Status; > >> +} > >> + > >> +/** > >> + Sets the content of the 'KEK' variable based on 'KEKDefault' variab= le content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARI= ABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. 
> >> + @retval other Errors from GetVariable2 (), GetT= ime () and SetVariable () > >> +**/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollKEKFromDefault ( > >> + VOID > >> +) > >> +{ > >> + EFI_STATUS Status; > >> + > >> + Status =3D EnrollFromDefault ( > >> + EFI_KEY_EXCHANGE_KEY_NAME, > >> + EFI_KEK_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid > >> + ); > >> + > >> + return Status; > >> +} > >> + > >> +/** > >> + Sets the content of the 'KEK' variable based on 'KEKDefault' variab= le content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARI= ABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2 (), GetT= ime () and SetVariable () > >> +**/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollPKFromDefault ( > >> + VOID > >> +) > >> +{ > >> + EFI_STATUS Status; > >> + > >> + Status =3D EnrollFromDefault ( > >> + EFI_PLATFORM_KEY_NAME, > >> + EFI_PK_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid > >> + ); > >> + > >> + return Status; > >> +} > >> diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/Secure= BootVariableProvisionLib.uni b/SecurityPkg/Library/SecureBootVariableProvis= ionLib/SecureBootVariableProvisionLib.uni > >> new file mode 100644 > >> index 0000000000..68d928ef30 > >> --- /dev/null > >> +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVar= iableProvisionLib.uni > >> @@ -0,0 +1,16 @@ > >> +// /** @file > >> +// > >> +// Provides initialization of Secure Boot keys and databases. > >> +// > >> +// Copyright (c) 2021, ARM Ltd. All rights reserved.
> >> +// Copyright (c) 2021, Semihalf All rights reserved.
> >> +// > >> +// SPDX-License-Identifier: BSD-2-Clause-Patent > >> +// > >> +// **/ > >> + > >> + > >> +#string STR_MODULE_ABSTRACT #language en-US "Provides fun= ctions to initialize PK, KEK and databases based on default variables." > >> + > >> +#string STR_MODULE_DESCRIPTION #language en-US "Provides fun= ctions to initialize PK, KEK and databases based on default variables." > >> + > >> -- > >> 2.25.1 > >> > >> > >> > >>=20 > >> > >>