From: "Grzegorz Bernacki"
Date: Tue, 24 Aug 2021 14:26:26 +0200
Subject: Re: [edk2-devel] [PATCH v8 02/11] SecurityPkg: Create library for enrolling Secure Boot variables.
To: Patrick Rudolph
Cc: edk2-devel-groups-io
References: <20210802104633.2833333-1-gjb@semihalf.com> <20210802104633.2833333-3-gjb@semihalf.com>

Hi Patrick,

Yes, I tested the dbx enrollment, but with my own data.
Please let me try that dbx.

thanks,
greg

On Tue, 24 Aug 2021 at 14:22, Patrick Rudolph wrote:
>
> Hi Grzegorz,
> I tried this patch, but I cannot enroll the DBX downloaded from here:
> https://uefi.org/revocationlistfile
>
> Is it even possible with current code? Did you test DBX enrollment as well using the revocation list file?
>
> Regards,
> Patrick
>
> On Mon, Aug 2, 2021 at 12:47 PM Grzegorz Bernacki wrote:
>>
>> This commit adds a library, which consists of functions to
>> enroll Secure Boot keys and initialize Secure Boot
>> default variables. Some of the functions were moved
>> from SecureBootConfigImpl.c file.
>> >> Signed-off-by: Grzegorz Bernacki >> Reviewed-by: Sunny Wang >> Reviewed-by: Jiewen Yao >> --- >> SecurityPkg/SecurityPkg.dec = | 4 + >> SecurityPkg/SecurityPkg.dsc = | 1 + >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariablePr= ovisionLib.inf | 80 ++++ >> SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h = | 134 ++++++ >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariablePr= ovisionLib.c | 482 ++++++++++++++++++++ >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariablePr= ovisionLib.uni | 16 + >> 6 files changed, 717 insertions(+) >> create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/S= ecureBootVariableProvisionLib.inf >> create mode 100644 SecurityPkg/Include/Library/SecureBootVariableProvis= ionLib.h >> create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/S= ecureBootVariableProvisionLib.c >> create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/S= ecureBootVariableProvisionLib.uni >> >> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec >> index 8f3710e59f..e30c39f321 100644 >> --- a/SecurityPkg/SecurityPkg.dec >> +++ b/SecurityPkg/SecurityPkg.dec >> @@ -91,6 +91,10 @@ >> ## @libraryclass Provides helper functions related to creation/remov= al Secure Boot variables. >> # >> SecureBootVariableLib|Include/Library/SecureBootVariableLib.h >> + >> + ## @libraryclass Provides support to enroll Secure Boot keys. >> + # >> + SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProv= isionLib.h >> [Guids] >> ## Security package token space guid. >> # Include/Guid/SecurityPkgTokenSpace.h >> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc >> index 854f250625..99c227dad2 100644 >> --- a/SecurityPkg/SecurityPkg.dsc >> +++ b/SecurityPkg/SecurityPkg.dsc 
>> @@ -71,6 +71,7 @@ >> TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEven= tLogRecordLib.inf >> MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryL= ibNull.inf >> SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/Secur= eBootVariableLib.inf >> + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariable= ProvisionLib/SecureBootVariableProvisionLib.inf >> >> [LibraryClasses.ARM] >> # >> diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBo= otVariableProvisionLib.inf b/SecurityPkg/Library/SecureBootVariableProvisio= nLib/SecureBootVariableProvisionLib.inf >> new file mode 100644 >> index 0000000000..a09abd29ce >> --- /dev/null >> +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVaria= bleProvisionLib.inf >> @@ -0,0 +1,80 @@ >> +## @file >> +# Provides initialization of Secure Boot keys and databases. >> +# >> +# Copyright (c) 2021, ARM Ltd. All rights reserved.
>> +# Copyright (c) 2021, Semihalf All rights reserved.
>> +# >> +# SPDX-License-Identifier: BSD-2-Clause-Patent >> +# >> +## >> + >> +[Defines] >> + INF_VERSION =3D 0x00010005 >> + BASE_NAME =3D SecureBootVariableLib >> + MODULE_UNI_FILE =3D SecureBootVariableLib.uni >> + FILE_GUID =3D 18192DD0-9430-45F1-80C7-5C52061CD1= 83 >> + MODULE_TYPE =3D DXE_DRIVER >> + VERSION_STRING =3D 1.0 >> + LIBRARY_CLASS =3D SecureBootVariableProvisionLib|DXE= _DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION >> + >> +# >> +# The following information is for reference only and not required by t= he build tools. >> +# >> +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 >> +# >> + >> +[Sources] >> + SecureBootVariableProvisionLib.c >> + >> +[Packages] >> + MdePkg/MdePkg.dec >> + MdeModulePkg/MdeModulePkg.dec >> + SecurityPkg/SecurityPkg.dec >> + CryptoPkg/CryptoPkg.dec >> + >> +[LibraryClasses] >> + BaseLib >> + BaseMemoryLib >> + DebugLib >> + MemoryAllocationLib >> + BaseCryptLib >> + DxeServicesLib >> + SecureBootVariableLib >> + >> +[Guids] >> + ## CONSUMES ## Variable:L"SetupMode" >> + ## PRODUCES ## Variable:L"SetupMode" >> + ## CONSUMES ## Variable:L"SecureBoot" >> + ## PRODUCES ## Variable:L"SecureBoot" >> + ## PRODUCES ## Variable:L"PK" >> + ## PRODUCES ## Variable:L"KEK" >> + ## CONSUMES ## Variable:L"PKDefault" >> + ## CONSUMES ## Variable:L"KEKDefault" >> + ## CONSUMES ## Variable:L"dbDefault" >> + ## CONSUMES ## Variable:L"dbxDefault" >> + ## CONSUMES ## Variable:L"dbtDefault" >> + gEfiGlobalVariableGuid >> + >> + ## SOMETIMES_CONSUMES ## Variable:L"DB" >> + ## SOMETIMES_CONSUMES ## Variable:L"DBX" >> + ## SOMETIMES_CONSUMES ## Variable:L"DBT" >> + gEfiImageSecurityDatabaseGuid >> + >> + ## CONSUMES ## Variable:L"SecureBootEnable" >> + ## PRODUCES ## Variable:L"SecureBootEnable" >> + gEfiSecureBootEnableDisableGuid >> + >> + ## CONSUMES ## Variable:L"CustomMode" >> + ## PRODUCES ## Variable:L"CustomMode" >> + gEfiCustomModeEnableGuid >> + >> + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES >> + gEfiCertX509Guid ## CONSUMES >> + 
gEfiCertPkcs7Guid ## CONSUMES >> + >> + gDefaultPKFileGuid >> + gDefaultKEKFileGuid >> + gDefaultdbFileGuid >> + gDefaultdbxFileGuid >> + gDefaultdbtFileGuid >> + >> diff --git a/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.= h b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h >> new file mode 100644 >> index 0000000000..ba8009b5cd >> --- /dev/null >> +++ b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h >> @@ -0,0 +1,134 @@ >> +/** @file >> + Provides a functions to enroll keys based on default values. >> + >> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
>> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP
>> +Copyright (c) 2021, ARM Ltd. All rights reserved.
>> +Copyright (c) 2021, Semihalf All rights reserved.
>> +SPDX-License-Identifier: BSD-2-Clause-Patent >> + >> +**/ >> + >> +#ifndef SECURE_BOOT_VARIABLE_PROVISION_LIB_H_ >> +#define SECURE_BOOT_VARIABLE_PROVISION_LIB_H_ >> + >> +/** >> + Sets the content of the 'db' variable based on 'dbDefault' variable c= ontent. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() >> +--*/ >> +EFI_STATUS >> +EFIAPI >> +EnrollDbFromDefault ( >> + VOID >> +); >> + >> +/** >> + Sets the content of the 'dbx' variable based on 'dbxDefault' variable= content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() >> +--*/ >> +EFI_STATUS >> +EFIAPI >> +EnrollDbxFromDefault ( >> + VOID >> +); >> + >> +/** >> + Sets the content of the 'dbt' variable based on 'dbtDefault' variable= content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() >> +--*/ >> +EFI_STATUS >> +EFIAPI >> +EnrollDbtFromDefault ( >> + VOID >> +); >> + >> +/** >> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable= content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() >> +--*/ >> +EFI_STATUS >> +EFIAPI >> +EnrollKEKFromDefault ( >> + VOID >> +); >> + >> +/** >> + Sets the content of the 'PK' variable based on 'PKDefault' variable c= ontent. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. 
>> + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() >> +--*/ >> +EFI_STATUS >> +EFIAPI >> +EnrollPKFromDefault ( >> + VOID >> +); >> + >> +/** >> + Initializes PKDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +--*/ >> +EFI_STATUS >> +SecureBootInitPKDefault ( >> + IN VOID >> + ); >> + >> +/** >> + Initializes KEKDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +--*/ >> +EFI_STATUS >> +SecureBootInitKEKDefault ( >> + IN VOID >> + ); >> + >> +/** >> + Initializes dbDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +--*/ >> +EFI_STATUS >> +SecureBootInitDbDefault ( >> + IN VOID >> + ); >> + >> +/** >> + Initializes dbtDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +--*/ >> +EFI_STATUS >> +SecureBootInitDbtDefault ( >> + IN VOID >> + ); >> + >> +/** >> + Initializes dbxDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +--*/ >> +EFI_STATUS >> +SecureBootInitDbxDefault ( >> + IN VOID >> + ); >> +#endif >> diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBo= otVariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisionL= ib/SecureBootVariableProvisionLib.c >> new file mode 100644 >> index 0000000000..848f7ce929 >> --- /dev/null >> +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVaria= bleProvisionLib.c 
>> @@ -0,0 +1,482 @@ >> +/** @file >> + This library provides functions to set/clear Secure Boot >> + keys and databases. >> + >> + Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved. >> + (C) Copyright 2018 Hewlett Packard Enterprise Development LP
>> + Copyright (c) 2021, ARM Ltd. All rights reserved.
>> + Copyright (c) 2021, Semihalf All rights reserved.
>> + SPDX-License-Identifier: BSD-2-Clause-Patent >> +**/ >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +/** >> + Enroll a key/certificate based on a default variable. >> + >> + @param[in] VariableName The name of the key/database. >> + @param[in] DefaultName The name of the default variable. >> + @param[in] VendorGuid The namespace (ie. vendor GUID) of the= variable >> + >> + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHea= der. >> + @retval EFI_SUCCESS Successful enrollment. >> + @return Error codes from GetTime () and SetVar= iable (). >> +**/ >> +STATIC >> +EFI_STATUS >> +EnrollFromDefault ( >> + IN CHAR16 *VariableName, >> + IN CHAR16 *DefaultName, >> + IN EFI_GUID *VendorGuid >> + ) >> +{ >> + VOID *Data; >> + UINTN DataSize; >> + EFI_STATUS Status; >> + >> + Status =3D EFI_SUCCESS; >> + >> + DataSize =3D 0; >> + Status =3D GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data,= &DataSize); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultNa= me, Status)); >> + return Status; >> + } >> + >> + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", = Status)); >> + return Status; >> + } >> + >> + // >> + // Allocate memory for auth variable >> + // >> + Status =3D gRT->SetVariable ( >> + VariableName, >> + VendorGuid, >> + (EFI_VARIABLE_NON_VOLATILE | >> + EFI_VARIABLE_BOOTSERVICE_ACCESS | >> + EFI_VARIABLE_RUNTIME_ACCESS | >> + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), >> + DataSize, >> + Data >> + ); >> + >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, = VariableName, >> + VendorGuid, Status)); >> + } >> + >> + if (Data !=3D NULL) { >> + FreePool (Data); >> + } >> + >> + return Status; >> +} >> + >> +/** Initializes 
PKDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +**/ >> +EFI_STATUS >> +SecureBootInitPKDefault ( >> + IN VOID >> + ) >> +{ >> + EFI_SIGNATURE_LIST *EfiSig; >> + UINTN SigListsSize; >> + EFI_STATUS Status; >> + UINT8 *Data; >> + UINTN DataSize; >> + >> + // >> + // Check if variable exists, if so do not change it >> + // >> + Status =3D GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVar= iableGuid, (VOID **) &Data, &DataSize); >> + if (Status =3D=3D EFI_SUCCESS) { >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",= EFI_PK_DEFAULT_VARIABLE_NAME)); >> + FreePool (Data); >> + return EFI_UNSUPPORTED; >> + } >> + >> + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { >> + return Status; >> + } >> + >> + // >> + // Variable does not exist, can be initialized >> + // >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_V= ARIABLE_NAME)); >> + >> + Status =3D SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &= EfiSig); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VA= RIABLE_NAME)); >> + return Status; >> + } >> + >> + Status =3D gRT->SetVariable ( >> + EFI_PK_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid, >> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVIC= E_ACCESS, >> + SigListsSize, >> + (VOID *)EfiSig >> + ); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_N= AME)); >> + } >> + >> + FreePool (EfiSig); >> + >> + return Status; >> +} >> + >> +/** Initializes KEKDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. 
>> +**/ >> +EFI_STATUS >> +SecureBootInitKEKDefault ( >> + IN VOID >> + ) >> +{ >> + EFI_SIGNATURE_LIST *EfiSig; >> + UINTN SigListsSize; >> + EFI_STATUS Status; >> + UINT8 *Data; >> + UINTN DataSize; >> + >> + // >> + // Check if variable exists, if so do not change it >> + // >> + Status =3D GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVa= riableGuid, (VOID **) &Data, &DataSize); >> + if (Status =3D=3D EFI_SUCCESS) { >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",= EFI_KEK_DEFAULT_VARIABLE_NAME)); >> + FreePool (Data); >> + return EFI_UNSUPPORTED; >> + } >> + >> + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { >> + return Status; >> + } >> + >> + // >> + // Variable does not exist, can be initialized >> + // >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_= VARIABLE_NAME)); >> + >> + Status =3D SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, = &EfiSig); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_V= ARIABLE_NAME)); >> + return Status; >> + } >> + >> + >> + Status =3D gRT->SetVariable ( >> + EFI_KEK_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid, >> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVIC= E_ACCESS, >> + SigListsSize, >> + (VOID *)EfiSig >> + ); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_= NAME)); >> + } >> + >> + FreePool (EfiSig); >> + >> + return Status; >> +} >> + >> +/** Initializes dbDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. 
>> +**/ >> +EFI_STATUS >> +SecureBootInitDbDefault ( >> + IN VOID >> + ) >> +{ >> + EFI_SIGNATURE_LIST *EfiSig; >> + UINTN SigListsSize; >> + EFI_STATUS Status; >> + UINT8 *Data; >> + UINTN DataSize; >> + >> + Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVar= iableGuid, (VOID **) &Data, &DataSize); >> + if (Status =3D=3D EFI_SUCCESS) { >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",= EFI_DB_DEFAULT_VARIABLE_NAME)); >> + FreePool (Data); >> + return EFI_UNSUPPORTED; >> + } >> + >> + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { >> + return Status; >> + } >> + >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_V= ARIABLE_NAME)); >> + >> + Status =3D SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &= EfiSig); >> + if (EFI_ERROR (Status)) { >> + return Status; >> + } >> + >> + Status =3D gRT->SetVariable ( >> + EFI_DB_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid, >> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVIC= E_ACCESS, >> + SigListsSize, >> + (VOID *)EfiSig >> + ); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE= _NAME)); >> + } >> + >> + FreePool (EfiSig); >> + >> + return Status; >> +} >> + >> +/** Initializes dbxDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +**/ >> +EFI_STATUS >> +SecureBootInitDbxDefault ( >> + IN VOID >> + ) >> +{ >> + EFI_SIGNATURE_LIST *EfiSig; >> + UINTN SigListsSize; >> + EFI_STATUS Status; >> + UINT8 *Data; >> + UINTN DataSize; >> + >> + // >> + // Check if variable exists, if so do not change it >> + // >> + Status =3D GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVa= riableGuid, (VOID **) &Data, &DataSize); >> + if (Status =3D=3D EFI_SUCCESS) { >> + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n",= EFI_DBX_DEFAULT_VARIABLE_NAME)); >> + FreePool (Data); >> + return EFI_UNSUPPORTED; >> + } >> + >> + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { >> + return Status; >> + } >> + >> + // >> + // Variable does not exist, can be initialized >> + // >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_= VARIABLE_NAME)); >> + >> + Status =3D SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, = &EfiSig); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_V= ARIABLE_NAME)); >> + return Status; >> + } >> + >> + Status =3D gRT->SetVariable ( >> + EFI_DBX_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid, >> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVIC= E_ACCESS, >> + SigListsSize, >> + (VOID *)EfiSig >> + ); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_= NAME)); >> + } >> + >> + FreePool (EfiSig); >> + >> + return Status; >> +} >> + >> +/** Initializes dbtDefault variable with data from FFS section. >> + >> + @retval EFI_SUCCESS Variable was initialized successfully. >> + @retval EFI_UNSUPPORTED Variable already exists. >> +**/ >> +EFI_STATUS >> +SecureBootInitDbtDefault ( >> + IN VOID >> + ) >> +{ >> + EFI_SIGNATURE_LIST *EfiSig; >> + UINTN SigListsSize; >> + EFI_STATUS Status; >> + UINT8 *Data; >> + UINTN DataSize; >> + >> + // >> + // Check if variable exists, if so do not change it >> + // >> + Status =3D GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVa= riableGuid, (VOID **) &Data, &DataSize); >> + if (Status =3D=3D EFI_SUCCESS) { >> + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n",= EFI_DBT_DEFAULT_VARIABLE_NAME)); >> + FreePool (Data); >> + return EFI_UNSUPPORTED; >> + } >> + >> + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { >> + return Status; >> + } >> + >> + // >> + // Variable does not exist, can be initialized >> + // >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_= VARIABLE_NAME)); >> + >> + Status =3D SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, = &EfiSig); >> + if (EFI_ERROR (Status)) { >> + return Status; >> + } >> + >> + Status =3D gRT->SetVariable ( >> + EFI_DBT_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid, >> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVIC= E_ACCESS, >> + SigListsSize, >> + (VOID *)EfiSig >> + ); >> + if (EFI_ERROR (Status)) { >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_= NAME)); >> + } >> + >> + FreePool (EfiSig); >> + >> + return EFI_SUCCESS; >> +} >> + >> +/** >> + Sets the content of the 'db' variable based on 'dbDefault' variable c= ontent. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () >> +**/ >> +EFI_STATUS >> +EFIAPI >> +EnrollDbFromDefault ( >> + VOID >> +) >> +{ >> + EFI_STATUS Status; >> + >> + Status =3D EnrollFromDefault ( >> + EFI_IMAGE_SECURITY_DATABASE, >> + EFI_DB_DEFAULT_VARIABLE_NAME, >> + &gEfiImageSecurityDatabaseGuid >> + ); >> + >> + return Status; >> +} >> + >> +/** >> + Sets the content of the 'dbx' variable based on 'dbxDefault' variable= content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. 
>> + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () >> +**/ >> +EFI_STATUS >> +EFIAPI >> +EnrollDbxFromDefault ( >> + VOID >> +) >> +{ >> + EFI_STATUS Status; >> + >> + Status =3D EnrollFromDefault ( >> + EFI_IMAGE_SECURITY_DATABASE1, >> + EFI_DBX_DEFAULT_VARIABLE_NAME, >> + &gEfiImageSecurityDatabaseGuid >> + ); >> + >> + return Status; >> +} >> + >> +/** >> + Sets the content of the 'dbt' variable based on 'dbtDefault' variable= content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () >> +**/ >> +EFI_STATUS >> +EFIAPI >> +EnrollDbtFromDefault ( >> + VOID >> +) >> +{ >> + EFI_STATUS Status; >> + >> + Status =3D EnrollFromDefault ( >> + EFI_IMAGE_SECURITY_DATABASE2, >> + EFI_DBT_DEFAULT_VARIABLE_NAME, >> + &gEfiImageSecurityDatabaseGuid); >> + >> + return Status; >> +} >> + >> +/** >> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable= content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. >> + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () >> +**/ >> +EFI_STATUS >> +EFIAPI >> +EnrollKEKFromDefault ( >> + VOID >> +) >> +{ >> + EFI_STATUS Status; >> + >> + Status =3D EnrollFromDefault ( >> + EFI_KEY_EXCHANGE_KEY_NAME, >> + EFI_KEK_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid >> + ); >> + >> + return Status; >> +} >> + >> +/** >> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable= content. >> + >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails >> + while VendorGuid is NULL. 
>> + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () >> +**/ >> +EFI_STATUS >> +EFIAPI >> +EnrollPKFromDefault ( >> + VOID >> +) >> +{ >> + EFI_STATUS Status; >> + >> + Status =3D EnrollFromDefault ( >> + EFI_PLATFORM_KEY_NAME, >> + EFI_PK_DEFAULT_VARIABLE_NAME, >> + &gEfiGlobalVariableGuid >> + ); >> + >> + return Status; >> +} >> diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBo= otVariableProvisionLib.uni b/SecurityPkg/Library/SecureBootVariableProvisio= nLib/SecureBootVariableProvisionLib.uni >> new file mode 100644 >> index 0000000000..68d928ef30 >> --- /dev/null >> +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVaria= bleProvisionLib.uni >> @@ -0,0 +1,16 @@ >> +// /** @file >> +// >> +// Provides initialization of Secure Boot keys and databases. >> +// >> +// Copyright (c) 2021, ARM Ltd. All rights reserved.
>> +// Copyright (c) 2021, Semihalf All rights reserved.
>> +// >> +// SPDX-License-Identifier: BSD-2-Clause-Patent >> +// >> +// **/ >> + >> + >> +#string STR_MODULE_ABSTRACT #language en-US "Provides funct= ions to initialize PK, KEK and databases based on default variables." >> + >> +#string STR_MODULE_DESCRIPTION #language en-US "Provides funct= ions to initialize PK, KEK and databases based on default variables." >> + >> -- >> 2.25.1 >> >> >> >>=20 >> >>