[mirror_edk2.git] / SecurityPkg / EnrollFromDefaultKeysApp / EnrollFromDefaultKeysApp.c

/** @file\r
  Enroll default PK, KEK, db, dbx.\r
\r
Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r
Copyright (c) 2021, Semihalf All rights reserved.<BR>\r
\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
**/\r
\r
#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid\r
#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME\r
#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE\r
#include <Library/BaseLib.h>                     // GUID_STRING_LENGTH\r
#include <Library/BaseMemoryLib.h>               // CopyGuid()\r
#include <Library/DebugLib.h>                    // ASSERT()\r
#include <Library/MemoryAllocationLib.h>         // FreePool()\r
#include <Library/PrintLib.h>                    // AsciiSPrint()\r
#include <Library/UefiBootServicesTableLib.h>    // gBS\r
#include <Library/UefiLib.h>                     // AsciiPrint()\r
#include <Library/UefiRuntimeServicesTableLib.h> // gRT\r
#include <Uefi/UefiMultiPhase.h>\r
#include <UefiSecureBoot.h>\r
#include <Library/SecureBootVariableLib.h>\r
#include <Library/SecureBootVariableProvisionLib.h>\r
\r
/**\r
  Entry point function of this shell application.\r
  @param[in] ImageHandle    The firmware allocated handle for the EFI image.\r
  @param[in] SystemTable    A pointer to the EFI System Table.\r
\r
  @retval 0       The entry point is executed successfully.\r
  @retval other   Some error occurs when executing this entry point.\r
**/\r
EFI_STATUS\r
EFIAPI\r
UefiMain (\r
  IN EFI_HANDLE        ImageHandle,\r
  IN EFI_SYSTEM_TABLE  *SystemTable\r
  )\r
{\r
  EFI_STATUS  Status;\r
  UINT8       SetupMode;\r
\r
  Status = GetSetupMode (&SetupMode);\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: %r\n", Status);\r
    return 1;\r
  }\r
\r
  if (SetupMode == USER_MODE) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n");\r
    return 1;\r
  }\r
\r
  Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);\r
    return 1;\r
  }\r
\r
  Status = EnrollDbFromDefault ();\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status);\r
    goto error;\r
  }\r
\r
  Status = EnrollDbxFromDefault ();\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Status);\r
  }\r
\r
  Status = EnrollDbtFromDefault ();\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Status);\r
  }\r
\r
  Status = EnrollKEKFromDefault ();\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Status);\r
    goto cleardbs;\r
  }\r
\r
  Status = EnrollPKFromDefault ();\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status);\r
    goto clearKEK;\r
  }\r
\r
  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint (\r
      "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"\r
      "Please do it manually, otherwise system can be easily compromised\n"\r
      );\r
  }\r
\r
  return 0;\r
\r
clearKEK:\r
  DeleteKEK ();\r
\r
cleardbs:\r
  DeleteDbt ();\r
  DeleteDbx ();\r
  DeleteDb ();\r
\r
error:\r
  Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint (\r
      "EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"\r
      "Please do it manually, otherwise system can be easily compromised\n"\r
      );\r
  }\r
\r
  return 1;\r
}\r
Commit	Line	Data
19107590 GB	1	/** @file\r
	2	Enroll default PK, KEK, db, dbx.\r
	3	\r
	4	Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r
	5	Copyright (c) 2021, Semihalf All rights reserved.<BR>\r
	6	\r
	7	SPDX-License-Identifier: BSD-2-Clause-Patent\r
	8	**/\r
	9	\r
	10	#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid\r
	11	#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME\r
	12	#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE\r
	13	#include <Library/BaseLib.h> // GUID_STRING_LENGTH\r
	14	#include <Library/BaseMemoryLib.h> // CopyGuid()\r
	15	#include <Library/DebugLib.h> // ASSERT()\r
	16	#include <Library/MemoryAllocationLib.h> // FreePool()\r
	17	#include <Library/PrintLib.h> // AsciiSPrint()\r
	18	#include <Library/UefiBootServicesTableLib.h> // gBS\r
	19	#include <Library/UefiLib.h> // AsciiPrint()\r
	20	#include <Library/UefiRuntimeServicesTableLib.h> // gRT\r
	21	#include <Uefi/UefiMultiPhase.h>\r
d2a0f379	22	#include <UefiSecureBoot.h>\r
19107590 GB	23	#include <Library/SecureBootVariableLib.h>\r
	24	#include <Library/SecureBootVariableProvisionLib.h>\r
	25	\r
	26	/**\r
	27	Entry point function of this shell application.\r
	28	@param[in] ImageHandle The firmware allocated handle for the EFI image.\r
	29	@param[in] SystemTable A pointer to the EFI System Table.\r
	30	\r
	31	@retval 0 The entry point is executed successfully.\r
	32	@retval other Some error occurs when executing this entry point.\r
	33	**/\r
	34	EFI_STATUS\r
	35	EFIAPI\r
	36	UefiMain (\r
	37	IN EFI_HANDLE ImageHandle,\r
	38	IN EFI_SYSTEM_TABLE *SystemTable\r
	39	)\r
	40	{\r
c411b485 MK	41	EFI_STATUS Status;\r
c411b485 MK	42	UINT8 SetupMode;\r
19107590 GB	43	\r
	44	Status = GetSetupMode (&SetupMode);\r
	45	if (EFI_ERROR (Status)) {\r
	46	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: %r\n", Status);\r
	47	return 1;\r
	48	}\r
	49	\r
	50	if (SetupMode == USER_MODE) {\r
	51	AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n");\r
	52	return 1;\r
	53	}\r
	54	\r
	55	Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);\r
	56	if (EFI_ERROR (Status)) {\r
	57	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);\r
	58	return 1;\r
	59	}\r
	60	\r
	61	Status = EnrollDbFromDefault ();\r
	62	if (EFI_ERROR (Status)) {\r
	63	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status);\r
	64	goto error;\r
	65	}\r
	66	\r
	67	Status = EnrollDbxFromDefault ();\r
	68	if (EFI_ERROR (Status)) {\r
	69	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Status);\r
	70	}\r
	71	\r
	72	Status = EnrollDbtFromDefault ();\r
	73	if (EFI_ERROR (Status)) {\r
	74	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Status);\r
	75	}\r
	76	\r
	77	Status = EnrollKEKFromDefault ();\r
	78	if (EFI_ERROR (Status)) {\r
	79	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Status);\r
	80	goto cleardbs;\r
	81	}\r
	82	\r
	83	Status = EnrollPKFromDefault ();\r
	84	if (EFI_ERROR (Status)) {\r
	85	AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status);\r
	86	goto clearKEK;\r
	87	}\r
	88	\r
	89	Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);\r
	90	if (EFI_ERROR (Status)) {\r
	91	AsciiPrint (\r
	92	"EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"\r
	93	"Please do it manually, otherwise system can be easily compromised\n"\r
	94	);\r
	95	}\r
c411b485	96	\r
19107590 GB	97	return 0;\r
	98	\r
	99	clearKEK:\r
	100	DeleteKEK ();\r
	101	\r
	102	cleardbs:\r
	103	DeleteDbt ();\r
	104	DeleteDbx ();\r
	105	DeleteDb ();\r
	106	\r
	107	error:\r
	108	Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);\r
	109	if (EFI_ERROR (Status)) {\r
	110	AsciiPrint (\r
	111	"EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"\r
	112	"Please do it manually, otherwise system can be easily compromised\n"\r
	113	);\r
	114	}\r
	115	\r
	116	return 1;\r
	117	}\r