[efi-boot-shim.git] / lib / configtable.c

// SPDX-License-Identifier: BSD-2-Clause-Patent
/*
 * Copyright 2013 <James.Bottomley@HansenPartnership.com>
 *
 * read some platform configuration tables
 */
#include "shim.h"

void *
configtable_get_table(EFI_GUID *guid)
{
	unsigned int i;

	for (i = 0; i < ST->NumberOfTableEntries; i++) {
		EFI_CONFIGURATION_TABLE *CT = &ST->ConfigurationTable[i];

		if (CompareGuid(guid, &CT->VendorGuid) == 0) {
			return CT->VendorTable;
		}
	}
	return NULL;
}

EFI_IMAGE_EXECUTION_INFO_TABLE *
configtable_get_image_table(void)
{
	return configtable_get_table(&SIG_DB);
}

EFI_IMAGE_EXECUTION_INFO *
configtable_find_image(const EFI_DEVICE_PATH *DevicePath)
{
	EFI_IMAGE_EXECUTION_INFO_TABLE *t = configtable_get_image_table();

	if (!t)
		return NULL;

	int entries = t->NumberOfImages;
	EFI_IMAGE_EXECUTION_INFO *e = t->InformationInfo;

	int i;
	for (i = 0; i < entries; i++) {
#ifdef DEBUG_CONFIG
		console_print(L"InfoSize = %d  Action = %d\n", e->InfoSize, e->Action);

		/* print what we have for debugging */
		UINT8 *d = (UINT8 *)e; // + sizeof(UINT32)*2;
		console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
		d += 16;
		console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
		d += 16;
		console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
		d += 16;
		console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
		d += 16;
		console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
		d += 16;
		console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
		      d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
#endif
		CHAR16 *name = (CHAR16 *)(e->Data);
		int skip = 0;

		/* There's a bug in a lot of EFI platforms and they forget to
		 * put the name here.  The only real way of detecting it is to
		 * look for either a UC16 NULL or ASCII as UC16 */
		if (name[0] == '\0' || (e->Data[1] == 0 && e->Data[3] == 0)) {
			skip = StrSize(name);
#ifdef DEBUG_CONFIG
			console_print(L"FOUND NAME %s (%d)\n", name, skip);
#endif
		}
		EFI_DEVICE_PATH *dp = (EFI_DEVICE_PATH *)(e->Data + skip), *dpn = dp;
		if (dp->Type == 0 || dp->Type > 6 || dp->SubType == 0
		    || ((unsigned)((dp->Length[1] << 8) + dp->Length[0]) > e->InfoSize)) {
			/* Parse error, table corrupt, bail */
			console_print(L"Image Execution Information table corrupt\n");
			break;
		}

		UINTN Size;
		DevicePathInstance(&dpn, &Size);
#ifdef DEBUG_CONFIG
		console_print(L"Path: %s\n", DevicePathToStr(dp));
		console_print(L"Device Path Size %d\n", Size);
#endif
		if (Size > e->InfoSize) {
			/* parse error; the platform obviously has a
			 * corrupted image table; bail */
			console_print(L"Image Execution Information table corrupt\n");
			break;
		}

		if (CompareMem(dp, (void *)DevicePath, Size) == 0) {
#ifdef DEBUG_CONFIG
			console_print(L"***FOUND\n");
			console_get_keystroke();
#endif
			return e;
		}
		e = (EFI_IMAGE_EXECUTION_INFO *)((UINT8 *)e + e->InfoSize);
	}

#ifdef DEBUG_CONFIG
	console_print(L"***NOT FOUND\n");
	console_get_keystroke();
#endif

	return NULL;
}

int
configtable_image_is_forbidden(const EFI_DEVICE_PATH *DevicePath)
{
	EFI_IMAGE_EXECUTION_INFO *e = configtable_find_image(DevicePath);

	/* Image may not be in DB if it gets executed successfully If it is,
	 * and EFI_IMAGE_EXECUTION_INITIALIZED is not set, then the image
	 * isn't authenticated.  If there's no signature, usually
	 * EFI_IMAGE_EXECUTION_AUTH_UNTESTED is set, if the hash is in dbx,
	 * EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND is returned, and if the key is
	 * in dbx, EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED is returned*/

	if (e && (e->Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND
		  || e->Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED)) {
		/* this means the images signing key is in dbx */
#ifdef DEBUG_CONFIG
		console_print(L"SIGNATURE IS IN DBX, FORBIDDING EXECUTION\n");
#endif
		return 1;
	}

	return 0;
}
Commit	Line	Data
031e5cce	1	// SPDX-License-Identifier: BSD-2-Clause-Patent
17857eb8 MG	2	/*
	3	* Copyright 2013 <James.Bottomley@HansenPartnership.com>
	4	*
17857eb8 MG	5	* read some platform configuration tables
17857eb8 MG	6	*/
f892ac66	7	#include "shim.h"
17857eb8 MG	8
	9	void *
	10	configtable_get_table(EFI_GUID *guid)
	11	{
1f23ecc3	12	unsigned int i;
17857eb8 MG	13
	14	for (i = 0; i < ST->NumberOfTableEntries; i++) {
	15	EFI_CONFIGURATION_TABLE *CT = &ST->ConfigurationTable[i];
	16
	17	if (CompareGuid(guid, &CT->VendorGuid) == 0) {
	18	return CT->VendorTable;
	19	}
	20	}
	21	return NULL;
	22	}
	23
	24	EFI_IMAGE_EXECUTION_INFO_TABLE *
	25	configtable_get_image_table(void)
	26	{
	27	return configtable_get_table(&SIG_DB);
	28	}
	29
	30	EFI_IMAGE_EXECUTION_INFO *
	31	configtable_find_image(const EFI_DEVICE_PATH *DevicePath)
	32	{
	33	EFI_IMAGE_EXECUTION_INFO_TABLE *t = configtable_get_image_table();
	34
	35	if (!t)
	36	return NULL;
	37
	38	int entries = t->NumberOfImages;
	39	EFI_IMAGE_EXECUTION_INFO *e = t->InformationInfo;
	40
	41	int i;
	42	for (i = 0; i < entries; i++) {
	43	#ifdef DEBUG_CONFIG
f892ac66	44	console_print(L"InfoSize = %d Action = %d\n", e->InfoSize, e->Action);
17857eb8 MG	45
	46	/* print what we have for debugging */
	47	UINT8 d = (UINT8 )e; // + sizeof(UINT32)*2;
f892ac66	48	console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
031e5cce	49	d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
17857eb8	50	d += 16;
f892ac66	51	console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
031e5cce	52	d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
17857eb8	53	d += 16;
f892ac66	54	console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
031e5cce	55	d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
17857eb8	56	d += 16;
f892ac66	57	console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
031e5cce	58	d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
17857eb8	59	d += 16;
f892ac66	60	console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
031e5cce	61	d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
17857eb8	62	d += 16;
f892ac66	63	console_print(L"Data: %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n",
031e5cce	64	d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7], d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
17857eb8 MG	65	#endif
	66	CHAR16 name = (CHAR16 )(e->Data);
	67	int skip = 0;
	68
	69	/* There's a bug in a lot of EFI platforms and they forget to
	70	* put the name here. The only real way of detecting it is to
	71	* look for either a UC16 NULL or ASCII as UC16 */
	72	if (name[0] == '\0' \|\| (e->Data[1] == 0 && e->Data[3] == 0)) {
	73	skip = StrSize(name);
	74	#ifdef DEBUG_CONFIG
f892ac66	75	console_print(L"FOUND NAME %s (%d)\n", name, skip);
17857eb8 MG	76	#endif
	77	}
	78	EFI_DEVICE_PATH dp = (EFI_DEVICE_PATH )(e->Data + skip), *dpn = dp;
	79	if (dp->Type == 0 \|\| dp->Type > 6 \|\| dp->SubType == 0
1f23ecc3	80	\|\| ((unsigned)((dp->Length[1] << 8) + dp->Length[0]) > e->InfoSize)) {
17857eb8	81	/* Parse error, table corrupt, bail */
f892ac66	82	console_print(L"Image Execution Information table corrupt\n");
17857eb8 MG	83	break;
	84	}
	85
	86	UINTN Size;
	87	DevicePathInstance(&dpn, &Size);
	88	#ifdef DEBUG_CONFIG
f892ac66 MTL	89	console_print(L"Path: %s\n", DevicePathToStr(dp));
f892ac66 MTL	90	console_print(L"Device Path Size %d\n", Size);
17857eb8 MG	91	#endif
17857eb8 MG	92	if (Size > e->InfoSize) {
031e5cce	93	/* parse error; the platform obviously has a
17857eb8	94	* corrupted image table; bail */
f892ac66	95	console_print(L"Image Execution Information table corrupt\n");
17857eb8 MG	96	break;
17857eb8 MG	97	}
031e5cce	98
aed556c4	99	if (CompareMem(dp, (void *)DevicePath, Size) == 0) {
17857eb8	100	#ifdef DEBUG_CONFIG
f892ac66	101	console_print(L"***FOUND\n");
17857eb8 MG	102	console_get_keystroke();
	103	#endif
	104	return e;
	105	}
	106	e = (EFI_IMAGE_EXECUTION_INFO )((UINT8 )e + e->InfoSize);
	107	}
	108
	109	#ifdef DEBUG_CONFIG
f892ac66	110	console_print(L"***NOT FOUND\n");
17857eb8 MG	111	console_get_keystroke();
	112	#endif
	113
	114	return NULL;
	115	}
	116
	117	int
	118	configtable_image_is_forbidden(const EFI_DEVICE_PATH *DevicePath)
	119	{
	120	EFI_IMAGE_EXECUTION_INFO *e = configtable_find_image(DevicePath);
	121
	122	/* Image may not be in DB if it gets executed successfully If it is,
	123	* and EFI_IMAGE_EXECUTION_INITIALIZED is not set, then the image
	124	* isn't authenticated. If there's no signature, usually
	125	* EFI_IMAGE_EXECUTION_AUTH_UNTESTED is set, if the hash is in dbx,
	126	* EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND is returned, and if the key is
	127	* in dbx, EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED is returned*/
	128
	129	if (e && (e->Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND
	130	\|\| e->Action == EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED)) {
	131	/* this means the images signing key is in dbx */
	132	#ifdef DEBUG_CONFIG
f892ac66	133	console_print(L"SIGNATURE IS IN DBX, FORBIDDING EXECUTION\n");
17857eb8 MG	134	#endif
	135	return 1;
	136	}
	137
	138	return 0;
	139	}