include/efiauthenticated.h

   1 // SPDX-License-Identifier: BSD-2-Clause-Patent
   2
   3 #ifndef SHIM_EFIAUTHENTICATED_H
   4 #define SHIM_EFIAUTHENTICATED_H
   5
   6 #include "wincert.h"
   7
   8 /***********************************************************************
   9  * Signature Database
  10  ***********************************************************************/
  11 /*
  12  * The format of a signature database.
  13  */
  14 #pragma pack(1)
  15
  16 typedef struct {
  17         /*
  18          * An identifier which identifies the agent which added the signature to
  19          * the list.
  20          */
  21         EFI_GUID SignatureOwner;
  22         /*
  23          * The format of the signature is defined by the SignatureType.
  24          */
  25         UINT8 SignatureData[1];
  26 } EFI_SIGNATURE_DATA;
  27
  28 typedef struct {
  29         /*
  30          * Type of the signature. GUID signature types are defined below.
  31          */
  32         EFI_GUID SignatureType;
  33         /*
  34          * Total size of the signature list, including this header.
  35          */
  36         UINT32 SignatureListSize;
  37         /*
  38          * Size of the signature header which precedes the array of signatures.
  39          */
  40         UINT32 SignatureHeaderSize;
  41         /*
  42          * Size of each signature.
  43          */
  44         UINT32 SignatureSize;
  45         /*
  46          * Header before the array of signatures. The format of this header is
  47          * specified by the SignatureType.
  48          */
  49         //UINT8 SignatureHeader[SignatureHeaderSize];
  50         /*
  51          * An array of signatures. Each signature is SignatureSize bytes in length.
  52          */
  53         //EFI_SIGNATURE_DATA Signatures[][SignatureSize];
  54 } EFI_SIGNATURE_LIST;
  55
  56 #pragma pack()
  57
  58 /*
  59  * WIN_CERTIFICATE.wCertificateType
  60  */
  61 #define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
  62 #define WIN_CERT_TYPE_EFI_PKCS115      0x0EF0
  63 #define WIN_CERT_TYPE_EFI_GUID         0x0EF1
  64
  65 /*
  66  * WIN_CERTIFICATE_UEFI_GUID.CertData
  67  */
  68 typedef struct {
  69         EFI_GUID HashType;
  70         UINT8 PublicKey[256];
  71         UINT8 Signature[256];
  72 } EFI_CERT_BLOCK_RSA_2048_SHA256;
  73
  74 /*
  75  * Certificate which encapsulates a GUID-specific digital signature
  76  */
  77 typedef struct {
  78         /*
  79          * This is the standard WIN_CERTIFICATE header, where wCertificateType is
  80          * set to WIN_CERT_TYPE_UEFI_GUID.
  81          */
  82         WIN_CERTIFICATE Hdr;
  83         /*
  84          * This is the unique id which determines the format of the CertData.
  85          */
  86         EFI_GUID CertType;
  87         /*
  88          * The following is the certificate data. The format of the data is
  89          * determined by the CertType.  If CertType is
  90          * EFI_CERT_TYPE_RSA2048_SHA256_GUID, the CertData will be
  91          * EFI_CERT_BLOCK_RSA_2048_SHA256 structure.
  92          */
  93         UINT8 CertData[1];
  94 } WIN_CERTIFICATE_UEFI_GUID;
  95
  96 /*
  97  * Certificate which encapsulates the RSASSA_PKCS1-v1_5 digital signature.
  98  *
  99  * The WIN_CERTIFICATE_UEFI_PKCS1_15 structure is derived from
 100  * WIN_CERTIFICATE and encapsulate the information needed to implement the
 101  * RSASSA-PKCS1-v1_5 digital signature algorithm as specified in RFC2437.
 102  */
 103 typedef struct {
 104         /*
 105          * This is the standard WIN_CERTIFICATE header, where
 106          * wCertificateType is set to WIN_CERT_TYPE_UEFI_PKCS1_15.
 107          */
 108         WIN_CERTIFICATE Hdr;
 109         /*
 110          * This is the hashing algorithm which was performed on the UEFI
 111          * executable when creating the digital signature.
 112          */
 113         EFI_GUID HashAlgorithm;
 114         /*
 115          * The following is the actual digital signature. The size of the
 116          * signature is the same size as the key (1024-bit key is 128 bytes)
 117          * and can be determined by subtracting the length of the other parts
 118          * of this header from the total length of the certificate as found
 119          * in Hdr.dwLength.
 120          */
 121         //UINT8 Signature[];
 122 } WIN_CERTIFICATE_EFI_PKCS1_15;
 123
 124 /*
 125  * Attributes of Authenticated Variable
 126  */
 127 #define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS              0x00000010
 128 #define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS   0x00000020
 129 #define EFI_VARIABLE_APPEND_WRITE                            0x00000040
 130
 131 /*
 132  * AuthInfo is a WIN_CERTIFICATE using the wCertificateType
 133  * WIN_CERTIFICATE_UEFI_GUID and the CertType
 134  * EFI_CERT_TYPE_RSA2048_SHA256_GUID. If the attribute specifies
 135  * authenticated access, then the Data buffer should begin with an
 136  * authentication descriptor prior to the data payload and DataSize should
 137  * reflect the the data.and descriptor size. The caller shall digest the
 138  * Monotonic Count value and the associated data for the variable update
 139  * using the SHA-256 1-way hash algorithm.  The ensuing the 32-byte digest
 140  * will be signed using the private key associated w/ the public/private
 141  * 2048-bit RSA key-pair. The WIN_CERTIFICATE shall be used to describe the
 142  * signature of the Variable data *Data. In addition, the signature will also
 143  * include the MonotonicCount value to guard against replay attacks.
 144  */
 145 typedef struct {
 146         /*
 147          * Included in the signature of AuthInfo.Used to ensure freshness/no
 148          * replay. Incremented during each "Write" access.
 149          */
 150         UINT64 MonotonicCount;
 151         /*
 152          * Provides the authorization for the variable access. It is a
 153          * signature across the variable data and the  Monotonic Count value.
 154          * Caller uses Private key that is associated with a public key that
 155          * has been provisioned via the key exchange.
 156          */
 157         WIN_CERTIFICATE_UEFI_GUID AuthInfo;
 158 } EFI_VARIABLE_AUTHENTICATION;
 159
 160 /*
 161  * When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is
 162  * set, then the Data buffer shall begin with an instance of a complete (and
 163  * serialized) EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall
 164  * be followed by the new variable value and DataSize shall reflect the
 165  * combined size of the descriptor and the new variable value. The
 166  * authentication descriptor is not part of the variable data and is not
 167  * returned by subsequent calls to GetVariable().
 168  */
 169 typedef struct {
 170         /*
 171          * For the TimeStamp value, components Pad1, Nanosecond, TimeZone,
 172          * Daylight and Pad2 shall be set to 0. This means that the time
 173          * shall always be expressed in GMT.
 174          */
 175         EFI_TIME TimeStamp;
 176         /*
 177          * Only a CertType of  EFI_CERT_TYPE_PKCS7_GUID is accepted.
 178          */
 179         WIN_CERTIFICATE_UEFI_GUID AuthInfo;
 180 } EFI_VARIABLE_AUTHENTICATION_2;
 181
 182 /*
 183  * Size of AuthInfo prior to the data payload.
 184  */
 185 #define AUTHINFO_SIZE ((offsetof(EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
 186                        (offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
 187                        sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
 188
 189 #define AUTHINFO2_SIZE(VarAuth2) ((offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
 190                                   (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)
 191
 192 #define OFFSET_OF_AUTHINFO2_CERT_DATA ((offsetof(EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
 193                                        (offsetof(WIN_CERTIFICATE_UEFI_GUID, CertData)))
 194
 195 #endif /* SHIM_EFIAUTHENTICATED_H */