3 A hook-in library for NetworkPkg/TlsAuthConfigDxe, in order to set volatile
4 variables related to TLS configuration, before TlsAuthConfigDxe or HttpDxe
5 (which is a UEFI_DRIVER) consume them.
7 Copyright (C) 2013, 2015, 2018, Red Hat, Inc.
8 Copyright (c) 2008 - 2012, Intel Corporation. All rights reserved.<BR>
10 This program and the accompanying materials are licensed and made available
11 under the terms and conditions of the BSD License which accompanies this
12 distribution. The full text of the license may be found at
13 http://opensource.org/licenses/bsd-license.php
15 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
16 WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
20 #include <Uefi/UefiBaseType.h>
21 #include <Uefi/UefiSpec.h>
23 #include <Guid/TlsAuthentication.h>
25 #include <Library/BaseLib.h>
26 #include <Library/DebugLib.h>
27 #include <Library/MemoryAllocationLib.h>
28 #include <Library/QemuFwCfgLib.h>
29 #include <Library/UefiRuntimeServicesTableLib.h>
32 Read the list of trusted CA certificates from the fw_cfg file
33 "etc/edk2/https/cacerts", and store it to
34 gEfiTlsCaCertificateGuid:EFI_TLS_CA_CERTIFICATE_VARIABLE.
36 The contents are validated (for well-formedness) by NetworkPkg/HttpDxe.
45 FIRMWARE_CONFIG_ITEM HttpsCaCertsItem
;
46 UINTN HttpsCaCertsSize
;
49 Status
= QemuFwCfgFindFile ("etc/edk2/https/cacerts", &HttpsCaCertsItem
,
51 if (EFI_ERROR (Status
)) {
52 DEBUG ((DEBUG_VERBOSE
, "%a:%a: not touching CA cert list\n",
53 gEfiCallerBaseName
, __FUNCTION__
));
58 // Delete the current EFI_TLS_CA_CERTIFICATE_VARIABLE if it exists. This
59 // serves two purposes:
61 // (a) If the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we
62 // cannot make it volatile without deleting it first.
64 // (b) If we fail to recreate the variable later, deleting the current one is
65 // still justified if the fw_cfg file exists. Emptying the set of trusted
66 // CA certificates will fail HTTPS boot, which is better than trusting
67 // any certificate that's possibly missing from the fw_cfg file.
69 Status
= gRT
->SetVariable (
70 EFI_TLS_CA_CERTIFICATE_VARIABLE
, // VariableName
71 &gEfiTlsCaCertificateGuid
, // VendorGuid
76 if (EFI_ERROR (Status
) && (Status
!= EFI_NOT_FOUND
)) {
80 DEBUG ((DEBUG_ERROR
, "%a:%a: failed to delete %g:\"%s\"\n",
81 gEfiCallerBaseName
, __FUNCTION__
, &gEfiTlsCaCertificateGuid
,
82 EFI_TLS_CA_CERTIFICATE_VARIABLE
));
83 ASSERT_EFI_ERROR (Status
);
87 if (HttpsCaCertsSize
== 0) {
88 DEBUG ((DEBUG_VERBOSE
, "%a:%a: applied empty CA cert list\n",
89 gEfiCallerBaseName
, __FUNCTION__
));
93 HttpsCaCerts
= AllocatePool (HttpsCaCertsSize
);
94 if (HttpsCaCerts
== NULL
) {
95 DEBUG ((DEBUG_ERROR
, "%a:%a: failed to allocate HttpsCaCerts\n",
96 gEfiCallerBaseName
, __FUNCTION__
));
100 QemuFwCfgSelectItem (HttpsCaCertsItem
);
101 QemuFwCfgReadBytes (HttpsCaCertsSize
, HttpsCaCerts
);
103 Status
= gRT
->SetVariable (
104 EFI_TLS_CA_CERTIFICATE_VARIABLE
, // VariableName
105 &gEfiTlsCaCertificateGuid
, // VendorGuid
106 EFI_VARIABLE_BOOTSERVICE_ACCESS
, // Attributes
107 HttpsCaCertsSize
, // DataSize
110 if (EFI_ERROR (Status
)) {
111 DEBUG ((DEBUG_ERROR
, "%a:%a: failed to set %g:\"%s\": %r\n",
112 gEfiCallerBaseName
, __FUNCTION__
, &gEfiTlsCaCertificateGuid
,
113 EFI_TLS_CA_CERTIFICATE_VARIABLE
, Status
));
114 goto FreeHttpsCaCerts
;
117 DEBUG ((DEBUG_VERBOSE
, "%a:%a: stored CA cert list (%Lu byte(s))\n",
118 gEfiCallerBaseName
, __FUNCTION__
, (UINT64
)HttpsCaCertsSize
));
121 FreePool (HttpsCaCerts
);
132 return RETURN_SUCCESS
;