From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by mx.groups.io with SMTP id smtpd.web11.4977.1625572523629048621 for ; Tue, 06 Jul 2021 04:55:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=KMCtbVAj; spf=pass (domain: intel.com, ip: 192.55.52.151, mailfrom: jiewen.yao@intel.com) X-IronPort-AV: E=McAfee;i="6200,9189,10036"; a="189477373" X-IronPort-AV: E=Sophos;i="5.83,328,1616482800"; d="scan'208";a="189477373" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 06 Jul 2021 04:55:23 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.83,328,1616482800"; d="scan'208";a="460660814" Received: from orsmsx601.amr.corp.intel.com ([10.22.229.14]) by fmsmga008.fm.intel.com with ESMTP; 06 Jul 2021 04:55:22 -0700 Received: from orsmsx610.amr.corp.intel.com (10.22.229.23) by ORSMSX601.amr.corp.intel.com (10.22.229.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.10; Tue, 6 Jul 2021 04:55:22 -0700 Received: from ORSEDG602.ED.cps.intel.com (10.7.248.7) by orsmsx610.amr.corp.intel.com (10.22.229.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.10 via Frontend Transport; Tue, 6 Jul 2021 04:55:22 -0700 Received: from NAM11-BN8-obe.outbound.protection.outlook.com (104.47.58.168) by edgegateway.intel.com (134.134.137.103) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.4; Tue, 6 Jul 2021 04:55:21 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HvPwo79eFHnU8wG5TPXEkj7zCeC/mbcr7eAzSo/XrtonAeGDcgx/BmjwSwopyKQVYTo8XlMd1YtWMFayBlq/vt5ci2QrsWrZR5Sn8tf2JtgM5PBO9/T8Xk3swYNE8xUpVZPppTqnQMOqYa/gjBG5d0hKB3g7EvFzbXJXrjw4PGyIOwaUGJpuvJf82ywHVUm/dUh6tCDlfQVtyYnJvaASGLyOjQccRIH7LO2Yrc5u8FdTAbLCg+FeFsXvfgGLFzB9p3k3RwjVkbVj4k4HhHz2PZ9izYNfU9roiaOKAZ8qPP3LYA4cbMTsC9jKY0brmeLc59P54ozsuAIDYhUiiebaEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mhYWGD6PUYjSvnuhMk4Q7ZYkKWhkR2SB+t5PdtjBeqw=; b=Xb9PQj/u0bvpIwWZJaiH4DVhUx9lhWByk+hBiQ1k4QOoEzUXJKwVx+y2RoLT4Z7SVWvkzxbKxdFxpxW9Ix0QQ2vPaBulAEGSaRd/qY3rGUSeDRlqYrdejAdrXVwRBKg6ghz71OWt+YR9buTY2s8kZO/O0ogxdJu++qPKrdRk5d3O7GEMPf6CQuXV/icdjslTy3zZED8BC/8LOIZr18d8aUywZqVeKkY7XMP8P5O8befqFRa59Q3UhaW0KH8FajCmG8vdV7jmi1JijYJopb46WzmyKYh8ttUbYn5xud/OTJuIPGPDGz6BWwhSUdvRIb4l8fBn4LZHn+7C5fo1zlX+wg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mhYWGD6PUYjSvnuhMk4Q7ZYkKWhkR2SB+t5PdtjBeqw=; b=KMCtbVAjPjPAlD5FHYD2Q7aVJy7chbd+i9jvti/1h2sP7idKOOsmaj/NnYXqlgB4g75eV3HB3D9qfSIwRjsl2DQotmtJwbEKqXQc+ACVz0k5Rjhuj2mqijzW0jcu4iVz2c34ycswaAGkhzHGjoscwdZFce80M17SDVjLPaqU0n8= Received: from PH0PR11MB4885.namprd11.prod.outlook.com (2603:10b6:510:35::14) by PH0PR11MB5125.namprd11.prod.outlook.com (2603:10b6:510:3e::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4287.24; Tue, 6 Jul 2021 11:55:18 +0000 Received: from PH0PR11MB4885.namprd11.prod.outlook.com ([fe80::6c99:8170:1c3c:9121]) by PH0PR11MB4885.namprd11.prod.outlook.com ([fe80::6c99:8170:1c3c:9121%3]) with mapi id 15.20.4287.033; Tue, 6 Jul 2021 11:55:18 +0000 From: "Yao, Jiewen" To: Grzegorz Bernacki , "devel@edk2.groups.io" CC: "leif@nuviainc.com" , "ardb+tianocore@kernel.org" , "Samer.El-Haj-Mahmoud@arm.com" , "sunny.Wang@arm.com" , "mw@semihalf.com" , "upstream@semihalf.com" , "Wang, Jian J" , "Xu, Min M" , "lersek@redhat.com" , "sami.mujawar@arm.com" , "afish@apple.com" , "Ni, Ray" , "Justen, Jordan L" , "rebecca@bsdio.com" , "grehan@freebsd.org" , "thomas.abraham@arm.com" , "Chiu, Chasel" , "Desimone, Nathaniel L" , "gaoliming@byosoft.com.cn" , "Dong, Eric" , "Kinney, Michael D" , "Sun, Zailiang" , "Qian, Yi" , "graeme@nuviainc.com" , "rad@semihalf.com" , "pete@akeo.ie" Subject: Re: [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables. Thread-Topic: [PATCH v5 01/10] SecurityPkg: Create library for setting Secure Boot variables. Thread-Index: AQHXbloKONegj9ExjUegvt5jCSo3Rqs13tAw Date: Tue, 6 Jul 2021 11:55:18 +0000 Message-ID: References: <20210701091758.1057485-1-gjb@semihalf.com> <20210701091758.1057485-2-gjb@semihalf.com> In-Reply-To: <20210701091758.1057485-2-gjb@semihalf.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-version: 11.5.1.3 dlp-product: dlpe-windows dlp-reaction: no-action authentication-results: semihalf.com; dkim=none (message not signed) header.d=none;semihalf.com; dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 89e72135-a5d1-421f-2659-08d94074ed31 x-ms-traffictypediagnostic: PH0PR11MB5125: x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:162; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: KA7yb2J973azv1CJaE+0OYsB2/blmWmRZOeiUMAzDykwCMdFpE1co6s20XhwLRmnhtQvm5IMOKE2NuIMupNAh3dZ/cXy2pt8bjRYvFHDyPsFcY6HjSHOjcXsg3YBv3d0PLQKEBJjhIRJRgLNu0AaVvW88dsyZU5zyZdtii2+mn/6z0qIGDkwgw3TrawhAMBzerzRFS3/MT+GFnm7o2JTmBQAiDuKaOYi46sR6W2D0pbGSEtUUzNpHlz4YPhtncAS/uftxgwG6JPsofLqWkadrP6zL7Sh6Q4VcCGzNK5nE1t4BBx8EZCv2inbz+V7nC2PioDYxK0tksx4Z+KFawsP4k+Scz3dB3+cziwcY/s9LzM7GFKFPd9eetrb5K3xpW2220YolZupIUYt8TOHjs0+9hsYcThn0pYuHy6ypfCJNv5VjTGv7vmzgqsu7FKaoBbZmUtsxF9W2OGJNICkJ4dV04N/npDbjTK5FNqNrRUPVC4h258fxk2IB1Dg6iJsK7WH04TT7HY0p4RMqijuNYtWX4kJ1CEcngEQD+sPs0VXQZJGa8585vWMvuah5GGDDbW0rp0Fq8+0S5eUMh0RTtddlsh15saaZGAKeCPwHfZkmWY7UK0MB7ZpEw7VqH5J/7G3DnfKU5RnnyIdm1igWi/8MA== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR11MB4885.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(366004)(39860400002)(396003)(136003)(376002)(346002)(33656002)(15650500001)(64756008)(71200400001)(316002)(52536014)(5660300002)(186003)(83380400001)(26005)(6506007)(66556008)(66446008)(30864003)(54906003)(7416002)(38100700002)(4326008)(86362001)(9686003)(478600001)(53546011)(7696005)(110136005)(122000001)(66476007)(19627235002)(76116006)(8676002)(66946007)(2906002)(55016002)(8936002)(579004)(559001);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?/qAWCHhumoKJ5WudjqFNNprDG4SgdUpICHK2Qb8jhEHj7cK63H7YbK2/BTon?= =?us-ascii?Q?kLZ5OMAYxNJOr4LWItODybo2uRvLpRNPYvlWeMcPho0amoRzNsXejdvr8Nch?= =?us-ascii?Q?GTNuw0ozvYufkGMKndle9+dtqNWmx4EDq3T2Jc5x4GdvKxwQVLH7TKHx4OhW?= =?us-ascii?Q?WzG39KQAWbtunGoYnFrphjbEqfL9zsm/a+ojdn31BEdH3lVWK0uwAZQ0PAIn?= =?us-ascii?Q?+gvOC69IEtU2Qd8iP2VRRabkwxCjAkxX68YUHNHe/1bZZvc0QFAUP9XZyKMu?= =?us-ascii?Q?gCsT7a3HiQLEyibDl9dJV1ucJkrHWJu5Rl8GSErIKiT73zdC3dhPbmBWn601?= =?us-ascii?Q?+TluuwWHCPP/kbKFbLHEsh2zaSU00IzTTiAQrs9Dizt7vD/NGFsOtAA2JCBh?= =?us-ascii?Q?8TUXvGd2I710nlvG3a+Vzr5UKVmRmSKsNqXV82Wc7QYgW0mu965Pwt6kb4lB?= =?us-ascii?Q?ZIRkWHAwyUjq8JEgREnVpPR9UVslz0tErBSVP7dq2KjO+Dl4CBTy0cNFy8gP?= =?us-ascii?Q?QnuZFNig4Rl7+W42y1PkOqcCi7iPwzZxRb5KU0ZJZzlNDRaXJVLS6NyaSiG2?= =?us-ascii?Q?vVM90yrSYz6Jj95yPZv9Rb2fitfvQxqfPj0HvT/T7+SCTni1oQgX8Eq5Pg1j?= =?us-ascii?Q?dU9QvxiR0HP4wjDJYVR+OdYXUUY+50aFmQ9cyQ/LUD+nRadc+r+FE/KuGcyl?= =?us-ascii?Q?Io5vCQh7cAyYqcG6BAbGVK8z0aG2HCoOqj4aleWmYqOmtvtFRCB8d05hSYjn?= =?us-ascii?Q?px9Ld5/Ms46Pz8Tx/YoWs7VEwJjDSaXMUaRIHvZzZGQGGl4DfAJlyOov220B?= =?us-ascii?Q?urjBOl2ZN4JWMJm8YA4JLoXEFwqi+LUM2SPcHzbRNL7UNyqG3NiCF1p+BnJs?= =?us-ascii?Q?8penL4kftUaD/zyA3M89aEf+7JFZtcH7Yfqx7xJQo1rpg49hE/RM01Xns3/U?= =?us-ascii?Q?ww3KojgnUG4las3Y6elQrHhUtM85A98wGSmK7G/ILKB9+nGO7HvVUSCRkK+g?= =?us-ascii?Q?RnnyAdZ648dEHi9XJUeGKxiYYHGrPwq1qJ3wC9EDwDuPF5FcxYIf3nvCsRiC?= =?us-ascii?Q?jvQAa5uRwwfPsePw2RfPnN78St2XTOYRWcYh420WwJE1MdyuhjmVbiAaJg8D?= =?us-ascii?Q?+zPqQleHVIOba0wbqrM5xSXchvnJXwn7NhTfeoyU14I6tI/58KK1amar8GMm?= =?us-ascii?Q?T3hyYqiCxniRKVGAU6Gqwp1GMczgxPbXEcgtfFscLJHeCeAMgfs9E/ng+4Tr?= =?us-ascii?Q?DWc6noXWBKpeiMk6h1kbE3mvIUfVJiyO7/7K8CuxDyjTmax4X9V+GQ9qXVj4?= =?us-ascii?Q?FWR9FO3/f7mUrbrNd3fZvnDV?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: PH0PR11MB4885.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 89e72135-a5d1-421f-2659-08d94074ed31 X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Jul 2021 11:55:18.8067 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: pNXUnPmX9uzpEWAYnEhuRL/wA89uqDswWmywuTpRRhOuMs583EBmpezbknINQ5bc1VVPNc6EbAPsMXUwj3Xovw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB5125 Return-Path: jiewen.yao@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Jiewen Yao > -----Original Message----- > From: Grzegorz Bernacki > Sent: Thursday, July 1, 2021 5:18 PM > To: devel@edk2.groups.io > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer.El-Haj- > Mahmoud@arm.com; sunny.Wang@arm.com; mw@semihalf.com; > upstream@semihalf.com; Yao, Jiewen ; Wang, Jian J > ; Xu, Min M ; > lersek@redhat.com; sami.mujawar@arm.com; afish@apple.com; Ni, Ray > ; Justen, Jordan L ; > rebecca@bsdio.com; grehan@freebsd.org; thomas.abraham@arm.com; Chiu, > Chasel ; Desimone, Nathaniel L > ; gaoliming@byosoft.com.cn; Dong, Eric > ; Kinney, Michael D ; Su= n, > Zailiang ; Qian, Yi ; > graeme@nuviainc.com; rad@semihalf.com; pete@akeo.ie; Grzegorz Bernacki > > Subject: [PATCH v5 01/10] SecurityPkg: Create library for setting Secure = Boot > variables. >=20 > This commits add library, which consist functions related > creation/removal Secure Boot variables. Some of the functions > was moved from SecureBootConfigImpl.c file. >=20 > Signed-off-by: Grzegorz Bernacki > --- > SecurityPkg/SecurityPkg.dsc | = 1 + > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 7= 9 ++ > SecurityPkg/Include/Library/SecureBootVariableLib.h | 25= 1 +++++ > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 98= 0 > ++++++++++++++++++++ > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni | 1= 6 + > 5 files changed, 1327 insertions(+) > create mode 100644 > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > create mode 100644 SecurityPkg/Include/Library/SecureBootVariableLib.h > create mode 100644 > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > create mode 100644 > SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni >=20 > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc > index bd4b810bce..854f250625 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc > @@ -70,6 +70,7 @@ > RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf >=20 > TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLo > gRecordLib.inf >=20 > MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockM > emoryLibNull.inf > + > SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBoo= t > VariableLib.inf >=20 > [LibraryClasses.ARM] > # > diff --git > a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > new file mode 100644 > index 0000000000..84367841d5 > --- /dev/null > +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > @@ -0,0 +1,79 @@ > +## @file > +# Provides initialization of Secure Boot keys and databases. > +# > +# Copyright (c) 2021, ARM Ltd. All rights reserved.
> +# Copyright (c) 2021, Semihalf All rights reserved.
> +# > +# SPDX-License-Identifier: BSD-2-Clause-Patent > +# > +## > + > +[Defines] > + INF_VERSION =3D 0x00010005 > + BASE_NAME =3D SecureBootVariableLib > + MODULE_UNI_FILE =3D SecureBootVariableLib.uni > + FILE_GUID =3D D4FFF5CA-6D8E-4DBD-8A4B-7C7CEBD97F6= F > + MODULE_TYPE =3D DXE_DRIVER > + VERSION_STRING =3D 1.0 > + LIBRARY_CLASS =3D SecureBootVariableLib|DXE_DRIVER > DXE_RUNTIME_DRIVER UEFI_APPLICATION > + > +# > +# The following information is for reference only and not required by th= e build > tools. > +# > +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 > +# > + > +[Sources] > + SecureBootVariableLib.c > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + SecurityPkg/SecurityPkg.dec > + CryptoPkg/CryptoPkg.dec > + > +[LibraryClasses] > + BaseLib > + BaseMemoryLib > + DebugLib > + MemoryAllocationLib > + BaseCryptLib > + DxeServicesLib > + > +[Guids] > + ## CONSUMES ## Variable:L"SetupMode" > + ## PRODUCES ## Variable:L"SetupMode" > + ## CONSUMES ## Variable:L"SecureBoot" > + ## PRODUCES ## Variable:L"SecureBoot" > + ## PRODUCES ## Variable:L"PK" > + ## PRODUCES ## Variable:L"KEK" > + ## CONSUMES ## Variable:L"PKDefault" > + ## CONSUMES ## Variable:L"KEKDefault" > + ## CONSUMES ## Variable:L"dbDefault" > + ## CONSUMES ## Variable:L"dbxDefault" > + ## CONSUMES ## Variable:L"dbtDefault" > + gEfiGlobalVariableGuid > + > + ## SOMETIMES_CONSUMES ## Variable:L"DB" > + ## SOMETIMES_CONSUMES ## Variable:L"DBX" > + ## SOMETIMES_CONSUMES ## Variable:L"DBT" > + gEfiImageSecurityDatabaseGuid > + > + ## CONSUMES ## Variable:L"SecureBootEnable" > + ## PRODUCES ## Variable:L"SecureBootEnable" > + gEfiSecureBootEnableDisableGuid > + > + ## CONSUMES ## Variable:L"CustomMode" > + ## PRODUCES ## Variable:L"CustomMode" > + gEfiCustomModeEnableGuid > + > + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES > + gEfiCertX509Guid ## CONSUMES > + gEfiCertPkcs7Guid ## CONSUMES > + > + gDefaultPKFileGuid > + gDefaultKEKFileGuid > + gDefaultdbFileGuid > + gDefaultdbxFileGuid > + gDefaultdbtFileGuid > + > diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h > b/SecurityPkg/Include/Library/SecureBootVariableLib.h > new file mode 100644 > index 0000000000..e010667165 > --- /dev/null > +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h > @@ -0,0 +1,251 @@ > +/** @file > + Provides a function to enroll keys based on default values. > + > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP
> +Copyright (c) 2021, ARM Ltd. All rights reserved.
> +Copyright (c) 2021, Semihalf All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#ifndef __SECURE_BOOT_VARIABLE_LIB_H__ > +#define __SECURE_BOOT_VARIABLE_LIB_H__ > + > +/** > + Set the platform secure boot mode into "Custom" or "Standard" mode. > + > + @param[in] SecureBootMode New secure boot mode: > STANDARD_SECURE_BOOT_MODE or > + CUSTOM_SECURE_BOOT_MODE. > + > + @return EFI_SUCCESS The platform has switched to the sp= ecial mode > successfully. > + @return other Fail to operate the secure boot mod= e. > + > +--*/ > +EFI_STATUS > +SetSecureBootMode ( > + IN UINT8 SecureBootMode > +); > + > +/** > + Fetches the value of SetupMode variable. > + > + @param[out] SetupMode Pointer to UINT8 for SetupMode outpu= t > + > + @retval other Error codes from GetVariable. > +--*/ > +EFI_STATUS > +EFIAPI > +GetSetupMode ( > + OUT UINT8 *SetupMode > +); > + > +/** > + Create a time based data payload by concatenating the > EFI_VARIABLE_AUTHENTICATION_2 > + descriptor with the input data. NO authentication is required in this = function. > + > + @param[in, out] DataSize On input, the size of Data buffer in = bytes. > + On output, the size of data returned = in Data > + buffer in bytes. > + @param[in, out] Data On input, Pointer to data buffer to b= e wrapped > or > + pointer to NULL to wrap an empty payl= oad. > + On output, Pointer to the new payload= date buffer allocated > from pool, > + it's caller's responsibility to free = the memory when finish > using it. > + > + @retval EFI_SUCCESS Create time based payload successfull= y. > + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources > to create time based payload. > + @retval EFI_INVALID_PARAMETER The parameter is invalid. > + @retval Others Unexpected error happens. > + > +--*/ > +EFI_STATUS > +CreateTimeBasedPayload ( > + IN OUT UINTN *DataSize, > + IN OUT UINT8 **Data > +); > + > +/** > + Sets the content of the 'db' variable based on 'dbDefault' variable co= ntent. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'db' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDb ( > + VOID > +); > + > +/** > + Sets the content of the 'dbx' variable based on 'dbxDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbxFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'dbx' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbx ( > + VOID > +); > + > +/** > + Sets the content of the 'dbt' variable based on 'dbtDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbtFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'dbt' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbt ( > + VOID > +); > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollKEKFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'KEK' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteKEK ( > + VOID > +); > + > +/** > + Sets the content of the 'PK' variable based on 'PKDefault' variable co= ntent. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollPKFromDefault ( > + VOID > +); > + > +/** > + Clears the content of the 'PK' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2(), GetTime(= ) and > SetVariable() > +--*/ > +EFI_STATUS > +EFIAPI > +DeletePlatformKey ( > + VOID > +); > + > +/** > + Initializes PKDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitPKDefault ( > + IN VOID > + ); > + > +/** > + Initializes KEKDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitKEKDefault ( > + IN VOID > + ); > + > +/** > + Initializes dbDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbDefault ( > + IN VOID > + ); > + > +/** > + Initializes dbtDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbtDefault ( > + IN VOID > + ); > + > +/** > + Initializes dbxDefault variable with data from FFS section. > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbxDefault ( > + IN VOID > + ); > +#endif > diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariable= Lib.c > b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > new file mode 100644 > index 0000000000..f3dafeca6e > --- /dev/null > +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c > @@ -0,0 +1,980 @@ > +/** @file > + This library provides functions to set/clear Secure Boot > + keys and databases. > + > +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP
> +Copyright (c) 2021, ARM Ltd. All rights reserved.
> +Copyright (c) 2021, Semihalf All rights reserved.
> +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include "Library/DxeServicesLib.h" > + > +/** Creates EFI Signature List structure. > + > + @param[in] Data A pointer to signature data. > + @param[in] Size Size of signature data. > + @param[out] SigList Created Signature List. > + > + @retval EFI_SUCCESS Signature List was created successfully= . > + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. > +--*/ > +STATIC > +EFI_STATUS > +CreateSigList ( > + IN VOID *Data, > + IN UINTN Size, > + OUT EFI_SIGNATURE_LIST **SigList > + ) > +{ > + UINTN SigListSize; > + EFI_SIGNATURE_LIST *TmpSigList; > + EFI_SIGNATURE_DATA *SigData; > + > + // > + // Allocate data for Signature Database > + // > + SigListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DA= TA) - 1 > + Size; > + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (SigListSize); > + if (TmpSigList =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + // > + // Only gEfiCertX509Guid type is supported > + // > + TmpSigList->SignatureListSize =3D (UINT32)SigListSize; > + TmpSigList->SignatureSize =3D (UINT32) (sizeof (EFI_SIGNATURE_DATA) - = 1 + > Size); > + TmpSigList->SignatureHeaderSize =3D 0; > + CopyGuid (&TmpSigList->SignatureType, &gEfiCertX509Guid); > + > + // > + // Copy key data > + // > + SigData =3D (EFI_SIGNATURE_DATA *) (TmpSigList + 1); > + CopyGuid (&SigData->SignatureOwner, &gEfiGlobalVariableGuid); > + CopyMem (&SigData->SignatureData[0], Data, Size); > + > + *SigList =3D TmpSigList; > + > + return EFI_SUCCESS; > +} > + > +/** Adds new signature list to signature database. > + > + @param[in] SigLists A pointer to signature database. > + @param[in] SiglListAppend A signature list to be added. > + @param[out] *SigListOut Created signature database. > + @param[out] SigListsSize A size of created signature database. > + > + @retval EFI_SUCCESS Signature List was added successfully. > + @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. > +--*/ > +STATIC > +EFI_STATUS > +ConcatenateSigList ( > + IN EFI_SIGNATURE_LIST *SigLists, > + IN EFI_SIGNATURE_LIST *SigListAppend, > + OUT EFI_SIGNATURE_LIST **SigListOut, > + IN OUT UINTN *SigListsSize > +) > +{ > + EFI_SIGNATURE_LIST *TmpSigList; > + UINT8 *Offset; > + UINTN NewSigListsSize; > + > + NewSigListsSize =3D *SigListsSize + SigListAppend->SignatureListSize; > + > + TmpSigList =3D (EFI_SIGNATURE_LIST *) AllocateZeroPool (NewSigListsSiz= e); > + if (TmpSigList =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + CopyMem (TmpSigList, SigLists, *SigListsSize); > + > + Offset =3D (UINT8 *)TmpSigList; > + Offset +=3D *SigListsSize; > + CopyMem ((VOID *)Offset, SigListAppend, SigListAppend->SignatureListSi= ze); > + > + *SigListsSize =3D NewSigListsSize; > + *SigListOut =3D TmpSigList; > + return EFI_SUCCESS; > +} > + > +/** > + Create a EFI Signature List with data fetched from section specified a= s a > argument. > + Found keys are verified using RsaGetPublicKeyFromX509(). > + > + @param[in] KeyFileGuid A pointer to to the FFS filename GUID > + @param[out] SigListsSize A pointer to size of signature list > + @param[out] SigListsOut a pointer to a callee-allocated buffe= r with > signature lists > + > + @retval EFI_SUCCESS Create time based payload successfull= y. > + @retval EFI_NOT_FOUND Section with key has not been found. > + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. > + @retval Others Unexpected error happens. > + > +--*/ > +STATIC > +EFI_STATUS > +SecureBootFetchData ( > + IN EFI_GUID *KeyFileGuid, > + OUT UINTN *SigListsSize, > + OUT EFI_SIGNATURE_LIST **SigListOut > +) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + EFI_SIGNATURE_LIST *TmpEfiSig; > + EFI_SIGNATURE_LIST *TmpEfiSig2; > + EFI_STATUS Status; > + VOID *Buffer; > + VOID *RsaPubKey; > + UINTN Size; > + UINTN KeyIndex; > + > + > + KeyIndex =3D 0; > + EfiSig =3D NULL; > + *SigListsSize =3D 0; > + while (1) { > + Status =3D GetSectionFromAnyFv ( > + KeyFileGuid, > + EFI_SECTION_RAW, > + KeyIndex, > + &Buffer, > + &Size > + ); > + > + if (Status =3D=3D EFI_SUCCESS) { > + RsaPubKey =3D NULL; > + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FALS= E) { > + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION_= _, > KeyIndex)); > + if (EfiSig !=3D NULL) { > + FreePool(EfiSig); > + } > + FreePool(Buffer); > + return EFI_INVALID_PARAMETER; > + } > + > + Status =3D CreateSigList (Buffer, Size, &TmpEfiSig); > + > + // > + // Concatenate lists if more than one section found > + // > + if (KeyIndex =3D=3D 0) { > + EfiSig =3D TmpEfiSig; > + *SigListsSize =3D TmpEfiSig->SignatureListSize; > + } else { > + ConcatenateSigList (EfiSig, TmpEfiSig, &TmpEfiSig2, SigListsSize= ); > + FreePool (EfiSig); > + FreePool (TmpEfiSig); > + EfiSig =3D TmpEfiSig2; > + } > + > + KeyIndex++; > + FreePool (Buffer); > + } if (Status =3D=3D EFI_NOT_FOUND) { > + break; > + } > + }; > + > + if (KeyIndex =3D=3D 0) { > + return EFI_NOT_FOUND; > + } > + > + *SigListOut =3D EfiSig; > + > + return EFI_SUCCESS; > +} > + > +/** > + Create a time based data payload by concatenating the > EFI_VARIABLE_AUTHENTICATION_2 > + descriptor with the input data. NO authentication is required in this = function. > + > + @param[in, out] DataSize On input, the size of Data buffer in = bytes. > + On output, the size of data returned = in Data > + buffer in bytes. > + @param[in, out] Data On input, Pointer to data buffer to b= e wrapped > or > + pointer to NULL to wrap an empty payl= oad. > + On output, Pointer to the new payload= date buffer allocated > from pool, > + it's caller's responsibility to free = the memory when finish > using it. > + > + @retval EFI_SUCCESS Create time based payload successfull= y. > + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources > to create time based payload. > + @retval EFI_INVALID_PARAMETER The parameter is invalid. > + @retval Others Unexpected error happens. > + > +--*/ > +EFI_STATUS > +CreateTimeBasedPayload ( > + IN OUT UINTN *DataSize, > + IN OUT UINT8 **Data > + ) > +{ > + EFI_STATUS Status; > + UINT8 *NewData; > + UINT8 *Payload; > + UINTN PayloadSize; > + EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; > + UINTN DescriptorSize; > + EFI_TIME Time; > + > + if (Data =3D=3D NULL || DataSize =3D=3D NULL) { > + return EFI_INVALID_PARAMETER; > + } > + > + // > + // In Setup mode or Custom mode, the variable does not need to be sign= ed > but the > + // parameters to the SetVariable() call still need to be prepared as > authenticated > + // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor > without certificate > + // data in it. > + // > + Payload =3D *Data; > + PayloadSize =3D *DataSize; > + > + DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthIn= fo) > + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); > + NewData =3D (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize); > + if (NewData =3D=3D NULL) { > + return EFI_OUT_OF_RESOURCES; > + } > + > + if ((Payload !=3D NULL) && (PayloadSize !=3D 0)) { > + CopyMem (NewData + DescriptorSize, Payload, PayloadSize); > + } > + > + DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData); > + > + ZeroMem (&Time, sizeof (EFI_TIME)); > + Status =3D gRT->GetTime (&Time, NULL); > + if (EFI_ERROR (Status)) { > + FreePool(NewData); > + return Status; > + } > + Time.Pad1 =3D 0; > + Time.Nanosecond =3D 0; > + Time.TimeZone =3D 0; > + Time.Daylight =3D 0; > + Time.Pad2 =3D 0; > + CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); > + > + DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF > (WIN_CERTIFICATE_UEFI_GUID, CertData); > + DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; > + DescriptorData->AuthInfo.Hdr.wCertificateType =3D > WIN_CERT_TYPE_EFI_GUID; > + CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid); > + > + if (Payload !=3D NULL) { > + FreePool(Payload); > + } > + > + *DataSize =3D DescriptorSize + PayloadSize; > + *Data =3D NewData; > + return EFI_SUCCESS; > +} > + > +/** > + Internal helper function to delete a Variable given its name and GUID,= NO > authentication > + required. > + > + @param[in] VariableName Name of the Variable. > + @param[in] VendorGuid GUID of the Variable. > + > + @retval EFI_SUCCESS Variable deleted successfully. > + @retval Others The driver failed to start the device= . > + > +--*/ > +EFI_STATUS > +DeleteVariable ( > + IN CHAR16 *VariableName, > + IN EFI_GUID *VendorGuid > + ) > +{ > + EFI_STATUS Status; > + VOID* Variable; > + UINT8 *Data; > + UINTN DataSize; > + UINT32 Attr; > + > + GetVariable2 (VariableName, VendorGuid, &Variable, NULL); > + if (Variable =3D=3D NULL) { > + return EFI_SUCCESS; > + } > + FreePool (Variable); > + > + Data =3D NULL; > + DataSize =3D 0; > + Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS > + | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; > + > + Status =3D CreateTimeBasedPayload (&DataSize, &Data); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", > Status)); > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + VariableName, > + VendorGuid, > + Attr, > + DataSize, > + Data > + ); > + if (Data !=3D NULL) { > + FreePool (Data); > + } > + return Status; > +} > + > +/** > + > + Set the platform secure boot mode into "Custom" or "Standard" mode. > + > + @param[in] SecureBootMode New secure boot mode: > STANDARD_SECURE_BOOT_MODE or > + CUSTOM_SECURE_BOOT_MODE. > + > + @return EFI_SUCCESS The platform has switched to the sp= ecial mode > successfully. > + @return other Fail to operate the secure boot mod= e. > + > +--*/ > +EFI_STATUS > +SetSecureBootMode ( > + IN UINT8 SecureBootMode > + ) > +{ > + return gRT->SetVariable ( > + EFI_CUSTOM_MODE_NAME, > + &gEfiCustomModeEnableGuid, > + EFI_VARIABLE_NON_VOLATILE | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + sizeof (UINT8), > + &SecureBootMode > + ); > +} > + > + > +/** > + Enroll a key/certificate based on a default variable. > + > + @param[in] VariableName The name of the key/database. > + @param[in] DefaultName The name of the default variable. > + @param[in] VendorGuid The namespace (ie. vendor GUID) of the > variable > + > + > + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating > AuthHeader. > + @retval EFI_SUCCESS Successful enrollment. > + @return Error codes from GetTime () and SetVari= able (). > +--*/ > +STATIC > +EFI_STATUS > +EnrollFromDefault ( > + IN CHAR16 *VariableName, > + IN CHAR16 *DefaultName, > + IN EFI_GUID *VendorGuid > + ) > +{ > + VOID *Data; > + UINTN DataSize; > + EFI_STATUS Status; > + > + Status =3D EFI_SUCCESS; > + > + DataSize =3D 0; > + Status =3D GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, > &DataSize); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultNam= e, > Status)); > + return Status; > + } > + > + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", > Status)); > + return Status; > + } > + > + // > + // Allocate memory for auth variable > + // > + Status =3D gRT->SetVariable ( > + VariableName, > + VendorGuid, > + (EFI_VARIABLE_NON_VOLATILE | > + EFI_VARIABLE_BOOTSERVICE_ACCESS | > + EFI_VARIABLE_RUNTIME_ACCESS | > + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), > + DataSize, > + Data > + ); > + > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, > VariableName, > + VendorGuid, Status)); > + } > + > + if (Data !=3D NULL) { > + FreePool (Data); > + } > + > + return Status; > +} > + > +/** Initializes PKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitPKDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status =3D GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &E= fiSig); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_PK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_PK_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes KEKDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitKEKDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status =3D GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &= EfiSig); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + return Status; > + } > + > + > + Status =3D gRT->SetVariable ( > + EFI_KEK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_KEK_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_DB_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_DB_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &E= fiSig); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_DB_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_DB_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbxDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbxDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status =3D GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &= EfiSig); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_DBX_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_DBX_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return Status; > +} > + > +/** Initializes dbtDefault variable with data from FFS section. > + > + > + @retval EFI_SUCCESS Variable was initialized successfully. > + @retval EFI_UNSUPPORTED Variable already exists. > +--*/ > +EFI_STATUS > +SecureBootInitdbtDefault ( > + IN VOID > + ) > +{ > + EFI_SIGNATURE_LIST *EfiSig; > + UINTN SigListsSize; > + EFI_STATUS Status; > + UINT8 *Data; > + UINTN DataSize; > + > + // > + // Check if variable exists, if so do not change it > + // > + Status =3D GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, > &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > + if (Status =3D=3D EFI_SUCCESS) { > + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > EFI_DBT_DEFAULT_VARIABLE_NAME)); > + FreePool (Data); > + return EFI_UNSUPPORTED; > + } > + > + if (EFI_ERROR (Status) && (Status !=3D EFI_NOT_FOUND)) { > + return Status; > + } > + > + // > + // Variable does not exist, can be initialized > + // > + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > EFI_DBT_DEFAULT_VARIABLE_NAME)); > + > + Status =3D SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &= EfiSig); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status =3D gRT->SetVariable ( > + EFI_DBT_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid, > + EFI_VARIABLE_RUNTIME_ACCESS | > EFI_VARIABLE_BOOTSERVICE_ACCESS, > + SigListsSize, > + (VOID *)EfiSig > + ); > + if (EFI_ERROR (Status)) { > + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > EFI_DBT_DEFAULT_VARIABLE_NAME)); > + } > + > + FreePool (EfiSig); > + > + return EFI_SUCCESS; > +} > + > +/** > + Fetches the value of SetupMode variable. > + > + @param[out] SetupMode Pointer to UINT8 for SetupMode outpu= t > + > + @retval other Retval from GetVariable. > +--*/ > +EFI_STATUS > +EFIAPI > +GetSetupMode ( > + OUT UINT8 *SetupMode > +) > +{ > + UINTN Size; > + EFI_STATUS Status; > + > + Size =3D sizeof (*SetupMode); > + Status =3D gRT->GetVariable ( > + EFI_SETUP_MODE_NAME, > + &gEfiGlobalVariableGuid, > + NULL, > + &Size, > + SetupMode > + ); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + return EFI_SUCCESS; > +} > + > +/** > + Sets the content of the 'db' variable based on 'dbDefault' variable co= ntent. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE, > + EFI_DB_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Clears the content of the 'db' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDb ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_IMAGE_SECURITY_DATABASE, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'dbx' variable based on 'dbxDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbxFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE1, > + EFI_DBX_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Clears the content of the 'dbx' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbx ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_IMAGE_SECURITY_DATABASE1, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'dbt' variable based on 'dbtDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollDbtFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_IMAGE_SECURITY_DATABASE2, > + EFI_DBT_DEFAULT_VARIABLE_NAME, > + &gEfiImageSecurityDatabaseGuid); > + > + return Status; > +} > + > +/** > + Clears the content of the 'dbt' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteDbt ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_IMAGE_SECURITY_DATABASE2, > + &gEfiImageSecurityDatabaseGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollKEKFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_KEY_EXCHANGE_KEY_NAME, > + EFI_KEK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Clears the content of the 'KEK' variable. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +DeleteKEK ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D DeleteVariable ( > + EFI_KEY_EXCHANGE_KEY_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Sets the content of the 'KEK' variable based on 'KEKDefault' variable = content. > + > + @retval EFI_OUT_OF_RESOURCES If memory allocation for > EFI_VARIABLE_AUTHENTICATION_2 fails > + while VendorGuid is NULL. > + @retval other Errors from GetVariable2 (), GetTime= () and > SetVariable () > +--*/ > +EFI_STATUS > +EFIAPI > +EnrollPKFromDefault ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D EnrollFromDefault ( > + EFI_PLATFORM_KEY_NAME, > + EFI_PK_DEFAULT_VARIABLE_NAME, > + &gEfiGlobalVariableGuid > + ); > + > + return Status; > +} > + > +/** > + Remove the PK variable. > + > + @retval EFI_SUCCESS Delete PK successfully. > + @retval Others Could not allow to delete PK. > + > +--*/ > +EFI_STATUS > +EFIAPI > +DeletePlatformKey ( > + VOID > +) > +{ > + EFI_STATUS Status; > + > + Status =3D SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE); > + if (EFI_ERROR (Status)) { > + return Status; > + } > + > + Status =3D DeleteVariable ( > + EFI_PLATFORM_KEY_NAME, > + &gEfiGlobalVariableGuid > + ); > + return Status; > +} > diff --git > a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni > b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni > new file mode 100644 > index 0000000000..2c51e4db53 > --- /dev/null > +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.uni > @@ -0,0 +1,16 @@ > +// /** @file > +// > +// Provides initialization of Secure Boot keys and databases. > +// > +// Copyright (c) 2021, ARM Ltd. All rights reserved.
> +// Copyright (c) 2021, Semihalf All rights reserved.
> +// > +// SPDX-License-Identifier: BSD-2-Clause-Patent > +// > +// **/ > + > + > +#string STR_MODULE_ABSTRACT #language en-US "Provides functi= on to > initialize PK, KEK and databases based on default variables." > + > +#string STR_MODULE_DESCRIPTION #language en-US "Provides functi= on > to initialize PK, KEK and databases based on default variables." > + > -- > 2.25.1