1 | /** @file\r |
2 | Enroll default PK, KEK, db, dbx.\r | |
3 | \r | |
4 | Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r | |
5 | Copyright (c) 2021, Semihalf All rights reserved.<BR>\r | |
6 | \r | |
7 | SPDX-License-Identifier: BSD-2-Clause-Patent\r | |
8 | **/\r | |
9 | \r | |
10 | #include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid\r | |
11 | #include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME\r | |
12 | #include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE\r | |
13 | #include <Library/BaseLib.h> // GUID_STRING_LENGTH\r | |
14 | #include <Library/BaseMemoryLib.h> // CopyGuid()\r | |
15 | #include <Library/DebugLib.h> // ASSERT()\r | |
16 | #include <Library/MemoryAllocationLib.h> // FreePool()\r | |
17 | #include <Library/PrintLib.h> // AsciiSPrint()\r | |
18 | #include <Library/UefiBootServicesTableLib.h> // gBS\r | |
19 | #include <Library/UefiLib.h> // AsciiPrint()\r | |
20 | #include <Library/UefiRuntimeServicesTableLib.h> // gRT\r | |
21 | #include <Uefi/UefiMultiPhase.h>\r | |
22 | #include <Library/SecureBootVariableLib.h>\r | |
23 | #include <Library/SecureBootVariableProvisionLib.h>\r | |
24 | \r | |
25 | /**\r | |
26 | Entry point function of this shell application.\r | |
27 | @param[in] ImageHandle The firmware allocated handle for the EFI image.\r | |
28 | @param[in] SystemTable A pointer to the EFI System Table.\r | |
29 | \r | |
30 | @retval 0 The entry point is executed successfully.\r | |
31 | @retval other Some error occurs when executing this entry point.\r | |
32 | **/\r | |
33 | EFI_STATUS\r | |
34 | EFIAPI\r | |
35 | UefiMain (\r | |
36 | IN EFI_HANDLE ImageHandle,\r | |
37 | IN EFI_SYSTEM_TABLE *SystemTable\r | |
38 | )\r | |
39 | {\r | |
40 | EFI_STATUS Status;\r | |
41 | UINT8 SetupMode;\r | |
42 | \r | |
43 | Status = GetSetupMode (&SetupMode);\r | |
44 | if (EFI_ERROR (Status)) {\r | |
45 | AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: %r\n", Status);\r | |
46 | return 1;\r | |
47 | }\r | |
48 | \r | |
49 | if (SetupMode == USER_MODE) {\r | |
50 | AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n");\r | |
51 | return 1;\r | |
52 | }\r | |
53 | \r | |
54 | Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);\r | |
55 | if (EFI_ERROR (Status)) {\r | |
56 | AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);\r | |
57 | return 1;\r | |
58 | }\r | |
59 | \r | |
60 | Status = EnrollDbFromDefault ();\r | |
61 | if (EFI_ERROR (Status)) {\r | |
62 | AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status);\r | |
63 | goto error;\r | |
64 | }\r | |
65 | \r | |
66 | Status = EnrollDbxFromDefault ();\r | |
67 | if (EFI_ERROR (Status)) {\r | |
68 | AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Status);\r | |
69 | }\r | |
70 | \r | |
71 | Status = EnrollDbtFromDefault ();\r | |
72 | if (EFI_ERROR (Status)) {\r | |
73 | AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Status);\r | |
74 | }\r | |
75 | \r | |
76 | Status = EnrollKEKFromDefault ();\r | |
77 | if (EFI_ERROR (Status)) {\r | |
78 | AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Status);\r | |
79 | goto cleardbs;\r | |
80 | }\r | |
81 | \r | |
82 | Status = EnrollPKFromDefault ();\r | |
83 | if (EFI_ERROR (Status)) {\r | |
84 | AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status);\r | |
85 | goto clearKEK;\r | |
86 | }\r | |
87 | \r | |
88 | Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);\r | |
89 | if (EFI_ERROR (Status)) {\r | |
90 | AsciiPrint (\r | |
91 | "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"\r | |
92 | "Please do it manually, otherwise system can be easily compromised\n"\r | |
93 | );\r | |
94 | }\r | |
95 | return 0;\r | |
96 | \r | |
97 | clearKEK:\r | |
98 | DeleteKEK ();\r | |
99 | \r | |
100 | cleardbs:\r | |
101 | DeleteDbt ();\r | |
102 | DeleteDbx ();\r | |
103 | DeleteDb ();\r | |
104 | \r | |
105 | error:\r | |
106 | Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);\r | |
107 | if (EFI_ERROR (Status)) {\r | |
108 | AsciiPrint (\r | |
109 | "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"\r | |
110 | "Please do it manually, otherwise system can be easily compromised\n"\r | |
111 | );\r | |
112 | }\r | |
113 | \r | |
114 | return 1;\r | |
115 | }\r |