1 // SPDX-License-Identifier: BSD-2-Clause-Patent
3 #ifndef SHIM_EFIAUTHENTICATED_H
4 #define SHIM_EFIAUTHENTICATED_H
8 /***********************************************************************
10 ***********************************************************************/
12 * The format of a signature database.
18 * An identifier which identifies the agent which added the signature to
21 EFI_GUID SignatureOwner
;
23 * The format of the signature is defined by the SignatureType.
25 UINT8 SignatureData
[1];
30 * Type of the signature. GUID signature types are defined below.
32 EFI_GUID SignatureType
;
34 * Total size of the signature list, including this header.
36 UINT32 SignatureListSize
;
38 * Size of the signature header which precedes the array of signatures.
40 UINT32 SignatureHeaderSize
;
42 * Size of each signature.
46 * Header before the array of signatures. The format of this header is
47 * specified by the SignatureType.
49 //UINT8 SignatureHeader[SignatureHeaderSize];
51 * An array of signatures. Each signature is SignatureSize bytes in length.
53 //EFI_SIGNATURE_DATA Signatures[][SignatureSize];
59 * WIN_CERTIFICATE.wCertificateType
61 #define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
62 #define WIN_CERT_TYPE_EFI_PKCS115 0x0EF0
63 #define WIN_CERT_TYPE_EFI_GUID 0x0EF1
66 * WIN_CERTIFICATE_UEFI_GUID.CertData
72 } EFI_CERT_BLOCK_RSA_2048_SHA256
;
75 * Certificate which encapsulates a GUID-specific digital signature
79 * This is the standard WIN_CERTIFICATE header, where wCertificateType is
80 * set to WIN_CERT_TYPE_UEFI_GUID.
84 * This is the unique id which determines the format of the CertData.
88 * The following is the certificate data. The format of the data is
89 * determined by the CertType. If CertType is
90 * EFI_CERT_TYPE_RSA2048_SHA256_GUID, the CertData will be
91 * EFI_CERT_BLOCK_RSA_2048_SHA256 structure.
94 } WIN_CERTIFICATE_UEFI_GUID
;
97 * Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature.
99 * The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from
100 * WIN_CERTIFICATE and encapsulate the information needed to implement the
101 * RSASSA-PKCS1-v1_5 digital signature algorithm as specified in RFC2437.
105 * This is the standard WIN_CERTIFICATE header, where
106 * wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15.
110 * This is the hashing algorithm which was performed on the UEFI
111 * executable when creating the digital signature.
113 EFI_GUID HashAlgorithm
;
115 * The following is the actual digital signature. The size of the
116 * signature is the same size as the key (1024-bit key is 128 bytes)
117 * and can be determined by subtracting the length of the other parts
118 * of this header from the total length of the certificate as found
122 } WIN_CERTIFICATE_EFI_PKCS1_15
;
125 * Attributes of Authenticated Variable
127 #define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010
128 #define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020
129 #define EFI_VARIABLE_APPEND_WRITE 0x00000040
132 * AuthInfo is a WIN_CERTIFICATE using the wCertificateType
133 * WIN_CERTIFICATE_UEFI_GUID and the CertType
134 * EFI_CERT_TYPE_RSA2048_SHA256_GUID. If the attribute specifies
135 * authenticated access, then the Data buffer should begin with an
136 * authentication descriptor prior to the data payload and DataSize should
137 * reflect the the data.and descriptor size. The caller shall digest the
138 * Monotonic Count value and the associated data for the variable update
139 * using the SHA-256 1-way hash algorithm. The ensuing the 32-byte digest
140 * will be signed using the private key associated w/ the public/private
141 * 2048-bit RSA key-pair. The WIN_CERTIFICATE shall be used to describe the
142 * signature of the Variable data *Data. In addition, the signature will also
143 * include the MonotonicCount value to guard against replay attacks.
147 * Included in the signature of AuthInfo.Used to ensure freshness/no
148 * replay. Incremented during each "Write" access.
150 UINT64 MonotonicCount
;
152 * Provides the authorization for the variable access. It is a
153 * signature across the variable data and the Monotonic Count value.
154 * Caller uses Private key that is associated with a public key that
155 * has been provisioned via the key exchange.
157 WIN_CERTIFICATE_UEFI_GUID AuthInfo
;
158 } EFI_VARIABLE_AUTHENTICATION
;
161 * When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is
162 * set, then the Data buffer shall begin with an instance of a complete (and
163 * serialized) EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall
164 * be followed by the new variable value and DataSize shall reflect the
165 * combined size of the descriptor and the new variable value. The
166 * authentication descriptor is not part of the variable data and is not
167 * returned by subsequent calls to GetVariable().
171 * For the TimeStamp value, components Pad1, Nanosecond, TimeZone,
172 * Daylight and Pad2 shall be set to 0. This means that the time
173 * shall always be expressed in GMT.
177 * Only a CertType of EFI_CERT_TYPE_PKCS7_GUID is accepted.
179 WIN_CERTIFICATE_UEFI_GUID AuthInfo
;
180 } EFI_VARIABLE_AUTHENTICATION_2
;
183 * Size of AuthInfo prior to the data payload.
185 #define AUTHINFO_SIZE ((offsetof(EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
186 (offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
187 sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
189 #define AUTHINFO2_SIZE(VarAuth2) ((offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
190 (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)
192 #define OFFSET_OF_AUTHINFO2_CERT_DATA ((offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
193 (offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData)))
195 #endif /* SHIM_EFIAUTHENTICATED_H */