From: "Abdul Lateef Attar via groups.io"
CC: Abdul Lateef Attar, Abner Chang, Paul Grimes
Subject: [edk2-devel] [RESEND 6/7] AmdPlatformPkg: Adds SecureBootDefaultKeysInit driver
Date: Wed, 15 May 2024 09:20:24 +0530

Adds SecureBootDefaultKeysInit driver
to enroll secure boot default keys. Cc: Abner Chang Cc: Paul Grimes Signed-off-by: Abdul Lateef Attar --- .../AMD/AmdPlatformPkg/AmdPlatformPkg.dsc | 12 + .../SecureBootDefaultKeysInit.c | 645 ++++++++++++++++++ .../SecureBootDefaultKeysInit.inf | 49 ++ 3 files changed, 706 insertions(+) create mode 100644 Platform/AMD/AmdPlatformPkg/Universal/SecureBoot/Secure= BootDefaultKeysInit/SecureBootDefaultKeysInit.c create mode 100644 Platform/AMD/AmdPlatformPkg/Universal/SecureBoot/Secure= BootDefaultKeysInit/SecureBootDefaultKeysInit.inf diff --git a/Platform/AMD/AmdPlatformPkg/AmdPlatformPkg.dsc b/Platform/AMD/= AmdPlatformPkg/AmdPlatformPkg.dsc index 3d13c9e41d..40ed5ea07c 100644 --- a/Platform/AMD/AmdPlatformPkg/AmdPlatformPkg.dsc +++ b/Platform/AMD/AmdPlatformPkg/AmdPlatformPkg.dsc 
@@ -25,17 +25,28 @@ =20 [LibraryClasses.Common] AlwaysFalseDepexLib|AmdPlatformPkg/Library/BaseAlwaysFalseDepexLib/BaseA= lwaysFalseDepexLib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf BaseLib|MdePkg/Library/BaseLib/BaseLib.inf BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD= ebugPrintErrorLevelLib.inf DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf + DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf + HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf + RngLib|MdePkg/Library/BaseRngLib/BaseRngLib.inf + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf SerialPortLib|MdePkg/Library/BaseSerialPortLibNull/BaseSerialPortLibNull= .inf + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplat= e.inf UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBoo= tServicesTableLib.inf UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntry= Point.inf UefiLib|MdePkg/Library/UefiLib/UefiLib.inf UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/U= efiRuntimeServicesTableLib.inf + !if $(TARGET) =3D=3D RELEASE DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf !else 
@@ -51,6 +62,7 @@ AmdPlatformPkg/Library/BaseAlwaysFalseDepexLib/BaseAlwaysFalseDepexLib.i= nf AmdPlatformPkg/Library/DxePlatformSocLib/DxePlatformSocLibNull.inf AmdPlatformPkg/Library/SimulatorSerialPortLibPort80/SimulatorSerialPortL= ibPort80.inf + AmdPlatformPkg/Universal/SecureBoot/SecureBootDefaultKeysInit/SecureBoot= DefaultKeysInit.inf AmdPlatformPkg/Universal/HiiConfigRouting/AmdConfigRouting.inf AmdPlatformPkg/Universal/LogoDxe/JpegLogoDxe.inf = # Server platform JPEG logo driver AmdPlatformPkg/Universal/LogoDxe/LogoDxe.inf = # Server platfrom Bitmap logo driver diff --git a/Platform/AMD/AmdPlatformPkg/Universal/SecureBoot/SecureBootDef= aultKeysInit/SecureBootDefaultKeysInit.c b/Platform/AMD/AmdPlatformPkg/Univ= ersal/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.c new file mode 100644 index 0000000000..071bfe5b68 --- /dev/null +++ b/Platform/AMD/AmdPlatformPkg/Universal/SecureBoot/SecureBootDefaultKey= sInit/SecureBootDefaultKeysInit.c @@ -0,0 +1,645 @@ +/** @file + This driver init default Secure Boot variables + + Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.
+ (C) Copyright 2018 Hewlett Packard Enterprise Development LP
+ Copyright (c) 2021, ARM Ltd. All rights reserved.
+ Copyright (c) 2021, Semihalf All rights reserved.
+ Copyright (c) 2021, Ampere Computing LLC. All rights reserved.
+ Copyright (C) 2023 - 2024 Advanced Micro Devices, Inc. All rights reserv= ed. + + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** + Set PKDefault Variable. + + @param[in] X509Data X509 Certificate data. + @param[in] X509DataSize X509 Certificate data size. + + @retval EFI_SUCCESS PKDefault is set successfully. + +**/ +EFI_STATUS +SetPkDefault ( + IN UINT8 *X509Data, + IN UINTN X509DataSize + ) +{ + EFI_STATUS Status; + UINT32 Attr; + UINTN DataSize; + EFI_SIGNATURE_LIST *PkCert; + EFI_SIGNATURE_DATA *PkCertData; + + PkCert =3D NULL; + + // + // Allocate space for PK certificate list and initialize it. + // Create PK database entry with SignatureHeaderSize equals 0. + // + PkCert =3D (EFI_SIGNATURE_LIST *)AllocateZeroPool ( + sizeof (EFI_SIGNATURE_LIST) + sizeof (E= FI_SIGNATURE_DATA) - 1 + + X509DataSize + ); + if (PkCert =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__= , Status)); + goto ON_EXIT; + } + + PkCert->SignatureListSize =3D (UINT32)(sizeof (EFI_SIGNATURE_LIST) + + sizeof (EFI_SIGNATURE_DATA) - 1 + + X509DataSize); + PkCert->SignatureSize =3D (UINT32)(sizeof (EFI_SIGNATURE_DATA) - 1= + X509DataSize); + PkCert->SignatureHeaderSize =3D 0; + CopyGuid (&PkCert->SignatureType, &gEfiCertX509Guid); + PkCertData =3D (EFI_SIGNATURE_DATA *)((UINTN)PkCert + + sizeof (EFI_SIGNATURE_LIST) + + PkCert->SignatureHeaderSize); + CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid); + // + // Fill the PK database with PKpub data from X509 certificate file. 
+ // + CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize); + + Attr =3D EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCE= SS; + DataSize =3D PkCert->SignatureListSize; + + Status =3D gRT->SetVariable ( + EFI_PK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + Attr, + DataSize, + PkCert + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__= , Status)); + goto ON_EXIT; + } + +ON_EXIT: + + if (PkCert !=3D NULL) { + FreePool (PkCert); + } + + return Status; +} + +/** + Set KDKDefault Variable. + + @param[in] X509Data X509 Certificate data. + @param[in] X509DataSize X509 Certificate data size. + + @retval EFI_SUCCESS KEKDefault is set successfully. + +**/ +EFI_STATUS +SetKekDefault ( + IN UINT8 *X509Data, + IN UINTN X509DataSize + ) +{ + EFI_STATUS Status; + EFI_SIGNATURE_DATA *KEKSigData; + EFI_SIGNATURE_LIST *KekSigList; + UINTN DataSize; + UINTN KekSigListSize; + UINT32 Attr; + + KekSigList =3D NULL; + KekSigListSize =3D 0; + DataSize =3D 0; + KEKSigData =3D NULL; + + KekSigListSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_D= ATA) - 1 + X509DataSize; + KekSigList =3D (EFI_SIGNATURE_LIST *)AllocateZeroPool (KekSigListSiz= e); + if (KekSigList =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func_= _, Status)); + goto ON_EXIT; + } + + // + // Fill Certificate Database parameters. + // + KekSigList->SignatureListSize =3D (UINT32)KekSigListSize; + KekSigList->SignatureHeaderSize =3D 0; + KekSigList->SignatureSize =3D (UINT32)(sizeof (EFI_SIGNATURE_DATA)= - 1 + X509DataSize); + CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid); + + KEKSigData =3D (EFI_SIGNATURE_DATA *)((UINT8 *)KekSigList + sizeof (EFI_= SIGNATURE_LIST)); + CopyGuid (&KEKSigData->SignatureOwner, &gEfiGlobalVariableGuid); + CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize); + + // + // Check if KEK been already existed. 
+ // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the + // new kek to original variable + // + Attr =3D EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS; + + Status =3D gRT->GetVariable ( + EFI_KEK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + NULL, + &DataSize, + NULL + ); + if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { + Attr |=3D EFI_VARIABLE_APPEND_WRITE; + } else if (Status !=3D EFI_NOT_FOUND) { + DEBUG ((DEBUG_ERROR, "%a: Cannot get the value of KEK: %r\n", __func__= , Status)); + goto ON_EXIT; + } + + Status =3D gRT->SetVariable ( + EFI_KEK_DEFAULT_VARIABLE_NAME, + &gEfiGlobalVariableGuid, + Attr, + KekSigListSize, + KekSigList + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func_= _, Status)); + goto ON_EXIT; + } + +ON_EXIT: + + if (KekSigList !=3D NULL) { + FreePool (KekSigList); + } + + return Status; +} + +/** + Checks if the file content complies with EFI_VARIABLE_AUTHENTICATION_2 f= ormat + + @param[in] Data Data. + @param[in] DataSize Data size. + + @retval TRUE The content is EFI_VARIABLE_AUTHENTICAT= ION_2 format. + @retval FALSE The content is NOT a EFI_VARIABLE_AUTHE= NTICATION_2 format. + +**/ +BOOLEAN +IsAuthentication2Format ( + IN UINT8 *Data, + IN UINTN DataSize + ) +{ + EFI_VARIABLE_AUTHENTICATION_2 *Auth2; + BOOLEAN IsAuth2Format; + + IsAuth2Format =3D FALSE; + + Auth2 =3D (EFI_VARIABLE_AUTHENTICATION_2 *)Data; + if (Auth2->AuthInfo.Hdr.wCertificateType !=3D WIN_CERT_TYPE_EFI_GUID) { + goto ON_EXIT; + } + + if (CompareGuid (&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType)) { + IsAuth2Format =3D TRUE; + } + +ON_EXIT: + + return IsAuth2Format; +} + +/** + Set signature database with the data of EFI_VARIABLE_AUTHENTICATION_2 fo= rmat. + + @param[in] AuthData AUTHENTICATION_2 data. + @param[in] AuthDataSize AUTHENTICATION_2 data size. 
+ @param[in] VariableName Variable name of signature database, mu= st be + EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX= _DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME. + + @retval EFI_SUCCESS New signature is set successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported command. + @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. + +**/ +EFI_STATUS +SetAuthentication2ToSigDb ( + IN UINT8 *AuthData, + IN UINTN AuthDataSize, + IN CHAR16 *VariableName + ) +{ + EFI_STATUS Status; + UINTN DataSize; + UINT32 Attr; + UINT8 *Data; + + Attr =3D EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS; + + // + // Check if SigDB variable has been already existed. + // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the + // new signature data to original variable + // + DataSize =3D 0; + Status =3D gRT->GetVariable ( + VariableName, + &gEfiGlobalVariableGuid, + NULL, + &DataSize, + NULL + ); + if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { + Attr |=3D EFI_VARIABLE_APPEND_WRITE; + } else if (Status !=3D EFI_NOT_FOUND) { + DEBUG ((DEBUG_ERROR, "%a: Cannot get the value of signature database: = %r\n", __func__, Status)); + return Status; + } + + // + // Ignore AUTHENTICATION_2 region. Only the actual certificate is needed= . + // + DataSize =3D AuthDataSize - ((EFI_VARIABLE_AUTHENTICATION_2 *)AuthData)-= >AuthInfo.Hdr.dwLength - sizeof (EFI_TIME); + Data =3D AuthData + (AuthDataSize - DataSize); + + Status =3D gRT->SetVariable ( + VariableName, + &gEfiGlobalVariableGuid, + Attr, + DataSize, + Data + ); + + DEBUG ((DEBUG_INFO, "Set AUTH_2 data to Var:%s Status: %x\n", VariableNa= me, Status)); + return Status; +} + +/** + + Set signature database with the data of X509 format. + + @param[in] X509Data X509 Certificate data. + @param[in] X509DataSize X509 Certificate data size. 
+ @param[in] VariableName Variable name of signature database, mu= st be + EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX= _DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME. + @param[in] SignatureOwnerGuid Guid of the signature owner. + + @retval EFI_SUCCESS New X509 is enrolled successfully. + @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. + +**/ +EFI_STATUS +SetX509ToSigDb ( + IN UINT8 *X509Data, + IN UINTN X509DataSize, + IN CHAR16 *VariableName, + IN EFI_GUID *SignatureOwnerGuid + ) +{ + EFI_STATUS Status; + EFI_SIGNATURE_LIST *SigDBCert; + EFI_SIGNATURE_DATA *SigDBCertData; + VOID *Data; + UINTN DataSize; + UINTN SigDBSize; + UINT32 Attr; + + SigDBSize =3D 0; + DataSize =3D 0; + SigDBCert =3D NULL; + SigDBCertData =3D NULL; + Data =3D NULL; + + SigDBSize =3D sizeof (EFI_SIGNATURE_LIST) + sizeof (EFI_SIGNATURE_DATA) = - 1 + X509DataSize; + + Data =3D AllocateZeroPool (SigDBSize); + if (Data =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + DEBUG ((DEBUG_ERROR, "%a: Cannot allocate memory: %r\n", __func__, Sta= tus)); + goto ON_EXIT; + } + + // + // Fill Certificate Database parameters. + // + SigDBCert =3D (EFI_SIGNATURE_LIST *)Data; + SigDBCert->SignatureListSize =3D (UINT32)SigDBSize; + SigDBCert->SignatureHeaderSize =3D 0; + SigDBCert->SignatureSize =3D (UINT32)(sizeof (EFI_SIGNATURE_DATA) = - 1 + X509DataSize); + CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid); + + SigDBCertData =3D (EFI_SIGNATURE_DATA *)((UINT8 *)SigDBCert + sizeof (EF= I_SIGNATURE_LIST)); + CopyGuid (&SigDBCertData->SignatureOwner, SignatureOwnerGuid); + CopyMem ((UINT8 *)(SigDBCertData->SignatureData), X509Data, X509DataSize= ); + + // + // Check if signature database entry has been already existed. 
+ // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the + // new signature data to original variable + // + Attr =3D EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS; + + Status =3D gRT->GetVariable ( + VariableName, + &gEfiGlobalVariableGuid, + NULL, + &DataSize, + NULL + ); + if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { + Attr |=3D EFI_VARIABLE_APPEND_WRITE; + } else if (Status !=3D EFI_NOT_FOUND) { + goto ON_EXIT; + } + + Status =3D gRT->SetVariable ( + VariableName, + &gEfiGlobalVariableGuid, + Attr, + SigDBSize, + Data + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot set signature database: %r\n", __func= __, Status)); + goto ON_EXIT; + } + +ON_EXIT: + + if (Data !=3D NULL) { + FreePool (Data); + } + + return Status; +} + +/** + + Set signature database. + + @param[in] Data Data. + @param[in] DataSize Data size. + @param[in] VariableName Variable name of signature database, mu= st be + EFI_DB_DEFAULT_VARIABLE_NAME or EFI_DBX= _DEFAULT_VARIABLE_NAME or EFI_DBT_DEFAULT_VARIABLE_NAME. + @param[in] SignatureOwnerGuid Guid of the signature owner. + + @retval EFI_SUCCESS Signature is set successfully. + @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. + +**/ +EFI_STATUS +SetSignatureDatabase ( + IN UINT8 *Data, + IN UINTN DataSize, + IN CHAR16 *VariableName, + IN EFI_GUID *SignatureOwnerGuid + ) +{ + if (IsAuthentication2Format (Data, DataSize)) { + return SetAuthentication2ToSigDb (Data, DataSize, VariableName); + } else { + return SetX509ToSigDb (Data, DataSize, VariableName, SignatureOwnerGui= d); + } +} + +/** Initializes PKDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. 
+**/ +EFI_STATUS +InitPkDefault ( + IN VOID + ) +{ + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariab= leGuid, (VOID **)&Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_PK_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARI= ABLE_NAME)); + + // + // Enroll default PK. + // + Status =3D GetSectionFromFv ( + &gDefaultPKFileGuid, + EFI_SECTION_RAW, + 0, + (VOID **)&Data, + &DataSize + ); + if (!EFI_ERROR (Status)) { + SetPkDefault (Data, DataSize); + } + + return EFI_SUCCESS; +} + +/** Initializes KEKDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +**/ +EFI_STATUS +InitKekDefault ( + IN VOID + ) +{ + EFI_STATUS Status; + UINTN Index; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVaria= bleGuid, (VOID **)&Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_KEK_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + Index =3D 0; + do { + Status =3D GetSectionFromFv ( + &gDefaultKEKFileGuid, + EFI_SECTION_RAW, + Index, + (VOID **)&Data, + &DataSize + ); + if (!EFI_ERROR (Status)) { + SetKekDefault (Data, DataSize); + Index++; + } + } while (Status =3D=3D EFI_SUCCESS); + + return EFI_SUCCESS; +} + +/** Initializes dbDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. 
+ @retval EFI_UNSUPPORTED Variable already exists. +**/ +EFI_STATUS +InitDbDefault ( + IN VOID + ) +{ + EFI_STATUS Status; + UINTN Index; + UINT8 *Data; + UINTN DataSize; + + Status =3D GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariab= leGuid, (VOID **)&Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EF= I_DB_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARI= ABLE_NAME)); + + Index =3D 0; + do { + Status =3D GetSectionFromFv ( + &gDefaultdbFileGuid, + EFI_SECTION_RAW, + Index, + (VOID **)&Data, + &DataSize + ); + if (!EFI_ERROR (Status)) { + SetSignatureDatabase (Data, DataSize, EFI_DB_DEFAULT_VARIABLE_NAME, = &gEfiGlobalVariableGuid); + Index++; + } + } while (Status =3D=3D EFI_SUCCESS); + + return EFI_SUCCESS; +} + +/** Initializes dbxDefault variable with data from FFS section. + + @retval EFI_SUCCESS Variable was initialized successfully. + @retval EFI_UNSUPPORTED Variable already exists. +**/ +EFI_STATUS +InitDbxDefault ( + IN VOID + ) +{ + EFI_STATUS Status; + UINTN Index; + UINT8 *Data; + UINTN DataSize; + + // + // Check if variable exists, if so do not change it + // + Status =3D GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVaria= bleGuid, (VOID **)&Data, &DataSize); + if (Status =3D=3D EFI_SUCCESS) { + DEBUG ((DEBUG_INFO, "Variable %s exists. 
Old value is preserved\n", EF= I_DBX_DEFAULT_VARIABLE_NAME)); + FreePool (Data); + return EFI_UNSUPPORTED; + } + + // + // Variable does not exist, can be initialized + // + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VAR= IABLE_NAME)); + + Index =3D 0; + do { + Status =3D GetSectionFromFv ( + &gDefaultdbxFileGuid, + EFI_SECTION_RAW, + Index, + (VOID **)&Data, + &DataSize + ); + if (!EFI_ERROR (Status)) { + SetSignatureDatabase (Data, DataSize, EFI_DBX_DEFAULT_VARIABLE_NAME,= &gEfiGlobalVariableGuid); + Index++; + } + } while (Status =3D=3D EFI_SUCCESS); + + return EFI_SUCCESS; +} + +/** + Initializes default SecureBoot certificates with data from FFS section. + + @param[in] ImageHandle The firmware allocated handle for the EF= I image. + @param[in] SystemTable A pointer to the EFI System Table. + + @retval EFI_SUCCESS Variable was initialized successfully. +**/ +EFI_STATUS +EFIAPI +SecureBootDefaultKeysInitEntry ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + + Status =3D InitPkDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize PKDefault: %r\n", __func__= , Status)); + return Status; + } + + Status =3D InitKekDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize KEKDefault: %r\n", __func_= _, Status)); + return Status; + } + + Status =3D InitDbDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbDefault: %r\n", __func__= , Status)); + return Status; + } + + Status =3D InitDbxDefault (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a: Cannot initialize dbxDefault: %r\n", __func_= _, Status)); + return Status; + } + + return EFI_SUCCESS; +} 
diff --git a/Platform/AMD/AmdPlatformPkg/Universal/SecureBoot/SecureBootDef= aultKeysInit/SecureBootDefaultKeysInit.inf b/Platform/AMD/AmdPlatformPkg/Un= iversal/SecureBoot/SecureBootDefaultKeysInit/SecureBootDefaultKeysInit.inf new file mode 100644 index 0000000000..345fbdc6ae --- /dev/null +++ b/Platform/AMD/AmdPlatformPkg/Universal/SecureBoot/SecureBootDefaultKey= sInit/SecureBootDefaultKeysInit.inf @@ -0,0 +1,49 @@ +## @file +# Initializes Secure Boot default keys +# +# Copyright (c) 2021, ARM Ltd. All rights reserved.
+# Copyright (c) 2021, Semihalf All rights reserved.
+# Copyright (C) 2023 - 2024 Advanced Micro Devices, Inc. All rights reser= ved. +# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 1.29 + BASE_NAME =3D SecureBootDefaultKeysInit + FILE_GUID =3D ADB0EEA2-8945-4ADF-94A0-3B0B935B4268 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + ENTRY_POINT =3D SecureBootDefaultKeysInitEntry + +[Sources] + SecureBootDefaultKeysInit.c + +[Packages] + MdeModulePkg/MdeModulePkg.dec + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + DebugLib + DxeServicesLib + SecureBootVariableLib + SecureBootVariableProvisionLib + UefiBootServicesTableLib + UefiDriverEntryPoint + +[Guids] + gDefaultdbFileGuid + gDefaultdbxFileGuid + gDefaultKEKFileGuid + gDefaultPKFileGuid + gEfiCertPkcs7Guid + gEfiCertX509Guid + gEfiCustomModeEnableGuid + gEfiImageSecurityDatabaseGuid + gEfiSecureBootEnableDisableGuid + +[Depex] + gEfiVariableArchProtocolGuid AND + gEfiVariableWriteArchProtocolGuid --=20 2.34.1
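
Review bot: The first AmdPlatformPkg.dsc hunk adds BaseCryptLib, HobLib, IntrinsicLib, OpensslLib, PlatformPKProtectionLib, RngLib and TimerLib to [LibraryClasses.Common] for every module in the package, but the new driver's INF lists none of them. If they are only transitive dependencies of SecureBootVariableLib or SecureBootVariableProvisionLib, a comment saying so, or a component-scoped <LibraryClasses> override on the SecureBootDefaultKeysInit.inf entry, would keep BaseTimerLibNullTemplate and BaseRngLib from being bound package-wide without explanation.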
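
Review bot: In SecureBootDefaultKeysInit.c the AUTHENTICATION_2 path has no length checks: IsAuthentication2Format() never uses DataSize before casting Data to EFI_VARIABLE_AUTHENTICATION_2 and reading AuthInfo.Hdr.wCertificateType and AuthInfo.CertType, and SetAuthentication2ToSigDb() computes DataSize as AuthDataSize - dwLength - sizeof (EFI_TIME) without confirming that dwLength + sizeof (EFI_TIME) fits inside AuthDataSize. A short or malformed raw section makes the first read run past the buffer and makes the second subtraction wrap, so SetVariable() is handed a huge size and a pointer outside the section. Please return early when DataSize is smaller than the fixed EFI_VARIABLE_AUTHENTICATION_2 header, and reject dwLength values larger than AuthDataSize - sizeof (EFI_TIME) before deriving Data. Further points in the same file: the Init*Default() helpers discard the return values of SetPkDefault(), SetKekDefault() and SetSignatureDatabase() and never FreePool() the buffer that GetSectionFromFv() allocates, so enrollment failures go unreported and every section read leaks; SecureBootDefaultKeysInitEntry() treats the EFI_UNSUPPORTED that InitPkDefault() returns for an already existing PKDefault as fatal, which skips KEKDefault, dbDefault and dbxDefault; the size sums cast to UINT32 in SetPkDefault(), SetKekDefault() and SetX509ToSigDb() are not checked for overflow; and the "Set KDKDefault Variable" comment on SetKekDefault() looks like a typo for KEKDefault.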
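
Review bot: The [LibraryClasses] section of SecureBootDefaultKeysInit.inf omits library classes that the .c file calls directly: AllocateZeroPool()/FreePool() (MemoryAllocationLib), CopyMem()/CopyGuid()/CompareGuid() (BaseMemoryLib), gRT (UefiRuntimeServicesTableLib) and GetVariable2() (UefiLib). In [Guids], gEfiGlobalVariableGuid is used throughout the source but not listed, while gEfiCustomModeEnableGuid, gEfiImageSecurityDatabaseGuid and gEfiSecureBootEnableDisableGuid are listed with no reference in the visible source, and no call into SecureBootVariableLib or SecureBootVariableProvisionLib is visible either. Please list what the module actually consumes and drop the entries it does not, so the build does not depend on other modules pulling these in.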