From: "Abdul Lateef Attar via groups.io"
CC: Abdul Lateef Attar, Abner Chang, Paul Grimes
Subject: [edk2-devel] [PATCH 6/6] AmdPlatformPkg: Adds SecureBootDefaultKeysInit driver
Date: Tue, 14 May 2024 13:45:48 +0530

Adds SecureBootDefaultKeysInit driver
to enroll secure boot default keys. Cc: Abner Chang Cc: Paul Grimes Signed-off-by: Abdul Lateef Attar --- .../AMD/AmdPlatformPkg/AmdPlatformPkg.dsc | 12 + .../SecureBootDefaultKeysInit.c | 645 ++++++++++++++++++ .../SecureBootDefaultKeysInit.inf | 49 ++ 3 files changed, 706 insertions(+) create mode 100644 Platform/AMD/AmdPlatformPkg/Universal/SecureBoot/Secure= BootDefaultKeysInit/SecureBootDefaultKeysInit.c create mode 100644 Platform/AMD/AmdPlatformPkg/Universal/SecureBoot/Secure= BootDefaultKeysInit/SecureBootDefaultKeysInit.inf diff --git a/Platform/AMD/AmdPlatformPkg/AmdPlatformPkg.dsc b/Platform/AMD/= AmdPlatformPkg/AmdPlatformPkg.dsc index 3d13c9e41d..40ed5ea07c 100644 --- a/Platform/AMD/AmdPlatformPkg/AmdPlatformPkg.dsc +++ b/Platform/AMD/AmdPlatformPkg/AmdPlatformPkg.dsc 
@@ -25,17 +25,28 @@ =20 [LibraryClasses.Common] AlwaysFalseDepexLib|AmdPlatformPkg/Library/BaseAlwaysFalseDepexLib/BaseA= lwaysFalseDepexLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf BaseLib|MdePkg/Library/BaseLib/BaseLib.inf BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD= ebugPrintErrorLevelLib.inf DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf + DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf + HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf + RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf SerialPortLib|MdePkg/Library/BaseSerialPortLibNull/BaseSerialPortLibNull= .inf + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplat= e.inf UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBoo= tServicesTableLib.inf UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntry= Point.inf UefiLib|MdePkg/Library/UefiLib/UefiLib.inf UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/U= efiRuntimeServicesTableLib.inf + !if $(TARGET) =3D=3D RELEASE DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf !else 
@@ -51,6 +62,7 @@ AmdPlatformPkg/Library/BaseAlwaysFalseDepexLib/BaseAlwaysFalseDepexLib.i= nf AmdPlatformPkg/Library/DxePlatformSocLib/DxePlatformSocLibNull.inf AmdPlatformPkg/Library/SimulatorSerialPortLibPort80/SimulatorSerialPortL= ibPort80.inf + AmdPlatformPkg/Universal/SecureBoot/SecureBootDefaultKeysInit/SecureBoot= DefaultKeysInit.inf AmdPlatformPkg/Universal/HiiConfigRouting/AmdConfigRouting.inf AmdPlatformPkg/Universal/LogoDxe/JpegLogoDxe.inf = # Server platform JPEG logo driver AmdPlatformPkg/Universal/LogoDxe/LogoDxe.inf = # Server platfrom Bitmap logo driver diff --git a/Platform/AMD/AmdPlatformPkg/Universal/SecureBoot/SecureBootDef= aultKeysInit/SecureBootDefaultKeysInit.c b/Platform/AMD/AmdPlatformPkg/Univ= ersal/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c new file mode 100644 index 0000000000..071bfe5b68 --- /dev/null +++ b/Platform/AMD/AmdPlatformPkg/Universal/SecureBoot/SecureBootDefaultKey= sInit/SecureBootDefaultKeysInit.c @@ -0,0 +1,645 @@ +/** @file + This driver init default Secure Boot variables + + Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
+ (C) Copyright 2018 Hewlett Packard Enterprise Development LP
+ Copyright (c) 2021, ARM Ltd. All rights reserved.
+ Copyright (c) 2021, Semihalf All rights reserved.
+ Copyright (c) 2021, Ampere Computing LLC. All rights reserved.
+ Copyright (C) 2023 - 2024 Advanced Micro Devices, Inc. All rights reserv= ed. + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** + Set PKDefault Variable. + + @param[in] X509Data X509 Certificate data. + @param[in] X509DataSize X509 Certificate data size. + + @retval EFI_SUCCESS PKDefault is set successfully. + +**/ +EFI_STATUS +SetPkDefault ( + IN UINT8 *X509Data, + IN UINTN X509DataSize + ) +{ + EFI_STATUS Status; + UINT32 Attr; + UINTN DataSize; + EFI_SIGNATURE_LIST *PkCert; + EFI_SIGNATURE_DATA *PkCertData; + + PkCert =3D NULL; + + // + // Allocate space for PK certificate list and initialize it. + // Create PK database entry with SignatureHeaderSize equals 0. + // + PkCert =3D (EFI_SIGNATURE_LIST *)AllocateZeroPool ( + sizeof (EFI_SIGNATURE_LIST) + sizeof (E= FI_SIGNATURE_DATA) - 1 + + X509DataSize + ); + if (PkCert =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__= , Status)); + goto ON_EXIT; + } + + PkCert->SignatureListSize =3D (UINT32)(sizeof (EFI_SIGNATURE_LIST) + + sizeof (EFI_SIGNATURE_DATA) - 1 + + X509DataSize); + PkCert->SignatureSize =3D (UINT32)(sizeof (EFI_SIGNATURE_DATA) - 1= + X509DataSize); + PkCert->SignatureHeaderSize =3D 0; + CopyGuid (&PkCert->SignatureType, &gEfiCertX509Guid); + PkCertData =3D (EFI_SIGNATURE_DATA *)((UINTN)PkCert + + sizeof (EFI_SIGNATURE_LIST) + + PkCert->SignatureHeaderSize); + CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid); + // + // Fill the PK database with PKpub data from X509 certificate file. 
+ // + CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize); + + Attr =3D EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCE= SS; + DataSize =3D PkCert->SignatureListSize; + + Status =3D gRT->SetVariable ( + EFI_PK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + Attr, + DataSize, + PkCert + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__= , Status)); + goto ON_EXIT; + } + +ON_EXIT: + + if (PkCert !=3D NULL) { + FreePool (PkCert); + } + + return Status; +} + +/** + Set KDKDefault Variable. + + @param[in] X509Data X509 Certificate data. + @param[in] X509DataSize X509 Certificate data size. + + @retval EFI_SUCCESS KEKDefault is set successfully. + +**/ +EFI_STATUS +SetKekDefault ( + IN UINT8 *X509Data, + IN UINTN X509DataSize + ) +{ + EFI_STATUS Status; + EFI_SIGNATURE_DATA *KEKSigData; + EFI_SIGNATURE_LIST *KekSigList; + UINTN DataSize; + UINTN KekSigListSize; + UINT32 Attr; + + KekSigList =3D NULL; + KekSigListSize =3D 0; + DataSize =3D 0; + KEKSigData =3D NULL; + + KekSigListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_D= ATA) - 1 + X509DataSize; + KekSigList =3D (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSiz= e); + if (KekSigList =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func_= _, Status)); + goto ON_EXIT; + } + + // + // Fill Certificate Database parameters. + // + KekSigList->SignatureListSize =3D (UINT32)KekSigListSize; + KekSigList->SignatureHeaderSize =3D 0; + KekSigList->SignatureSize =3D (UINT32)(sizeof (EFI_SIGNATURE_DATA)= - 1 + X509DataSize); + CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid); + + KEKSigData =3D (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_= SIGNATURE_LIST)); + CopyGuid (&KEKSigData->SignatureOwner, &gEfiGlobalVariableGuid); + CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize); + + // + // Check if KEK been already existed. 
+ // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the + // new kek to original variable + // + Attr =3D EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS; + + Status =3D gRT->GetVariable ( + EFI_KEK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + NULL, + &DataSize, + NULL + ); + if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { + Attr |=3D EFI_VARIABLE_APPEND_WRITE; + } else if (Status !=3D EFI_NOT_FOUND) { + DEBUG ((DEBUG_ERROR, "%a: Cannot get the value of KEK: %r\n", __func__= , Status)); + goto ON_EXIT; + } + + Status =3D gRT->SetVariable ( + EFI_KEK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + Attr, + KekSigListSize, + KekSigList + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func_= _, Status)); + goto ON_EXIT; + } + +ON_EXIT: + + if (KekSigList !=3D NULL) { + FreePool (KekSigList); + } + + return Status; +} + +/** + Checks if the file content complies with EFI_VARIABLE_AUTHENTICATION_2 f= ormat + + @param[in] Data Data. + @param[in] DataSize Data size. + + @retval TRUE The content is EFI_VARIABLE_AUTHENTICAT= ION_2 format. + @retval FALSE The content is NOT a EFI_VARIABLE_AUTHE= NTICATION_2 format. + +**/ +BOOLEAN +IsAuthentication2Format ( + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + EFI_VARIABLE_AUTHENTICATION_2 *Auth2; + BOOLEAN IsAuth2Format; + + IsAuth2Format =3D FALSE; + + Auth2 =3D (EFI_VARIABLE_AUTHENTICATION_2 *)Data; + if (Auth2->AuthInfo.Hdr.wCertificateType !=3D WIN_CERT_TYPE_EFI_GUID) { + goto ON_EXIT; + } + + if (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType)) { + IsAuth2Format =3D TRUE; + } + +ON_EXIT: + + return IsAuth2Format; +} + +/** + Set signature database with the data of EFI_VARIABLE_AUTHENTICATION_2 fo= rmat. + + @param[in] AuthData AUTHENTICATION_2 data. + @param[in] AuthDataSize AUTHENTICATION_2 data size. 
+ @param[in] VariableName Variable name of signature database, mu= st be + EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX= _DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME. + + @retval EFI_SUCCESS New signature is set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported command. + @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. + +**/ +EFI_STATUS +SetAuthentication2ToSigDb ( + IN UINT8 *AuthData, + IN UINTN AuthDataSize, + IN CHAR16 *VariableName + ) +{ + EFI_STATUS Status; + UINTN DataSize; + UINT32 Attr; + UINT8 *Data; + + Attr =3D EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS; + + // + // Check if SigDB variable has been already existed. + // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the + // new signature data to original variable + // + DataSize =3D 0; + Status =3D gRT->GetVariable ( + VariableName, + &gEfiGlobalVariableGuid, + NULL, + &DataSize, + NULL + ); + if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { + Attr |=3D EFI_VARIABLE_APPEND_WRITE; + } else if (Status !=3D EFI_NOT_FOUND) { + DEBUG ((DEBUG_ERROR, "%a: Cannot get the value of signature database: = %r\n", __func__, Status)); + return Status; + } + + // + // Ignore AUTHENTICATION_2 region. Only the actual certificate is needed= . + // + DataSize =3D AuthDataSize - ((EFI_VARIABLE_AUTHENTICATION_2 *)AuthData)-= >AuthInfo.Hdr.dwLength - sizeof (EFI_TIME); + Data =3D AuthData + (AuthDataSize - DataSize); + + Status =3D gRT->SetVariable ( + VariableName, + &gEfiGlobalVariableGuid, + Attr, + DataSize, + Data + ); + + DEBUG ((DEBUG_INFO, "Set AUTH_2 data to Var:%s Status: %x\n", VariableNa= me, Status)); + return Status; +} + +/** + + Set signature database with the data of X509 format. + + @param[in] X509Data X509 Certificate data. + @param[in] X509DataSize X509 Certificate data size. 
+ @param[in] VariableName Variable name of signature database, mu= st be + EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX= _DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME. + @param[in] SignatureOwnerGuid Guid of the signature owner. + + @retval EFI_SUCCESS New X509 is enrolled successfully. + @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. + +**/ +EFI_STATUS +SetX509ToSigDb ( + IN UINT8 *X509Data, + IN UINTN X509DataSize, + IN CHAR16 *VariableName, + IN EFI_GUID *SignatureOwnerGuid + ) +{ + EFI_STATUS Status; + EFI_SIGNATURE_LIST *SigDBCert; + EFI_SIGNATURE_DATA *SigDBCertData; + VOID *Data; + UINTN DataSize; + UINTN SigDBSize; + UINT32 Attr; + + SigDBSize =3D 0; + DataSize =3D 0; + SigDBCert =3D NULL; + SigDBCertData =3D NULL; + Data =3D NULL; + + SigDBSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) = - 1 + X509DataSize; + + Data =3D AllocateZeroPool (SigDBSize); + if (Data =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + DEBUG ((DEBUG_ERROR, "%a: Cannot allocate memory: %r\n", __func__, Sta= tus)); + goto ON_EXIT; + } + + // + // Fill Certificate Database parameters. + // + SigDBCert =3D (EFI_SIGNATURE_LIST *)Data; + SigDBCert->SignatureListSize =3D (UINT32)SigDBSize; + SigDBCert->SignatureHeaderSize =3D 0; + SigDBCert->SignatureSize =3D (UINT32)(sizeof (EFI_SIGNATURE_DATA) = - 1 + X509DataSize); + CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid); + + SigDBCertData =3D (EFI_SIGNATURE_DATA *)((UINT8 *)SigDBCert + sizeof (EF= I_SIGNATURE_LIST)); + CopyGuid (&SigDBCertData->SignatureOwner, SignatureOwnerGuid); + CopyMem ((UINT8 *)(SigDBCertData->SignatureData), X509Data, X509DataSize= ); + + // + // Check if signature database entry has been already existed. 
+ // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the + // new signature data to original variable + // + Attr =3D EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS; + + Status =3D gRT->GetVariable ( + VariableName, + &gEfiGlobalVariableGuid, + NULL, + &DataSize, + NULL + ); + if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { + Attr |=3D EFI_VARIABLE_APPEND_WRITE; + } else if (Status !=3D EFI_NOT_FOUND) { + goto ON_EXIT; + } + + Status =3D gRT->SetVariable ( + VariableName, + &gEfiGlobalVariableGuid, + Attr, + SigDBSize, + Data + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot set signature database: %r\n", __func= __, Status)); + goto ON_EXIT; + } + +ON_EXIT: + + if (Data !=3D NULL) { + FreePool (Data); + } + + return Status; +} + +/** + + Set signature database. + + @param[in] Data Data. + @param[in] DataSize Data size. + @param[in] VariableName Variable name of signature database, mu= st be + EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX= _DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME. + @param[in] SignatureOwnerGuid Guid of the signature owner. + + @retval EFI_SUCCESS Signature is set successfully. + @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. + +**/ +EFI_STATUS +SetSignatureDatabase ( + IN UINT8 *Data, + IN UINTN DataSize, + IN CHAR16 *VariableName, + IN EFI_GUID *SignatureOwnerGuid + ) +{ + if (IsAuthentication2Format (Data, DataSize)) { + return SetAuthentication2ToSigDb (Data, DataSize, VariableName); + } else { + return SetX509ToSigDb (Data, DataSize, VariableName, SignatureOwnerGui= d); + } +} + +/** Initializes PKDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. 
+**/ +EFI_STATUS +InitPkDefault ( + IN VOID + ) +{ + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariab= leGuid, (VOID **)&Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_PK_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARI= ABLE_NAME)); + + // + // Enroll default PK. + // + Status =3D GetSectionFromFv ( + &gDefaultPKFileGuid, + EFI_SECTION_RAW, + 0, + (VOID **)&Data, + &DataSize + ); + if (!EFI_ERROR (Status)) { + SetPkDefault (Data, DataSize); + } + + return EFI_SUCCESS; +} + +/** Initializes KEKDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +**/ +EFI_STATUS +InitKekDefault ( + IN VOID + ) +{ + EFI_STATUS Status; + UINTN Index; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVaria= bleGuid, (VOID **)&Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_KEK_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + Index =3D 0; + do { + Status =3D GetSectionFromFv ( + &gDefaultKEKFileGuid, + EFI_SECTION_RAW, + Index, + (VOID **)&Data, + &DataSize + ); + if (!EFI_ERROR (Status)) { + SetKekDefault (Data, DataSize); + Index++; + } + } while (Status =3D=3D EFI_SUCCESS); + + return EFI_SUCCESS; +} + +/** Initializes dbDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. 
+ @retval EFI_UNSUPPORTED Variable already exists. +**/ +EFI_STATUS +InitDbDefault ( + IN VOID + ) +{ + EFI_STATUS Status; + UINTN Index; + UINT8 *Data; + UINTN DataSize; + + Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariab= leGuid, (VOID **)&Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_DB_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARI= ABLE_NAME)); + + Index =3D 0; + do { + Status =3D GetSectionFromFv ( + &gDefaultdbFileGuid, + EFI_SECTION_RAW, + Index, + (VOID **)&Data, + &DataSize + ); + if (!EFI_ERROR (Status)) { + SetSignatureDatabase (Data, DataSize, EFI_DB_DEFAULT_VARIABLE_NAME, = &gEfiGlobalVariableGuid); + Index++; + } + } while (Status =3D=3D EFI_SUCCESS); + + return EFI_SUCCESS; +} + +/** Initializes dbxDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +**/ +EFI_STATUS +InitDbxDefault ( + IN VOID + ) +{ + EFI_STATUS Status; + UINTN Index; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVaria= bleGuid, (VOID **)&Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n", EF= I_DBX_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VAR= IABLE_NAME)); + + Index =3D 0; + do { + Status =3D GetSectionFromFv ( + &gDefaultdbxFileGuid, + EFI_SECTION_RAW, + Index, + (VOID **)&Data, + &DataSize + ); + if (!EFI_ERROR (Status)) { + SetSignatureDatabase (Data, DataSize, EFI_DBX_DEFAULT_VARIABLE_NAME,= &gEfiGlobalVariableGuid); + Index++; + } + } while (Status =3D=3D EFI_SUCCESS); + + return EFI_SUCCESS; +} + +/** + Initializes default SecureBoot certificates with data from FFS section. + + @param[in] ImageHandle The firmware allocated handle for the EF= I image. + @param[in] SystemTable A pointer to the EFI System Table. + + @retval EFI_SUCCESS Variable was initialized successfully. +**/ +EFI_STATUS +EFIAPI +SecureBootDefaultKeysInitEntry ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + + Status =3D InitPkDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__= , Status)); + return Status; + } + + Status =3D InitKekDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func_= _, Status)); + return Status; + } + + Status =3D InitDbDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __func__= , Status)); + return Status; + } + + Status =3D InitDbxDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbxDefault: %r\n", __func_= _, Status)); + return Status; + } + + return EFI_SUCCESS; +} 
diff --git a/Platform/AMD/AmdPlatformPkg/Universal/SecureBoot/SecureBootDef= aultKeysInit/SecureBootDefaultKeysInit.inf b/Platform/AMD/AmdPlatformPkg/Un= iversal/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf new file mode 100644 index 0000000000..345fbdc6ae --- /dev/null +++ b/Platform/AMD/AmdPlatformPkg/Universal/SecureBoot/SecureBootDefaultKey= sInit/SecureBootDefaultKeysInit.inf @@ -0,0 +1,49 @@ +## @file +# Initializes Secure Boot default keys +# +# Copyright (c) 2021, ARM Ltd. All rights reserved.
+# Copyright (c) 2021, Semihalf All rights reserved.
+# Copyright (C) 2023 - 2024 Advanced Micro Devices, Inc. All rights reser= ved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 1.29 + BASE_NAME =3D SecureBootDefaultKeysInit + FILE_GUID =3D ADB0EEA2-8945-4ADF-94A0-3B0B935B4268 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + ENTRY_POINT =3D SecureBootDefaultKeysInitEntry + +[Sources] + SecureBootDefaultKeysInit.c + +[Packages] + MdeModulePkg/MdeModulePkg.dec + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + DebugLib + DxeServicesLib + SecureBootVariableLib + SecureBootVariableProvisionLib + UefiBootServicesTableLib + UefiDriverEntryPoint + +[Guids] + gDefaultdbFileGuid + gDefaultdbxFileGuid + gDefaultKEKFileGuid + gDefaultPKFileGuid + gEfiCertPkcs7Guid + gEfiCertX509Guid + gEfiCustomModeEnableGuid + gEfiImageSecurityDatabaseGuid + gEfiSecureBootEnableDisableGuid + +[Depex] + gEfiVariableArchProtocolGuid AND + gEfiVariableWriteArchProtocolGuid --=20 2.34.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#118888): https://edk2.groups.io/g/devel/message/118888 Mute This Topic: https://groups.io/mt/106090926/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
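Review bot: In the [LibraryClasses.Common] hunk of AmdPlatformPkg.dsc, the new BaseCryptLib, OpensslLib, IntrinsicLib, RngLib, TimerLib, HobLib and PlatformPKProtectionLib mappings are not called by anything in SecureBootDefaultKeysInit.c as posted. They appear to be there only to resolve SecureBootVariableLib and SecureBootVariableProvisionLib, which the new INF lists but the driver code shown does not call. If those two classes are dropped from the INF, most of these mappings can go. If they stay, a short comment in the DSC saying why the crypto stack is needed would help, particularly for TimerLib, which is mapped to BaseTimerLibNullTemplate.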
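Review bot: In SecureBootDefaultKeysInit.c, SetAuthentication2ToSigDb() computes DataSize as AuthDataSize - AuthInfo.Hdr.dwLength - sizeof (EFI_TIME) without checking that dwLength + sizeof (EFI_TIME) fits inside AuthDataSize, so a short or malformed FFS section makes the UINTN subtraction wrap and gRT->SetVariable() is handed a pointer and length outside the buffer. IsAuthentication2Format() has the same gap: it takes DataSize but never uses it before reading Auth2->AuthInfo.Hdr.wCertificateType and Auth2->AuthInfo.CertType. Suggest rejecting the input unless DataSize covers the fixed EFI_VARIABLE_AUTHENTICATION_2 header and dwLength <= AuthDataSize - sizeof (EFI_TIME), returning EFI_INVALID_PARAMETER, which the function header already documents but the body never returns. The X.509 paths (SetPkDefault, SetKekDefault, SetX509ToSigDb) likewise cast sizeof (...) - 1 + X509DataSize to UINT32 with no range check.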
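Review bot: In SecureBootDefaultKeysInit.c, SecureBootDefaultKeysInitEntry() treats EFI_UNSUPPORTED from InitPkDefault() as fatal, but that is the status the Init*Default() functions return when the variable already exists, so a pre-existing PKDefault logs "Cannot initialize PKDefault" at DEBUG_ERROR and skips KEKDefault, dbDefault and dbxDefault entirely. In the other direction, the Init functions discard the status from SetPkDefault(), SetKekDefault() and SetSignatureDatabase() and return EFI_SUCCESS even when GetSectionFromFv() finds no section, so a failed or empty enrollment is reported as success. Suggest treating "already exists" as non-fatal in the entry point and propagating the Set* status from each Init function. Separately, the Data buffer from GetVariable2() is freed, but the one returned by GetSectionFromFv() is not, in InitPkDefault() and on every iteration of the KEK/db/dbx loops; a FreePool (Data) after each Set* call would close that.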
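Review bot: In SecureBootDefaultKeysInit.inf, the [LibraryClasses] and [Guids] sections do not match what the .c file uses. The code calls gRT->SetVariable()/GetVariable(), AllocateZeroPool()/FreePool(), CopyMem()/CopyGuid()/CompareGuid() and GetVariable2(), and references gEfiGlobalVariableGuid, yet UefiRuntimeServicesTableLib, MemoryAllocationLib, BaseMemoryLib, UefiLib and gEfiGlobalVariableGuid are not listed. SecureBootVariableLib, SecureBootVariableProvisionLib, gEfiCustomModeEnableGuid, gEfiImageSecurityDatabaseGuid and gEfiSecureBootEnableDisableGuid are listed but not referenced in the code as posted. Suggest listing exactly what the module consumes so the build does not depend on transitive library resolution.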