[edk2-devel] [PATCH v8 02/11] SecurityPkg: Create library for enrolling Secure Boot variables.
Grzegorz Bernacki
gjb at semihalf.com
Tue Aug 24 12:26:26 UTC 2021
Hi Patrick,
Yes, I tested the dbx enrollment, but with my own data. Please let me
try that dbx.
thanks,
greg
wt., 24 sie 2021 o 14:22 Patrick Rudolph
<patrick.rudolph at 9elements.com> napisał(a):
>
> Hi Grzegorz,
> I tried this patch, but I cannot enroll the DBX downloaded from here:
> https://uefi.org/revocationlistfile
>
> Is it even possible with current code? Did you test DBX enrollment as well using the revocation list file?
>
> Regards,
> Patrick
>
> On Mon, Aug 2, 2021 at 12:47 PM Grzegorz Bernacki <gjb at semihalf.com> wrote:
>>
>> This commits add library, which consist functions to
>> enrolll Secure Boot keys and initialize Secure Boot
>> default variables. Some of the functions was moved
>> from SecureBootConfigImpl.c file.
>>
>> Signed-off-by: Grzegorz Bernacki <gjb at semihalf.com>
>> Reviewed-by: Sunny Wang <sunny.wang at arm.com>
>> Reviewed-by: Jiewen Yao <Jiewen.yao at intel.com>
>> ---
>> SecurityPkg/SecurityPkg.dec | 4 +
>> SecurityPkg/SecurityPkg.dsc | 1 +
>> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf | 80 ++++
>> SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h | 134 ++++++
>> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 482 ++++++++++++++++++++
>> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni | 16 +
>> 6 files changed, 717 insertions(+)
>> create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
>> create mode 100644 SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
>> create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
>> create mode 100644 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
>>
>> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
>> index 8f3710e59f..e30c39f321 100644
>> --- a/SecurityPkg/SecurityPkg.dec
>> +++ b/SecurityPkg/SecurityPkg.dec
>> @@ -91,6 +91,10 @@
>> ## @libraryclass Provides helper functions related to creation/removal Secure Boot variables.
>> #
>> SecureBootVariableLib|Include/Library/SecureBootVariableLib.h
>> +
>> + ## @libraryclass Provides support to enroll Secure Boot keys.
>> + #
>> + SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h
>> [Guids]
>> ## Security package token space guid.
>> # Include/Guid/SecurityPkgTokenSpace.h
>> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
>> index 854f250625..99c227dad2 100644
>> --- a/SecurityPkg/SecurityPkg.dsc
>> +++ b/SecurityPkg/SecurityPkg.dsc
>> @@ -71,6 +71,7 @@
>> TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf
>> MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
>> SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
>> + SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
>>
>> [LibraryClasses.ARM]
>> #
>> diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
>> new file mode 100644
>> index 0000000000..a09abd29ce
>> --- /dev/null
>> +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
>> @@ -0,0 +1,80 @@
>> +## @file
>> +# Provides initialization of Secure Boot keys and databases.
>> +#
>> +# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
>> +# Copyright (c) 2021, Semihalf All rights reserved.<BR>
>> +#
>> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>> +#
>> +##
>> +
>> +[Defines]
>> + INF_VERSION = 0x00010005
>> + BASE_NAME = SecureBootVariableLib
>> + MODULE_UNI_FILE = SecureBootVariableLib.uni
>> + FILE_GUID = 18192DD0-9430-45F1-80C7-5C52061CD183
>> + MODULE_TYPE = DXE_DRIVER
>> + VERSION_STRING = 1.0
>> + LIBRARY_CLASS = SecureBootVariableProvisionLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
>> +
>> +#
>> +# The following information is for reference only and not required by the build tools.
>> +#
>> +# VALID_ARCHITECTURES = IA32 X64 AARCH64
>> +#
>> +
>> +[Sources]
>> + SecureBootVariableProvisionLib.c
>> +
>> +[Packages]
>> + MdePkg/MdePkg.dec
>> + MdeModulePkg/MdeModulePkg.dec
>> + SecurityPkg/SecurityPkg.dec
>> + CryptoPkg/CryptoPkg.dec
>> +
>> +[LibraryClasses]
>> + BaseLib
>> + BaseMemoryLib
>> + DebugLib
>> + MemoryAllocationLib
>> + BaseCryptLib
>> + DxeServicesLib
>> + SecureBootVariableLib
>> +
>> +[Guids]
>> + ## CONSUMES ## Variable:L"SetupMode"
>> + ## PRODUCES ## Variable:L"SetupMode"
>> + ## CONSUMES ## Variable:L"SecureBoot"
>> + ## PRODUCES ## Variable:L"SecureBoot"
>> + ## PRODUCES ## Variable:L"PK"
>> + ## PRODUCES ## Variable:L"KEK"
>> + ## CONSUMES ## Variable:L"PKDefault"
>> + ## CONSUMES ## Variable:L"KEKDefault"
>> + ## CONSUMES ## Variable:L"dbDefault"
>> + ## CONSUMES ## Variable:L"dbxDefault"
>> + ## CONSUMES ## Variable:L"dbtDefault"
>> + gEfiGlobalVariableGuid
>> +
>> + ## SOMETIMES_CONSUMES ## Variable:L"DB"
>> + ## SOMETIMES_CONSUMES ## Variable:L"DBX"
>> + ## SOMETIMES_CONSUMES ## Variable:L"DBT"
>> + gEfiImageSecurityDatabaseGuid
>> +
>> + ## CONSUMES ## Variable:L"SecureBootEnable"
>> + ## PRODUCES ## Variable:L"SecureBootEnable"
>> + gEfiSecureBootEnableDisableGuid
>> +
>> + ## CONSUMES ## Variable:L"CustomMode"
>> + ## PRODUCES ## Variable:L"CustomMode"
>> + gEfiCustomModeEnableGuid
>> +
>> + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES
>> + gEfiCertX509Guid ## CONSUMES
>> + gEfiCertPkcs7Guid ## CONSUMES
>> +
>> + gDefaultPKFileGuid
>> + gDefaultKEKFileGuid
>> + gDefaultdbFileGuid
>> + gDefaultdbxFileGuid
>> + gDefaultdbtFileGuid
>> +
>> diff --git a/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
>> new file mode 100644
>> index 0000000000..ba8009b5cd
>> --- /dev/null
>> +++ b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h
>> @@ -0,0 +1,134 @@
>> +/** @file
>> + Provides a functions to enroll keys based on default values.
>> +
>> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
>> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
>> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
>> +Copyright (c) 2021, Semihalf All rights reserved.<BR>
>> +SPDX-License-Identifier: BSD-2-Clause-Patent
>> +
>> +**/
>> +
>> +#ifndef SECURE_BOOT_VARIABLE_PROVISION_LIB_H_
>> +#define SECURE_BOOT_VARIABLE_PROVISION_LIB_H_
>> +
>> +/**
>> + Sets the content of the 'db' variable based on 'dbDefault' variable content.
>> +
>> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
>> + while VendorGuid is NULL.
>> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()
>> +--*/
>> +EFI_STATUS
>> +EFIAPI
>> +EnrollDbFromDefault (
>> + VOID
>> +);
>> +
>> +/**
>> + Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
>> +
>> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
>> + while VendorGuid is NULL.
>> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()
>> +--*/
>> +EFI_STATUS
>> +EFIAPI
>> +EnrollDbxFromDefault (
>> + VOID
>> +);
>> +
>> +/**
>> + Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
>> +
>> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
>> + while VendorGuid is NULL.
>> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()
>> +--*/
>> +EFI_STATUS
>> +EFIAPI
>> +EnrollDbtFromDefault (
>> + VOID
>> +);
>> +
>> +/**
>> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
>> +
>> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
>> + while VendorGuid is NULL.
>> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()
>> +--*/
>> +EFI_STATUS
>> +EFIAPI
>> +EnrollKEKFromDefault (
>> + VOID
>> +);
>> +
>> +/**
>> + Sets the content of the 'PK' variable based on 'PKDefault' variable content.
>> +
>> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
>> + while VendorGuid is NULL.
>> + @retval other Errors from GetVariable2(), GetTime() and SetVariable()
>> +--*/
>> +EFI_STATUS
>> +EFIAPI
>> +EnrollPKFromDefault (
>> + VOID
>> +);
>> +
>> +/**
>> + Initializes PKDefault variable with data from FFS section.
>> +
>> + @retval EFI_SUCCESS Variable was initialized successfully.
>> + @retval EFI_UNSUPPORTED Variable already exists.
>> +--*/
>> +EFI_STATUS
>> +SecureBootInitPKDefault (
>> + IN VOID
>> + );
>> +
>> +/**
>> + Initializes KEKDefault variable with data from FFS section.
>> +
>> + @retval EFI_SUCCESS Variable was initialized successfully.
>> + @retval EFI_UNSUPPORTED Variable already exists.
>> +--*/
>> +EFI_STATUS
>> +SecureBootInitKEKDefault (
>> + IN VOID
>> + );
>> +
>> +/**
>> + Initializes dbDefault variable with data from FFS section.
>> +
>> + @retval EFI_SUCCESS Variable was initialized successfully.
>> + @retval EFI_UNSUPPORTED Variable already exists.
>> +--*/
>> +EFI_STATUS
>> +SecureBootInitDbDefault (
>> + IN VOID
>> + );
>> +
>> +/**
>> + Initializes dbtDefault variable with data from FFS section.
>> +
>> + @retval EFI_SUCCESS Variable was initialized successfully.
>> + @retval EFI_UNSUPPORTED Variable already exists.
>> +--*/
>> +EFI_STATUS
>> +SecureBootInitDbtDefault (
>> + IN VOID
>> + );
>> +
>> +/**
>> + Initializes dbxDefault variable with data from FFS section.
>> +
>> + @retval EFI_SUCCESS Variable was initialized successfully.
>> + @retval EFI_UNSUPPORTED Variable already exists.
>> +--*/
>> +EFI_STATUS
>> +SecureBootInitDbxDefault (
>> + IN VOID
>> + );
>> +#endif
>> diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
>> new file mode 100644
>> index 0000000000..848f7ce929
>> --- /dev/null
>> +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c
>> @@ -0,0 +1,482 @@
>> +/** @file
>> + This library provides functions to set/clear Secure Boot
>> + keys and databases.
>> +
>> + Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
>> + (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
>> + Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
>> + Copyright (c) 2021, Semihalf All rights reserved.<BR>
>> + SPDX-License-Identifier: BSD-2-Clause-Patent
>> +**/
>> +#include <Guid/GlobalVariable.h>
>> +#include <Guid/AuthenticatedVariableFormat.h>
>> +#include <Guid/ImageAuthentication.h>
>> +#include <Library/BaseLib.h>
>> +#include <Library/BaseMemoryLib.h>
>> +#include <Library/DebugLib.h>
>> +#include <Library/UefiLib.h>
>> +#include <Library/MemoryAllocationLib.h>
>> +#include <Library/UefiRuntimeServicesTableLib.h>
>> +#include <Library/SecureBootVariableLib.h>
>> +#include <Library/SecureBootVariableProvisionLib.h>
>> +
>> +/**
>> + Enroll a key/certificate based on a default variable.
>> +
>> + @param[in] VariableName The name of the key/database.
>> + @param[in] DefaultName The name of the default variable.
>> + @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable
>> +
>> + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHeader.
>> + @retval EFI_SUCCESS Successful enrollment.
>> + @return Error codes from GetTime () and SetVariable ().
>> +**/
>> +STATIC
>> +EFI_STATUS
>> +EnrollFromDefault (
>> + IN CHAR16 *VariableName,
>> + IN CHAR16 *DefaultName,
>> + IN EFI_GUID *VendorGuid
>> + )
>> +{
>> + VOID *Data;
>> + UINTN DataSize;
>> + EFI_STATUS Status;
>> +
>> + Status = EFI_SUCCESS;
>> +
>> + DataSize = 0;
>> + Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);
>> + if (EFI_ERROR (Status)) {
>> + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));
>> + return Status;
>> + }
>> +
>> + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
>> + if (EFI_ERROR (Status)) {
>> + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
>> + return Status;
>> + }
>> +
>> + //
>> + // Allocate memory for auth variable
>> + //
>> + Status = gRT->SetVariable (
>> + VariableName,
>> + VendorGuid,
>> + (EFI_VARIABLE_NON_VOLATILE |
>> + EFI_VARIABLE_BOOTSERVICE_ACCESS |
>> + EFI_VARIABLE_RUNTIME_ACCESS |
>> + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
>> + DataSize,
>> + Data
>> + );
>> +
>> + if (EFI_ERROR (Status)) {
>> + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, VariableName,
>> + VendorGuid, Status));
>> + }
>> +
>> + if (Data != NULL) {
>> + FreePool (Data);
>> + }
>> +
>> + return Status;
>> +}
>> +
>> +/** Initializes PKDefault variable with data from FFS section.
>> +
>> + @retval EFI_SUCCESS Variable was initialized successfully.
>> + @retval EFI_UNSUPPORTED Variable already exists.
>> +**/
>> +EFI_STATUS
>> +SecureBootInitPKDefault (
>> + IN VOID
>> + )
>> +{
>> + EFI_SIGNATURE_LIST *EfiSig;
>> + UINTN SigListsSize;
>> + EFI_STATUS Status;
>> + UINT8 *Data;
>> + UINTN DataSize;
>> +
>> + //
>> + // Check if variable exists, if so do not change it
>> + //
>> + Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
>> + if (Status == EFI_SUCCESS) {
>> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
>> + FreePool (Data);
>> + return EFI_UNSUPPORTED;
>> + }
>> +
>> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
>> + return Status;
>> + }
>> +
>> + //
>> + // Variable does not exist, can be initialized
>> + //
>> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));
>> +
>> + Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);
>> + if (EFI_ERROR (Status)) {
>> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));
>> + return Status;
>> + }
>> +
>> + Status = gRT->SetVariable (
>> + EFI_PK_DEFAULT_VARIABLE_NAME,
>> + &gEfiGlobalVariableGuid,
>> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
>> + SigListsSize,
>> + (VOID *)EfiSig
>> + );
>> + if (EFI_ERROR (Status)) {
>> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));
>> + }
>> +
>> + FreePool (EfiSig);
>> +
>> + return Status;
>> +}
>> +
>> +/** Initializes KEKDefault variable with data from FFS section.
>> +
>> + @retval EFI_SUCCESS Variable was initialized successfully.
>> + @retval EFI_UNSUPPORTED Variable already exists.
>> +**/
>> +EFI_STATUS
>> +SecureBootInitKEKDefault (
>> + IN VOID
>> + )
>> +{
>> + EFI_SIGNATURE_LIST *EfiSig;
>> + UINTN SigListsSize;
>> + EFI_STATUS Status;
>> + UINT8 *Data;
>> + UINTN DataSize;
>> +
>> + //
>> + // Check if variable exists, if so do not change it
>> + //
>> + Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
>> + if (Status == EFI_SUCCESS) {
>> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
>> + FreePool (Data);
>> + return EFI_UNSUPPORTED;
>> + }
>> +
>> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
>> + return Status;
>> + }
>> +
>> + //
>> + // Variable does not exist, can be initialized
>> + //
>> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
>> +
>> + Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);
>> + if (EFI_ERROR (Status)) {
>> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
>> + return Status;
>> + }
>> +
>> +
>> + Status = gRT->SetVariable (
>> + EFI_KEK_DEFAULT_VARIABLE_NAME,
>> + &gEfiGlobalVariableGuid,
>> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
>> + SigListsSize,
>> + (VOID *)EfiSig
>> + );
>> + if (EFI_ERROR (Status)) {
>> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
>> + }
>> +
>> + FreePool (EfiSig);
>> +
>> + return Status;
>> +}
>> +
>> +/** Initializes dbDefault variable with data from FFS section.
>> +
>> + @retval EFI_SUCCESS Variable was initialized successfully.
>> + @retval EFI_UNSUPPORTED Variable already exists.
>> +**/
>> +EFI_STATUS
>> +SecureBootInitDbDefault (
>> + IN VOID
>> + )
>> +{
>> + EFI_SIGNATURE_LIST *EfiSig;
>> + UINTN SigListsSize;
>> + EFI_STATUS Status;
>> + UINT8 *Data;
>> + UINTN DataSize;
>> +
>> + Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
>> + if (Status == EFI_SUCCESS) {
>> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
>> + FreePool (Data);
>> + return EFI_UNSUPPORTED;
>> + }
>> +
>> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
>> + return Status;
>> + }
>> +
>> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));
>> +
>> + Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);
>> + if (EFI_ERROR (Status)) {
>> + return Status;
>> + }
>> +
>> + Status = gRT->SetVariable (
>> + EFI_DB_DEFAULT_VARIABLE_NAME,
>> + &gEfiGlobalVariableGuid,
>> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
>> + SigListsSize,
>> + (VOID *)EfiSig
>> + );
>> + if (EFI_ERROR (Status)) {
>> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));
>> + }
>> +
>> + FreePool (EfiSig);
>> +
>> + return Status;
>> +}
>> +
>> +/** Initializes dbxDefault variable with data from FFS section.
>> +
>> + @retval EFI_SUCCESS Variable was initialized successfully.
>> + @retval EFI_UNSUPPORTED Variable already exists.
>> +**/
>> +EFI_STATUS
>> +SecureBootInitDbxDefault (
>> + IN VOID
>> + )
>> +{
>> + EFI_SIGNATURE_LIST *EfiSig;
>> + UINTN SigListsSize;
>> + EFI_STATUS Status;
>> + UINT8 *Data;
>> + UINTN DataSize;
>> +
>> + //
>> + // Check if variable exists, if so do not change it
>> + //
>> + Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
>> + if (Status == EFI_SUCCESS) {
>> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
>> + FreePool (Data);
>> + return EFI_UNSUPPORTED;
>> + }
>> +
>> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
>> + return Status;
>> + }
>> +
>> + //
>> + // Variable does not exist, can be initialized
>> + //
>> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
>> +
>> + Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);
>> + if (EFI_ERROR (Status)) {
>> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
>> + return Status;
>> + }
>> +
>> + Status = gRT->SetVariable (
>> + EFI_DBX_DEFAULT_VARIABLE_NAME,
>> + &gEfiGlobalVariableGuid,
>> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
>> + SigListsSize,
>> + (VOID *)EfiSig
>> + );
>> + if (EFI_ERROR (Status)) {
>> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
>> + }
>> +
>> + FreePool (EfiSig);
>> +
>> + return Status;
>> +}
>> +
>> +/** Initializes dbtDefault variable with data from FFS section.
>> +
>> + @retval EFI_SUCCESS Variable was initialized successfully.
>> + @retval EFI_UNSUPPORTED Variable already exists.
>> +**/
>> +EFI_STATUS
>> +SecureBootInitDbtDefault (
>> + IN VOID
>> + )
>> +{
>> + EFI_SIGNATURE_LIST *EfiSig;
>> + UINTN SigListsSize;
>> + EFI_STATUS Status;
>> + UINT8 *Data;
>> + UINTN DataSize;
>> +
>> + //
>> + // Check if variable exists, if so do not change it
>> + //
>> + Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
>> + if (Status == EFI_SUCCESS) {
>> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
>> + FreePool (Data);
>> + return EFI_UNSUPPORTED;
>> + }
>> +
>> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
>> + return Status;
>> + }
>> +
>> + //
>> + // Variable does not exist, can be initialized
>> + //
>> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
>> +
>> + Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);
>> + if (EFI_ERROR (Status)) {
>> + return Status;
>> + }
>> +
>> + Status = gRT->SetVariable (
>> + EFI_DBT_DEFAULT_VARIABLE_NAME,
>> + &gEfiGlobalVariableGuid,
>> + EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
>> + SigListsSize,
>> + (VOID *)EfiSig
>> + );
>> + if (EFI_ERROR (Status)) {
>> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
>> + }
>> +
>> + FreePool (EfiSig);
>> +
>> + return EFI_SUCCESS;
>> +}
>> +
>> +/**
>> + Sets the content of the 'db' variable based on 'dbDefault' variable content.
>> +
>> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
>> + while VendorGuid is NULL.
>> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
>> +**/
>> +EFI_STATUS
>> +EFIAPI
>> +EnrollDbFromDefault (
>> + VOID
>> +)
>> +{
>> + EFI_STATUS Status;
>> +
>> + Status = EnrollFromDefault (
>> + EFI_IMAGE_SECURITY_DATABASE,
>> + EFI_DB_DEFAULT_VARIABLE_NAME,
>> + &gEfiImageSecurityDatabaseGuid
>> + );
>> +
>> + return Status;
>> +}
>> +
>> +/**
>> + Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.
>> +
>> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
>> + while VendorGuid is NULL.
>> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
>> +**/
>> +EFI_STATUS
>> +EFIAPI
>> +EnrollDbxFromDefault (
>> + VOID
>> +)
>> +{
>> + EFI_STATUS Status;
>> +
>> + Status = EnrollFromDefault (
>> + EFI_IMAGE_SECURITY_DATABASE1,
>> + EFI_DBX_DEFAULT_VARIABLE_NAME,
>> + &gEfiImageSecurityDatabaseGuid
>> + );
>> +
>> + return Status;
>> +}
>> +
>> +/**
>> + Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.
>> +
>> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
>> + while VendorGuid is NULL.
>> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
>> +**/
>> +EFI_STATUS
>> +EFIAPI
>> +EnrollDbtFromDefault (
>> + VOID
>> +)
>> +{
>> + EFI_STATUS Status;
>> +
>> + Status = EnrollFromDefault (
>> + EFI_IMAGE_SECURITY_DATABASE2,
>> + EFI_DBT_DEFAULT_VARIABLE_NAME,
>> + &gEfiImageSecurityDatabaseGuid);
>> +
>> + return Status;
>> +}
>> +
>> +/**
>> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
>> +
>> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
>> + while VendorGuid is NULL.
>> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
>> +**/
>> +EFI_STATUS
>> +EFIAPI
>> +EnrollKEKFromDefault (
>> + VOID
>> +)
>> +{
>> + EFI_STATUS Status;
>> +
>> + Status = EnrollFromDefault (
>> + EFI_KEY_EXCHANGE_KEY_NAME,
>> + EFI_KEK_DEFAULT_VARIABLE_NAME,
>> + &gEfiGlobalVariableGuid
>> + );
>> +
>> + return Status;
>> +}
>> +
>> +/**
>> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.
>> +
>> + @retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails
>> + while VendorGuid is NULL.
>> + @retval other Errors from GetVariable2 (), GetTime () and SetVariable ()
>> +**/
>> +EFI_STATUS
>> +EFIAPI
>> +EnrollPKFromDefault (
>> + VOID
>> +)
>> +{
>> + EFI_STATUS Status;
>> +
>> + Status = EnrollFromDefault (
>> + EFI_PLATFORM_KEY_NAME,
>> + EFI_PK_DEFAULT_VARIABLE_NAME,
>> + &gEfiGlobalVariableGuid
>> + );
>> +
>> + return Status;
>> +}
>> diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
>> new file mode 100644
>> index 0000000000..68d928ef30
>> --- /dev/null
>> +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni
>> @@ -0,0 +1,16 @@
>> +// /** @file
>> +//
>> +// Provides initialization of Secure Boot keys and databases.
>> +//
>> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
>> +// Copyright (c) 2021, Semihalf All rights reserved.<BR>
>> +//
>> +// SPDX-License-Identifier: BSD-2-Clause-Patent
>> +//
>> +// **/
>> +
>> +
>> +#string STR_MODULE_ABSTRACT #language en-US "Provides functions to initialize PK, KEK and databases based on default variables."
>> +
>> +#string STR_MODULE_DESCRIPTION #language en-US "Provides functions to initialize PK, KEK and databases based on default variables."
>> +
>> --
>> 2.25.1
>>
>>
>>
>>
>>
>>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#79767): https://edk2.groups.io/g/devel/message/79767
Mute This Topic: https://groups.io/mt/84608356/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list