2 Measure TCG required variable.
4 Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.<BR>
5 SPDX-License-Identifier: BSD-2-Clause-Patent
10 #include <Guid/ImageAuthentication.h>
11 #include <IndustryStandard/UefiTcgPlatform.h>
13 #include <Library/UefiBootServicesTableLib.h>
14 #include <Library/UefiRuntimeServicesTableLib.h>
15 #include <Library/MemoryAllocationLib.h>
16 #include <Library/BaseMemoryLib.h>
17 #include <Library/DebugLib.h>
18 #include <Library/BaseLib.h>
19 #include <Library/TpmMeasurementLib.h>
21 #include "PrivilegePolymorphic.h"
28 VARIABLE_TYPE mVariableType
[] = {
29 { EFI_SECURE_BOOT_MODE_NAME
, &gEfiGlobalVariableGuid
},
30 { EFI_PLATFORM_KEY_NAME
, &gEfiGlobalVariableGuid
},
31 { EFI_KEY_EXCHANGE_KEY_NAME
, &gEfiGlobalVariableGuid
},
32 { EFI_IMAGE_SECURITY_DATABASE
, &gEfiImageSecurityDatabaseGuid
},
33 { EFI_IMAGE_SECURITY_DATABASE1
, &gEfiImageSecurityDatabaseGuid
},
34 { EFI_IMAGE_SECURITY_DATABASE2
, &gEfiImageSecurityDatabaseGuid
},
38 // "SecureBoot" may update following PK Del/Add
39 // Cache its value to detect value update
41 UINT8
*mSecureBootVarData
= NULL
;
42 UINTN mSecureBootVarDataSize
= 0;
45 This function will return if this variable is SecureBootPolicy Variable.
47 @param[in] VariableName A Null-terminated string that is the name of the vendor's variable.
48 @param[in] VendorGuid A unique identifier for the vendor.
50 @retval TRUE This is SecureBootPolicy Variable
51 @retval FALSE This is not SecureBootPolicy Variable
54 IsSecureBootPolicyVariable (
55 IN CHAR16
*VariableName
,
56 IN EFI_GUID
*VendorGuid
61 for (Index
= 0; Index
< sizeof (mVariableType
)/sizeof (mVariableType
[0]); Index
++) {
62 if ((StrCmp (VariableName
, mVariableType
[Index
].VariableName
) == 0) &&
63 (CompareGuid (VendorGuid
, mVariableType
[Index
].VendorGuid
)))
73 Measure and log an EFI variable, and extend the measurement result into a specific PCR.
75 @param[in] VarName A Null-terminated string that is the name of the vendor's variable.
76 @param[in] VendorGuid A unique identifier for the vendor.
77 @param[in] VarData The content of the variable data.
78 @param[in] VarSize The size of the variable data.
80 @retval EFI_SUCCESS Operation completed successfully.
81 @retval EFI_OUT_OF_RESOURCES Out of memory.
82 @retval EFI_DEVICE_ERROR The operation was unsuccessful.
89 IN EFI_GUID
*VendorGuid
,
96 UEFI_VARIABLE_DATA
*VarLog
;
99 ASSERT ((VarSize
== 0 && VarData
== NULL
) || (VarSize
!= 0 && VarData
!= NULL
));
101 VarNameLength
= StrLen (VarName
);
102 VarLogSize
= (UINT32
)(sizeof (*VarLog
) + VarNameLength
* sizeof (*VarName
) + VarSize
103 - sizeof (VarLog
->UnicodeName
) - sizeof (VarLog
->VariableData
));
105 VarLog
= (UEFI_VARIABLE_DATA
*)AllocateZeroPool (VarLogSize
);
106 if (VarLog
== NULL
) {
107 return EFI_OUT_OF_RESOURCES
;
110 CopyMem (&VarLog
->VariableName
, VendorGuid
, sizeof (VarLog
->VariableName
));
111 VarLog
->UnicodeNameLength
= VarNameLength
;
112 VarLog
->VariableDataLength
= VarSize
;
116 VarNameLength
* sizeof (*VarName
)
120 (CHAR16
*)VarLog
->UnicodeName
+ VarNameLength
,
126 DEBUG ((DEBUG_INFO
, "VariableDxe: MeasureVariable (Pcr - %x, EventType - %x, ", (UINTN
)7, (UINTN
)EV_EFI_VARIABLE_DRIVER_CONFIG
));
127 DEBUG ((DEBUG_INFO
, "VariableName - %s, VendorGuid - %g)\n", VarName
, VendorGuid
));
129 Status
= TpmMeasureAndLogData (
131 EV_EFI_VARIABLE_DRIVER_CONFIG
,
142 Returns the status whether get the variable success. The function retrieves
143 variable through the UEFI Runtime Service GetVariable(). The
144 returned buffer is allocated using AllocatePool(). The caller is responsible
145 for freeing this buffer with FreePool().
147 This API is only invoked in boot time. It may NOT be invoked at runtime.
149 @param[in] Name The pointer to a Null-terminated Unicode string.
150 @param[in] Guid The pointer to an EFI_GUID structure
151 @param[out] Value The buffer point saved the variable info.
152 @param[out] Size The buffer size of the variable.
154 @return EFI_OUT_OF_RESOURCES Allocate buffer failed.
155 @return EFI_SUCCESS Find the specified variable.
156 @return Others Errors Return errors from call to gRT->GetVariable.
160 InternalGetVariable (
161 IN CONST CHAR16
*Name
,
162 IN CONST EFI_GUID
*Guid
,
171 // Try to get the variable size.
179 Status
= gRT
->GetVariable ((CHAR16
*)Name
, (EFI_GUID
*)Guid
, NULL
, &BufferSize
, *Value
);
180 if (Status
!= EFI_BUFFER_TOO_SMALL
) {
185 // Allocate buffer to get the variable.
187 *Value
= AllocatePool (BufferSize
);
188 ASSERT (*Value
!= NULL
);
189 if (*Value
== NULL
) {
190 return EFI_OUT_OF_RESOURCES
;
194 // Get the variable data.
196 Status
= gRT
->GetVariable ((CHAR16
*)Name
, (EFI_GUID
*)Guid
, NULL
, &BufferSize
, *Value
);
197 if (EFI_ERROR (Status
)) {
210 SecureBoot Hook for SetVariable.
212 @param[in] VariableName Name of Variable to be found.
213 @param[in] VendorGuid Variable vendor GUID.
219 IN CHAR16
*VariableName
,
220 IN EFI_GUID
*VendorGuid
224 UINTN VariableDataSize
;
227 if (!IsSecureBootPolicyVariable (VariableName
, VendorGuid
)) {
232 // We should NOT use Data and DataSize here,because it may include signature,
233 // or is just partial with append attributes, or is deleted.
234 // We should GetVariable again, to get full variable content.
236 Status
= InternalGetVariable (
242 if (EFI_ERROR (Status
)) {
244 // Measure DBT only if present and not empty
246 if ((StrCmp (VariableName
, EFI_IMAGE_SECURITY_DATABASE2
) == 0) &&
247 CompareGuid (VendorGuid
, &gEfiImageSecurityDatabaseGuid
))
249 DEBUG ((DEBUG_INFO
, "Skip measuring variable %s since it's deleted\n", EFI_IMAGE_SECURITY_DATABASE2
));
253 VariableDataSize
= 0;
257 Status
= MeasureVariable (
263 DEBUG ((DEBUG_INFO
, "MeasureBootPolicyVariable - %r\n", Status
));
265 if (VariableData
!= NULL
) {
266 FreePool (VariableData
);
270 // "SecureBoot" is 8bit & read-only. It can only be changed according to PK update
272 if ((StrCmp (VariableName
, EFI_PLATFORM_KEY_NAME
) == 0) &&
273 CompareGuid (VendorGuid
, &gEfiGlobalVariableGuid
))
275 Status
= InternalGetVariable (
276 EFI_SECURE_BOOT_MODE_NAME
,
277 &gEfiGlobalVariableGuid
,
281 if (EFI_ERROR (Status
)) {
286 // If PK update is successful. "SecureBoot" shall always exist ever since variable write service is ready
288 ASSERT (mSecureBootVarData
!= NULL
);
290 if (CompareMem (mSecureBootVarData
, VariableData
, VariableDataSize
) != 0) {
291 FreePool (mSecureBootVarData
);
292 mSecureBootVarData
= VariableData
;
293 mSecureBootVarDataSize
= VariableDataSize
;
295 DEBUG ((DEBUG_INFO
, "%s variable updated according to PK change. Remeasure the value!\n", EFI_SECURE_BOOT_MODE_NAME
));
296 Status
= MeasureVariable (
297 EFI_SECURE_BOOT_MODE_NAME
,
298 &gEfiGlobalVariableGuid
,
300 mSecureBootVarDataSize
302 DEBUG ((DEBUG_INFO
, "MeasureBootPolicyVariable - %r\n", Status
));
305 // "SecureBoot" variable is not changed
307 FreePool (VariableData
);
315 Some Secure Boot Policy Variable may update following other variable changes(SecureBoot follows PK change, etc).
316 Record their initial State when variable write service is ready.
321 RecordSecureBootPolicyVarData (
328 // Record initial "SecureBoot" variable value.
329 // It is used to detect SecureBoot variable change in SecureBootHook.
331 Status
= InternalGetVariable (
332 EFI_SECURE_BOOT_MODE_NAME
,
333 &gEfiGlobalVariableGuid
,
334 (VOID
**)&mSecureBootVarData
,
335 &mSecureBootVarDataSize
337 if (EFI_ERROR (Status
)) {
339 // Read could fail when Auth Variable solution is not supported
341 DEBUG ((DEBUG_INFO
, "RecordSecureBootPolicyVarData GetVariable %s Status %x\n", EFI_SECURE_BOOT_MODE_NAME
, Status
));