From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 128AB20945B6F for ; Thu, 21 Sep 2017 18:52:59 -0700 (PDT) Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Sep 2017 18:56:06 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.42,426,1500966000"; d="scan'208";a="154692472" Received: from fmsmsx103.amr.corp.intel.com ([10.18.124.201]) by fmsmga006.fm.intel.com with ESMTP; 21 Sep 2017 18:56:06 -0700 Received: from fmsmsx112.amr.corp.intel.com (10.18.116.6) by FMSMSX103.amr.corp.intel.com (10.18.124.201) with Microsoft SMTP Server (TLS) id 14.3.319.2; Thu, 21 Sep 2017 18:56:06 -0700 Received: from shsmsx101.ccr.corp.intel.com (10.239.4.153) by FMSMSX112.amr.corp.intel.com (10.18.116.6) with Microsoft SMTP Server (TLS) id 14.3.319.2; Thu, 21 Sep 2017 18:56:05 -0700 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.175]) by SHSMSX101.ccr.corp.intel.com ([169.254.1.159]) with mapi id 14.03.0319.002; Fri, 22 Sep 2017 09:56:03 +0800 From: "Zhang, Chao B" To: "Chen, Chen A" , "edk2-devel@lists.01.org" CC: "Long, Qin" Thread-Topic: [PATCH] SecurityPkg/SecureBootConfigImpl.c: Secure Boot DBX UI Enhancement. Thread-Index: AQHTMz8Wz/kFj16Pd0S9n1Fw9sIfOKLAJJoA Date: Fri, 22 Sep 2017 01:56:02 +0000 Message-ID: References: <20170922010645.5404-1-chen.a.chen@intel.com> In-Reply-To: <20170922010645.5404-1-chen.a.chen@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.0.0.116 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH] SecurityPkg/SecureBootConfigImpl.c: Secure Boot DBX UI Enhancement. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Sep 2017 01:52:59 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Chao Zhang -----Original Message----- From: Chen, Chen A=20 Sent: Friday, September 22, 2017 9:07 AM To: edk2-devel@lists.01.org Cc: Chen, Chen A ; Zhang, Chao B ; Long, Qin Subject: [PATCH] SecurityPkg/SecureBootConfigImpl.c: Secure Boot DBX UI Enh= ancement. Use 2-level format to display signature list and signature data. Support batch delete operation to delete signature list or signature data. Display more useful information for each signature data. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chen A Chen Cc: Zhang Chao B Cc: Long Qin --- .../SecureBootConfigDxe/SecureBootConfig.vfr | 53 +- .../SecureBootConfigDxe/SecureBootConfigImpl.c | 1036 ++++++++++++++++= +++- .../SecureBootConfigDxe/SecureBootConfigImpl.h | 35 + .../SecureBootConfigDxe/SecureBootConfigNvData.h | 23 +- .../SecureBootConfigStrings.uni | 26 + 5 files changed, 1144 insertions(+), 29 deletions(-) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secure= BootConfig.vfr index bbecff2b08..296b9c9b9e 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo +++ nfig.vfr @@ -316,11 +316,11 @@ formset =20 subtitle text =3D STRING_TOKEN(STR_NULL); =20 - goto SECUREBOOT_DELETE_SIGNATURE_FROM_DBX, + goto SECUREBOOT_DELETE_SIGNATURE_LIST_FORM, prompt =3D STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE), help =3D STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE), flags =3D INTERACTIVE, - key =3D SECUREBOOT_DELETE_SIGNATURE_FROM_DBX; + key =3D KEY_VALUE_FROM_DBX_TO_LIST_FORM; =20 endform; =20 @@ -360,17 +360,58 @@ formset endform; =20 // - // Form: 'Delete Signature' for DBX Options. + // Form: Display Signature List. // - form formid =3D SECUREBOOT_DELETE_SIGNATURE_FROM_DBX, - title =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE); + form formid =3D SECUREBOOT_DELETE_SIGNATURE_LIST_FORM, + title =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_LIST_FORM); + + subtitle text =3D STRING_TOKEN(STR_NULL); + + grayoutif ideqval SECUREBOOT_CONFIGURATION.ListCount =3D=3D 0; + label LABEL_DELETE_ALL_LIST_BUTTON; + // + // Will create a goto button dynamically here. + // + label LABEL_END; + endif; + + subtitle text =3D STRING_TOKEN(STR_NULL); + label LABEL_SIGNATURE_LIST_START; + label LABEL_END; + subtitle text =3D STRING_TOKEN(STR_NULL); =20 - label LABEL_DBX_DELETE; + endform; + + // + // Form: Display Signature Data. + // + form formid =3D SECUREBOOT_DELETE_SIGNATURE_DATA_FORM, + title =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_DATA_FORM); + + subtitle text =3D STRING_TOKEN(STR_NULL); + + goto SECUREBOOT_DELETE_SIGNATURE_LIST_FORM, + prompt =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_ALL_DATA), + help =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_ALL_DATA_HELP), + flags =3D INTERACTIVE, + key =3D KEY_SECURE_BOOT_DELETE_ALL_DATA; + + grayoutif ideqval SECUREBOOT_CONFIGURATION.CheckedDataCount =3D=3D 0; + goto SECUREBOOT_DELETE_SIGNATURE_LIST_FORM, + prompt =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_CHECK_DATA), + help =3D STRING_TOKEN(STR_SECURE_BOOT_DELETE_CHECK_DATA_HELP), + flags =3D INTERACTIVE, + key =3D KEY_SECURE_BOOT_DELETE_CHECK_DATA; + endif; + + subtitle text =3D STRING_TOKEN(STR_NULL); + label LABEL_SIGNATURE_DATA_START; label LABEL_END; subtitle text =3D STRING_TOKEN(STR_NULL); =20 endform; =20 + // // Form: 'Delete Signature' for DBT Options. // diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index 2eaf24633d..3df1f431a9 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo +++ nfigImpl.c @@ -13,6 +13,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER= EXPRESS OR IMPLIED. **/ =20 #include "SecureBootConfigImpl.h" +#include =20 CHAR16 mSecureBootStorageName[] =3D L"SECUREBOOT_CONFIGURATIO= N"; =20 @@ -3051,6 +3052,184 @@ ON_EXIT: } =20 /** + This function to delete signature list or data, according by DelType. + + @param[in] PrivateData Module's private data. + @param[in] DelType Indicate delete signature list or data= . + @param[in] CheckedCount Indicate how many signature data have + been checked in current signature list= . + + @retval EFI_SUCCESS Success to update the signature list p= age + @retval EFI_OUT_OF_RESOURCES Unable to allocate required resources. +**/ +EFI_STATUS +DeleteSignatureEx ( + IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, + IN SIGNATURE_DELETE_TYPE DelType, + IN UINT32 CheckedCount + ) +{ + EFI_STATUS Status; + EFI_SIGNATURE_LIST *ListWalker; + EFI_SIGNATURE_LIST *NewCertList; + EFI_SIGNATURE_DATA *DataWalker; + CHAR16 *VariableName; + UINT32 VariableAttr; + UINTN VariableDataSize; + UINTN RemainingSize; + UINTN ListIndex; + UINTN Index; + UINTN Offset; + UINT8 *VariableData; + UINT8 *NewVariableData; + + Status =3D EFI_SUCCESS; + VariableName =3D NULL; + VariableAttr =3D 0; + VariableDataSize =3D 0; + ListIndex =3D 0; + Offset =3D 0; + VariableData =3D NULL; + NewVariableData =3D NULL; + + VariableName =3D AllocateZeroPool (100); if (VariableName =3D=3D NULL) = { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + if (PrivateData->VariableName =3D=3D VARIABLE_DB) { + UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE); }=20 + else if (PrivateData->VariableName =3D=3D VARIABLE_DBX) { + UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE1); }=20 + else if (PrivateData->VariableName =3D=3D VARIABLE_DBT) { + UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE2); }=20 + else { + goto ON_EXIT; + } + + Status =3D gRT->GetVariable ( + VariableName, + &gEfiImageSecurityDatabaseGuid, + &VariableAttr, + &VariableDataSize, + VariableData + ); + if (EFI_ERROR (Status) && Status !=3D EFI_BUFFER_TOO_SMALL) { + goto ON_EXIT; + } + + VariableData =3D AllocateZeroPool (VariableDataSize); if (VariableData= =20 + =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + Status =3D gRT->GetVariable ( + VariableName, + &gEfiImageSecurityDatabaseGuid, + &VariableAttr, + &VariableDataSize, + VariableData + ); + if (EFI_ERROR (Status)) { + goto ON_EXIT; + } + + Status =3D SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE); if (EFI_ERROR=20 + (Status)) { + goto ON_EXIT; + } + + NewVariableData =3D AllocateZeroPool (VariableDataSize); if=20 + (NewVariableData =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + RemainingSize =3D VariableDataSize; + ListWalker =3D (EFI_SIGNATURE_LIST *)(VariableData); if (DelType =3D=3D= =20 + DELETE_SIGNATURE_LIST_ALL) { + VariableDataSize =3D 0; + } else { + while ((RemainingSize > 0) && (RemainingSize >=3D ListWalker->Signatur= eListSize) && ListIndex < PrivateData->ListIndex) { + CopyMem ((UINT8 *)NewVariableData + Offset, ListWalker, ListWalker->= SignatureListSize); + Offset +=3D ListWalker->SignatureListSize; + + RemainingSize -=3D ListWalker->SignatureListSize; + ListWalker =3D (EFI_SIGNATURE_LIST *)((UINT8 *)ListWalker + ListWalk= er->SignatureListSize); + ListIndex++; + } + + if (CheckedCount =3D=3D SIGNATURE_DATA_COUNTS (ListWalker) || DelType = =3D=3D DELETE_SIGNATURE_LIST_ONE) { + RemainingSize -=3D ListWalker->SignatureListSize; + ListWalker =3D (EFI_SIGNATURE_LIST *)((UINT8 *)ListWalker + ListWalk= er->SignatureListSize); + } else { + NewCertList =3D (EFI_SIGNATURE_LIST *)(NewVariableData + Offset); + // + // Copy header. + // + CopyMem ((UINT8 *)NewVariableData, ListWalker, sizeof (EFI_SIGNATURE= _LIST) + ListWalker->SignatureHeaderSize); + Offset +=3D sizeof (EFI_SIGNATURE_LIST) +=20 + ListWalker->SignatureHeaderSize; + + DataWalker =3D (EFI_SIGNATURE_DATA *)((UINT8 *)ListWalker + sizeof(E= FI_SIGNATURE_LIST) + ListWalker->SignatureHeaderSize); + for (Index =3D 0; Index < SIGNATURE_DATA_COUNTS(ListWalker); Index = =3D Index + 1) { + if (PrivateData->CheckArray[Index]) { + // + // Delete checked siganture data, and update the size of whole s= ignature list. + // + NewCertList->SignatureListSize -=3D NewCertList->SignatureSize; + } else { + // + // Remain the unchecked signature data. + // + CopyMem ((UINT8 *)NewVariableData + Offset, DataWalker, ListWalk= er->SignatureSize); + Offset +=3D ListWalker->SignatureSize; + } + DataWalker =3D (EFI_SIGNATURE_DATA *)((UINT8 *)DataWalker + ListWa= lker->SignatureSize); + } + + RemainingSize -=3D ListWalker->SignatureListSize; + } + + // + // Copy remaining data, maybe 0. + // + CopyMem((UINT8 *)NewVariableData + Offset, ListWalker, RemainingSize); + Offset +=3D RemainingSize; + + VariableDataSize =3D Offset; + } + + if ((VariableAttr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) = !=3D 0) { + Status =3D CreateTimeBasedPayload (&VariableDataSize, &NewVariableData= ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus)); + goto ON_EXIT; + } + } + + Status =3D gRT->SetVariable ( + VariableName, + &gEfiImageSecurityDatabaseGuid, + VariableAttr, + VariableDataSize, + NewVariableData + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Failed to set variable, Status =3D %r", Status))= ; + goto ON_EXIT; + } + +ON_EXIT: + SECUREBOOT_FREE_NON_NULL (VariableName); + SECUREBOOT_FREE_NON_NULL (VariableData); + SECUREBOOT_FREE_NON_NULL (NewVariableData); + + return Status; +} + +/** =20 Update SecureBoot strings based on new Secure Boot Mode State. String in= cludes STR_SECURE_BOOT_STATE_CONTENT and STR_CUR_SECURE_BOOT_MODE_CONTENT. @@ -3381,6 +3560,731 @@ SecureBootRouteConfig ( } =20 /** + This function to load signature list, the update the menu page. + + @param[in] PrivateData Module's private data. + @param[in] LabelId Label number to insert opcodes. + @param[in] FormId Form ID of current page. + @param[in] QuestionIdBase Base question id of the signature list. + + @retval EFI_SUCCESS Success to update the signature list pag= e + @retval EFI_OUT_OF_RESOURCES Unable to allocate required resources. +**/ +EFI_STATUS +LoadSignatureList ( + IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, + IN UINT16 LabelId, + IN EFI_FORM_ID FormId, + IN EFI_QUESTION_ID QuestionIdBase + ) +{ + EFI_STATUS Status; + EFI_STRING_ID ListType; + EFI_SIGNATURE_LIST *ListWalker; + EFI_IFR_GUID_LABEL *StartLabel; + EFI_IFR_GUID_LABEL *EndLabel; + EFI_IFR_GUID_LABEL *StartGoto; + EFI_IFR_GUID_LABEL *EndGoto; + EFI_FORM_ID DstFormId; + VOID *StartOpCodeHandle; + VOID *EndOpCodeHandle; + VOID *StartGotoHandle; + VOID *EndGotoHandle; + UINTN DataSize; + UINTN RemainingSize; + UINT16 Index; + UINT8 *VariableData; + CHAR16 *VariableName; + CHAR16 *NameBuffer; + CHAR16 *HelpBuffer; + + Status =3D EFI_SUCCESS; + StartOpCodeHandle =3D NULL; + EndOpCodeHandle =3D NULL; + Index =3D 0; + VariableData =3D NULL; + VariableName =3D NULL; + NameBuffer =3D NULL; + HelpBuffer =3D NULL; + + // + // Initialize the container for dynamic opcodes. + // + StartOpCodeHandle =3D HiiAllocateOpCodeHandle (); if=20 + (StartOpCodeHandle =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + EndOpCodeHandle =3D HiiAllocateOpCodeHandle (); if (EndOpCodeHandle =3D= =3D=20 + NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + StartGotoHandle =3D HiiAllocateOpCodeHandle (); if (StartGotoHandle =3D= =3D=20 + NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + EndGotoHandle =3D HiiAllocateOpCodeHandle (); if (EndGotoHandle =3D=3D= =20 + NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + // + // Create Hii Extend Label OpCode. + // + StartLabel =3D (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode ( + StartOpCodeHandle, + &gEfiIfrTianoGuid, + NULL, + sizeof (EFI_IFR_GUID_LABEL) + ); StartLabel->ExtendOpCode =3D=20 + EFI_IFR_EXTEND_OP_LABEL; + StartLabel->Number =3D LabelId; + + EndLabel =3D (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode ( + EndOpCodeHandle, + &gEfiIfrTianoGuid, + NULL, + sizeof (EFI_IFR_GUID_LABEL) + ); + EndLabel->ExtendOpCode =3D EFI_IFR_EXTEND_OP_LABEL; + EndLabel->Number =3D LABEL_END; + + StartGoto =3D (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode( + StartGotoHandle, + &gEfiIfrTianoGuid, + NULL, + sizeof(EFI_IFR_GUID_LABEL) + ); + StartGoto->ExtendOpCode =3D EFI_IFR_EXTEND_OP_LABEL; + StartGoto->Number =3D LABEL_DELETE_ALL_LIST_BUTTON; + + EndGoto =3D (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode( + EndGotoHandle, + &gEfiIfrTianoGuid, + NULL, + sizeof(EFI_IFR_GUID_LABEL) + ); + EndGoto->ExtendOpCode =3D EFI_IFR_EXTEND_OP_LABEL; EndGoto->Number =3D= =20 + LABEL_END; + + VariableName =3D AllocateZeroPool (100); if (VariableName =3D=3D NULL) = { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + if (PrivateData->VariableName =3D=3D VARIABLE_DB) { + UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE); + DstFormId =3D FORMID_SECURE_BOOT_DB_OPTION_FORM; + } else if (PrivateData->VariableName =3D=3D VARIABLE_DBX) { + UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE1); + DstFormId =3D FORMID_SECURE_BOOT_DBX_OPTION_FORM; + } else if (PrivateData->VariableName =3D=3D VARIABLE_DBT) { + UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE2); + DstFormId =3D FORMID_SECURE_BOOT_DBT_OPTION_FORM; + } else { + goto ON_EXIT; + } + + HiiCreateGotoOpCode ( + StartGotoHandle, + DstFormId, + STRING_TOKEN (STR_SECURE_BOOT_DELETE_ALL_LIST), + STRING_TOKEN (STR_SECURE_BOOT_DELETE_ALL_LIST), + EFI_IFR_FLAG_CALLBACK, + KEY_SECURE_BOOT_DELETE_ALL_LIST + ); + + // + // Read Variable, the variable name save in the PrivateData->VariableNam= e. + // + DataSize =3D 0; + Status =3D gRT->GetVariable (VariableName,=20 + &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, VariableData); if (EFI_= ERROR (Status) && Status !=3D EFI_BUFFER_TOO_SMALL) { + goto ON_EXIT; + } + + VariableData =3D AllocateZeroPool (DataSize); if (VariableData =3D=3D=20 + NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + Status =3D gRT->GetVariable (VariableName,=20 + &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, VariableData); if (EFI_= ERROR (Status)) { + goto ON_EXIT; + } + + NameBuffer =3D AllocateZeroPool (100); + if (NameBuffer =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + HelpBuffer =3D AllocateZeroPool (100); + if (HelpBuffer =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + RemainingSize =3D DataSize; + ListWalker =3D (EFI_SIGNATURE_LIST *)VariableData; + while ((RemainingSize > 0) && (RemainingSize >=3D ListWalker->SignatureL= istSize)) { + if (CompareGuid (&ListWalker->SignatureType, &gEfiCertRsa2048Guid)) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_RSA2048_SHA256); + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Guid)= ) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509); + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha1Guid)= ) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA1); + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertSha256Gui= d)) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_SHA256); + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha25= 6Guid)) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA256); + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha38= 4Guid)) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA384); + } else if (CompareGuid (&ListWalker->SignatureType, &gEfiCertX509Sha51= 2Guid)) { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_X509_SHA512); + } else { + ListType =3D STRING_TOKEN (STR_LIST_TYPE_UNKNOWN); + } + + UnicodeSPrint (NameBuffer, + 100, + HiiGetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SIGNATURE_LI= ST_NAME_FORMAT), NULL), + Index + 1 + ); + UnicodeSPrint (HelpBuffer, + 100, + HiiGetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SIGNATURE_LI= ST_HELP_FORMAT), NULL), + HiiGetString (PrivateData->HiiHandle, ListType, NULL), + SIGNATURE_DATA_COUNTS (ListWalker) + ); + + HiiCreateGotoOpCode ( + StartOpCodeHandle, + SECUREBOOT_DELETE_SIGNATURE_DATA_FORM, + HiiSetString (PrivateData->HiiHandle, 0, NameBuffer, NULL), + HiiSetString (PrivateData->HiiHandle, 0, HelpBuffer, NULL), + EFI_IFR_FLAG_CALLBACK, + QuestionIdBase + Index++ + ); + + ZeroMem (NameBuffer, 100); + ZeroMem (HelpBuffer, 100); + + RemainingSize -=3D ListWalker->SignatureListSize; + ListWalker =3D (EFI_SIGNATURE_LIST *)((UINT8 *)ListWalker +=20 + ListWalker->SignatureListSize); } + +ON_EXIT: + HiiUpdateForm ( + PrivateData->HiiHandle, + &gSecureBootConfigFormSetGuid, + FormId, + StartOpCodeHandle, + EndOpCodeHandle + ); + + HiiUpdateForm ( + PrivateData->HiiHandle, + &gSecureBootConfigFormSetGuid, + FormId, + StartGotoHandle, + EndGotoHandle + ); + + SECUREBOOT_FREE_NON_OPCODE (StartOpCodeHandle); =20 + SECUREBOOT_FREE_NON_OPCODE (EndOpCodeHandle); =20 + SECUREBOOT_FREE_NON_OPCODE (StartGotoHandle); =20 + SECUREBOOT_FREE_NON_OPCODE (EndGotoHandle); + + SECUREBOOT_FREE_NON_NULL (VariableName); SECUREBOOT_FREE_NON_NULL=20 + (VariableData); SECUREBOOT_FREE_NON_NULL (NameBuffer); =20 + SECUREBOOT_FREE_NON_NULL (HelpBuffer); + + PrivateData->ListCount =3D Index; + + return Status; +} + +/** + Parse hash value from EFI_SIGANTURE_DATA, and save in the CHAR16 type ar= ray. + The buffer is callee allocated and should be freed by the caller. + + @param[in] ListEntry The pointer point to the signatu= re list. + @param[in] DataEntry The signature data we are proces= sing. + @param[out] BufferToReturn Buffer to save the hash value. + + @retval EFI_INVALID_PARAMETER Invalid List or Data or Buffer. + @retval EFI_OUT_OF_RESOURCES A memory allocation failed. + @retval EFI_SUCCESS Operation success. +**/ +EFI_STATUS +ParseHashValue ( + IN EFI_SIGNATURE_LIST *ListEntry, + IN EFI_SIGNATURE_DATA *DataEntry, + OUT CHAR16 **BufferToReturn + ) +{ + UINTN Index; + UINTN BufferIndex; + UINTN TotalSize; + UINTN DataSize; + UINTN Line; + UINTN OneLineBytes; + + // + // Assume that, display 8 bytes in one line. + // + OneLineBytes =3D 8; + + if (ListEntry =3D=3D NULL || DataEntry =3D=3D NULL || BufferToReturn =3D= =3D NULL) { + return EFI_INVALID_PARAMETER; + } + + DataSize =3D ListEntry->SignatureSize - sizeof(EFI_GUID); Line =3D=20 + (DataSize + OneLineBytes - 1) / OneLineBytes; + + // + // Each byte will split two Hex-number, and each line need additional me= mory to save '\r\n'. + // + TotalSize =3D ((DataSize + Line) * 2 * sizeof(CHAR16)); + + *BufferToReturn =3D AllocateZeroPool(TotalSize); if (*BufferToReturn=20 + =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + for (Index =3D 0, BufferIndex =3D 0; Index < DataSize; Index =3D Index += 1) { + if ((Index > 0) && (Index % OneLineBytes =3D=3D 0)) { + BufferIndex +=3D UnicodeSPrint(&(*BufferToReturn)[BufferIndex], Tota= lSize - sizeof(CHAR16) * BufferIndex, L"\n"); + } + BufferIndex +=3D UnicodeSPrint(&(*BufferToReturn)[BufferIndex],=20 + TotalSize - sizeof(CHAR16) * BufferIndex, L"%02x",=20 + DataEntry->SignatureData[Index]); } BufferIndex +=3D=20 + UnicodeSPrint(&(*BufferToReturn)[BufferIndex], TotalSize -=20 + sizeof(CHAR16) * BufferIndex, L"\n"); + + return EFI_SUCCESS; +} + +/** + Function to get the common name from the X509 format certificate. + The buffer is callee allocated and should be freed by the caller. + + @param[in] ListEntry The pointer point to the signatu= re list. + @param[in] DataEntry The signature data we are proces= sing. + @param[out] BufferToReturn Buffer to save the CN of X509 ce= rtificate. + + @retval EFI_INVALID_PARAMETER Invalid List or Data or Buffer. + @retval EFI_OUT_OF_RESOURCES A memory allocation failed. + @retval EFI_SUCCESS Operation success. + @retval EFI_NOT_FOUND Not found CN field in the X509 c= ertificate. +**/ +EFI_STATUS +GetCommonNameFromX509 ( + IN EFI_SIGNATURE_LIST *ListEntry, + IN EFI_SIGNATURE_DATA *DataEntry, + OUT CHAR16 **BufferToReturn + ) +{ + EFI_STATUS Status; + UINT8 *CNBuffer; + + Status =3D EFI_SUCCESS; + CNBuffer =3D NULL; + + CNBuffer =3D AllocateZeroPool(256); + if (CNBuffer =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + X509GetCommonName ( + (UINT8 *)DataEntry + sizeof(EFI_GUID), + ListEntry->SignatureSize - sizeof(EFI_GUID), + CNBuffer, + 256 + ); + + *BufferToReturn =3D AllocateZeroPool(256 * sizeof(CHAR16)); if=20 + (*BufferToReturn =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + AsciiStrToUnicodeStrS (CNBuffer, *BufferToReturn, 256); + +ON_EXIT: + SECUREBOOT_FREE_NON_NULL (CNBuffer); + + return Status; +} + +/** + Format the help info for the signature data, each help info contain 3 pa= rts. + 1. Onwer Guid. + 2. Content, depends on the type of the signature list. + 3. Revocation time. + + @param[in] PrivateData Module's private data. + @param[in] ListEntry Point to the signature list. + @param[in] DataEntry Point to the siganture data we a= re processing. + @param[out] StringId Save the string id of help info. + + @retval EFI_SUCCESS Operation success. + @retval EFI_OUT_OF_RESOURCES Unable to allocate required reso= urces. +**/ +EFI_STATUS +FormatHelpInfo ( + IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, + IN EFI_SIGNATURE_LIST *ListEntry, + IN EFI_SIGNATURE_DATA *DataEntry, + OUT EFI_STRING_ID *StringId + ) +{ + EFI_STATUS Status; + EFI_TIME *Time; + EFI_STRING_ID ListTypeId; + UINTN DataSize; + UINTN HelpInfoIndex; + UINTN TotalSize; + CHAR16 *GuidString; + CHAR16 *DataString; + CHAR16 *TimeString; + CHAR16 *HelpInfoString; + BOOLEAN IsCert; + + Status =3D EFI_SUCCESS; + Time =3D NULL; + HelpInfoIndex =3D 0; + GuidString =3D NULL; + DataString =3D NULL; + TimeString =3D NULL; + HelpInfoString =3D NULL; + IsCert =3D FALSE; + + if (CompareGuid(&ListEntry->SignatureType, &gEfiCertRsa2048Guid)) { + ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_RSA2048_SHA256); + DataSize =3D ListEntry->SignatureSize - sizeof(EFI_GUID); + IsCert =3D TRUE; + } else if (CompareGuid(&ListEntry->SignatureType, &gEfiCertX509Guid)) { + ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_X509); + DataSize =3D ListEntry->SignatureSize - sizeof(EFI_GUID); + IsCert =3D TRUE; + } else if (CompareGuid(&ListEntry->SignatureType, &gEfiCertSha1Guid)) { + ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_SHA1); + DataSize =3D 20; + } else if (CompareGuid(&ListEntry->SignatureType, &gEfiCertSha256Guid)) = { + ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_SHA256); + DataSize =3D 32; + } else if (CompareGuid(&ListEntry->SignatureType, &gEfiCertX509Sha256Gui= d)) { + ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_X509_SHA256); + DataSize =3D 32; + Time =3D (EFI_TIME *)(DataEntry->SignatureData + DataSize); } else=20 + if (CompareGuid(&ListEntry->SignatureType, &gEfiCertX509Sha384Guid)) { + ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_X509_SHA384); + DataSize =3D 48; + Time =3D (EFI_TIME *)(DataEntry->SignatureData + DataSize); } else=20 + if (CompareGuid(&ListEntry->SignatureType, &gEfiCertX509Sha512Guid)) { + ListTypeId =3D STRING_TOKEN(STR_LIST_TYPE_X509_SHA512); + DataSize =3D 64; + Time =3D (EFI_TIME *)(DataEntry->SignatureData + DataSize); } else { + Status =3D EFI_UNSUPPORTED; + goto ON_EXIT; + } + + GuidString =3D AllocateZeroPool (100); + if (GuidString =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + TotalSize =3D 1024; + HelpInfoString =3D AllocateZeroPool (TotalSize); if (HelpInfoString =3D= =3D=20 + NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + // + // Format GUID part. + // + GuidToString(&DataEntry->SignatureOwner, GuidString, 100); =20 + HelpInfoIndex +=3D UnicodeSPrint ( + &HelpInfoString[HelpInfoIndex], + TotalSize - sizeof(CHAR16) * HelpInfoIndex, + HiiGetString (PrivateData->HiiHandle, STRING_TOKEN (S= TR_SIGNATURE_DATA_HELP_FORMAT_GUID), NULL), + GuidString + ); + + // + // Format content part, it depends on the type of signature list, hash v= alue or CN. + // + if (IsCert) { + GetCommonNameFromX509 (ListEntry, DataEntry, &DataString); + HelpInfoIndex +=3D UnicodeSPrint( + &HelpInfoString[HelpInfoIndex], + TotalSize - sizeof(CHAR16) * HelpInfoIndex, + HiiGetString (PrivateData->HiiHandle, STRING_TOKEN = (STR_SIGNATURE_DATA_HELP_FORMAT_CN), NULL), + HiiGetString (PrivateData->HiiHandle, ListTypeId, N= ULL), + DataSize, + DataString + ); + } else { + // + // Format hash value for each signature data entry. + // + ParseHashValue (ListEntry, DataEntry, &DataString); + HelpInfoIndex +=3D UnicodeSPrint ( + &HelpInfoString[HelpInfoIndex], + TotalSize - sizeof(CHAR16) * HelpInfoIndex, + HiiGetString (PrivateData->HiiHandle, STRING_TOKEN = (STR_SIGNATURE_DATA_HELP_FORMAT_HASH), NULL), + HiiGetString (PrivateData->HiiHandle, ListTypeId, N= ULL), + DataSize, + DataString + ); + } + + // + // Format revocation time part. + // + if (Time !=3D NULL) { + TimeString =3D AllocateZeroPool(100); + if (TimeString =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + UnicodeSPrint ( + TimeString, + 100, + L"%d-%d-%d %d:%d:%d", + Time->Year, + Time->Month, + Time->Day, + Time->Hour, + Time->Minute, + Time->Second + ); + + UnicodeSPrint ( + &HelpInfoString[HelpInfoIndex], + TotalSize - sizeof (CHAR16) * HelpInfoIndex, + HiiGetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SIGNATURE_DA= TA_HELP_FORMAT_TIME), NULL), + TimeString + ); + } + + *StringId =3D HiiSetString (PrivateData->HiiHandle, 0, HelpInfoString,=20 + NULL); + +ON_EXIT: + SECUREBOOT_FREE_NON_NULL (GuidString); + SECUREBOOT_FREE_NON_NULL (DataString); + SECUREBOOT_FREE_NON_NULL (TimeString); + SECUREBOOT_FREE_NON_NULL (HelpInfoString); + + return Status; +} + +/** + This functino to load signature data under the signature list. + + @param[in] PrivateData Module's private data. + @param[in] LabelId Label number to insert opcodes. + @param[in] FormId Form ID of current page. + @param[in] QuestionIdBase Base question id of the signature list. + @param[in] ListIndex Indicate to load which signature list. + + @retval EFI_SUCCESS Success to update the signature list pag= e + @retval EFI_OUT_OF_RESOURCES Unable to allocate required resources. +**/ +EFI_STATUS +LoadSignatureData ( + IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, + IN UINT16 LabelId, + IN EFI_FORM_ID FormId, + IN EFI_QUESTION_ID QuestionIdBase, + IN UINT16 ListIndex + ) +{ + EFI_STATUS Status; + EFI_SIGNATURE_LIST *ListWalker; + EFI_SIGNATURE_DATA *DataWalker; + EFI_IFR_GUID_LABEL *StartLabel; + EFI_IFR_GUID_LABEL *EndLabel; + EFI_STRING_ID HelpStringId; + VOID *StartOpCodeHandle; + VOID *EndOpCodeHandle; + UINTN DataSize; + UINTN RemainingSize; + UINT16 Index; + UINT8 *VariableData; + CHAR16 *VariableName; + CHAR16 *NameBuffer; + + Status =3D EFI_SUCCESS; + StartOpCodeHandle =3D NULL; + EndOpCodeHandle =3D NULL; + Index =3D 0; + VariableData =3D NULL; + VariableName =3D NULL; + NameBuffer =3D NULL; + + // + // Initialize the container for dynamic opcodes. + // + StartOpCodeHandle =3D HiiAllocateOpCodeHandle (); if=20 + (StartOpCodeHandle =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + EndOpCodeHandle =3D HiiAllocateOpCodeHandle (); if (EndOpCodeHandle =3D= =3D=20 + NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + // + // Create Hii Extend Label OpCode. + // + StartLabel =3D (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode ( + StartOpCodeHandle, + &gEfiIfrTianoGuid, + NULL, + sizeof (EFI_IFR_GUID_LABEL) + ); StartLabel->ExtendOpCode =3D=20 + EFI_IFR_EXTEND_OP_LABEL; + StartLabel->Number =3D LabelId; + + EndLabel =3D (EFI_IFR_GUID_LABEL *)HiiCreateGuidOpCode ( + EndOpCodeHandle, + &gEfiIfrTianoGuid, + NULL, + sizeof (EFI_IFR_GUID_LABEL) + ); + EndLabel->ExtendOpCode =3D EFI_IFR_EXTEND_OP_LABEL; + EndLabel->Number =3D LABEL_END; + + VariableName =3D AllocateZeroPool (100); if (VariableName =3D=3D NULL) = { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + if (PrivateData->VariableName =3D=3D VARIABLE_DB) { + UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE); }=20 + else if (PrivateData->VariableName =3D=3D VARIABLE_DBX) { + UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE1); }=20 + else if (PrivateData->VariableName =3D=3D VARIABLE_DBT) { + UnicodeSPrint (VariableName, 100, EFI_IMAGE_SECURITY_DATABASE2); }=20 + else { + goto ON_EXIT; + } + + // + // Read Variable, the variable name save in the PrivateData->VariableNam= e. + // + DataSize =3D 0; + Status =3D gRT->GetVariable (VariableName,=20 + &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, VariableData); if (EFI_= ERROR (Status) && Status !=3D EFI_BUFFER_TOO_SMALL) { + goto ON_EXIT; + } + + VariableData =3D AllocateZeroPool (DataSize); if (VariableData =3D=3D=20 + NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + Status =3D gRT->GetVariable (VariableName,=20 + &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, VariableData); if (EFI_= ERROR (Status)) { + goto ON_EXIT; + } + + NameBuffer =3D AllocateZeroPool (100); + if (NameBuffer =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + goto ON_EXIT; + } + + RemainingSize =3D DataSize; + ListWalker =3D (EFI_SIGNATURE_LIST *)VariableData; + + // + // Skip signature list. + // + while ((RemainingSize > 0) && (RemainingSize >=3D ListWalker->SignatureL= istSize) && ListIndex-- > 0) { + RemainingSize -=3D ListWalker->SignatureListSize; + ListWalker =3D (EFI_SIGNATURE_LIST *)((UINT8 *)ListWalker +=20 + ListWalker->SignatureListSize); } + + DataWalker =3D (EFI_SIGNATURE_DATA *)((UINT8 *)ListWalker +=20 + sizeof(EFI_SIGNATURE_LIST) + ListWalker->SignatureHeaderSize); for (Inde= x =3D 0; Index < SIGNATURE_DATA_COUNTS(ListWalker); Index =3D Index + 1) { + // + // Format name buffer. + // + UnicodeSPrint (NameBuffer, + 100, + HiiGetString (PrivateData->HiiHandle, STRING_TOKEN (STR_SIGNATURE_DA= TA_NAME_FORMAT), NULL), + Index + 1 + ); + + // + // Format help info buffer. + // + Status =3D FormatHelpInfo (PrivateData, ListWalker, DataWalker, &HelpS= tringId); + if (EFI_ERROR (Status)) { + goto ON_EXIT; + } + + HiiCreateCheckBoxOpCode ( + StartOpCodeHandle, + (EFI_QUESTION_ID)(QuestionIdBase + Index), + 0, + 0, + HiiSetString (PrivateData->HiiHandle, 0, NameBuffer, NULL), + HelpStringId, + EFI_IFR_FLAG_CALLBACK, + 0, + NULL + ); + + ZeroMem(NameBuffer, 100); + DataWalker =3D (EFI_SIGNATURE_DATA *)((UINT8 *)DataWalker +=20 + ListWalker->SignatureSize); } + + // + // Allocate a buffer to record which signature data will be checked. + // This memory buffer will be freed when exit from the SECUREBOOT_DELETE= _SIGNATURE_DATA_FORM form. + // + PrivateData->CheckArray =3D AllocateZeroPool (SIGNATURE_DATA_COUNTS=20 + (ListWalker) * sizeof (BOOLEAN)); + +ON_EXIT: + HiiUpdateForm ( + PrivateData->HiiHandle, + &gSecureBootConfigFormSetGuid, + FormId, + StartOpCodeHandle, + EndOpCodeHandle + ); + + SECUREBOOT_FREE_NON_OPCODE (StartOpCodeHandle); =20 + SECUREBOOT_FREE_NON_OPCODE (EndOpCodeHandle); + + SECUREBOOT_FREE_NON_NULL (VariableName); SECUREBOOT_FREE_NON_NULL=20 + (VariableData); SECUREBOOT_FREE_NON_NULL (NameBuffer); + + return Status; +} + +/** This function is called to provide results data to the driver. =20 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTO= COL. @@ -3474,6 +4378,13 @@ SecureBootCallback ( (QuestionId =3D=3D KEY_SECURE_BOOT_DBX_OPTION) || (QuestionId =3D=3D KEY_SECURE_BOOT_DBT_OPTION)) { CloseEnrolledFile(Private->FileContext); + } else if (QuestionId =3D=3D KEY_SECURE_BOOT_DELETE_ALL_LIST) { + // + // Update ListCount field in varstore + // Button "Delete All Signature List" is + // enable when ListCount is greater than 0. + // + IfrNvData->ListCount =3D Private->ListCount; } } goto EXIT; @@ -3665,16 +4576,89 @@ SecureBootCallback ( ); break; =20 - case SECUREBOOT_DELETE_SIGNATURE_FROM_DBX: - UpdateDeletePage ( + // + // From DBX option to the level-1 form, display signature list. + // + case KEY_VALUE_FROM_DBX_TO_LIST_FORM: + Private->VariableName =3D VARIABLE_DBX; + LoadSignatureList ( Private, - EFI_IMAGE_SECURITY_DATABASE1, - &gEfiImageSecurityDatabaseGuid, - LABEL_DBX_DELETE, - SECUREBOOT_DELETE_SIGNATURE_FROM_DBX, - OPTION_DEL_DBX_QUESTION_ID - ); + LABEL_SIGNATURE_LIST_START, + SECUREBOOT_DELETE_SIGNATURE_LIST_FORM, + OPTION_SIGNATURE_LIST_QUESTION_ID + ); + break; =20 + // + // Delete all signature list and reload. + // + case KEY_SECURE_BOOT_DELETE_ALL_LIST: + CreatePopUp( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"Press 'Y' to delete signature list.", + L"Press other key to cancel and exit.", + NULL + ); + + if (Key.UnicodeChar =3D=3D L'Y' || Key.UnicodeChar =3D=3D L'y') { + DeleteSignatureEx (Private, DELETE_SIGNATURE_LIST_ALL, IfrNvData->= CheckedDataCount); + } + + LoadSignatureList ( + Private, + LABEL_SIGNATURE_LIST_START, + SECUREBOOT_DELETE_SIGNATURE_LIST_FORM, + OPTION_SIGNATURE_LIST_QUESTION_ID + ); + break; + + // + // Delete one signature list and reload. + // + case KEY_SECURE_BOOT_DELETE_ALL_DATA: + CreatePopUp( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"Press 'Y' to delete signature data.", + L"Press other key to cancel and exit.", + NULL + ); + + if (Key.UnicodeChar =3D=3D L'Y' || Key.UnicodeChar =3D=3D L'y') { + DeleteSignatureEx (Private, DELETE_SIGNATURE_LIST_ONE, IfrNvData->= CheckedDataCount); + } + + LoadSignatureList ( + Private, + LABEL_SIGNATURE_LIST_START, + SECUREBOOT_DELETE_SIGNATURE_LIST_FORM, + OPTION_SIGNATURE_LIST_QUESTION_ID + ); + break; + + // + // Delete checked signature data and reload. + // + case KEY_SECURE_BOOT_DELETE_CHECK_DATA: + CreatePopUp( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"Press 'Y' to delete signature data.", + L"Press other key to cancel and exit.", + NULL + ); + + if (Key.UnicodeChar =3D=3D L'Y' || Key.UnicodeChar =3D=3D L'y') { + DeleteSignatureEx (Private, DELETE_SIGNATURE_DATA, IfrNvData->Chec= kedDataCount); + } + + LoadSignatureList ( + Private, + LABEL_SIGNATURE_LIST_START, + SECUREBOOT_DELETE_SIGNATURE_LIST_FORM, + OPTION_SIGNATURE_LIST_QUESTION_ID + ); break; =20 case SECUREBOOT_DELETE_SIGNATURE_FROM_DBT: @@ -3799,17 +4783,25 @@ SecureBootCallback ( OPTION_DEL_DB_QUESTION_ID, QuestionId - OPTION_DEL_DB_QUESTION_ID ); - } else if ((QuestionId >=3D OPTION_DEL_DBX_QUESTION_ID) && - (QuestionId < (OPTION_DEL_DBX_QUESTION_ID + OPTION_CONFIG= _RANGE))) { - DeleteSignature ( + } else if ((QuestionId >=3D OPTION_SIGNATURE_LIST_QUESTION_ID) && + (QuestionId < (OPTION_SIGNATURE_LIST_QUESTION_ID + OPTION= _CONFIG_RANGE))) { + LoadSignatureData ( Private, - EFI_IMAGE_SECURITY_DATABASE1, - &gEfiImageSecurityDatabaseGuid, - LABEL_DBX_DELETE, - SECUREBOOT_DELETE_SIGNATURE_FROM_DBX, - OPTION_DEL_DBX_QUESTION_ID, - QuestionId - OPTION_DEL_DBX_QUESTION_ID - ); + LABEL_SIGNATURE_DATA_START, + SECUREBOOT_DELETE_SIGNATURE_DATA_FORM, + OPTION_SIGNATURE_DATA_QUESTION_ID, + QuestionId - OPTION_SIGNATURE_LIST_QUESTION_ID + ); + Private->ListIndex =3D QuestionId - OPTION_SIGNATURE_LIST_QUESTION= _ID; + } else if ((QuestionId >=3D OPTION_SIGNATURE_DATA_QUESTION_ID) && + (QuestionId < (OPTION_SIGNATURE_DATA_QUESTION_ID + OPTION= _CONFIG_RANGE))) { + if (Private->CheckArray[QuestionId - OPTION_SIGNATURE_DATA_QUESTIO= N_ID]) { + IfrNvData->CheckedDataCount--; + Private->CheckArray[QuestionId - OPTION_SIGNATURE_DATA_QUESTION_= ID] =3D FALSE; + } else { + IfrNvData->CheckedDataCount++; + Private->CheckArray[QuestionId - OPTION_SIGNATURE_DATA_QUESTION_= ID] =3D TRUE; + } } else if ((QuestionId >=3D OPTION_DEL_DBT_QUESTION_ID) && (QuestionId < (OPTION_DEL_DBT_QUESTION_ID + OPTION_CONFIG= _RANGE))) { DeleteSignature ( @@ -3899,6 +4891,14 @@ SecureBootCallback ( if (SecureBootMode !=3D NULL) { FreePool (SecureBootMode); } + + if (QuestionId =3D=3D KEY_SECURE_BOOT_DELETE_ALL_DATA) { + // + // Free memory when exit from the SECUREBOOT_DELETE_SIGNATURE_DATA_F= ORM form. + // + SECUREBOOT_FREE_NON_NULL (Private->CheckArray); + IfrNvData->CheckedDataCount =3D 0; + } } =20 EXIT: diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.h index 75b18f121c..501215cdf5 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo +++ nfigImpl.h @@ -112,6 +112,23 @@ typedef struct { UINT8 FileType; } SECUREBOOT_FILE_CONTEXT; =20 +#define SECUREBOOT_FREE_NON_NULL(Pointer) \ + do { \ + if ((Pointer) !=3D NULL) { \ + FreePool((Pointer)); \ + (Pointer) =3D NULL; \ + } \ + } while (FALSE) + +#define SECUREBOOT_FREE_NON_OPCODE(Handle) \ + do{ \ + if ((Handle) !=3D NULL) { \ + HiiFreeOpCodeHandle((Handle)); \ + } \ + } while (FALSE) + +#define SIGNATURE_DATA_COUNTS(List) \ + (((List)->SignatureListSize - sizeof(EFI_SIGNATURE_LIST) -=20 +(List)->SignatureHeaderSize) / (List)->SignatureSize) =20 // // We define another format of 5th directory entry: security directory @@ = -134,6 +151,19 @@ typedef struct { EFI_DEVICE_PATH_PROTOCOL End; } HII_VENDOR_DEVICE_PATH; =20 +typedef enum { + VARIABLE_DB, + VARIABLE_DBX, + VARIABLE_DBT, + VARIABLE_MAX +} CURRENT_VARIABLE_NAME; + +typedef enum { + DELETE_SIGNATURE_LIST_ALL, + DELETE_SIGNATURE_LIST_ONE, + DELETE_SIGNATURE_DATA +}SIGNATURE_DELETE_TYPE; + typedef struct { UINTN Signature; =20 @@ -144,6 +174,11 @@ typedef struct { SECUREBOOT_FILE_CONTEXT *FileContext; =20 EFI_GUID *SignatureGUID; + + CURRENT_VARIABLE_NAME VariableName; // The variable name= we are processing. + UINT32 ListCount; // Record current va= riable has how many signature list. + UINTN ListIndex; // Record which sign= ature list is processing. + BOOLEAN *CheckArray; // Record whcih siga= nture data checked.jj } SECUREBOOT_CONFIG_PRIVATE_DATA; =20 extern SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTem= plate; diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Se= cureBootConfigNvData.h index 6b69f92b26..d112867e58 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo +++ nfigNvData.h @@ -35,10 +35,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH= ER EXPRESS OR IMPLIED. #define SECUREBOOT_ENROLL_SIGNATURE_TO_DB 0x0b #define SECUREBOOT_DELETE_SIGNATURE_FROM_DB 0x0c #define SECUREBOOT_ENROLL_SIGNATURE_TO_DBX 0x0d -#define SECUREBOOT_DELETE_SIGNATURE_FROM_DBX 0x0e #define FORMID_SECURE_BOOT_DBT_OPTION_FORM 0x14 #define SECUREBOOT_ENROLL_SIGNATURE_TO_DBT 0x15 #define SECUREBOOT_DELETE_SIGNATURE_FROM_DBT 0x16 +#define SECUREBOOT_DELETE_SIGNATURE_LIST_FORM 0x17 #define=20 +SECUREBOOT_DELETE_SIGNATURE_DATA_FORM 0x18 =20 #define SECURE_BOOT_MODE_CUSTOM 0x01 #define SECURE_BOOT_MODE_STANDARD 0x00 @@ -57,6 +58,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER= EXPRESS OR IMPLIED. #define KEY_VALUE_SAVE_AND_EXIT_DBT 0x100d #define KEY_VALUE_NO_SAVE_AND_EXIT_DBT 0x100e =20 +#define KEY_VALUE_FROM_DBX_TO_LIST_FORM 0x100f + #define KEY_SECURE_BOOT_OPTION 0x1100 #define KEY_SECURE_BOOT_PK_OPTION 0x1101 #define KEY_SECURE_BOOT_KEK_OPTION 0x1102 @@ -71,14 +74,18 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH= ER EXPRESS OR IMPLIED. #define KEY_SECURE_BOOT_SIGNATURE_GUID_DBX 0x110c #define KEY_SECURE_BOOT_DBT_OPTION 0x110d #define KEY_SECURE_BOOT_SIGNATURE_GUID_DBT 0x110e +#define KEY_SECURE_BOOT_DELETE_ALL_LIST 0x110f +#define KEY_SECURE_BOOT_DELETE_ALL_DATA 0x1110 +#define KEY_SECURE_BOOT_DELETE_CHECK_DATA 0x1111 =20 #define LABEL_KEK_DELETE 0x1200 #define LABEL_DB_DELETE 0x1201 -#define LABEL_DBX_DELETE 0x1202 +#define LABEL_SIGNATURE_LIST_START 0x1202 #define LABEL_DBT_DELETE 0x1203 +#define LABEL_SIGNATURE_DATA_START 0x1204 +#define LABEL_DELETE_ALL_LIST_BUTTON 0x1300 #define LABEL_END 0xffff =20 - #define SECURE_BOOT_MAX_ATTEMPTS_NUM 255 =20 #define CONFIG_OPTION_OFFSET 0x2000 @@ -95,9 +102,13 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH= ER EXPRESS OR IMPLIED. // #define OPTION_DEL_DB_QUESTION_ID 0x3000 // -// Question ID 0x4000 ~ 0x4FFF is for DBX +// Question ID 0x4000 ~ 0x4FFF is for signature list. +// +#define OPTION_SIGNATURE_LIST_QUESTION_ID 0X4000 +// +// Question ID 0x6000 ~ 0x6FFF is for signature data. // -#define OPTION_DEL_DBX_QUESTION_ID 0x4000 +#define OPTION_SIGNATURE_DATA_QUESTION_ID 0x6000 =20 // // Question ID 0x5000 ~ 0x5FFF is for DBT @@ -128,6 +139,8 @@ typedef stru= ct { EFI_HII_DATE RevocationDate; // The revocation date of the certificate EFI_HII_TIME RevocationTime; // The revocation time of the certificate UINT8 FileEnrollType; // File type of sigunature enroll + UINT32 ListCount; // The count of signature list. + UINT32 CheckedDataCount; // The count of checked signature data. } SECUREBOOT_CONFIGURATION; =20 #endif diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe= /SecureBootConfigStrings.uni index 320cc79c47..bf42598fa3 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo +++ nfigStrings.uni @@ -29,6 +29,13 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHE= R EXPRESS OR IMPLIED. =20 #string STR_SECURE_BOOT_ENROLL_SIGNATURE #language en-US "Enroll Signatu= re" #string STR_SECURE_BOOT_DELETE_SIGNATURE #language en-US "Delete Signatu= re" +#string STR_SECURE_BOOT_DELETE_LIST_FORM #language en-US "Delete Signatu= re List Form" +#string STR_SECURE_BOOT_DELETE_DATA_FORM #language en-US "Delete Signatu= re Data Form" +#string STR_SECURE_BOOT_DELETE_ALL_LIST #language en-US "Delete All Sig= nature List" +#string STR_SECURE_BOOT_DELETE_ALL_DATA #language en-US "Delete All Sig= nature Data" +#string STR_SECURE_BOOT_DELETE_CHECK_DATA #language en-US "Delete Checked= Signature Data" +#string STR_SECURE_BOOT_DELETE_ALL_DATA_HELP #language en-US "All signat= ure data will be deleted, no matter how many signature data have you checke= d." +#string STR_SECURE_BOOT_DELETE_CHECK_DATA_HELP #language en-US "All checke= d signature data will be deleted." =20 #string STR_SECURE_BOOT_SIGNATURE_GUID #language en-US "Signature GUID= " #string STR_SECURE_BOOT_SIGNATURE_GUID_HELP #language en-US "Input digit c= haracter in 11111111-2222-3333-4444-1234567890ab format." @@ -114,3 +121,22 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EIT= HER EXPRESS OR IMPLIED. #string STR_CERT_TYPE_X509_SHA256_GUID #language en-US "X509_SH= A256_GUID" #string STR_CERT_TYPE_X509_SHA384_GUID #language en-US "X509_SH= A384_GUID" #string STR_CERT_TYPE_X509_SHA512_GUID #language en-US "X509_SH= A512_GUID" + +#string STR_LIST_TYPE_RSA2048_SHA256 #language en-US "RSA2048= _SHA256" +#string STR_LIST_TYPE_X509 #language en-US "X509" +#string STR_LIST_TYPE_SHA1 #language en-US "SHA1" +#string STR_LIST_TYPE_SHA256 #language en-US "SHA256" +#string STR_LIST_TYPE_X509_SHA256 #language en-US "X509_SH= A256" +#string STR_LIST_TYPE_X509_SHA384 #language en-US "X509_SH= A384" +#string STR_LIST_TYPE_X509_SHA512 #language en-US "X509_SH= A512" +#string STR_LIST_TYPE_UNKNOWN #language en-US "UnKnown= " + +#string STR_SIGNATURE_LIST_NAME_FORMAT #language en-US "Signatu= re List, Entry-%d" +#string STR_SIGNATURE_DATA_NAME_FORMAT #language en-US "Signatu= re Data, Entry-%d" +#string STR_SIGNATURE_LIST_HELP_FORMAT #language en-US "List Ty= pe:\n %s\n\nEntry Number:\n %d" +#string STR_SIGNATURE_DATA_HELP_FORMAT_GUID #language en-US "Owner G= UID:\n%s\n\n" +#string STR_SIGNATURE_DATA_HELP_FORMAT_CN #language en-US "%s(%d b= ytes):\nCN =3D %s\n" +#string STR_SIGNATURE_DATA_HELP_FORMAT_HASH #language en-US "%s(%d b= ytes):\n%s\n" +#string STR_SIGNATURE_DATA_HELP_FORMAT_TIME #language en-US "Revocat= ion Time:\n%s" + +#string STR_SIGNATURE_DELETE_ALL_CONFIRM #language en-US "Press '= Y' to delete all signature List." -- 2.13.2.windows.1