[mirror_edk2.git] / SecurityPkg / EnrollFromDefaultKeysApp / EnrollFromDefaultKeysApp.c

/** @file\r
  Enroll default PK, KEK, db, dbx.\r
\r
Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r
Copyright (c) 2021, Semihalf All rights reserved.<BR>\r
\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
**/\r
\r
#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid\r
#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME\r
#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE\r
#include <Library/BaseLib.h>                     // GUID_STRING_LENGTH\r
#include <Library/BaseMemoryLib.h>               // CopyGuid()\r
#include <Library/DebugLib.h>                    // ASSERT()\r
#include <Library/MemoryAllocationLib.h>         // FreePool()\r
#include <Library/PrintLib.h>                    // AsciiSPrint()\r
#include <Library/UefiBootServicesTableLib.h>    // gBS\r
#include <Library/UefiLib.h>                     // AsciiPrint()\r
#include <Library/UefiRuntimeServicesTableLib.h> // gRT\r
#include <Uefi/UefiMultiPhase.h>\r
#include <Library/SecureBootVariableLib.h>\r
#include <Library/SecureBootVariableProvisionLib.h>\r
\r
/**\r
  Entry point function of this shell application.\r
  @param[in] ImageHandle    The firmware allocated handle for the EFI image.\r
  @param[in] SystemTable    A pointer to the EFI System Table.\r
\r
  @retval 0       The entry point is executed successfully.\r
  @retval other   Some error occurs when executing this entry point.\r
**/\r
EFI_STATUS\r
EFIAPI\r
UefiMain (\r
  IN EFI_HANDLE        ImageHandle,\r
  IN EFI_SYSTEM_TABLE  *SystemTable\r
  )\r
{\r
  EFI_STATUS Status;\r
  UINT8      SetupMode;\r
\r
  Status = GetSetupMode (&SetupMode);\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: %r\n", Status);\r
    return 1;\r
  }\r
\r
  if (SetupMode == USER_MODE) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n");\r
    return 1;\r
  }\r
\r
  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);\r
    return 1;\r
  }\r
\r
  Status = EnrollDbFromDefault ();\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status);\r
    goto error;\r
  }\r
\r
  Status = EnrollDbxFromDefault ();\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Status);\r
  }\r
\r
  Status = EnrollDbtFromDefault ();\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Status);\r
  }\r
\r
  Status = EnrollKEKFromDefault ();\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Status);\r
    goto cleardbs;\r
  }\r
\r
  Status = EnrollPKFromDefault ();\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status);\r
    goto clearKEK;\r
  }\r
\r
  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint (\r
      "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"\r
      "Please do it manually, otherwise system can be easily compromised\n"\r
      );\r
  }\r
  return 0;\r
\r
clearKEK:\r
  DeleteKEK ();\r
\r
cleardbs:\r
  DeleteDbt ();\r
  DeleteDbx ();\r
  DeleteDb ();\r
\r
error:\r
  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint (\r
      "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"\r
      "Please do it manually, otherwise system can be easily compromised\n"\r
      );\r
  }\r
\r
  return 1;\r
}\r
Commit	Line	Data
19107590 GB	1	/** @file\r
	2	Enroll default PK, KEK, db, dbx.\r
	3	\r
	4	Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r
	5	Copyright (c) 2021, Semihalf All rights reserved.<BR>\r
	6	\r
	7	SPDX-License-Identifier: BSD-2-Clause-Patent\r
	8	**/\r
	9	\r
	10	#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid\r
	11	#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME\r
	12	#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE\r
	13	#include <Library/BaseLib.h> // GUID_STRING_LENGTH\r
	14	#include <Library/BaseMemoryLib.h> // CopyGuid()\r
	15	#include <Library/DebugLib.h> // ASSERT()\r
	16	#include <Library/MemoryAllocationLib.h> // FreePool()\r
	17	#include <Library/PrintLib.h> // AsciiSPrint()\r
	18	#include <Library/UefiBootServicesTableLib.h> // gBS\r
	19	#include <Library/UefiLib.h> // AsciiPrint()\r
	20	#include <Library/UefiRuntimeServicesTableLib.h> // gRT\r
	21	#include <Uefi/UefiMultiPhase.h>\r
	22	#include <Library/SecureBootVariableLib.h>\r
	23	#include <Library/SecureBootVariableProvisionLib.h>\r
	24	\r
	25	/**\r
	26	Entry point function of this shell application.\r
	27	@param[in] ImageHandle The firmware allocated handle for the EFI image.\r
	28	@param[in] SystemTable A pointer to the EFI System Table.\r
	29	\r
	30	@retval 0 The entry point is executed successfully.\r
	31	@retval other Some error occurs when executing this entry point.\r
	32	**/\r
	33	EFI_STATUS\r
	34	EFIAPI\r
	35	UefiMain (\r
	36	IN EFI_HANDLE ImageHandle,\r
	37	IN EFI_SYSTEM_TABLE *SystemTable\r
	38	)\r
	39	{\r
	40	EFI_STATUS Status;\r
	41	UINT8 SetupMode;\r
	42	\r
	43	Status = GetSetupMode (&SetupMode);\r
	44	if (EFI_ERROR (Status)) {\r
	45	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: %r\n", Status);\r
	46	return 1;\r
	47	}\r
	48	\r
	49	if (SetupMode == USER_MODE) {\r
	50	AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n");\r
	51	return 1;\r
	52	}\r
	53	\r
	54	Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);\r
	55	if (EFI_ERROR (Status)) {\r
	56	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);\r
	57	return 1;\r
	58	}\r
	59	\r
	60	Status = EnrollDbFromDefault ();\r
	61	if (EFI_ERROR (Status)) {\r
	62	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status);\r
	63	goto error;\r
	64	}\r
65	\r
66	Status = EnrollDbxFromDefault ();\r
67	if (EFI_ERROR (Status)) {\r
68	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Status);\r
69	}\r
70	\r
71	Status = EnrollDbtFromDefault ();\r
72	if (EFI_ERROR (Status)) {\r
73	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Status);\r
74	}\r
75	\r
76	Status = EnrollKEKFromDefault ();\r
77	if (EFI_ERROR (Status)) {\r
78	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Status);\r
79	goto cleardbs;\r
80	}\r
81	\r
82	Status = EnrollPKFromDefault ();\r
83	if (EFI_ERROR (Status)) {\r
84	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status);\r
85	goto clearKEK;\r
86	}\r
87	\r
88	Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);\r
89	if (EFI_ERROR (Status)) {\r
90	AsciiPrint (\r
91	"EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"\r
92	"Please do it manually, otherwise system can be easily compromised\n"\r
93	);\r
94	}\r
95	return 0;\r
96	\r
97	clearKEK:\r
98	DeleteKEK ();\r
99	\r
100	cleardbs:\r
101	DeleteDbt ();\r
102	DeleteDbx ();\r
103	DeleteDb ();\r
104	\r
105	error:\r
106	Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);\r
107	if (EFI_ERROR (Status)) {\r
108	AsciiPrint (\r
109	"EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"\r
110	"Please do it manually, otherwise system can be easily compromised\n"\r
111	);\r
112	}\r
113	\r
114	return 1;\r
115	}\r