From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from EUR03-AM5-obe.outbound.protection.outlook.com (EUR03-AM5-obe.outbound.protection.outlook.com [40.107.3.51]) by mx.groups.io with SMTP id smtpd.web12.5472.1622023928960872460 for ; Wed, 26 May 2021 03:12:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@armh.onmicrosoft.com header.s=selector2-armh-onmicrosoft-com header.b=dQoFnNJv; spf=pass (domain: arm.com, ip: 40.107.3.51, mailfrom: sunny.wang@arm.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=evPrgigli5FDX02muCrGks0OpmaUOVZwYrp6E9nTqkM=; b=dQoFnNJv4TOXEKu8wujTgvvhDw9wUPfdHwgHxpXw6lV3ad9CLgqzesTXageaGPid+KZrW0klmQpDcXO5d3MnShJ0qtBYNdwFnsdrmnn444ZfoMWMajEqglNs7sFz4RQMHrXWc2U5FEPKMLxvWEjRwdQ78xU6oxFAfD9O52yLzK0= Received: from AM5PR0602CA0019.eurprd06.prod.outlook.com (2603:10a6:203:a3::29) by DB9PR08MB6492.eurprd08.prod.outlook.com (2603:10a6:10:23d::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.26; Wed, 26 May 2021 10:12:06 +0000 Received: from VE1EUR03FT057.eop-EUR03.prod.protection.outlook.com (2603:10a6:203:a3:cafe::c3) by AM5PR0602CA0019.outlook.office365.com (2603:10a6:203:a3::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4173.20 via Frontend Transport; Wed, 26 May 2021 10:12:06 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; edk2.groups.io; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;edk2.groups.io; dmarc=pass action=none header.from=arm.com; Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com; Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT057.mail.protection.outlook.com (10.152.19.123) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4129.25 via Frontend Transport; Wed, 26 May 2021 10:12:05 +0000 Received: ("Tessian outbound 0f1e4509c199:v92"); Wed, 26 May 2021 10:12:05 +0000 X-CR-MTA-TID: 64aa7808 Received: from aac6b28dd91c.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 940ED1AD-23AB-4EAD-B9E7-7CD80A81E1EB.1; Wed, 26 May 2021 10:11:54 +0000 Received: from EUR05-AM6-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id aac6b28dd91c.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Wed, 26 May 2021 10:11:54 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gEggrrNdcN7jexUDyMLDZpqUI/vRbrEujtuZP1OvxvjPXILDZL7k5SM7HhG8zfh6OegwxhDthUFh3O1BU73MJp22R9UvDILC5iVmCDIm4+4S/KtuaFhyL80AaRHVhzVsNQxESfT9fBoM7un63OI9l5nccgCGAACph8t/HudMIC9Z8jqgxE8DUlCQTewsLwxxihdQJvgpMYNRG799q/yyjed/6Zb5gvR0Rbs8QM22BQzqLNJacwBp6OVfRp3FCoeK1s/OySlnQCbuN/4OYlDJ+WwD2yRd+3JdSphR86rqBDtWadpYoT03YfTFbKjvK/UePIGORc07XPASZx9taGFs+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=evPrgigli5FDX02muCrGks0OpmaUOVZwYrp6E9nTqkM=; b=CcIrzHDkBBxgvAKi+HelufMw1yP10ZP726AqRqhWHzoWGMZnesbtjDo6qzJ7hUUNXiT8MI5nFuIbA5s38U8b/l6v7WvgBDddMX7ygEnSgYVwq7nwk0FYIxuOzPIRNsKwfVAxDJcxyE/Bl7NjEjC/kj+TOrcDoeqCpwWxF1a3+bXQuJbbanMrEH4I7HQNz2TJ2+T3xfYAk8x/mkFc0Wp17+cZ0Yv2bnDxhRk88B1eBuIo+KTvwA54Mb4SxX23TQhaNnh3oxthk1xgjVLXjG4xZupEaosZp74lqVcjObZPC6byt0gxPQv5v3wxtxEhOxmBVmkaiRjV5WZ5aSeX3s4Asg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=evPrgigli5FDX02muCrGks0OpmaUOVZwYrp6E9nTqkM=; b=dQoFnNJv4TOXEKu8wujTgvvhDw9wUPfdHwgHxpXw6lV3ad9CLgqzesTXageaGPid+KZrW0klmQpDcXO5d3MnShJ0qtBYNdwFnsdrmnn444ZfoMWMajEqglNs7sFz4RQMHrXWc2U5FEPKMLxvWEjRwdQ78xU6oxFAfD9O52yLzK0= Received: from DB8PR08MB3993.eurprd08.prod.outlook.com (2603:10a6:10:ad::26) by DB6PR0801MB1654.eurprd08.prod.outlook.com (2603:10a6:4:3a::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.25; Wed, 26 May 2021 10:11:51 +0000 Received: from DB8PR08MB3993.eurprd08.prod.outlook.com ([fe80::9154:9191:b8a3:388c]) by DB8PR08MB3993.eurprd08.prod.outlook.com ([fe80::9154:9191:b8a3:388c%7]) with mapi id 15.20.4173.020; Wed, 26 May 2021 10:11:51 +0000 From: "Sunny Wang" To: "devel@edk2.groups.io" , Sunny Wang , Grzegorz Bernacki CC: "leif@nuviainc.com" , "ardb+tianocore@kernel.org" , Samer El-Haj-Mahmoud , "upstream@semihalf.com" , "jiewen.yao@intel.com" , "jian.j.wang@intel.com" , "min.m.xu@intel.com" , "lersek@redhat.com" Subject: Re: [edk2-devel] [PATCH 1/6] SecurityPkg: Create library for setting Secure Boot variables. Thread-Topic: [edk2-devel] [PATCH 1/6] SecurityPkg: Create library for setting Secure Boot variables. Thread-Index: AQHXUhN8+RcngL8buEGwXdwiWFTk36r1hsqQgAACMLA= Date: Wed, 26 May 2021 10:11:51 +0000 Message-ID: References: <20210526094204.73600-1-gjb@semihalf.com> <20210526094204.73600-3-gjb@semihalf.com> <1682957906E2CAD3.2072@groups.io> In-Reply-To: <1682957906E2CAD3.2072@groups.io> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ts-tracking-id: E61343D7AACA2A4F90A26E3690DFB17D.0 x-checkrecipientchecked: true Authentication-Results-Original: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=arm.com; x-originating-ip: [2001:b011:200f:40dc:1082:4e81:1cf8:48a3] x-ms-publictraffictype: Email X-MS-Office365-Filtering-Correlation-Id: c56b8238-be18-4e95-780f-08d9202eb6d6 x-ms-traffictypediagnostic: DB6PR0801MB1654:|DB9PR08MB6492: x-ms-exchange-transport-forked: True X-Microsoft-Antispam-PRVS: x-checkrecipientrouted: true nodisclaimer: true x-ms-oob-tlc-oobclassifiers: OLM:191;OLM:191; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam-Untrusted: BCL:0; X-Microsoft-Antispam-Message-Info-Original: LXfaDaM4zCGqLux0JxJ4K9NAKTju3uHji4RiNJvmMldmRYOpeKgiUux9ZqwnRlEQoMnf5dhVdaYQR0ggtWoe+ydPZSVGJ9g8Wp/2xyT4twV7aBVo7ttxcfWXmZaVTOtBuv19c2ggZhbTQJHk7Pq/dvrlsvbp5oUx6AKsdPM97/WnieckGkTp/esrdgUNsajIvBp80fwrsEgR1jieJNhu+RbuM3QqUFA5sj4f81NSaSJHMHxiVVG1AReD/hWlc7avP3P09Z/Bj8q3qpJfDWK2FJk7drsWeAPxjn83QqjyLSgxpiJUJY+JD7kKtbwjQV7O+nCHJJTOnJpCO8pJbYZhKV/hLmWHVOc5y7UMucwe3U9JFusWSEd3ls9mRRpYHmANyOz0sPrUAptgIQ6WuvtrC/N/CG5+rEiUZNzO7RgeVxCoy6wuZSkQrPl5VQVQeKU8u75LtZCXXPJdS+hjPqpX8XURPBVZPPYiaouL5ysqxF/wkO9XCxiCsmkzTQz+ztkVzyKvFGUwulijDfjwNE+l4y7P65ED/U7SXW2AkIYB/y2zXCWuAYsqxlYfhG/CyUNZWmueFrS3ldrMxkgY83/gx1NErsBSMvmfpXl+pmcsCt4Z0TQkNEEb1LGHsQoVTfHCg7zF7znh165mL5qrBKMtEtpcqAqswSUX7PtJnBp+MBaJkuli+b7mlr1Zrp6sIKYMR1SHv6HWgtWXkPqZgajfXcEMxFzSGCEa0JZbKnijpqI= X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DB8PR08MB3993.eurprd08.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(396003)(346002)(376002)(136003)(39860400002)(366004)(33656002)(7696005)(8936002)(38100700002)(186003)(71200400001)(2906002)(6506007)(53546011)(4326008)(83380400001)(8676002)(122000001)(9686003)(52536014)(76116006)(478600001)(316002)(966005)(55016002)(54906003)(19627235002)(5660300002)(66476007)(66446008)(66946007)(64756008)(66556008)(110136005)(15650500001)(30864003)(86362001)(579004)(559001);DIR:OUT;SFP:1101; x-ms-exchange-antispam-messagedata: =?us-ascii?Q?vHQn8tn145rhRqXGxb8G4Tc6RWd0nk52WE1MDDgZ0QvAHtf5IWvnvz7bIBRw?= =?us-ascii?Q?RHlAQtRNWWUv2IPuWc2cE+qF7CFsBilmJMeEI7ghIDmuer+bW1pe0eVvffxr?= =?us-ascii?Q?59gpH98LOZDJF0uAXVDydayt9L/7zZNAP16NbD3aSsRqLXHHOjw3llNKdn8n?= =?us-ascii?Q?vfLW37y25iFV2QMuICZeIYekwkaNJRjRsKp9zqikl7q6hcRAJms4TZxO1tX/?= =?us-ascii?Q?7nE5A6hqrvYjF8qA1TPmu1sXZP9PN1kyYcny2RG9fS5ujXlK6n4xoL6Z+zVZ?= =?us-ascii?Q?tPMyWizIdkLaEq6Whut1g5TepU0CKHgrzUxI9xk41wZ0BlmB+QegKvOFGbQl?= =?us-ascii?Q?+Wpjaeogvb04VMHOFxaXs5dmvfvK75anWGCurvt3hoohMokpl0T62Sz1ZNIV?= =?us-ascii?Q?rQQNS4eUpHqf0hMMMFAxMPP6xCz6TZvBUSiOs/049W1uatD07ti0FG8XV6BC?= =?us-ascii?Q?eVZYDT3E4bul5tOY68l24FBDAQS4blLOh3oyftHYoGZJltcz7oldUU6BxxsW?= =?us-ascii?Q?htS4WSBryujtJdJ7roW3oRwN4uauAg6wBy5KExHcGBdTlmVcR8Z7TzVcoEMZ?= =?us-ascii?Q?DtUUjNYhRxqINjDjmZLSfjN2aQZh7aqe00i2wy4eG2MW5U3HGc18wIZ9b1sv?= =?us-ascii?Q?Y/N0QlnRCWGSM3Y+K74dysMdCLuJJM8g54Pe7eHHy9BpJc9P4L1faVF9R9a9?= =?us-ascii?Q?H57Pa0QzuangeQw33st3IHDSuh59/kmdsOWD+IU5fES4R8NUykeI71s1GvQt?= =?us-ascii?Q?dWLJwbJgX7GyLRpXd6UXluCZOdFBND+mgB0k5VQEVAMLrCQRuQjnaWIWIuI9?= =?us-ascii?Q?jLYOCl4409OTf6PEivFeNT7hy4VPkhRUzubniLauRIT1sIImvZbbayx9Qbqa?= =?us-ascii?Q?DhyOh9dFuosCUrO6GtrAOnx07hXOnSDbGozG4MlqRWqXkbb3GDovLq9JdHqk?= =?us-ascii?Q?kWW8mwpnHPugoVJzJvraAd+g3e5aWlU4bXI9nCAS+071KBUYHwWNLYUG6bd5?= =?us-ascii?Q?jGxbH6N0OShDTafgaAc6IYnECt5UeYwzK1yvbhGjLLH39tjx/KT+B/l5FyKM?= =?us-ascii?Q?DMpcSbkaf0OUnmwu5W0tzQHISsP5eOHtsEbXiyeOEITi7d35Y7/3sIfVDgeE?= =?us-ascii?Q?TjuKFPnXNK8GXgYkPHYaDUiH+JINR3ilhGI5kZOKxnV9C7cdbvjQNT/QvtJw?= =?us-ascii?Q?emW0BkSv+S7DMxsC2mbQRC6nHwV/Y6jCFRE3/rq8WjmlHNUVd2P1BPFbjtjL?= =?us-ascii?Q?fSLT2JRTe2IhHm7iIWUu/N9BKR4dJpWncFDpwXmg45It/0box1dvPdwD3+tY?= =?us-ascii?Q?gnPG11aFRbEcCXNxoFT3p+fN8s4jFWr+ctiIj42IKviPSLYzdtTIW41I67pZ?= =?us-ascii?Q?5Fkz4+qaCkci77RMc2QKEF43V6be?= MIME-Version: 1.0 X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0801MB1654 Original-Authentication-Results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=arm.com; Return-Path: Sunny.Wang@arm.com X-EOPAttributedMessage: 0 X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT057.eop-EUR03.prod.protection.outlook.com X-MS-Office365-Filtering-Correlation-Id-Prvs: 911fdd93-1f51-48de-1f8e-08d9202eae81 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: lNUnKJSWYzBfSCpulQB/C1WyT8AbjIUGQ4a9J70LS8QhHbGff08umozWvc84YOQ4tY6oUjL+0gl2yf0up2Yqb80Yxjj0U9c21UHIlDTO5W1kbxOcXAqZhH0Yc3aifA+BmfQ7q4SRrIEb3Mh+E71P0GjBTmP4DPnYreo6lmACqlp8khyUmNxFT1E13hQZjBKUO4tonm22PzjuFAtaFpJQYRFCZSDvRvtiHIB1WVpfAmfBIU/CGbSRz3SvjEEg9OGFoI/Q8E4SRhiZSSVWeSN9BJwBqKxHcQsIwe4clv/fERqlnbPFxJRo4iSBquoBYTaMlQeGdJ8Ym0KC7Dnt6eg16PLm+NdgynFVvxrXTthl7Bn/aUu/5RylaVpwZMsMtXvQALn7MgBSrVZtx3i54HhWRsnA2kLC1RdIhOpBcS2hELKP3gtmiRSB06NMD83aVf2UF8FyJthQNKTmgozDcN5zz3ZhR9FJcxB3WSHtTstw0vJdae1tBspHz9Xg1V5RwdQ6g/nn1H/I64kbSu0QXkXq5hfExmfcH4Uvf8uMbexLxgFkzyzXsRSDLNWrbvTddAhH653sB8rAHW7GEDZgaT8cLJvc/LYq/UeQZ2VjSCrc9V2TeOT618lALAgBmLHv8nHet0+WvnF73KPlzBjMzw/OMMlIN98LZo29DvbLU1uqNuzUfvYNYTGhAcOnx7JMogyyrvzDSVWN4v9FjmA+ed4AL0E6HDDQbyM3y0YjCnMYrWSK3fQEvxOSv90wYONbY2D8DnvDejqtimT1KC/lE1CQDA== X-Forefront-Antispam-Report: CIP:63.35.35.123;CTRY:IE;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:64aa7808-outbound-1.mta.getcheckrecipient.com;PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com;CAT:NONE;SFS:(4636009)(346002)(39860400002)(376002)(136003)(396003)(36840700001)(46966006)(70206006)(336012)(70586007)(19627235002)(53546011)(15650500001)(186003)(33656002)(82310400003)(316002)(54906003)(7696005)(9686003)(966005)(55016002)(5660300002)(26005)(107886003)(8936002)(86362001)(478600001)(81166007)(52536014)(82740400003)(36860700001)(8676002)(47076005)(2906002)(356005)(30864003)(4326008)(6506007)(110136005)(83380400001)(579004)(559001);DIR:OUT;SFP:1101; X-OriginatorOrg: arm.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 May 2021 10:12:05.6409 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: c56b8238-be18-4e95-780f-08d9202eb6d6 X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d;Ip=[63.35.35.123];Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com] X-MS-Exchange-CrossTenant-AuthSource: VE1EUR03FT057.eop-EUR03.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR08MB6492 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Just aware that the patch series hasn't been sent out by devel@edk2.groups.= io. I will review other related patches once the patch series gets sent out by= devel@edk2.groups.io. Best Regards, Sunny Wang -----Original Message----- From: devel@edk2.groups.io On Behalf Of Sunny Wang = via groups.io Sent: Wednesday, May 26, 2021 5:59 PM To: Grzegorz Bernacki ; devel@edk2.groups.io Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud ; upstream@semihalf.com; jiewen.yao@intel.com; j= ian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com Subject: Re: [edk2-devel] [PATCH 1/6] SecurityPkg: Create library for sett= ing Secure Boot variables. Already internally reviewed this. Looks good! Thanks for working on this, = Greg! Reviewed-by: Sunny Wang -----Original Message----- From: Grzegorz Bernacki Sent: Wednesday, May 26, 2021 5:42 PM To: devel@edk2.groups.io Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud ; Sunny Wang ; gjb@semihalf.= com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; mi= n.m.xu@intel.com; lersek@redhat.com Subject: [PATCH 1/6] SecurityPkg: Create library for setting Secure Boot v= ariables. This commits add library, which consist functions related creation/removal Secure Boot variables. Some of the functions was moved from SecureBootConfigImpl.c file. Signed-off-by: Grzegorz Bernacki --- SecurityPkg/SecurityPkg.dsc = | 1 + SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf = | 79 ++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe= .inf | 1 + SecurityPkg/Include/Library/SecBootVariableLib.h = | 252 +++++ SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c = | 979 ++++++++++++++++++++ SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImp= l.c | 189 +--- SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni = | 16 + 7 files changed, 1329 insertions(+), 188 deletions(-) create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariable= Lib.inf create mode 100644 SecurityPkg/Include/Library/SecBootVariableLib.h create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariable= Lib.c create mode 100644 SecurityPkg/Library/SecBootVariableLib/SecBootVariable= Lib.uni diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index bd4b810bce..c7658e00cb 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -70,6 +70,7 @@ RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventL= ogRecordLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLib= Null.inf + SecBootDefaultKeyLib|SecurityPkg/Library/SecBootVariableLib/SecBootVari= ableLib.inf [LibraryClasses.ARM] # diff --git a/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf= b/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf new file mode 100644 index 0000000000..357b3f27a5 --- /dev/null +++ b/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.inf @@ -0,0 +1,79 @@ +## @file +# Provides initialization of Secure Boot keys and databases. +# +# Copyright (c) 2021, ARM Ltd. All rights reserved.
+# Copyright (c) 2021, Semihalf All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SecBootVariableLib + MODULE_UNI_FILE =3D SecBootVariableLib.uni + FILE_GUID =3D D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D SecBootVariableLib|DXE_DRIVER DXE_RU= NTIME_DRIVER UEFI_APPLICATION + +# +# The following information is for reference only and not required by the= build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 +# + +[Sources] + SecBootVariableLib.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + CryptoPkg/CryptoPkg.dec + +[LibraryClasses] + BaseLib + BaseMemoryLib + DebugLib + MemoryAllocationLib + BaseCryptLib + DxeServicesLib + +[Guids] + ## CONSUMES ## Variable:L"SetupMode" + ## PRODUCES ## Variable:L"SetupMode" + ## CONSUMES ## Variable:L"SecureBoot" + ## PRODUCES ## Variable:L"SecureBoot" + ## PRODUCES ## Variable:L"PK" + ## PRODUCES ## Variable:L"KEK" + ## CONSUMES ## Variable:L"PKDefault" + ## CONSUMES ## Variable:L"KEKDefault" + ## CONSUMES ## Variable:L"dbDefault" + ## CONSUMES ## Variable:L"dbxDefault" + ## CONSUMES ## Variable:L"dbtDefault" + gEfiGlobalVariableGuid + + ## SOMETIMES_CONSUMES ## Variable:L"DB" + ## SOMETIMES_CONSUMES ## Variable:L"DBX" + ## SOMETIMES_CONSUMES ## Variable:L"DBT" + gEfiImageSecurityDatabaseGuid + + ## CONSUMES ## Variable:L"SecureBootEnable" + ## PRODUCES ## Variable:L"SecureBootEnable" + gEfiSecureBootEnableDisableGuid + + ## CONSUMES ## Variable:L"CustomMode" + ## PRODUCES ## Variable:L"CustomMode" + gEfiCustomModeEnableGuid + + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES + gEfiCertX509Guid ## CONSUMES + gEfiCertPkcs7Guid ## CONSUMES + + gDefaultPKFileGuid + gDefaultKEKFileGuid + gDefaultdbFileGuid + gDefaultdbxFileGuid + gDefaultdbtFileGuid + diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureB= ootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Se= cureBootConfigDxe.inf index 573efa6379..ae93712569 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igDxe.inf @@ -54,6 +54,7 @@ DevicePathLib FileExplorerLib PeCoffLib + SecBootVariableLib [Guids] ## SOMETIMES_CONSUMES ## Variable:L"CustomMode" diff --git a/SecurityPkg/Include/Library/SecBootVariableLib.h b/SecurityPk= g/Include/Library/SecBootVariableLib.h new file mode 100644 index 0000000000..e7988ea648 --- /dev/null +++ b/SecurityPkg/Include/Library/SecBootVariableLib.h @@ -0,0 +1,252 @@ +/** @file + Provides a function to enroll keys based on default values. + +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP
+Copyright (c) 2021, ARM Ltd. All rights reserved.
+Copyright (c) 2021, Semihalf All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __SEC_BOOT_VARIABLE_LIB_H__ +#define __SEC_BOOT_VARIABLE_LIB_H__ + +/** + + Set the platform secure boot mode into "Custom" or "Standard" mode. + + @param[in] SecureBootMode New secure boot mode: STANDARD_SECUR= E_BOOT_MODE or + CUSTOM_SECURE_BOOT_MODE. + + @return EFI_SUCCESS The platform has switched to the spe= cial mode successfully. + @return other Fail to operate the secure boot mode= . + +--*/ +EFI_STATUS +SetSecureBootMode ( + IN UINT8 SecureBootMode +); + +/** + Fetches the value of SetupMode variable. + + @param[out] SetupMode Pointer to UINT8 for SetupMode output + + @retval other Error codes from GetVariable. +--*/ +BOOLEAN +EFIAPI +CheckSetupMode ( + OUT UINT8 *SetupMode +); + +/** + Create a time based data payload by concatenating the EFI_VARIABLE_AUTH= ENTICATION_2 + descriptor with the input data. NO authentication is required in this f= unction. + + @param[in, out] DataSize On input, the size of Data buffer in b= ytes. + On output, the size of data returned i= n Data + buffer in bytes. + @param[in, out] Data On input, Pointer to data buffer to be= wrapped or + pointer to NULL to wrap an empty paylo= ad. + On output, Pointer to the new payload = date buffer allocated from pool, + it's caller's responsibility to free t= he memory when finish using it. + + @retval EFI_SUCCESS Create time based payload successfully= . + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources = to create time based payload. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval Others Unexpected error happens. + +--*/ +EFI_STATUS +CreateTimeBasedPayload ( + IN OUT UINTN *DataSize, + IN OUT UINT8 **Data +); + +/** + Sets the content of the 'db' variable based on 'dbDefault' variable con= tent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime()= and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollDbFromDefault ( + VOID +); + +/** + Clears the content of the 'db' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime()= and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeleteDb ( + VOID +); + +/** + Sets the content of the 'dbx' variable based on 'dbxDefault' variable c= ontent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime()= and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollDbxFromDefault ( + VOID +); + +/** + Clears the content of the 'dbx' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime()= and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeleteDbx ( + VOID +); + +/** + Sets the content of the 'dbt' variable based on 'dbtDefault' variable c= ontent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime()= and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollDbtFromDefault ( + VOID +); + +/** + Clears the content of the 'dbt' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime()= and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeleteDbt ( + VOID +); + +/** + Sets the content of the 'KEK' variable based on 'KEKDefault' variable c= ontent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime()= and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollKEKFromDefault ( + VOID +); + +/** + Clears the content of the 'KEK' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime()= and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeleteKEK ( + VOID +); + +/** + Sets the content of the 'PK' variable based on 'PKDefault' variable con= tent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime()= and SetVariable() +--*/ +EFI_STATUS +EFIAPI +EnrollPKFromDefault ( + VOID +); + +/** + Clears the content of the 'PK' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2(), GetTime()= and SetVariable() +--*/ +EFI_STATUS +EFIAPI +DeletePlatformKey ( + VOID +); + +/** Initializes PKDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecBootInitPKDefault ( + IN VOID + ); + +/** Initializes KEKDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecBootInitKEKDefault ( + IN VOID + ); + +/** Initializes dbDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecBootInitdbDefault ( + IN VOID + ); + +/** Initializes dbtDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecBootInitdbtDefault ( + IN VOID + ); + +/** Initializes dbxDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecBootInitdbxDefault ( + IN VOID + ); +#endif diff --git a/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c b= /SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c new file mode 100644 index 0000000000..8cbaa7d60a --- /dev/null +++ b/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.c @@ -0,0 +1,979 @@ +/** @file + This library provides functions to set/clear Secure Boot + keys and databases. + +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
+(C) Copyright 2018 Hewlett Packard Enterprise Development LP
+Copyright (c) 2021, ARM Ltd. All rights reserved.
+Copyright (c) 2021, Semihalf All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "Library/DxeServicesLib.h" + +/** Creates EFI Signature List structure. + + @param[in] Data A pointer to signature data. + @param[in] Size Size of signature data. + @param[out] SigList Created Signature List. + + @retval EFI_SUCCESS Signature List was created successfully. + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. +--*/ +STATIC +EFI_STATUS +CreateSigList ( + IN VOID *Data, + IN UINTN Size, + OUT EFI_SIGNATURE_LIST **SigList + ) +{ + UINTN SigListSize; + EFI_SIGNATURE_LIST *TmpSigList; + EFI_SIGNATURE_DATA *SigData; + + // + // Allocate data for Signature Database + // + SigListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DAT= A) - 1 + Size; + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize); + if (TmpSigList =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Only gEfiCertX509Guid type is supported + // + TmpSigList->SignatureListSize =3D (UINT32)SigListSize; + TmpSigList->SignatureSize =3D (UINT32) (sizeof (EFI_SIGNATURE_DATA) - 1= + Size); + TmpSigList->SignatureHeaderSize =3D 0; + CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid); + + // + // Copy key data + // + SigData =3D (EFI_SIGNATURE_DATA *) (TmpSigList + 1); + CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid); + CopyMem (&SigData->SignatureData[0], Data, Size); + + *SigList =3D TmpSigList; + + return EFI_SUCCESS; +} + +/** Adds new signature list to signature database. + + @param[in] SigLists A pointer to signature database. + @param[in] SiglListAppend A signature list to be added. + @param[out] *SigListOut Created signature database. + @param[out] SigListsSize A size of created signature database. + + @retval EFI_SUCCESS Signature List was added successfully. + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. +--*/ +STATIC +EFI_STATUS +ConcatenateSigList ( + IN EFI_SIGNATURE_LIST *SigLists, + IN EFI_SIGNATURE_LIST *SigListAppend, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN OUT UINTN *SigListsSize +) +{ + EFI_SIGNATURE_LIST *TmpSigList; + UINT8 *Offset; + UINTN NewSigListsSize; + + NewSigListsSize =3D *SigListsSize + SigListAppend->SignatureListSize; + + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSize= ); + if (TmpSigList =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + CopyMem (TmpSigList, SigLists, *SigListsSize); + + Offset =3D (UINT8 *)TmpSigList; + Offset +=3D *SigListsSize; + CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSiz= e); + + *SigListsSize =3D NewSigListsSize; + *SigListOut =3D TmpSigList; + return EFI_SUCCESS; +} + +/** + Create a EFI Signature List with data fetched from section specified as= a argument. + Found keys are verified using RsaGetPublicKeyFromX509(). + + @param[in] KeyFileGuid A pointer to to the FFS filename GUID + @param[out] SigListsSize A pointer to size of signature list + @param[out] SigListsOut a pointer to a callee-allocated buffer= with signature lists + + @retval EFI_SUCCESS Create time based payload successfully= . + @retval EFI_NOT_FOUND Section with key has not been found. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval Others Unexpected error happens. + +--*/ +STATIC +EFI_STATUS +SecBootFetchData ( + IN EFI_GUID *KeyFileGuid, + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut +) +{ + EFI_SIGNATURE_LIST *EfiSig; + EFI_SIGNATURE_LIST *TmpEfiSig; + EFI_SIGNATURE_LIST *TmpEfiSig2; + EFI_STATUS Status; + VOID *Buffer; + VOID *RsaPubKey; + UINTN Size; + UINTN KeyIndex; + + + KeyIndex =3D 0; + EfiSig =3D NULL; + *SigListsSize =3D 0; + while (1) { + Status =3D GetSectionFromAnyFv ( + KeyFileGuid, + EFI_SECTION_RAW, + KeyIndex, + &Buffer, + &Size + ); + + if (Status =3D=3D EFI_SUCCESS) { + RsaPubKey =3D NULL; + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FALSE= ) { + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__= , KeyIndex)); + if (EfiSig !=3D NULL) { + FreePool(EfiSig); + } + FreePool(Buffer); + return EFI_INVALID_PARAMETER; + } + + Status =3D CreateSigList (Buffer, Size, &TmpEfiSig); + + // + // Concatenate lists if more than one section found + // + if (KeyIndex =3D=3D 0) { + EfiSig =3D TmpEfiSig; + *SigListsSize =3D TmpEfiSig->SignatureListSize; + } else { + ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize)= ; + FreePool (EfiSig); + FreePool (TmpEfiSig); + EfiSig =3D TmpEfiSig2; + } + + KeyIndex++; + FreePool (Buffer); + } if (Status =3D=3D EFI_NOT_FOUND) { + break; + } + }; + + if (KeyIndex =3D=3D 0) { + return EFI_NOT_FOUND; + } + + *SigListOut =3D EfiSig; + + return EFI_SUCCESS; +} + +/** + Create a time based data payload by concatenating the EFI_VARIABLE_AUTH= ENTICATION_2 + descriptor with the input data. NO authentication is required in this f= unction. + + @param[in, out] DataSize On input, the size of Data buffer in b= ytes. + On output, the size of data returned i= n Data + buffer in bytes. + @param[in, out] Data On input, Pointer to data buffer to be= wrapped or + pointer to NULL to wrap an empty paylo= ad. + On output, Pointer to the new payload = date buffer allocated from pool, + it's caller's responsibility to free t= he memory when finish using it. + + @retval EFI_SUCCESS Create time based payload successfully= . + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources = to create time based payload. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval Others Unexpected error happens. + +--*/ +EFI_STATUS +CreateTimeBasedPayload ( + IN OUT UINTN *DataSize, + IN OUT UINT8 **Data + ) +{ + EFI_STATUS Status; + UINT8 *NewData; + UINT8 *Payload; + UINTN PayloadSize; + EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; + UINTN DescriptorSize; + EFI_TIME Time; + + if (Data =3D=3D NULL || DataSize =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + // + // In Setup mode or Custom mode, the variable does not need to be signe= d but the + // parameters to the SetVariable() call still need to be prepared as au= thenticated + // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor witho= ut certificate + // data in it. + // + Payload =3D *Data; + PayloadSize =3D *DataSize; + + DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInf= o) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); + NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); + if (NewData =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { + CopyMem (NewData + DescriptorSize, Payload, PayloadSize); + } + + DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); + + ZeroMem (&Time, sizeof (EFI_TIME)); + Status =3D gRT->GetTime (&Time, NULL); + if (EFI_ERROR (Status)) { + FreePool(NewData); + return Status; + } + Time.Pad1 =3D 0; + Time.Nanosecond =3D 0; + Time.TimeZone =3D 0; + Time.Daylight =3D 0; + Time.Pad2 =3D 0; + CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); + + DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERTIF= ICATE_UEFI_GUID, CertData); + DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; + DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT_TYPE_EFI_GUI= D; + CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); + + if (Payload !=3D NULL) { + FreePool(Payload); + } + + *DataSize =3D DescriptorSize + PayloadSize; + *Data =3D NewData; + return EFI_SUCCESS; +} + +/** + Internal helper function to delete a Variable given its name and GUID, = NO authentication + required. + + @param[in] VariableName Name of the Variable. + @param[in] VendorGuid GUID of the Variable. + + @retval EFI_SUCCESS Variable deleted successfully. + @retval Others The driver failed to start the device. + +--*/ +EFI_STATUS +DeleteVariable ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid + ) +{ + EFI_STATUS Status; + VOID* Variable; + UINT8 *Data; + UINTN DataSize; + UINT32 Attr; + + GetVariable2 (VariableName, VendorGuid, &Variable, NULL); + if (Variable =3D=3D NULL) { + return EFI_SUCCESS; + } + FreePool (Variable); + + Data =3D NULL; + DataSize =3D 0; + Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | = EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; + + Status =3D CreateTimeBasedPayload (&DataSize, &Data); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", St= atus)); + return Status; + } + + Status =3D gRT->SetVariable ( + VariableName, + VendorGuid, + Attr, + DataSize, + Data + ); + if (Data !=3D NULL) { + FreePool (Data); + } + return Status; +} + +/** + + Set the platform secure boot mode into "Custom" or "Standard" mode. + + @param[in] SecureBootMode New secure boot mode: STANDARD_SECUR= E_BOOT_MODE or + CUSTOM_SECURE_BOOT_MODE. + + @return EFI_SUCCESS The platform has switched to the spe= cial mode successfully. + @return other Fail to operate the secure boot mode= . + +--*/ +EFI_STATUS +SetSecureBootMode ( + IN UINT8 SecureBootMode + ) +{ + return gRT->SetVariable ( + EFI_CUSTOM_MODE_NAME, + &gEfiCustomModeEnableGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCE= SS, + sizeof (UINT8), + &SecureBootMode + ); +} + + +/** + Enroll a key/certificate based on a default variable. + + @param[in] VariableName The name of the key/database. + @param[in] DefaultName The name of the default variable. + @param[in] VendorGuid The namespace (ie. vendor GUID) of the v= ariable + + + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHeade= r. + @retval EFI_SUCCESS Successful enrollment. + @return Error codes from GetTime () and SetVaria= ble (). +--*/ +STATIC +EFI_STATUS +EnrollFromDefault ( + IN CHAR16 *VariableName, + IN CHAR16 *DefaultName, + IN EFI_GUID *VendorGuid + ) +{ + VOID *Data; + UINTN DataSize; + EFI_STATUS Status; + + Status =3D EFI_SUCCESS; + + DataSize =3D 0; + Status =3D GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &= DataSize); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName= , Status)); + return Status; + } + + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", St= atus)); + return Status; + } + + // + // Allocate memory for auth variable + // + Status =3D gRT->SetVariable ( + VariableName, + VendorGuid, + (EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), + DataSize, + Data + ); + + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, Va= riableName, + VendorGuid, Status)); + } + + if (Data !=3D NULL) { + FreePool (Data); + } + + return Status; +} + +/** Initializes PKDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecBootInitPKDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVaria= bleGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", E= FI_PK_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VAR= IABLE_NAME)); + + Status =3D SecBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSi= g); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARI= ABLE_NAME)); + return Status; + } + + Status =3D gRT->SetVariable ( + EFI_PK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_= ACCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAM= E)); + } + + FreePool (EfiSig); + + return Status; +} + +/** Initializes KEKDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecBootInitKEKDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVari= ableGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", E= FI_KEK_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VA= RIABLE_NAME)); + + Status =3D SecBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiS= ig); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VAR= IABLE_NAME)); + return Status; + } + + + Status =3D gRT->SetVariable ( + EFI_KEK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_= ACCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NA= ME)); + } + + FreePool (EfiSig); + + return Status; +} + +/** Initializes dbDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecBootInitdbDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVaria= bleGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", E= FI_DB_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VAR= IABLE_NAME)); + + Status =3D SecBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSi= g); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D gRT->SetVariable ( + EFI_DB_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_= ACCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_N= AME)); + } + + FreePool (EfiSig); + + return Status; +} + +/** Initializes dbxDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecBootInitdbxDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVari= ableGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", E= FI_DBX_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VA= RIABLE_NAME)); + + Status =3D SecBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiS= ig); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VAR= IABLE_NAME)); + return Status; + } + + Status =3D gRT->SetVariable ( + EFI_DBX_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_= ACCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NA= ME)); + } + + FreePool (EfiSig); + + return Status; +} + +/** Initializes dbtDefault variable with data from FFS section. + + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +--*/ +EFI_STATUS +SecBootInitdbtDefault ( + IN VOID + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + UINTN SigListsSize; + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVari= ableGuid, (VOID **) &Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", E= FI_DBT_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { + return Status; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VA= RIABLE_NAME)); + + Status =3D SecBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiS= ig); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D gRT->SetVariable ( + EFI_DBT_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_= ACCESS, + SigListsSize, + (VOID *)EfiSig + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NA= ME)); + } + + FreePool (EfiSig); + + return EFI_SUCCESS; +} + +/** + Fetches the value of SetupMode variable. + + @param[out] SetupMode Pointer to UINT8 for SetupMode output + + @retval other Retval from GetVariable. +--*/ +BOOLEAN +EFIAPI +CheckSetupMode ( + OUT UINT8 *SetupMode +) +{ + UINTN Size; + EFI_STATUS Status; + + Size =3D sizeof (*SetupMode); + Status =3D gRT->GetVariable ( + EFI_SETUP_MODE_NAME, + &gEfiGlobalVariableGuid, + NULL, + &Size, + SetupMode + ); + if (EFI_ERROR (Status)) { + return Status; + } + + return EFI_SUCCESS; +} + +/** + Sets the content of the 'db' variable based on 'dbDefault' variable con= tent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime = () and SetVariable () +--*/ +EFI_STATUS +EFIAPI +EnrollDbFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_IMAGE_SECURITY_DATABASE, + EFI_DB_DEFAULT_VARIABLE_NAME, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Clears the content of the 'db' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime = () and SetVariable () +--*/ +EFI_STATUS +EFIAPI +DeleteDb ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D DeleteVariable ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Sets the content of the 'dbx' variable based on 'dbxDefault' variable c= ontent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime = () and SetVariable () +--*/ +EFI_STATUS +EFIAPI +EnrollDbxFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_IMAGE_SECURITY_DATABASE1, + EFI_DBX_DEFAULT_VARIABLE_NAME, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Clears the content of the 'dbx' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime = () and SetVariable () +--*/ +EFI_STATUS +EFIAPI +DeleteDbx ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D DeleteVariable ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Sets the content of the 'dbt' variable based on 'dbtDefault' variable c= ontent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime = () and SetVariable () +--*/ +EFI_STATUS +EFIAPI +EnrollDbtFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_IMAGE_SECURITY_DATABASE2, + EFI_DBT_DEFAULT_VARIABLE_NAME, + &gEfiImageSecurityDatabaseGuid); + + return Status; +} + +/** + Clears the content of the 'dbt' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime = () and SetVariable () +--*/ +EFI_STATUS +EFIAPI +DeleteDbt ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D DeleteVariable ( + EFI_IMAGE_SECURITY_DATABASE2, + &gEfiImageSecurityDatabaseGuid + ); + + return Status; +} + +/** + Sets the content of the 'KEK' variable based on 'KEKDefault' variable c= ontent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime = () and SetVariable () +--*/ +EFI_STATUS +EFIAPI +EnrollKEKFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_KEY_EXCHANGE_KEY_NAME, + EFI_KEK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid + ); + + return Status; +} + +/** + Clears the content of the 'KEK' variable. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime = () and SetVariable () +--*/ +EFI_STATUS +EFIAPI +DeleteKEK ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D DeleteVariable ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid + ); + + return Status; +} + +/** + Sets the content of the 'KEK' variable based on 'KEKDefault' variable c= ontent. + + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE= _AUTHENTICATION_2 fails + while VendorGuid is NULL. + @retval other Errors from GetVariable2 (), GetTime = () and SetVariable () +--*/ +EFI_STATUS +EFIAPI +EnrollPKFromDefault ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D EnrollFromDefault ( + EFI_PLATFORM_KEY_NAME, + EFI_PK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid + ); + + return Status; +} + +/** + Remove the PK variable. + + @retval EFI_SUCCESS Delete PK successfully. + @retval Others Could not allow to delete PK. + +--*/ +EFI_STATUS +DeletePlatformKey ( + VOID +) +{ + EFI_STATUS Status; + + Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); + if (EFI_ERROR (Status)) { + return Status; + } + + Status =3D DeleteVariable ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid + ); + return Status; +} diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureB= ootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigImpl.c index e82bfe7757..562f55b087 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConf= igImpl.c @@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "SecureBootConfigImpl.h" #include +#include CHAR16 mSecureBootStorageName[] =3D L"SECUREBOOT_CONFIGURATI= ON"; @@ -237,168 +238,6 @@ SaveSecureBootVariable ( return Status; } -/** - Create a time based data payload by concatenating the EFI_VARIABLE_AUTH= ENTICATION_2 - descriptor with the input data. NO authentication is required in this f= unction. - - @param[in, out] DataSize On input, the size of Data buffer in b= ytes. - On output, the size of data returned i= n Data - buffer in bytes. - @param[in, out] Data On input, Pointer to data buffer to be= wrapped or - pointer to NULL to wrap an empty paylo= ad. - On output, Pointer to the new payload = date buffer allocated from pool, - it's caller's responsibility to free t= he memory when finish using it. - - @retval EFI_SUCCESS Create time based payload successfully= . - @retval EFI_OUT_OF_RESOURCES There are not enough memory resources = to create time based payload. - @retval EFI_INVALID_PARAMETER The parameter is invalid. - @retval Others Unexpected error happens. - -**/ -EFI_STATUS -CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data - ) -{ - EFI_STATUS Status; - UINT8 *NewData; - UINT8 *Payload; - UINTN PayloadSize; - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; - UINTN DescriptorSize; - EFI_TIME Time; - - if (Data =3D=3D NULL || DataSize =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - // - // In Setup mode or Custom mode, the variable does not need to be signe= d but the - // parameters to the SetVariable() call still need to be prepared as au= thenticated - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor witho= ut certificate - // data in it. - // - Payload =3D *Data; - PayloadSize =3D *DataSize; - - DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInf= o) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); - NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); - if (NewData =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { - CopyMem (NewData + DescriptorSize, Payload, PayloadSize); - } - - DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); - - ZeroMem (&Time, sizeof (EFI_TIME)); - Status =3D gRT->GetTime (&Time, NULL); - if (EFI_ERROR (Status)) { - FreePool(NewData); - return Status; - } - Time.Pad1 =3D 0; - Time.Nanosecond =3D 0; - Time.TimeZone =3D 0; - Time.Daylight =3D 0; - Time.Pad2 =3D 0; - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); - - DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERTIF= ICATE_UEFI_GUID, CertData); - DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; - DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT_TYPE_EFI_GUI= D; - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); - - if (Payload !=3D NULL) { - FreePool(Payload); - } - - *DataSize =3D DescriptorSize + PayloadSize; - *Data =3D NewData; - return EFI_SUCCESS; -} - -/** - Internal helper function to delete a Variable given its name and GUID, = NO authentication - required. - - @param[in] VariableName Name of the Variable. - @param[in] VendorGuid GUID of the Variable. - - @retval EFI_SUCCESS Variable deleted successfully. - @retval Others The driver failed to start the device. - -**/ -EFI_STATUS -DeleteVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid - ) -{ - EFI_STATUS Status; - VOID* Variable; - UINT8 *Data; - UINTN DataSize; - UINT32 Attr; - - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); - if (Variable =3D=3D NULL) { - return EFI_SUCCESS; - } - FreePool (Variable); - - Data =3D NULL; - DataSize =3D 0; - Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | = EFI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - - Status =3D CreateTimeBasedPayload (&DataSize, &Data); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", St= atus)); - return Status; - } - - Status =3D gRT->SetVariable ( - VariableName, - VendorGuid, - Attr, - DataSize, - Data - ); - if (Data !=3D NULL) { - FreePool (Data); - } - return Status; -} - -/** - - Set the platform secure boot mode into "Custom" or "Standard" mode. - - @param[in] SecureBootMode New secure boot mode: STANDARD_SECUR= E_BOOT_MODE or - CUSTOM_SECURE_BOOT_MODE. - - @return EFI_SUCCESS The platform has switched to the spe= cial mode successfully. - @return other Fail to operate the secure boot mode= . - -**/ -EFI_STATUS -SetSecureBootMode ( - IN UINT8 SecureBootMode - ) -{ - return gRT->SetVariable ( - EFI_CUSTOM_MODE_NAME, - &gEfiCustomModeEnableGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCE= SS, - sizeof (UINT8), - &SecureBootMode - ); -} - /** This code checks if the encode type and key strength of X.509 certificate is qualified. @@ -646,32 +485,6 @@ ON_EXIT: return Status; } -/** - Remove the PK variable. - - @retval EFI_SUCCESS Delete PK successfully. - @retval Others Could not allow to delete PK. - -**/ -EFI_STATUS -DeletePlatformKey ( - VOID -) -{ - EFI_STATUS Status; - - Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); - if (EFI_ERROR (Status)) { - return Status; - } - - Status =3D DeleteVariable ( - EFI_PLATFORM_KEY_NAME, - &gEfiGlobalVariableGuid - ); - return Status; -} - /** Enroll a new KEK item from public key storing file (*.pbk). diff --git a/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni= b/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni new file mode 100644 index 0000000000..2c51e4db53 --- /dev/null +++ b/SecurityPkg/Library/SecBootVariableLib/SecBootVariableLib.uni @@ -0,0 +1,16 @@ +// /** @file +// +// Provides initialization of Secure Boot keys and databases. +// +// Copyright (c) 2021, ARM Ltd. All rights reserved.
+// Copyright (c) 2021, Semihalf All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "Provides functio= n to initialize PK, KEK and databases based on default variables." + +#string STR_MODULE_DESCRIPTION #language en-US "Provides functio= n to initialize PK, KEK and databases based on default variables." + -- 2.25.1 IMPORTANT NOTICE: The contents of this email and any attachments are confi= dential and may also be privileged. If you are not the intended recipient, = please notify the sender immediately and do not disclose the contents to an= y other person, use it for any purpose, or store or copy the information in= any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confi= dential and may also be privileged. If you are not the intended recipient, = please notify the sender immediately and do not disclose the contents to an= y other person, use it for any purpose, or store or copy the information in= any medium. Thank you.