From: "Bret Barkelew"
To: "devel@edk2.groups.io", "pete@akeo.ie", "gjb@semihalf.com"
CC: "Lindholm, Leif", "ardb+tianocore@kernel.org", Samer El-Haj-Mahmoud, "sunny.Wang@arm.com", "mw@semihalf.com", "upstream@semihalf.com", "Yao, Jiewen", "jian.j.wang@intel.com", "min.m.xu@intel.com", "lersek@redhat.com"
Subject: Re: [EXTERNAL] Re: [edk2-devel] [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables.
Date: Wed, 2 Jun 2021 19:43:25 +0000
References: <20210601131229.630611-1-gjb@semihalf.com> <20210601131229.630611-3-gjb@semihalf.com>,<6bd2683f-6082-17d7-5592-93a5864903a7@akeo.ie>
In-Reply-To: <6bd2683f-6082-17d7-5592-93a5864903a7@akeo.ie>

> +CreateTimeBasedPayload (

I feel like we have a couple other instances of this floating around. Should we consolidate on a single implementation?

- Bret

From: Pete Batard via groups.io
Sent: Wednesday, June 2, 2021 10:39 AM
To: devel@edk2.groups.io; gjb@semihalf.com
Cc: Lindholm, Leif; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud; sunny.Wang@arm.com; mw@semihalf.com; upstream@semihalf.com; Yao, Jiewen; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables.

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This commit adds a library which consists of functions related to
> creation/removal of Secure Boot variables. Some of the functions
> were moved from the SecureBootConfigImpl.c file.
> > Signed-off-by: Grzegorz Bernacki > --- > SecurityPkg/SecurityPkg.dsc = | 1 + > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf = | 79 ++ > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Dxe.inf | 1 + > SecurityPkg/Include/Library/SecureBootVariableLib.h = | 252 +++++ > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c = | 979 ++++++++++++++++++++ > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig= Impl.c | 189 +--- > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni = | 16 + > 7 files changed, 1329 insertions(+), 188 deletions(-) > create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBoo= tVariableLib.inf > create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h > create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBoo= tVariableLib.c > create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBoo= tVariableLib.uni > > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc > index bd4b810bce..854f250625 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc > @@ -70,6 +70,7 @@ > RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf > TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEve= ntLogRecordLib.inf > MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemory= LibNull.inf > + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/Secur= eBootVariableLib.inf > > [LibraryClasses.ARM] > # > diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariabl= eLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.= inf > new file mode 100644 > index 0000000000..84367841d5 > --- /dev/null > +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.in= f 
> @@ -0,0 +1,79 @@ > +## @file > +# Provides initialization of Secure Boot keys and databases. > +# > +# Copyright (c) 2021, ARM Ltd. All rights reserved.
> +# Copyright (c) 2021, Semihalf All rights reserved.
> +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION =3D 0x00010005 > + BASE_NAME =3D SecureBootVariableLib > + MODULE_UNI_FILE =3D SecureBootVariableLib.uni > + FILE_GUID =3D D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F= 6F > + MODULE_TYPE =3D DXE_DRIVER > + VERSION_STRING =3D 1.0 > + LIBRARY_CLASS =3D SecureBootVariableLib|DXE_DRIVER D= XE_RUNTIME_DRIVER UEFI_APPLICATION > + > +# > +# The following information is for reference only and not required by t= he build tools. > +# > +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 > +# > + > +[Sources] > + SecureBootVariableLib.c > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + SecurityPkg/SecurityPkg.dec > + CryptoPkg/CryptoPkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + MemoryAllocationLib > + BaseCryptLib > + DxeServicesLib > + > +[Guids] > + ## CONSUMES ## Variable:L"SetupMode" > + ## PRODUCES ## Variable:L"SetupMode" > + ## CONSUMES ## Variable:L"SecureBoot" > + ## PRODUCES ## Variable:L"SecureBoot" > + ## PRODUCES ## Variable:L"PK" > + ## PRODUCES ## Variable:L"KEK" > + ## CONSUMES ## Variable:L"PKDefault" > + ## CONSUMES ## Variable:L"KEKDefault" > + ## CONSUMES ## Variable:L"dbDefault" > + ## CONSUMES ## Variable:L"dbxDefault" > + ## CONSUMES ## Variable:L"dbtDefault" > + gEfiGlobalVariableGuid > + > + ## SOMETIMES_CONSUMES ## Variable:L"DB" > + ## SOMETIMES_CONSUMES ## Variable:L"DBX" > + ## SOMETIMES_CONSUMES ## Variable:L"DBT" > + gEfiImageSecurityDatabaseGuid > + > + ## CONSUMES ## Variable:L"SecureBootEnable" > + ## PRODUCES ## Variable:L"SecureBootEnable" > + gEfiSecureBootEnableDisableGuid > + > + ## CONSUMES ## Variable:L"CustomMode" > + ## PRODUCES ## Variable:L"CustomMode" > + gEfiCustomModeEnableGuid > + > + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES > + gEfiCertX509Guid ## CONSUMES > + gEfiCertPkcs7Guid ## CONSUMES > + > + gDefaultPKFileGuid > + gDefaultKEKFileGuid > + gDefaultdbFileGuid > + gDefaultdbxFileGuid 
> + gDefaultdbtFileGuid > + > diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secur= eBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/= SecureBootConfigDxe.inf > index 573efa6379..30d9cd8025 100644 > --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo= nfigDxe.inf > +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo= nfigDxe.inf > @@ -54,6 +54,7 @@ > DevicePathLib > FileExplorerLib > PeCoffLib > + SecureBootVariableLib > > [Guids] > ## SOMETIMES_CONSUMES ## Variable:L"CustomMode" > diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/Secur= ityPkg/Include/Library/SecureBootVariableLib.h > new file mode 100644 > index 0000000000..2961c93a36 > --- /dev/null > +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h > @@ -0,0 +1,252 @@ > +/** @file > + Provides a function to enroll keys based on default values. > + > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP
> +Copyright (c) 2021, ARM Ltd. All rights reserved.
> +Copyright (c) 2021, Semihalf All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef __SECURE_BOOT_VARIABLE_LIB_H__ > +#define __SECURE_BOOT_VARIABLE_LIB_H__ > + > +/** > + > + Set the platform secure boot mode into "Custom" or "Standard" mode. > + > + @param[in] SecureBootMode New secure boot mode: STANDARD_SEC= URE_BOOT_MODE or > + CUSTOM_SECURE_BOOT_MODE. > + > + @return EFI_SUCCESS The platform has switched to the s= pecial mode successfully. > + @return other Fail to operate the secure boot mo= de. > + > +--*/ > +EFI_STATUS > +SetSecureBootMode ( > + IN UINT8 SecureBootMode > +); > + > +/** > + Fetches the value of SetupMode variable. > + > + @param[out] SetupMode Pointer to UINT8 for SetupMode outp= ut > + > + @retval other Error codes from GetVariable. > +--*/ > +BOOLEAN > +EFIAPI > +GetSetupMode ( > + OUT UINT8 *SetupMode > +); > + > +/** > + Create a time based data payload by concatenating the EFI_VARIABLE_AU= THENTICATION_2 > + descriptor with the input data. NO authentication is required in this= function. > + > + @param[in, out] DataSize On input, the size of Data buffer in= bytes. > + On output, the size of data returned= in Data > + buffer in bytes. > + @param[in, out] Data On input, Pointer to data buffer to = be wrapped or > + pointer to NULL to wrap an empty pay= load. > + On output, Pointer to the new payloa= d date buffer allocated from pool, > + it's caller's responsibility to free= the memory when finish using it. > + > + @retval EFI_SUCCESS Create time based payload successful= ly. > + @retval EFI_OUT_OF_RESOURCES There are not enough memory resource= s to create time based payload. > + @retval EFI_INVALID_PARAMETER The parameter is invalid. > + @retval Others Unexpected error happens. > + > +--*/ > +EFI_STATUS > +CreateTimeBasedPayload ( > + IN OUT UINTN *DataSize, > + IN OUT UINT8 **Data > +); > + > +/** > + Sets the content of the 'db' variable based on 'dbDefault' variable c= ontent. 
> + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'db' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDb ( > + VOID > +); > + > +/** > + Sets the content of the 'dbx' variable based on 'dbxDefault' variable= content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbxFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'dbx' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbx ( > + VOID > +); > + > +/** > + Sets the content of the 'dbt' variable based on 'dbtDefault' variable= content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbtFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'dbt' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. 
> + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbt ( > + VOID > +); > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable= content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollKEKFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'KEK' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteKEK ( > + VOID > +); > + > +/** > + Sets the content of the 'PK' variable based on 'PKDefault' variable c= ontent. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollPKFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'PK' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime= () and SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeletePlatformKey ( > + VOID > +); > + > +/** Initializes PKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitPKDefault ( > + IN VOID > + ); > + > +/** Initializes KEKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. 
> +--*/ > +EFI_STATUS > +SecureBootInitKEKDefault ( > + IN VOID > + ); > + > +/** Initializes dbDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbDefault ( > + IN VOID > + ); > + > +/** Initializes dbtDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbtDefault ( > + IN VOID > + ); > + > +/** Initializes dbxDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbxDefault ( > + IN VOID > + ); > +#endif > diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariabl= eLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > new file mode 100644 > index 0000000000..16bad5530a > --- /dev/null > +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > @@ -0,0 +1,979 @@ > +/** @file > + This library provides functions to set/clear Secure Boot > + keys and databases. > + > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP
> +Copyright (c) 2021, ARM Ltd. All rights reserved.
> +Copyright (c) 2021, Semihalf All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include "Library/DxeServicesLib.h" > + > +/** Creates EFI Signature List structure. > + > + @param[in] Data A pointer to signature data. > + @param[in] Size Size of signature data. > + @param[out] SigList Created Signature List. > + > + @retval EFI_SUCCESS Signature List was created successfull= y. > + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. > +--*/ > +STATIC > +EFI_STATUS > +CreateSigList ( > + IN VOID *Data, > + IN UINTN Size, > + OUT EFI_SIGNATURE_LIST **SigList > + ) > +{ > + UINTN SigListSize; > + EFI_SIGNATURE_LIST *TmpSigList; > + EFI_SIGNATURE_DATA *SigData; > + > + // > + // Allocate data for Signature Database > + // > + SigListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_D= ATA) - 1 + Size; > + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize); > + if (TmpSigList =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + // > + // Only gEfiCertX509Guid type is supported > + // > + TmpSigList->SignatureListSize =3D (UINT32)SigListSize; > + TmpSigList->SignatureSize =3D (UINT32) (sizeof (EFI_SIGNATURE_DATA) -= 1 + Size); > + TmpSigList->SignatureHeaderSize =3D 0; > + CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid); > + > + // > + // Copy key data > + // > + SigData =3D (EFI_SIGNATURE_DATA *) (TmpSigList + 1); > + CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid); > + CopyMem (&SigData->SignatureData[0], Data, Size); > + > + *SigList =3D TmpSigList; > + > + return EFI_SUCCESS; > +} > + > +/** Adds new signature list to signature database. > + > + @param[in] SigLists A pointer to signature database. > + @param[in] SiglListAppend A signature list to be added. > + @param[out] *SigListOut Created signature database. > + @param[out] SigListsSize A size of created signature database. 
> + > + @retval EFI_SUCCESS Signature List was added successfully. > + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. > +--*/ > +STATIC > +EFI_STATUS > +ConcatenateSigList ( > + IN EFI_SIGNATURE_LIST *SigLists, > + IN EFI_SIGNATURE_LIST *SigListAppend, > + OUT EFI_SIGNATURE_LIST **SigListOut, > + IN OUT UINTN *SigListsSize > +) > +{ > + EFI_SIGNATURE_LIST *TmpSigList; > + UINT8 *Offset; > + UINTN NewSigListsSize; > + > + NewSigListsSize =3D *SigListsSize + SigListAppend->SignatureListSize; > + > + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSi= ze); > + if (TmpSigList =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + CopyMem (TmpSigList, SigLists, *SigListsSize); > + > + Offset =3D (UINT8 *)TmpSigList; > + Offset +=3D *SigListsSize; > + CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListS= ize); > + > + *SigListsSize =3D NewSigListsSize; > + *SigListOut =3D TmpSigList; > + return EFI_SUCCESS; > +} > + > +/** > + Create a EFI Signature List with data fetched from section specified = as a argument. > + Found keys are verified using RsaGetPublicKeyFromX509(). > + > + @param[in] KeyFileGuid A pointer to to the FFS filename GUI= D > + @param[out] SigListsSize A pointer to size of signature list > + @param[out] SigListsOut a pointer to a callee-allocated buff= er with signature lists > + > + @retval EFI_SUCCESS Create time based payload successful= ly. > + @retval EFI_NOT_FOUND Section with key has not been found. > + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. > + @retval Others Unexpected error happens. 
> + > +--*/ > +STATIC > +EFI_STATUS > +SecureBootFetchData ( > + IN EFI_GUID *KeyFileGuid, > + OUT UINTN *SigListsSize, > + OUT EFI_SIGNATURE_LIST **SigListOut > +) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + EFI_SIGNATURE_LIST *TmpEfiSig; > + EFI_SIGNATURE_LIST *TmpEfiSig2; > + EFI_STATUS Status; > + VOID *Buffer; > + VOID *RsaPubKey; > + UINTN Size; > + UINTN KeyIndex; > + > + > + KeyIndex =3D 0; > + EfiSig =3D NULL; > + *SigListsSize =3D 0; > + while (1) { > + Status =3D GetSectionFromAnyFv ( > + KeyFileGuid, > + EFI_SECTION_RAW, > + KeyIndex, > + &Buffer, > + &Size > + ); > + > + if (Status =3D=3D EFI_SUCCESS) { > + RsaPubKey =3D NULL; > + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FAL= SE) { > + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION= __, KeyIndex)); > + if (EfiSig !=3D NULL) { > + FreePool(EfiSig); > + } > + FreePool(Buffer); > + return EFI_INVALID_PARAMETER; > + } > + > + Status =3D CreateSigList (Buffer, Size, &TmpEfiSig); > + > + // > + // Concatenate lists if more than one section found > + // > + if (KeyIndex =3D=3D 0) { > + EfiSig =3D TmpEfiSig; > + *SigListsSize =3D TmpEfiSig->SignatureListSize; > + } else { > + ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSiz= e); > + FreePool (EfiSig); > + FreePool (TmpEfiSig); > + EfiSig =3D TmpEfiSig2; > + } > + > + KeyIndex++; > + FreePool (Buffer); > + } if (Status =3D=3D EFI_NOT_FOUND) { > + break; > + } > + }; > + > + if (KeyIndex =3D=3D 0) { > + return EFI_NOT_FOUND; > + } > + > + *SigListOut =3D EfiSig; > + > + return EFI_SUCCESS; > +} > + > +/** > + Create a time based data payload by concatenating the EFI_VARIABLE_AU= THENTICATION_2 > + descriptor with the input data. NO authentication is required in this= function. > + > + @param[in, out] DataSize On input, the size of Data buffer in= bytes. > + On output, the size of data returned= in Data > + buffer in bytes. 
> + @param[in, out] Data On input, Pointer to data buffer to = be wrapped or > + pointer to NULL to wrap an empty pay= load. > + On output, Pointer to the new payloa= d date buffer allocated from pool, > + it's caller's responsibility to free= the memory when finish using it. > + > + @retval EFI_SUCCESS Create time based payload successful= ly. > + @retval EFI_OUT_OF_RESOURCES There are not enough memory resource= s to create time based payload. > + @retval EFI_INVALID_PARAMETER The parameter is invalid. > + @retval Others Unexpected error happens. > + > +--*/ > +EFI_STATUS > +CreateTimeBasedPayload ( > + IN OUT UINTN *DataSize, > + IN OUT UINT8 **Data > + ) > +{ > + EFI_STATUS Status; > + UINT8 *NewData; > + UINT8 *Payload; > + UINTN PayloadSize; > + EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; > + UINTN DescriptorSize; > + EFI_TIME Time; > + > + if (Data =3D=3D NULL || DataSize =3D=3D NULL) { > + return EFI_INVALID_PARAMETER; > + } > + > + // > + // In Setup mode or Custom mode, the variable does not need to be sig= ned but the > + // parameters to the SetVariable() call still need to be prepared as = authenticated > + // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor wit= hout certificate > + // data in it. 
> + // > + Payload =3D *Data; > + PayloadSize =3D *DataSize; > + > + DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthI= nfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); > + NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); > + if (NewData =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { > + CopyMem (NewData + DescriptorSize, Payload, PayloadSize); > + } > + > + DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); > + > + ZeroMem (&Time, sizeof (EFI_TIME)); > + Status =3D gRT->GetTime (&Time, NULL); > + if (EFI_ERROR (Status)) { > + FreePool(NewData); > + return Status; > + } > + Time.Pad1 =3D 0; > + Time.Nanosecond =3D 0; > + Time.TimeZone =3D 0; > + Time.Daylight =3D 0; > + Time.Pad2 =3D 0; > + CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); > + > + DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERT= IFICATE_UEFI_GUID, CertData); > + DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; > + DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT_TYPE_EFI_G= UID; > + CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); > + > + if (Payload !=3D NULL) { > + FreePool(Payload); > + } > + > + *DataSize =3D DescriptorSize + PayloadSize; > + *Data =3D NewData; > + return EFI_SUCCESS; > +} > + > +/** > + Internal helper function to delete a Variable given its name and GUID= , NO authentication > + required. > + > + @param[in] VariableName Name of the Variable. > + @param[in] VendorGuid GUID of the Variable. > + > + @retval EFI_SUCCESS Variable deleted successfully. > + @retval Others The driver failed to start the devic= e. 
> + > +--*/ > +EFI_STATUS > +DeleteVariable ( > + IN CHAR16 *VariableName, > + IN EFI_GUID *VendorGuid > + ) > +{ > + EFI_STATUS Status; > + VOID* Variable; > + UINT8 *Data; > + UINTN DataSize; > + UINT32 Attr; > + > + GetVariable2 (VariableName, VendorGuid, &Variable, NULL); > + if (Variable =3D=3D NULL) { > + return EFI_SUCCESS; > + } > + FreePool (Variable); > + > + Data =3D NULL; > + DataSize =3D 0; > + Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS = | EFI_VARIABLE_BOOTSERVICE_ACCESS > + | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; > + > + Status =3D CreateTimeBasedPayload (&DataSize, &Data); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", = Status)); > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + VariableName, > + VendorGuid, > + Attr, > + DataSize, > + Data > + ); > + if (Data !=3D NULL) { > + FreePool (Data); > + } > + return Status; > +} > + > +/** > + > + Set the platform secure boot mode into "Custom" or "Standard" mode. > + > + @param[in] SecureBootMode New secure boot mode: STANDARD_SEC= URE_BOOT_MODE or > + CUSTOM_SECURE_BOOT_MODE. > + > + @return EFI_SUCCESS The platform has switched to the s= pecial mode successfully. > + @return other Fail to operate the secure boot mo= de. > + > +--*/ > +EFI_STATUS > +SetSecureBootMode ( > + IN UINT8 SecureBootMode > + ) > +{ > + return gRT->SetVariable ( > + EFI_CUSTOM_MODE_NAME, > + &gEfiCustomModeEnableGuid, > + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_AC= CESS, > + sizeof (UINT8), > + &SecureBootMode > + ); > +} > + > + > +/** > + Enroll a key/certificate based on a default variable. > + > + @param[in] VariableName The name of the key/database. > + @param[in] DefaultName The name of the default variable. > + @param[in] VendorGuid The namespace (ie. vendor GUID) of the= variable > + > + > + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHea= der. 
> + @retval EFI_SUCCESS Successful enrollment. > + @return Error codes from GetTime () and SetVar= iable (). > +--*/ > +STATIC > +EFI_STATUS > +EnrollFromDefault ( > + IN CHAR16 *VariableName, > + IN CHAR16 *DefaultName, > + IN EFI_GUID *VendorGuid > + ) > +{ > + VOID *Data; > + UINTN DataSize; > + EFI_STATUS Status; > + > + Status =3D EFI_SUCCESS; > + > + DataSize =3D 0; > + Status =3D GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data,= &DataSize); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultNa= me, Status)); > + return Status; > + } > + > + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", = Status)); > + return Status; > + } > + > + // > + // Allocate memory for auth variable > + // > + Status =3D gRT->SetVariable ( > + VariableName, > + VendorGuid, > + (EFI_VARIABLE_NON_VOLATILE | > + EFI_VARIABLE_BOOTSERVICE_ACCESS | > + EFI_VARIABLE_RUNTIME_ACCESS | > + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), > + DataSize, > + Data > + ); > + > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, = VariableName, > + VendorGuid, Status)); > + } > + > + if (Data !=3D NULL) { > + FreePool (Data); > + } > + > + return Status; > +} > + > +/** Initializes PKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. 
> +--*/ > +EFI_STATUS > +SecureBootInitPKDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status =3D GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVar= iableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",= EFI_PK_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_V= ARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &= EfiSig); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VA= RIABLE_NAME)); > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_PK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVIC= E_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_N= AME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes KEKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. 
> +--*/ > +EFI_STATUS > +SecureBootInitKEKDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status =3D GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVa= riableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",= EFI_KEK_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_= VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, = &EfiSig); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_V= ARIABLE_NAME)); > + return Status; > + } > + > + > + Status =3D gRT->SetVariable ( > + EFI_KEK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVIC= E_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_= NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. 
> +--*/ > +EFI_STATUS > +SecureBootInitdbDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVar= iableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n",= EFI_DB_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_V= ARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &= EfiSig); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_DB_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVIC= E_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE= _NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbxDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbxDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status =3D GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVa= riableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n",= EFI_DBX_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_= VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, = &EfiSig); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_V= ARIABLE_NAME)); > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_DBX_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVIC= E_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_= NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbtDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbtDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status =3D GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVa= riableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n",= EFI_DBT_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_= VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, = &EfiSig); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_DBT_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVIC= E_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_= NAME)); > + } > + > + FreePool (EfiSig); > + > + return EFI_SUCCESS; > +} > + > +/** > + Fetches the value of SetupMode variable. > + > + @param[out] SetupMode Pointer to UINT8 for SetupMode outp= ut > + > + @retval other Retval from GetVariable. > +--*/ > +BOOLEAN > +EFIAPI > +GetSetupMode ( > + OUT UINT8 *SetupMode > +) > +{ > + UINTN Size; > + EFI_STATUS Status; > + > + Size =3D sizeof (*SetupMode); > + Status =3D gRT->GetVariable ( > + EFI_SETUP_MODE_NAME, > + &gEfiGlobalVariableGuid, > + NULL, > + &Size, > + SetupMode > + ); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + return EFI_SUCCESS; > +} > + > +/** > + Sets the content of the 'db' variable based on 'dbDefault' variable c= ontent. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. 
> + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE, > + EFI_DB_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Clears the content of the 'db' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDb ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_IMAGE_SECURITY_DATABASE, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'dbx' variable based on 'dbxDefault' variable= content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbxFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE1, > + EFI_DBX_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Clears the content of the 'dbx' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. 
> + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbx ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_IMAGE_SECURITY_DATABASE1, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'dbt' variable based on 'dbtDefault' variable= content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbtFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE2, > + EFI_DBT_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid); > + > + return Status; > +} > + > +/** > + Clears the content of the 'dbt' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbt ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_IMAGE_SECURITY_DATABASE2, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable= content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. 
> + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollKEKFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_KEY_EXCHANGE_KEY_NAME, > + EFI_KEK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Clears the content of the 'KEK' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteKEK ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_KEY_EXCHANGE_KEY_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable= content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIAB= LE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTim= e () and SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollPKFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_PLATFORM_KEY_NAME, > + EFI_PK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Remove the PK variable. > + > + @retval EFI_SUCCESS Delete PK successfully. > + @retval Others Could not allow to delete PK. > + > +--*/ > +EFI_STATUS > +DeletePlatformKey ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status =3D DeleteVariable ( > + EFI_PLATFORM_KEY_NAME, > + &gEfiGlobalVariableGuid > + ); > + return Status; > +} 
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secur= eBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/S= ecureBootConfigImpl.c > index e82bfe7757..67e5e594ed 100644 > --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo= nfigImpl.c > +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootCo= nfigImpl.c > @@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > #include "SecureBootConfigImpl.h" > #include > +#include > > CHAR16 mSecureBootStorageName[] =3D L"SECUREBOOT_CONFIGUR= ATION"; 
> > @@ -237,168 +238,6 @@ SaveSecureBootVariable ( > return Status; > } > > -/** > - Create a time based data payload by concatenating the EFI_VARIABLE_AU= THENTICATION_2 > - descriptor with the input data. NO authentication is required in this= function. > - > - @param[in, out] DataSize On input, the size of Data buffer in= bytes. > - On output, the size of data returned= in Data > - buffer in bytes. > - @param[in, out] Data On input, Pointer to data buffer to = be wrapped or > - pointer to NULL to wrap an empty pay= load. > - On output, Pointer to the new payloa= d date buffer allocated from pool, > - it's caller's responsibility to free= the memory when finish using it. > - > - @retval EFI_SUCCESS Create time based payload successful= ly. > - @retval EFI_OUT_OF_RESOURCES There are not enough memory resource= s to create time based payload. > - @retval EFI_INVALID_PARAMETER The parameter is invalid. > - @retval Others Unexpected error happens. > - > -**/ > -EFI_STATUS > -CreateTimeBasedPayload ( > - IN OUT UINTN *DataSize, > - IN OUT UINT8 **Data > - ) > -{ > - EFI_STATUS Status; > - UINT8 *NewData; > - UINT8 *Payload; > - UINTN PayloadSize; > - EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; > - UINTN DescriptorSize; > - EFI_TIME Time; > - > - if (Data =3D=3D NULL || DataSize =3D=3D NULL) { > - return EFI_INVALID_PARAMETER; > - } > - > - // > - // In Setup mode or Custom mode, the variable does not need to be sig= ned but the > - // parameters to the SetVariable() call still need to be prepared as = authenticated > - // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor wit= hout certificate > - // data in it. 
> - // > - Payload =3D *Data; > - PayloadSize =3D *DataSize; > - > - DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthI= nfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); > - NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); > - if (NewData =3D=3D NULL) { > - return EFI_OUT_OF_RESOURCES; > - } > - > - if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { > - CopyMem (NewData + DescriptorSize, Payload, PayloadSize); > - } > - > - DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); > - > - ZeroMem (&Time, sizeof (EFI_TIME)); > - Status =3D gRT->GetTime (&Time, NULL); > - if (EFI_ERROR (Status)) { > - FreePool(NewData); > - return Status; > - } > - Time.Pad1 =3D 0; > - Time.Nanosecond =3D 0; > - Time.TimeZone =3D 0; > - Time.Daylight =3D 0; > - Time.Pad2 =3D 0; > - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); > - > - DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERT= IFICATE_UEFI_GUID, CertData); > - DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; > - DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT_TYPE_EFI_G= UID; > - CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); > - > - if (Payload !=3D NULL) { > - FreePool(Payload); > - } > - > - *DataSize =3D DescriptorSize + PayloadSize; > - *Data =3D NewData; > - return EFI_SUCCESS; > -} > - > -/** > - Internal helper function to delete a Variable given its name and GUID= , NO authentication > - required. > - > - @param[in] VariableName Name of the Variable. > - @param[in] VendorGuid GUID of the Variable. > - > - @retval EFI_SUCCESS Variable deleted successfully. > - @retval Others The driver failed to start the devic= e. 
> - > -**/ > -EFI_STATUS > -DeleteVariable ( > - IN CHAR16 *VariableName, > - IN EFI_GUID *VendorGuid > - ) > -{ > - EFI_STATUS Status; > - VOID* Variable; > - UINT8 *Data; > - UINTN DataSize; > - UINT32 Attr; > - > - GetVariable2 (VariableName, VendorGuid, &Variable, NULL); > - if (Variable =3D=3D NULL) { > - return EFI_SUCCESS; > - } > - FreePool (Variable); > - > - Data =3D NULL; > - DataSize =3D 0; > - Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS = | EFI_VARIABLE_BOOTSERVICE_ACCESS > - | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; > - > - Status =3D CreateTimeBasedPayload (&DataSize, &Data); > - if (EFI_ERROR (Status)) { > - DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", = Status)); > - return Status; > - } > - > - Status =3D gRT->SetVariable ( > - VariableName, > - VendorGuid, > - Attr, > - DataSize, > - Data > - ); > - if (Data !=3D NULL) { > - FreePool (Data); > - } > - return Status; > -} > - > -/** > - > - Set the platform secure boot mode into "Custom" or "Standard" mode. > - > - @param[in] SecureBootMode New secure boot mode: STANDARD_SEC= URE_BOOT_MODE or > - CUSTOM_SECURE_BOOT_MODE. > - > - @return EFI_SUCCESS The platform has switched to the s= pecial mode successfully. > - @return other Fail to operate the secure boot mo= de. > - > -**/ > -EFI_STATUS > -SetSecureBootMode ( > - IN UINT8 SecureBootMode > - ) > -{ > - return gRT->SetVariable ( > - EFI_CUSTOM_MODE_NAME, > - &gEfiCustomModeEnableGuid, > - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_AC= CESS, > - sizeof (UINT8), > - &SecureBootMode > - ); > -} > - > /** > This code checks if the encode type and key strength of X.509 > certificate is qualified. 
> @@ -646,32 +485,6 @@ ON_EXIT: > return Status; > } > > -/** > - Remove the PK variable. > - > - @retval EFI_SUCCESS Delete PK successfully. > - @retval Others Could not allow to delete PK. > - > -**/ > -EFI_STATUS > -DeletePlatformKey ( > - VOID > -) > -{ > - EFI_STATUS Status; > - > - Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); > - if (EFI_ERROR (Status)) { > - return Status; > - } > - > - Status =3D DeleteVariable ( > - EFI_PLATFORM_KEY_NAME, > - &gEfiGlobalVariableGuid > - ); > - return Status; > -} > - > /** > Enroll a new KEK item from public key storing file (*.pbk). > > diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariabl= eLib.uni b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.= uni > new file mode 100644 > index 0000000000..2c51e4db53 > --- /dev/null > +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.un= i > @@ -0,0 +1,16 @@ > +// /** @file > +// > +// Provides initialization of Secure Boot keys and databases. > +// > +// Copyright (c) 2021, ARM Ltd. All rights reserved.
> +// Copyright (c) 2021, Semihalf All rights reserved.
> +// > +// SPDX-License-Identifier: BSD-2-Clause-Patent > +// > +// **/ > + > + > +#string STR_MODULE_ABSTRACT #language en-US "Provides funct= ion to initialize PK, KEK and databases based on default variables." > + > +#string STR_MODULE_DESCRIPTION #language en-US "Provides funct= ion to initialize PK, KEK and databases based on default variables." > + > Reviewed-by: Pete Batard Tested-by: Pete Batard on Raspberry Pi 4
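Review bot: In EnrollFromDefault (SecureBootVariableLib.c) the result of CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data) is discarded, so the EFI_ERROR (Status) check that follows still tests the status from GetVariable2 and can never fire. If GetTime or the allocation fails, the raw default data is passed to SetVariable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS but without an EFI_VARIABLE_AUTHENTICATION_2 descriptor in front of it. Assign the return value to Status, and free Data on that error path, since the early return leaves the GetVariable2 buffer allocated. Three smaller points in the same file: GetSetupMode is declared BOOLEAN but returns Status and EFI_SUCCESS, so a successful read evaluates to FALSE and an error code is truncated, and the return type should be EFI_STATUS; SecureBootInitdbtDefault ends with return EFI_SUCCESS even when SetVariable failed, unlike the PK, KEK, db and dbx variants, which return Status; and the comment above EnrollPKFromDefault still describes 'KEK' and 'KEKDefault'.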

> +CreateTimeBasedPayload (

I feel like we have a couple other instances of this floating around. Should we consolidate on a single implementation?

- Bret

From: Pete Batard via groups.io
Sent: Wednesday, June 2, 2021 10:39 AM
To: devel@edk2.groups.io; gjb@semihalf.com
Cc: Lindholm, Leif; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud; sunny.Wang@arm.com; mw@semihalf.com; upstream@semihalf.com; Yao, Jiewen; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH v2 1/6] SecurityPkg: Create library for setting Secure Boot variables.

On 2021.06.01 14:12, Grzegorz Bernacki wrote:
> This commit adds a library which consists of functions related to the
> creation/removal of Secure Boot variables. Some of the functions
> were moved from the SecureBootConfigImpl.c file.
>
> Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
> ---
>   SecurityPkg/SecurityPkg.dsc                                                          |   1 +
>   SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf                  |  79 ++
>   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf        |   1 +
>   SecurityPkg/Include/Library/SecureBootVariableLib.h                                  | 252 +++++
>   SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c                    | 979 ++++++++++++++++++++
>   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c         | 189 +---
>   SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni                  |  16 +
>   7 files changed, 1329 insertions(+), 188 deletions(-)
>   create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>   create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h
>   create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c
>   create mode 100644 SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni
>
> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.ds= c
> index bd4b810bce..854f250625 100644
> --- a/SecurityPkg/SecurityPkg.dsc
> +++ b/SecurityPkg/SecurityPkg.dsc
> @@ -70,6 +70,7 @@
>     RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcL= ibNull.inf
>     TcgEventLogRecordLib|SecurityPkg/Library/TcgE= ventLogRecordLib/TcgEventLogRecordLib.inf
>     MmUnblockMemoryLib|MdePkg/Library/MmUnblockMe= moryLib/MmUnblockMemoryLibNull.inf
> +  SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableL= ib/SecureBootVariableLib.inf
>  
>   [LibraryClasses.ARM]
>     #
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVari= ableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableL= ib.inf
> new file mode 100644
> index 0000000000..84367841d5
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib= .inf
> @@ -0,0 +1,79 @@
> +## @file
> +#  Provides initialization of Secure Boot keys and databases. > +#
> +#  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR><= br> > +#  Copyright (c) 2021, Semihalf All rights reserved.<BR><= br> > +#
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> +  INF_VERSION        &n= bsp;           =3D 0x0001= 0005
> +  BASE_NAME        &nbs= p;             = = =3D SecureBootVariableLib
> +  MODULE_UNI_FILE       &nbs= p;        =3D SecureBootVariableLib.uni<= br> > +  FILE_GUID        &nbs= p;             = = =3D D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6F
> +  MODULE_TYPE        &n= bsp;           =3D DXE_DR= IVER
> +  VERSION_STRING        = ;         =3D 1.0
> +  LIBRARY_CLASS        =           =3D SecureBootVariab= leLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
> +
> +#
> +# The following information is for reference only and not required b= y the build tools.
> +#
> +#  VALID_ARCHITECTURES       = ;    =3D IA32 X64 AARCH64
> +#
> +
> +[Sources]
> +  SecureBootVariableLib.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +  CryptoPkg/CryptoPkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  BaseMemoryLib
> +  DebugLib
> +  MemoryAllocationLib
> +  BaseCryptLib
> +  DxeServicesLib
> +
> +[Guids]
> +  ## CONSUMES        &n= bsp;   ## Variable:L"SetupMode"
> +  ## PRODUCES        &n= bsp;   ## Variable:L"SetupMode"
> +  ## CONSUMES        &n= bsp;   ## Variable:L"SecureBoot"
> +  ## PRODUCES        &n= bsp;   ## Variable:L"SecureBoot"
> +  ## PRODUCES        &n= bsp;   ## Variable:L"PK"
> +  ## PRODUCES        &n= bsp;   ## Variable:L"KEK"
> +  ## CONSUMES        &n= bsp;   ## Variable:L"PKDefault"
> +  ## CONSUMES        &n= bsp;   ## Variable:L"KEKDefault"
> +  ## CONSUMES        &n= bsp;   ## Variable:L"dbDefault"
> +  ## CONSUMES        &n= bsp;   ## Variable:L"dbxDefault"
> +  ## CONSUMES        &n= bsp;   ## Variable:L"dbtDefault"
> +  gEfiGlobalVariableGuid
> +
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DB"
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DBX"
> +  ## SOMETIMES_CONSUMES  ## Variable:L"DBT"
> +  gEfiImageSecurityDatabaseGuid
> +
> +  ## CONSUMES        &n= bsp;   ## Variable:L"SecureBootEnable"
> +  ## PRODUCES        &n= bsp;   ## Variable:L"SecureBootEnable"
> +  gEfiSecureBootEnableDisableGuid
> +
> +  ## CONSUMES        &n= bsp;   ## Variable:L"CustomMode"
> +  ## PRODUCES        &n= bsp;   ## Variable:L"CustomMode"
> +  gEfiCustomModeEnableGuid
> +
> +  gEfiCertTypeRsa2048Sha256Guid  ## CONSUMES
> +  gEfiCertX509Guid       &nb= sp;       ## CONSUMES
> +  gEfiCertPkcs7Guid       &n= bsp;      ## CONSUMES
> +
> +  gDefaultPKFileGuid
> +  gDefaultKEKFileGuid
> +  gDefaultdbFileGuid
> +  gDefaultdbxFileGuid
> +  gDefaultdbtFileGuid
> +
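Review bot: [LibraryClasses] in the new SecureBootVariableLib.inf omits library classes that the source in this patch calls directly. SecureBootVariableLib.c uses gRT->SetVariable, gRT->GetVariable and gRT->GetTime (UefiRuntimeServicesTableLib) and GetVariable2 (UefiLib), but only BaseLib, BaseMemoryLib, DebugLib, MemoryAllocationLib, BaseCryptLib and DxeServicesLib are listed. Add UefiRuntimeServicesTableLib and UefiLib so the build does not rely on another module pulling them in.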
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Se= cureBootConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigD= xe/SecureBootConfigDxe.inf
> index 573efa6379..30d9cd8025 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoo= tConfigDxe.inf
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoo= tConfigDxe.inf
> @@ -54,6 +54,7 @@
>     DevicePathLib
>     FileExplorerLib
>     PeCoffLib
> +  SecureBootVariableLib
>  
>   [Guids]
>     ## SOMETIMES_CONSUMES    =   ## Variable:L"CustomMode"
> diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/Se= curityPkg/Include/Library/SecureBootVariableLib.h
> new file mode 100644
> index 0000000000..2961c93a36
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h
> @@ -0,0 +1,252 @@
> +/** @file
> +  Provides a function to enroll keys based on default values. > +
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.&l= t;BR>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR&g= t;
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef __SECURE_BOOT_VARIABLE_LIB_H__
> +#define __SECURE_BOOT_VARIABLE_LIB_H__
> +
> +/**
> +
> +  Set the platform secure boot mode into "Custom" or = "Standard" mode.
> +
> +  @param[in]   SecureBootMode    =     New secure boot mode: STANDARD_SECURE_BOOT_MODE or
> +           &n= bsp;            = ;             C= USTOM_SECURE_BOOT_MODE.
> +
> +  @return EFI_SUCCESS       =          The platform has switched = to the special mode successfully.
> +  @return other        =             &nb= sp; Fail to operate the secure boot mode.
> +
> +--*/
> +EFI_STATUS
> +SetSecureBootMode (
> +  IN  UINT8  SecureBootMode
> +);
> +
> +/**
> +  Fetches the value of SetupMode variable.
> +
> +  @param[out] SetupMode      &nbs= p;      Pointer to UINT8 for SetupMode output
> +
> +  @retval other        =              Er= ror codes from GetVariable.
> +--*/
> +BOOLEAN
> +EFIAPI
> +GetSetupMode (
> +  OUT UINT8 *SetupMode
> +);
> +
> +/**
> +  Create a time based data payload by concatenating the EFI_VAR= IABLE_AUTHENTICATION_2
> +  descriptor with the input data. NO authentication is required= in this function.
> +
> +  @param[in, out]   DataSize    &= nbsp;  On input, the size of Data buffer in bytes.
> +           &n= bsp;            = ;           On output, th= e size of data returned in Data
> +           &n= bsp;            = ;           buffer in byt= es.
> +  @param[in, out]   Data     = ;      On input, Pointer to data buffer to be wrap= ped or
> +           &n= bsp;            = ;           pointer to NU= LL to wrap an empty payload.
> +           &n= bsp;            = ;           On output, Po= inter to the new payload date buffer allocated from pool,
> +           &n= bsp;            = ;           it's caller's= responsibility to free the memory when finish using it.
> +
> +  @retval EFI_SUCCESS       =        Create time based payload successfully= .
> +  @retval EFI_OUT_OF_RESOURCES     There ar= e not enough memory resources to create time based payload.
> +  @retval EFI_INVALID_PARAMETER    The parameter= is invalid.
> +  @retval Others        = ;           Unexpected er= ror happens.
> +
> +--*/
> +EFI_STATUS
> +CreateTimeBasedPayload (
> +  IN OUT UINTN        &= nbsp;   *DataSize,
> +  IN OUT UINT8        &= nbsp;   **Data
> +);
> +
> +/**
> +  Sets the content of the 'db' variable based on 'dbDefault' va= riable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'db' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDb (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'dbx' variable based on 'dbxDefault' = variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbxFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'dbx' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbx (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'dbt' variable based on 'dbtDefault' = variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbtFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'dbt' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbt (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' = variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollKEKFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'KEK' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteKEK (
> +  VOID
> +);
> +
> +/**
> +  Sets the content of the 'PK' variable based on 'PKDefault' va= riable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollPKFromDefault (
> +  VOID
> +);
> +
> +/**
> +  Clears the content of the 'PK' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2(), GetTime() and SetVariable()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeletePlatformKey (
> +  VOID
> +);
> +
> +/** Initializes PKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS      =      Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED     &n= bsp; Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitPKDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes KEKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS      =      Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED     &n= bsp; Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitKEKDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes dbDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS      =      Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED     &n= bsp; Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes dbtDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS      =      Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED     &n= bsp; Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbtDefault (
> +  IN VOID
> +  );
> +
> +/** Initializes dbxDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS      =      Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED     &n= bsp; Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbxDefault (
> +  IN VOID
> +  );
> +#endif
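
Review bot: GetSetupMode() is declared as returning BOOLEAN, but its comment documents "@retval other Error codes from GetVariable", so the prototype and the contract disagree; declare it EFI_STATUS and add an "@retval EFI_SUCCESS" line. In the same header, EFIAPI is applied to GetSetupMode and the Enroll*/Delete* functions but not to SetSecureBootMode, CreateTimeBasedPayload or the SecureBootInit*Default prototypes; public library class functions should carry it consistently. The SecureBootInit*Default prototypes should take plain "VOID" rather than "IN VOID". The Enroll*/Delete* comments mention "while VendorGuid is NULL" although these functions take no parameters, so that text looks copied from another function and should be dropped.
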
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVari= ableLib.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib= .c
> new file mode 100644
> index 0000000000..16bad5530a
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib= .c
> @@ -0,0 +1,979 @@
> +/** @file
> +  This library provides functions to set/clear Secure Boot
> +  keys and databases.
> +
> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.&l= t;BR>
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR&g= t;
> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +#include <Guid/GlobalVariable.h>
> +#include <Guid/AuthenticatedVariableFormat.h>
> +#include <Guid/ImageAuthentication.h>
> +#include <Library/BaseCryptLib.h>
> +#include <Library/BaseLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/UefiLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +#include <Library/UefiRuntimeServicesTableLib.h>
> +#include <Library/SecureBootVariableLib.h>
> +#include "Library/DxeServicesLib.h"
> +
> +/** Creates EFI Signature List structure.
> +
> +  @param[in]      Data  &nbs= p;  A pointer to signature data.
> +  @param[in]      Size  &nbs= p;  Size of signature data.
> +  @param[out]     SigList  Created Sig= nature List.
> +
> +  @retval  EFI_SUCCESS      =      Signature List was created successfully.
> +  @retval  EFI_OUT_OF_RESOURCES  Failed to allocate m= emory.
> +--*/
> +STATIC
> +EFI_STATUS
> +CreateSigList (
> +  IN VOID         =        *Data,
> +  IN UINTN         = ;      Size,
> +  OUT EFI_SIGNATURE_LIST **SigList
> +  )
> +{
> +  UINTN         &n= bsp;        SigListSize;
> +  EFI_SIGNATURE_LIST     *TmpSigList;
> +  EFI_SIGNATURE_DATA     *SigData;
> +
> +  //
> +  // Allocate data for Signature Database
> +  //
> +  SigListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIG= NATURE_DATA) - 1 + Size;
> +  TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigLi= stSize);
> +  if (TmpSigList =3D=3D NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  //
> +  // Only gEfiCertX509Guid type is supported
> +  //
> +  TmpSigList->SignatureListSize =3D (UINT32)SigListSize;
> +  TmpSigList->SignatureSize =3D (UINT32) (sizeof (EFI_SIGNAT= URE_DATA) - 1 + Size);
> +  TmpSigList->SignatureHeaderSize =3D 0;
> +  CopyGuid (&TmpSigList->SignatureType, &gEfiCertX50= 9Guid);
> +
> +  //
> +  // Copy key data
> +  //
> +  SigData =3D (EFI_SIGNATURE_DATA *) (TmpSigList + 1);
> +  CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVar= iableGuid);
> +  CopyMem (&SigData->SignatureData[0], Data, Size);
> +
> +  *SigList =3D TmpSigList;
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/** Adds new signature list to signature database.
> +
> +  @param[in]      SigLists  =       A pointer to signature database.
> +  @param[in]      SiglListAppend = A signature list to be added.
> +  @param[out]     *SigListOut  &n= bsp;  Created signature database.
> +  @param[out]     SigListsSize  &= nbsp; A size of created signature database.
> +
> +  @retval  EFI_SUCCESS      =      Signature List was added successfully.
> +  @retval  EFI_OUT_OF_RESOURCES  Failed to allocate m= emory.
> +--*/
> +STATIC
> +EFI_STATUS
> +ConcatenateSigList (
> +  IN  EFI_SIGNATURE_LIST *SigLists,
> +  IN  EFI_SIGNATURE_LIST *SigListAppend,
> +  OUT EFI_SIGNATURE_LIST **SigListOut,
> +  IN OUT UINTN        &= nbsp;  *SigListsSize
> +)
> +{
> +  EFI_SIGNATURE_LIST *TmpSigList;
> +  UINT8         &n= bsp;    *Offset;
> +  UINTN         &n= bsp;    NewSigListsSize;
> +
> +  NewSigListsSize =3D *SigListsSize + SigListAppend->Signatu= reListSize;
> +
> +  TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSi= gListsSize);
> +  if (TmpSigList =3D=3D NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  CopyMem (TmpSigList, SigLists, *SigListsSize);
> +
> +  Offset =3D (UINT8 *)TmpSigList;
> +  Offset +=3D *SigListsSize;
> +  CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->Sig= natureListSize);
> +
> +  *SigListsSize =3D NewSigListsSize;
> +  *SigListOut =3D TmpSigList;
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Create a EFI Signature List with data fetched from section sp= ecified as a argument.
> +  Found keys are verified using RsaGetPublicKeyFromX509().
> +
> +  @param[in]        KeyFileG= uid    A pointer to to the FFS filename GUID
> +  @param[out]       SigListsSize&= nbsp;  A pointer to size of signature list
> +  @param[out]       SigListsOut&n= bsp;   a pointer to a callee-allocated buffer with signature list= s
> +
> +  @retval EFI_SUCCESS       =        Create time based payload successfully= .
> +  @retval EFI_NOT_FOUND      &nbs= p;     Section with key has not been found.
> +  @retval EFI_INVALID_PARAMETER    Embedded key = has a wrong format.
> +  @retval Others        = ;           Unexpected er= ror happens.
> +
> +--*/
> +STATIC
> +EFI_STATUS
> +SecureBootFetchData (
> +    IN  EFI_GUID     &n= bsp;     *KeyFileGuid,
> +    OUT UINTN      &nbs= p;       *SigListsSize,
> +    OUT EFI_SIGNATURE_LIST **SigListOut
> +)
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  EFI_SIGNATURE_LIST *TmpEfiSig;
> +  EFI_SIGNATURE_LIST *TmpEfiSig2;
> +  EFI_STATUS         St= atus;
> +  VOID         &nb= sp;     *Buffer;
> +  VOID         &nb= sp;     *RsaPubKey;
> +  UINTN         &n= bsp;     Size;
> +  UINTN         &n= bsp;     KeyIndex;
> +
> +
> +  KeyIndex =3D 0;
> +  EfiSig =3D NULL;
> +  *SigListsSize =3D 0;
> +  while (1) {
> +    Status =3D GetSectionFromAnyFv (
> +           &n= bsp;   KeyFileGuid,
> +           &n= bsp;   EFI_SECTION_RAW,
> +           &n= bsp;   KeyIndex,
> +           &n= bsp;   &Buffer,
> +           &n= bsp;   &Size
> +           &n= bsp;   );
> +
> +    if (Status =3D=3D EFI_SUCCESS) {
> +      RsaPubKey =3D NULL;
> +      if (RsaGetPublicKeyFromX509 (Buffer, = Size, &RsaPubKey) =3D=3D FALSE) {
> +        DEBUG ((DEBUG_ERROR, &quo= t;%a: Invalid key format: %d\n", __FUNCTION__, KeyIndex));
> +        if (EfiSig !=3D NULL) { > +          FreePool(EfiS= ig);
> +        }
> +        FreePool(Buffer);
> +        return EFI_INVALID_PARAME= TER;
> +      }
> +
> +      Status =3D CreateSigList (Buffer, Siz= e, &TmpEfiSig);
> +
> +      //
> +      // Concatenate lists if more than one= section found
> +      //
> +      if (KeyIndex =3D=3D 0) {
> +        EfiSig =3D TmpEfiSig;
> +        *SigListsSize =3D TmpEfiS= ig->SignatureListSize;
> +      } else {
> +        ConcatenateSigList (EfiSi= g, TmpEfiSig, &TmpEfiSig2, SigListsSize);
> +        FreePool (EfiSig);
> +        FreePool (TmpEfiSig);
> +        EfiSig =3D TmpEfiSig2; > +      }
> +
> +      KeyIndex++;
> +      FreePool (Buffer);
> +    } if (Status =3D=3D EFI_NOT_FOUND) {
> +      break;
> +    }
> +  };
> +
> +  if (KeyIndex =3D=3D 0) {
> +    return EFI_NOT_FOUND;
> +  }
> +
> +  *SigListOut =3D EfiSig;
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Create a time based data payload by concatenating the EFI_VAR= IABLE_AUTHENTICATION_2
> +  descriptor with the input data. NO authentication is required= in this function.
> +
> +  @param[in, out]   DataSize    &= nbsp;  On input, the size of Data buffer in bytes.
> +           &n= bsp;            = ;           On output, th= e size of data returned in Data
> +           &n= bsp;            = ;           buffer in byt= es.
> +  @param[in, out]   Data     = ;      On input, Pointer to data buffer to be wrap= ped or
> +           &n= bsp;            = ;           pointer to NU= LL to wrap an empty payload.
> +           &n= bsp;            = ;           On output, Po= inter to the new payload date buffer allocated from pool,
> +           &n= bsp;            = ;           it's caller's= responsibility to free the memory when finish using it.
> +
> +  @retval EFI_SUCCESS       =        Create time based payload successfully= .
> +  @retval EFI_OUT_OF_RESOURCES     There ar= e not enough memory resources to create time based payload.
> +  @retval EFI_INVALID_PARAMETER    The parameter= is invalid.
> +  @retval Others        = ;           Unexpected er= ror happens.
> +
> +--*/
> +EFI_STATUS
> +CreateTimeBasedPayload (
> +  IN OUT UINTN        &= nbsp;   *DataSize,
> +  IN OUT UINT8        &= nbsp;   **Data
> +  )
> +{
> +  EFI_STATUS        &nb= sp;            =   Status;
> +  UINT8         &n= bsp;            = ;      *NewData;
> +  UINT8         &n= bsp;            = ;      *Payload;
> +  UINTN         &n= bsp;            = ;      PayloadSize;
> +  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorDa= ta;
> +  UINTN         &n= bsp;            = ;      DescriptorSize;
> +  EFI_TIME         = ;            &n= bsp;   Time;
> +
> +  if (Data =3D=3D NULL || DataSize =3D=3D NULL) {
> +    return EFI_INVALID_PARAMETER;
> +  }
> +
> +  //
> +  // In Setup mode or Custom mode, the variable does not need t= o be signed but the
> +  // parameters to the SetVariable() call still need to be prep= ared as authenticated
> +  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descri= ptor without certificate
> +  // data in it.
> +  //
> +  Payload     =3D *Data;
> +  PayloadSize =3D *DataSize;
> +
> +  DescriptorSize    =3D OFFSET_OF (EFI_VARIABLE_= AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertDat= a);
> +  NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + Paylo= adSize);
> +  if (NewData =3D=3D NULL) {
> +    return EFI_OUT_OF_RESOURCES;
> +  }
> +
> +  if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { > +    CopyMem (NewData + DescriptorSize, Payload, Paylo= adSize);
> +  }
> +
> +  DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData= );
> +
> +  ZeroMem (&Time, sizeof (EFI_TIME));
> +  Status =3D gRT->GetTime (&Time, NULL);
> +  if (EFI_ERROR (Status)) {
> +    FreePool(NewData);
> +    return Status;
> +  }
> +  Time.Pad1       =3D 0;
> +  Time.Nanosecond =3D 0;
> +  Time.TimeZone   =3D 0;
> +  Time.Daylight   =3D 0;
> +  Time.Pad2       =3D 0;
> +  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof= (EFI_TIME));
> +
> +  DescriptorData->AuthInfo.Hdr.dwLength   &nb= sp;     =3D OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertD= ata);
> +  DescriptorData->AuthInfo.Hdr.wRevision   &n= bsp;    =3D 0x0200;
> +  DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT= _TYPE_EFI_GUID;
> +  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEf= iCertPkcs7Guid);
> +
> +  if (Payload !=3D NULL) {
> +    FreePool(Payload);
> +  }
> +
> +  *DataSize =3D DescriptorSize + PayloadSize;
> +  *Data     =3D NewData;
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Internal helper function to delete a Variable given its name = and GUID, NO authentication
> +  required.
> +
> +  @param[in]      VariableName &n= bsp;          Name of the Vari= able.
> +  @param[in]      VendorGuid &nbs= p;            GUID o= f the Variable.
> +
> +  @retval EFI_SUCCESS       =        Variable deleted successfully.
> +  @retval Others        = ;           The driver fa= iled to start the device.
> +
> +--*/
> +EFI_STATUS
> +DeleteVariable (
> +  IN  CHAR16       &nbs= p;            *Varia= bleName,
> +  IN  EFI_GUID       &n= bsp;          *VendorGuid
> +  )
> +{
> +  EFI_STATUS        &nb= sp;     Status;
> +  VOID*         &n= bsp;         Variable;
> +  UINT8         &n= bsp;         *Data;
> +  UINTN         &n= bsp;         DataSize;
> +  UINT32         &= nbsp;        Attr;
> +
> +  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);=
> +  if (Variable =3D=3D NULL) {
> +    return EFI_SUCCESS;
> +  }
> +  FreePool (Variable);
> +
> +  Data     =3D NULL;
> +  DataSize =3D 0;
> +  Attr     =3D EFI_VARIABLE_NON_VOLATILE | = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
> +           &n= bsp; | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> +
> +  Status =3D CreateTimeBasedPayload (&DataSize, &Data);=
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to create time-ba= sed data payload: %r", Status));
> +    return Status;
> +  }
> +
> +  Status =3D gRT->SetVariable (
> +           &n= bsp;      VariableName,
> +           &n= bsp;      VendorGuid,
> +           &n= bsp;      Attr,
> +           &n= bsp;      DataSize,
> +           &n= bsp;      Data
> +           &n= bsp;      );
> +  if (Data !=3D NULL) {
> +    FreePool (Data);
> +  }
> +  return Status;
> +}
> +
> +/**
> +
> +  Set the platform secure boot mode into "Custom" or = "Standard" mode.
> +
> +  @param[in]   SecureBootMode    =     New secure boot mode: STANDARD_SECURE_BOOT_MODE or
> +           &n= bsp;            = ;             C= USTOM_SECURE_BOOT_MODE.
> +
> +  @return EFI_SUCCESS       =          The platform has switched = to the special mode successfully.
> +  @return other        =             &nb= sp; Fail to operate the secure boot mode.
> +
> +--*/
> +EFI_STATUS
> +SetSecureBootMode (
> +  IN  UINT8  SecureBootMode
> +  )
> +{
> +  return gRT->SetVariable (
> +           &n= bsp;    EFI_CUSTOM_MODE_NAME,
> +           &n= bsp;    &gEfiCustomModeEnableGuid,
> +           &n= bsp;    EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE= _ACCESS,
> +           &n= bsp;    sizeof (UINT8),
> +           &n= bsp;    &SecureBootMode
> +           &n= bsp;    );
> +}
> +
> +
> +/**
> +  Enroll a key/certificate based on a default variable.
> +
> +  @param[in] VariableName      &n= bsp; The name of the key/database.
> +  @param[in] DefaultName      &nb= sp;  The name of the default variable.
> +  @param[in] VendorGuid      &nbs= p;   The namespace (ie. vendor GUID) of the variable
> +
> +
> +  @retval EFI_OUT_OF_RESOURCES   Out of memory while = allocating AuthHeader.
> +  @retval EFI_SUCCESS       =      Successful enrollment.
> +  @return         =             &nb= sp;  Error codes from GetTime () and SetVariable ().
> +--*/
> +STATIC
> +EFI_STATUS
> +EnrollFromDefault (
> +  IN CHAR16   *VariableName,
> +  IN CHAR16   *DefaultName,
> +  IN EFI_GUID *VendorGuid
> +  )
> +{
> +  VOID       *Data;
> +  UINTN       DataSize;
> +  EFI_STATUS  Status;
> +
> +  Status =3D EFI_SUCCESS;
> +
> +  DataSize =3D 0;
> +  Status =3D GetVariable2 (DefaultName, &gEfiGlobalVariable= Guid, &Data, &DataSize);
> +  if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_ERROR, "error: Get= Variable (\"%s): %r\n", DefaultName, Status));
> +      return Status;
> +  }
> +
> +  CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);<= br> > +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "Fail to create time-ba= sed data payload: %r", Status));
> +    return Status;
> +  }
> +
> +  //
> +  // Allocate memory for auth variable
> +  //
> +  Status =3D gRT->SetVariable (
> +           &n= bsp;      VariableName,
> +           &n= bsp;      VendorGuid,
> +           &n= bsp;      (EFI_VARIABLE_NON_VOLATILE |
> +           &n= bsp;       EFI_VARIABLE_BOOTSERVICE_ACCESS |<= br> > +           &n= bsp;       EFI_VARIABLE_RUNTIME_ACCESS |
> +           &n= bsp;       EFI_VARIABLE_TIME_BASED_AUTHENTICA= TED_WRITE_ACCESS),
> +           &n= bsp;      DataSize,
> +           &n= bsp;      Data
> +           &n= bsp;      );
> +
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_ERROR, "error: %a (\"%s\&= quot;, %g): %r\n", __FUNCTION__, VariableName,
> +      VendorGuid, Status));
> +  }
> +
> +  if (Data !=3D NULL) {
> +    FreePool (Data);
> +  }
> +
> +  return Status;
> +}
> +
> +/** Initializes PKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS      =      Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED     &n= bsp; Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitPKDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN         &n= bsp;     SigListsSize;
> +  EFI_STATUS        &nb= sp; Status;
> +  UINT8         &n= bsp;     *Data;
> +  UINTN         &n= bsp;     DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status =3D GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &g= EfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status =3D=3D EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old= value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)= ) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n"= , EFI_PK_DEFAULT_VARIABLE_NAME));
> +
> +  Status =3D SecureBootFetchData (&gDefaultPKFileGuid, &= ;SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not foun= d\n", EFI_PK_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +  Status =3D gRT->SetVariable (
> +           &n= bsp;      EFI_PK_DEFAULT_VARIABLE_NAME,
> +           &n= bsp;      &gEfiGlobalVariableGuid,
> +           &n= bsp;      EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIAB= LE_BOOTSERVICE_ACCESS,
> +           &n= bsp;      SigListsSize,
> +           &n= bsp;      (VOID *)EfiSig
> +           &n= bsp;      );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n"= ;, EFI_PK_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes KEKDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS      =      Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED     &n= bsp; Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitKEKDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN         &n= bsp;     SigListsSize;
> +  EFI_STATUS        &nb= sp; Status;
> +  UINT8         &n= bsp;    *Data;
> +  UINTN         &n= bsp;     DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status =3D GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &= gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status =3D=3D EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old= value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)= ) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n"= , EFI_KEK_DEFAULT_VARIABLE_NAME));
> +
> +  Status =3D SecureBootFetchData (&gDefaultKEKFileGuid, &am= p;SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not foun= d\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +
> +  Status =3D gRT->SetVariable (
> +           &n= bsp;      EFI_KEK_DEFAULT_VARIABLE_NAME,
> +           &n= bsp;      &gEfiGlobalVariableGuid,
> +           &n= bsp;      EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIAB= LE_BOOTSERVICE_ACCESS,
> +           &n= bsp;      SigListsSize,
> +           &n= bsp;      (VOID *)EfiSig
> +           &n= bsp;      );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n"= ;, EFI_KEK_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS      =      Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED     &n= bsp; Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN         &n= bsp;     SigListsSize;
> +  EFI_STATUS        &nb= sp; Status;
> +  UINT8         &n= bsp;    *Data;
> +  UINTN         &n= bsp;     DataSize;
> +
> +  Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &g= EfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status =3D=3D EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old= value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)= ) {
> +    return Status;
> +  }
> +
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n"= , EFI_DB_DEFAULT_VARIABLE_NAME));
> +
> +  Status =3D SecureBootFetchData (&gDefaultdbFileGuid, &= ;SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +      return Status;
> +  }
> +
> +  Status =3D gRT->SetVariable (
> +           &n= bsp;      EFI_DB_DEFAULT_VARIABLE_NAME,
> +           &n= bsp;      &gEfiGlobalVariableGuid,
> +           &n= bsp;      EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIAB= LE_BOOTSERVICE_ACCESS,
> +           &n= bsp;      SigListsSize,
> +           &n= bsp;      (VOID *)EfiSig
> +           &n= bsp;      );
> +  if (EFI_ERROR (Status)) {
> +      DEBUG ((DEBUG_INFO, "Failed to s= et %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbxDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS      =      Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED     &n= bsp; Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbxDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN         &n= bsp;     SigListsSize;
> +  EFI_STATUS        &nb= sp; Status;
> +  UINT8         &n= bsp;    *Data;
> +  UINTN         &n= bsp;     DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status =3D GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &= gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status =3D=3D EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old= value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)= ) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n"= , EFI_DBX_DEFAULT_VARIABLE_NAME));
> +
> +  Status =3D SecureBootFetchData (&gDefaultdbxFileGuid, &am= p;SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Content for %s not foun= d\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
> +    return Status;
> +  }
> +
> +  Status =3D gRT->SetVariable (
> +           &n= bsp;      EFI_DBX_DEFAULT_VARIABLE_NAME,
> +           &n= bsp;      &gEfiGlobalVariableGuid,
> +           &n= bsp;      EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIAB= LE_BOOTSERVICE_ACCESS,
> +           &n= bsp;      SigListsSize,
> +           &n= bsp;      (VOID *)EfiSig
> +           &n= bsp;      );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n"= ;, EFI_DBX_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return Status;
> +}
> +
> +/** Initializes dbtDefault variable with data from FFS section.
> +
> +
> +  @retval  EFI_SUCCESS      =      Variable was initialized successfully.
> +  @retval  EFI_UNSUPPORTED     &n= bsp; Variable already exists.
> +--*/
> +EFI_STATUS
> +SecureBootInitdbtDefault (
> +  IN VOID
> +  )
> +{
> +  EFI_SIGNATURE_LIST *EfiSig;
> +  UINTN         &n= bsp;     SigListsSize;
> +  EFI_STATUS        &nb= sp; Status;
> +  UINT8         &n= bsp;    *Data;
> +  UINTN         &n= bsp;     DataSize;
> +
> +  //
> +  // Check if variable exists, if so do not change it
> +  //
> +  Status =3D GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &= gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
> +  if (Status =3D=3D EFI_SUCCESS) {
> +    DEBUG ((DEBUG_INFO, "Variable %s exists. Old= value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
> +    FreePool (Data);
> +    return EFI_UNSUPPORTED;
> +  }
> +
> +  if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)= ) {
> +    return Status;
> +  }
> +
> +  //
> +  // Variable does not exist, can be initialized
> +  //
> +  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n"= , EFI_DBT_DEFAULT_VARIABLE_NAME));
> +
> +  Status =3D SecureBootFetchData (&gDefaultdbtFileGuid, &am= p;SigListsSize, &EfiSig);
> +  if (EFI_ERROR (Status)) {
> +      return Status;
> +  }
> +
> +  Status =3D gRT->SetVariable (
> +           &n= bsp;      EFI_DBT_DEFAULT_VARIABLE_NAME,
> +           &n= bsp;      &gEfiGlobalVariableGuid,
> +           &n= bsp;      EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIAB= LE_BOOTSERVICE_ACCESS,
> +           &n= bsp;      SigListsSize,
> +           &n= bsp;      (VOID *)EfiSig
> +           &n= bsp;      );
> +  if (EFI_ERROR (Status)) {
> +    DEBUG ((DEBUG_INFO, "Failed to set %s\n"= ;, EFI_DBT_DEFAULT_VARIABLE_NAME));
> +  }
> +
> +  FreePool (EfiSig);
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Fetches the value of SetupMode variable.
> +
> +  @param[out] SetupMode      &nbs= p;      Pointer to UINT8 for SetupMode output
> +
> +  @retval other        =              Re= tval from GetVariable.
> +--*/
> +BOOLEAN
> +EFIAPI
> +GetSetupMode (
> +    OUT UINT8 *SetupMode
> +)
> +{
> +  UINTN      Size;
> +  EFI_STATUS Status;
> +
> +  Size =3D sizeof (*SetupMode);
> +  Status =3D gRT->GetVariable (
> +           &n= bsp;      EFI_SETUP_MODE_NAME,
> +           &n= bsp;      &gEfiGlobalVariableGuid,
> +           &n= bsp;      NULL,
> +           &n= bsp;      &Size,
> +           &n= bsp;      SetupMode
> +           &n= bsp;      );
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  Sets the content of the 'db' variable based on 'dbDefault' va= riable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status =3D EnrollFromDefault (
> +           &n= bsp; EFI_IMAGE_SECURITY_DATABASE,
> +           &n= bsp; EFI_DB_DEFAULT_VARIABLE_NAME,
> +           &n= bsp; &gEfiImageSecurityDatabaseGuid
> +           &n= bsp; );
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'db' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDb (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status =3D DeleteVariable (
> +           &n= bsp; EFI_IMAGE_SECURITY_DATABASE,
> +           &n= bsp; &gEfiImageSecurityDatabaseGuid
> +           &n= bsp; );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'dbx' variable based on 'dbxDefault' = variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbxFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status =3D EnrollFromDefault (
> +           &n= bsp; EFI_IMAGE_SECURITY_DATABASE1,
> +           &n= bsp; EFI_DBX_DEFAULT_VARIABLE_NAME,
> +           &n= bsp; &gEfiImageSecurityDatabaseGuid
> +           &n= bsp; );
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'dbx' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbx (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status =3D DeleteVariable (
> +           &n= bsp; EFI_IMAGE_SECURITY_DATABASE1,
> +           &n= bsp; &gEfiImageSecurityDatabaseGuid
> +           &n= bsp; );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'dbt' variable based on 'dbtDefault' = variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollDbtFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status =3D EnrollFromDefault (
> +           &n= bsp; EFI_IMAGE_SECURITY_DATABASE2,
> +           &n= bsp; EFI_DBT_DEFAULT_VARIABLE_NAME,
> +           &n= bsp; &gEfiImageSecurityDatabaseGuid);
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'dbt' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteDbt (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status =3D DeleteVariable (
> +           &n= bsp; EFI_IMAGE_SECURITY_DATABASE2,
> +           &n= bsp; &gEfiImageSecurityDatabaseGuid
> +           &n= bsp; );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' = variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollKEKFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status =3D EnrollFromDefault (
> +           &n= bsp; EFI_KEY_EXCHANGE_KEY_NAME,
> +           &n= bsp; EFI_KEK_DEFAULT_VARIABLE_NAME,
> +           &n= bsp; &gEfiGlobalVariableGuid
> +           &n= bsp; );
> +
> +  return Status;
> +}
> +
> +/**
> +  Clears the content of the 'KEK' variable.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +DeleteKEK (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status =3D DeleteVariable (
> +           &n= bsp; EFI_KEY_EXCHANGE_KEY_NAME,
> +           &n= bsp; &gEfiGlobalVariableGuid
> +           &n= bsp; );
> +
> +  return Status;
> +}
> +
> +/**
> +  Sets the content of the 'KEK' variable based on 'KEKDefault' = variable content.
> +
> +  @retval EFI_OUT_OF_RESOURCES      If= memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
> +           &n= bsp;            = ;            while V= endorGuid is NULL.
> +  @retval other        =              Er= rors from GetVariable2 (), GetTime () and SetVariable ()
> +--*/
> +EFI_STATUS
> +EFIAPI
> +EnrollPKFromDefault (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status =3D EnrollFromDefault (
> +           &n= bsp; EFI_PLATFORM_KEY_NAME,
> +           &n= bsp; EFI_PK_DEFAULT_VARIABLE_NAME,
> +           &n= bsp; &gEfiGlobalVariableGuid
> +           &n= bsp; );
> +
> +  return Status;
> +}
> +
> +/**
> +  Remove the PK variable.
> +
> +  @retval EFI_SUCCESS    Delete PK successfully.=
> +  @retval Others        = ; Could not allow to delete PK.
> +
> +--*/
> +EFI_STATUS
> +DeletePlatformKey (
> +  VOID
> +)
> +{
> +  EFI_STATUS Status;
> +
> +  Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
> +  if (EFI_ERROR (Status)) {
> +    return Status;
> +  }
> +
> +  Status =3D DeleteVariable (
> +           &n= bsp; EFI_PLATFORM_KEY_NAME,
> +           &n= bsp; &gEfiGlobalVariableGuid
> +           &n= bsp; );
> +  return Status;
> +}
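Review bot: GetSetupMode is declared to return BOOLEAN, but its body returns Status and EFI_SUCCESS and its header documents "Retval from GetVariable", so a caller that reads the result as a boolean gets FALSE on success (EFI_SUCCESS is 0). Declare it as EFI_STATUS, after which the body can simply return Status. In the function that ends just above it, a failure to set EFI_DBT_DEFAULT_VARIABLE_NAME is only logged at DEBUG_INFO and the function still returns EFI_SUCCESS; return Status there, or state in the header that the failure is deliberately ignored. Documentation nits: the comment above EnrollPKFromDefault still describes 'KEK' and 'KEKDefault', DeletePlatformKey lacks the EFIAPI that the other functions in this file carry, and the comment blocks close with --*/ where the copy removed from SecureBootConfigImpl.c used **/.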
> diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Se= cureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDx= e/SecureBootConfigImpl.c
> index e82bfe7757..67e5e594ed 100644
> --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoo= tConfigImpl.c
> +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBoo= tConfigImpl.c
> @@ -9,6 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  
>   #include "SecureBootConfigImpl.h"
>   #include <Library/BaseCryptLib.h>
> +#include <Library/SecureBootVariableLib.h>
>  
>   CHAR16        &nb= sp;     mSecureBootStorageName[] =3D L"SECUREBOOT_= CONFIGURATION";
>  
> @@ -237,168 +238,6 @@ SaveSecureBootVariable (
>     return Status;
>   }
>  
> -/**
> -  Create a time based data payload by concatenating the EFI_VAR= IABLE_AUTHENTICATION_2
> -  descriptor with the input data. NO authentication is required= in this function.
> -
> -  @param[in, out]   DataSize    &= nbsp;  On input, the size of Data buffer in bytes.
> -           &n= bsp;            = ;           On output, th= e size of data returned in Data
> -           &n= bsp;            = ;           buffer in byt= es.
> -  @param[in, out]   Data     = ;      On input, Pointer to data buffer to be wrap= ped or
> -           &n= bsp;            = ;           pointer to NU= LL to wrap an empty payload.
> -           &n= bsp;            = ;           On output, Po= inter to the new payload date buffer allocated from pool,
> -           &n= bsp;            = ;           it's caller's= responsibility to free the memory when finish using it.
> -
> -  @retval EFI_SUCCESS       =        Create time based payload successfully= .
> -  @retval EFI_OUT_OF_RESOURCES     There ar= e not enough memory resources to create time based payload.
> -  @retval EFI_INVALID_PARAMETER    The parameter= is invalid.
> -  @retval Others        = ;           Unexpected er= ror happens.
> -
> -**/
> -EFI_STATUS
> -CreateTimeBasedPayload (
> -  IN OUT UINTN        &= nbsp;   *DataSize,
> -  IN OUT UINT8        &= nbsp;   **Data
> -  )
> -{
> -  EFI_STATUS        &nb= sp;            =   Status;
> -  UINT8         &n= bsp;            = ;      *NewData;
> -  UINT8         &n= bsp;            = ;      *Payload;
> -  UINTN         &n= bsp;            = ;      PayloadSize;
> -  EFI_VARIABLE_AUTHENTICATION_2    *DescriptorDa= ta;
> -  UINTN         &n= bsp;            = ;      DescriptorSize;
> -  EFI_TIME         = ;            &n= bsp;   Time;
> -
> -  if (Data =3D=3D NULL || DataSize =3D=3D NULL) {
> -    return EFI_INVALID_PARAMETER;
> -  }
> -
> -  //
> -  // In Setup mode or Custom mode, the variable does not need t= o be signed but the
> -  // parameters to the SetVariable() call still need to be prep= ared as authenticated
> -  // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descri= ptor without certificate
> -  // data in it.
> -  //
> -  Payload     =3D *Data;
> -  PayloadSize =3D *DataSize;
> -
> -  DescriptorSize    =3D OFFSET_OF (EFI_VARIABLE_= AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertDat= a);
> -  NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + Paylo= adSize);
> -  if (NewData =3D=3D NULL) {
> -    return EFI_OUT_OF_RESOURCES;
> -  }
> -
> -  if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { > -    CopyMem (NewData + DescriptorSize, Payload, Paylo= adSize);
> -  }
> -
> -  DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData= );
> -
> -  ZeroMem (&Time, sizeof (EFI_TIME));
> -  Status =3D gRT->GetTime (&Time, NULL);
> -  if (EFI_ERROR (Status)) {
> -    FreePool(NewData);
> -    return Status;
> -  }
> -  Time.Pad1       =3D 0;
> -  Time.Nanosecond =3D 0;
> -  Time.TimeZone   =3D 0;
> -  Time.Daylight   =3D 0;
> -  Time.Pad2       =3D 0;
> -  CopyMem (&DescriptorData->TimeStamp, &Time, sizeof= (EFI_TIME));
> -
> -  DescriptorData->AuthInfo.Hdr.dwLength   &nb= sp;     =3D OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertD= ata);
> -  DescriptorData->AuthInfo.Hdr.wRevision   &n= bsp;    =3D 0x0200;
> -  DescriptorData->AuthInfo.Hdr.wCertificateType =3D WIN_CERT= _TYPE_EFI_GUID;
> -  CopyGuid (&DescriptorData->AuthInfo.CertType, &gEf= iCertPkcs7Guid);
> -
> -  if (Payload !=3D NULL) {
> -    FreePool(Payload);
> -  }
> -
> -  *DataSize =3D DescriptorSize + PayloadSize;
> -  *Data     =3D NewData;
> -  return EFI_SUCCESS;
> -}
> -
> -/**
> -  Internal helper function to delete a Variable given its name = and GUID, NO authentication
> -  required.
> -
> -  @param[in]      VariableName &n= bsp;          Name of the Vari= able.
> -  @param[in]      VendorGuid &nbs= p;            GUID o= f the Variable.
> -
> -  @retval EFI_SUCCESS       =        Variable deleted successfully.
> -  @retval Others        = ;           The driver fa= iled to start the device.
> -
> -**/
> -EFI_STATUS
> -DeleteVariable (
> -  IN  CHAR16       &nbs= p;            *Varia= bleName,
> -  IN  EFI_GUID       &n= bsp;          *VendorGuid
> -  )
> -{
> -  EFI_STATUS        &nb= sp;     Status;
> -  VOID*         &n= bsp;         Variable;
> -  UINT8         &n= bsp;         *Data;
> -  UINTN         &n= bsp;         DataSize;
> -  UINT32         &= nbsp;        Attr;
> -
> -  GetVariable2 (VariableName, VendorGuid, &Variable, NULL);=
> -  if (Variable =3D=3D NULL) {
> -    return EFI_SUCCESS;
> -  }
> -  FreePool (Variable);
> -
> -  Data     =3D NULL;
> -  DataSize =3D 0;
> -  Attr     =3D EFI_VARIABLE_NON_VOLATILE | = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
> -           &n= bsp; | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
> -
> -  Status =3D CreateTimeBasedPayload (&DataSize, &Data);=
> -  if (EFI_ERROR (Status)) {
> -    DEBUG ((EFI_D_ERROR, "Fail to create time-ba= sed data payload: %r", Status));
> -    return Status;
> -  }
> -
> -  Status =3D gRT->SetVariable (
> -           &n= bsp;      VariableName,
> -           &n= bsp;      VendorGuid,
> -           &n= bsp;      Attr,
> -           &n= bsp;      DataSize,
> -           &n= bsp;      Data
> -           &n= bsp;      );
> -  if (Data !=3D NULL) {
> -    FreePool (Data);
> -  }
> -  return Status;
> -}
> -
> -/**
> -
> -  Set the platform secure boot mode into "Custom" or = "Standard" mode.
> -
> -  @param[in]   SecureBootMode    =     New secure boot mode: STANDARD_SECURE_BOOT_MODE or
> -           &n= bsp;            = ;             C= USTOM_SECURE_BOOT_MODE.
> -
> -  @return EFI_SUCCESS       =          The platform has switched = to the special mode successfully.
> -  @return other        =             &nb= sp; Fail to operate the secure boot mode.
> -
> -**/
> -EFI_STATUS
> -SetSecureBootMode (
> -  IN     UINT8     = ;    SecureBootMode
> -  )
> -{
> -  return gRT->SetVariable (
> -           &n= bsp;    EFI_CUSTOM_MODE_NAME,
> -           &n= bsp;    &gEfiCustomModeEnableGuid,
> -           &n= bsp;    EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE= _ACCESS,
> -           &n= bsp;    sizeof (UINT8),
> -           &n= bsp;    &SecureBootMode
> -           &n= bsp;    );
> -}
> -
>   /**
>     This code checks if the encode type and key s= trength of X.509
>     certificate is qualified.
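Review bot: DeleteVariable and SetSecureBootMode were file-local helpers here (the removed comment calls DeleteVariable an "Internal helper function ... NO authentication required"), and they are now reached through Library/SecureBootVariableLib.h, so the constraint spelled out in the removed CreateTimeBasedPayload comment should move to the library header with them: the payload is an EFI_VARIABLE_AUTHENTICATION_2 descriptor without certificate data, which is only sufficient in Setup mode or Custom mode. A name as generic as DeleteVariable is also worth prefixing once it is exported from a library class, to avoid clashing with helpers in other modules.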
> @@ -646,32 +485,6 @@ ON_EXIT:
>     return Status;
>   }
>  
> -/**
> -  Remove the PK variable.
> -
> -  @retval EFI_SUCCESS    Delete PK successfully.=
> -  @retval Others        = ; Could not allow to delete PK.
> -
> -**/
> -EFI_STATUS
> -DeletePlatformKey (
> -  VOID
> -)
> -{
> -  EFI_STATUS Status;
> -
> -  Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);
> -  if (EFI_ERROR (Status)) {
> -    return Status;
> -  }
> -
> -  Status =3D DeleteVariable (
> -           &n= bsp; EFI_PLATFORM_KEY_NAME,
> -           &n= bsp; &gEfiGlobalVariableGuid
> -           &n= bsp; );
> -  return Status;
> -}
> -
>   /**
>     Enroll a new KEK item from public key storing= file (*.pbk).
>  
> diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVari= ableLib.uni b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableL= ib.uni
> new file mode 100644
> index 0000000000..2c51e4db53
> --- /dev/null
> +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib= .uni
> @@ -0,0 +1,16 @@
> +// /** @file
> +//
> +// Provides initialization of Secure Boot keys and databases.
> +//
> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
> +// Copyright (c) 2021, Semihalf All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT       = ;      #language en-US "Provides function to = initialize PK, KEK and databases based on default variables."
> +
> +#string STR_MODULE_DESCRIPTION      &n= bsp;   #language en-US "Provides function to initialize PK, = KEK and databases based on default variables."
> +
>
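Review bot: STR_MODULE_ABSTRACT and STR_MODULE_DESCRIPTION carry the same sentence; the description should say more than the abstract, and since the library in this patch also deletes PK, KEK, db, dbx and dbt, "initialize" alone undersells it. Suggest "Provides functions to enroll and delete PK, KEK and the signature databases based on the default variables." Also, the Semihalf copyright line is missing the period before "All rights reserved" that the ARM line has.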

Reviewed-by: Pete Batard <pete@akeo.ie>
Tested-by: Pete Batard <pete@akeo.ie> on Raspberry Pi 4




 
