Measure TCG required variable.\r
\r
Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.<BR>\r
-This program and the accompanying materials\r
-are licensed and made available under the terms and conditions of the BSD License\r
-which accompanies this distribution. The full text of the license may be found at\r
-http://opensource.org/licenses/bsd-license.php\r
-\r
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include <Library/BaseLib.h>\r
#include <Library/TpmMeasurementLib.h>\r
\r
+#include "PrivilegePolymorphic.h"\r
+\r
typedef struct {\r
- CHAR16 *VariableName;\r
- EFI_GUID *VendorGuid;\r
+ CHAR16 *VariableName;\r
+ EFI_GUID *VendorGuid;\r
} VARIABLE_TYPE;\r
\r
VARIABLE_TYPE mVariableType[] = {\r
- {EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid},\r
- {EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid},\r
- {EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid},\r
- {EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid},\r
- {EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid},\r
- {EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid},\r
+ { EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid },\r
+ { EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid },\r
+ { EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid },\r
+ { EFI_IMAGE_SECURITY_DATABASE, &gEfiImageSecurityDatabaseGuid },\r
+ { EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid },\r
+ { EFI_IMAGE_SECURITY_DATABASE2, &gEfiImageSecurityDatabaseGuid },\r
};\r
\r
//\r
// "SecureBoot" may update following PK Del/Add\r
// Cache its value to detect value update\r
//\r
-UINT8 *mSecureBootVarData = NULL;\r
-UINTN mSecureBootVarDataSize = 0;\r
+UINT8 *mSecureBootVarData = NULL;\r
+UINTN mSecureBootVarDataSize = 0;\r
\r
/**\r
This function will return if this variable is SecureBootPolicy Variable.\r
**/\r
BOOLEAN\r
IsSecureBootPolicyVariable (\r
- IN CHAR16 *VariableName,\r
- IN EFI_GUID *VendorGuid\r
+ IN CHAR16 *VariableName,\r
+ IN EFI_GUID *VendorGuid\r
)\r
{\r
- UINTN Index;\r
+ UINTN Index;\r
\r
- for (Index = 0; Index < sizeof(mVariableType)/sizeof(mVariableType[0]); Index++) {\r
+ for (Index = 0; Index < sizeof (mVariableType)/sizeof (mVariableType[0]); Index++) {\r
if ((StrCmp (VariableName, mVariableType[Index].VariableName) == 0) &&\r
- (CompareGuid (VendorGuid, mVariableType[Index].VendorGuid))) {\r
+ (CompareGuid (VendorGuid, mVariableType[Index].VendorGuid)))\r
+ {\r
return TRUE;\r
}\r
}\r
+\r
return FALSE;\r
}\r
\r
EFI_STATUS\r
EFIAPI\r
MeasureVariable (\r
- IN CHAR16 *VarName,\r
- IN EFI_GUID *VendorGuid,\r
- IN VOID *VarData,\r
- IN UINTN VarSize\r
+ IN CHAR16 *VarName,\r
+ IN EFI_GUID *VendorGuid,\r
+ IN VOID *VarData,\r
+ IN UINTN VarSize\r
)\r
{\r
- EFI_STATUS Status;\r
- UINTN VarNameLength;\r
- UEFI_VARIABLE_DATA *VarLog;\r
- UINT32 VarLogSize;\r
+ EFI_STATUS Status;\r
+ UINTN VarNameLength;\r
+ UEFI_VARIABLE_DATA *VarLog;\r
+ UINT32 VarLogSize;\r
\r
ASSERT ((VarSize == 0 && VarData == NULL) || (VarSize != 0 && VarData != NULL));\r
\r
- VarNameLength = StrLen (VarName);\r
- VarLogSize = (UINT32)(sizeof (*VarLog) + VarNameLength * sizeof (*VarName) + VarSize\r
- - sizeof (VarLog->UnicodeName) - sizeof (VarLog->VariableData));\r
+ VarNameLength = StrLen (VarName);\r
+ VarLogSize = (UINT32)(sizeof (*VarLog) + VarNameLength * sizeof (*VarName) + VarSize\r
+ - sizeof (VarLog->UnicodeName) - sizeof (VarLog->VariableData));\r
\r
- VarLog = (UEFI_VARIABLE_DATA *) AllocateZeroPool (VarLogSize);\r
+ VarLog = (UEFI_VARIABLE_DATA *)AllocateZeroPool (VarLogSize);\r
if (VarLog == NULL) {\r
return EFI_OUT_OF_RESOURCES;\r
}\r
\r
- CopyMem (&VarLog->VariableName, VendorGuid, sizeof(VarLog->VariableName));\r
+ CopyMem (&VarLog->VariableName, VendorGuid, sizeof (VarLog->VariableName));\r
VarLog->UnicodeNameLength = VarNameLength;\r
VarLog->VariableDataLength = VarSize;\r
CopyMem (\r
- VarLog->UnicodeName,\r
- VarName,\r
- VarNameLength * sizeof (*VarName)\r
- );\r
+ VarLog->UnicodeName,\r
+ VarName,\r
+ VarNameLength * sizeof (*VarName)\r
+ );\r
if (VarSize != 0) {\r
CopyMem (\r
- (CHAR16 *)VarLog->UnicodeName + VarNameLength,\r
- VarData,\r
- VarSize\r
- );\r
+ (CHAR16 *)VarLog->UnicodeName + VarNameLength,\r
+ VarData,\r
+ VarSize\r
+ );\r
}\r
\r
- DEBUG ((EFI_D_INFO, "AuthVariableDxe: MeasureVariable (Pcr - %x, EventType - %x, ", (UINTN)7, (UINTN)EV_EFI_VARIABLE_AUTHORITY));\r
- DEBUG ((EFI_D_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, VendorGuid));\r
+ DEBUG ((DEBUG_INFO, "VariableDxe: MeasureVariable (Pcr - %x, EventType - %x, ", (UINTN)7, (UINTN)EV_EFI_VARIABLE_DRIVER_CONFIG));\r
+ DEBUG ((DEBUG_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, VendorGuid));\r
\r
Status = TpmMeasureAndLogData (\r
7,\r
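Review bot: In MeasureVariable the `(UINT32)` cast on the `VarLogSize` sum can truncate when `VarSize` or the name length is large, so `AllocateZeroPool` would return a buffer smaller than what the following `CopyMem` calls write. Nothing visible in this hunk bounds `VarSize`, though callers may. I would compute the total in a UINTN local first (named `TotalSize` here for illustration, ideally built with SafeIntLib's checked add and multiply) and reject oversize input before the cast, e.g. `if (TotalSize > MAX_UINT32) { return EFI_INVALID_PARAMETER; }`. The `VarSize`/`VarData` consistency check is only an `ASSERT`, which is normally compiled out of release builds, so a real early return would be safer before `VarData` is passed to `CopyMem`. The debug line now prints `EV_EFI_VARIABLE_DRIVER_CONFIG`, but the `TpmMeasureAndLogData` call continues outside the hunk, so please confirm the event type passed there matches.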
BufferSize = 0;\r
*Value = NULL;\r
if (Size != NULL) {\r
- *Size = 0;\r
+ *Size = 0;\r
}\r
\r
- Status = gRT->GetVariable ((CHAR16 *) Name, (EFI_GUID *) Guid, NULL, &BufferSize, *Value);\r
+ Status = gRT->GetVariable ((CHAR16 *)Name, (EFI_GUID *)Guid, NULL, &BufferSize, *Value);\r
if (Status != EFI_BUFFER_TOO_SMALL) {\r
return Status;\r
}\r
//\r
// Get the variable data.\r
//\r
- Status = gRT->GetVariable ((CHAR16 *) Name, (EFI_GUID *) Guid, NULL, &BufferSize, *Value);\r
+ Status = gRT->GetVariable ((CHAR16 *)Name, (EFI_GUID *)Guid, NULL, &BufferSize, *Value);\r
if (EFI_ERROR (Status)) {\r
- FreePool(*Value);\r
+ FreePool (*Value);\r
*Value = NULL;\r
}\r
\r
VOID\r
EFIAPI\r
SecureBootHook (\r
- IN CHAR16 *VariableName,\r
- IN EFI_GUID *VendorGuid\r
+ IN CHAR16 *VariableName,\r
+ IN EFI_GUID *VendorGuid\r
)\r
{\r
- EFI_STATUS Status;\r
- UINTN VariableDataSize;\r
- VOID *VariableData;\r
+ EFI_STATUS Status;\r
+ UINTN VariableDataSize;\r
+ VOID *VariableData;\r
\r
if (!IsSecureBootPolicyVariable (VariableName, VendorGuid)) {\r
- return ;\r
+ return;\r
}\r
\r
//\r
//\r
// Measure DBT only if present and not empty\r
//\r
- if (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0 &&\r
- CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid)) {\r
- DEBUG((DEBUG_INFO, "Skip measuring variable %s since it's deleted\n", EFI_IMAGE_SECURITY_DATABASE2));\r
+ if ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0) &&\r
+ CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid))\r
+ {\r
+ DEBUG ((DEBUG_INFO, "Skip measuring variable %s since it's deleted\n", EFI_IMAGE_SECURITY_DATABASE2));\r
return;\r
} else {\r
VariableData = NULL;\r
VariableData,\r
VariableDataSize\r
);\r
- DEBUG ((EFI_D_INFO, "MeasureBootPolicyVariable - %r\n", Status));\r
+ DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));\r
\r
if (VariableData != NULL) {\r
FreePool (VariableData);\r
// "SecureBoot" is 8bit & read-only. It can only be changed according to PK update\r
//\r
if ((StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0) &&\r
- CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)) {\r
- Status = InternalGetVariable (\r
- EFI_SECURE_BOOT_MODE_NAME,\r
- &gEfiGlobalVariableGuid,\r
- &VariableData,\r
- &VariableDataSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- return;\r
- }\r
-\r
- //\r
- // If PK update is successful. "SecureBoot" shall always exist ever since variable write service is ready\r
- //\r
- ASSERT(mSecureBootVarData != NULL);\r
-\r
- if (CompareMem(mSecureBootVarData, VariableData, VariableDataSize) != 0) {\r
- FreePool(mSecureBootVarData);\r
- mSecureBootVarData = VariableData;\r
- mSecureBootVarDataSize = VariableDataSize;\r
-\r
- DEBUG((DEBUG_INFO, "%s variable updated according to PK change. Remeasure the value!\n", EFI_SECURE_BOOT_MODE_NAME));\r
- Status = MeasureVariable (\r
- EFI_SECURE_BOOT_MODE_NAME,\r
- &gEfiGlobalVariableGuid,\r
- mSecureBootVarData,\r
- mSecureBootVarDataSize\r
- );\r
- DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));\r
- } else {\r
- //\r
- // "SecureBoot" variable is not changed\r
- //\r
- FreePool(VariableData);\r
- }\r
+ CompareGuid (VendorGuid, &gEfiGlobalVariableGuid))\r
+ {\r
+ Status = InternalGetVariable (\r
+ EFI_SECURE_BOOT_MODE_NAME,\r
+ &gEfiGlobalVariableGuid,\r
+ &VariableData,\r
+ &VariableDataSize\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ return;\r
+ }\r
+\r
+ //\r
+ // If PK update is successful. "SecureBoot" shall always exist ever since variable write service is ready\r
+ //\r
+ ASSERT (mSecureBootVarData != NULL);\r
+\r
+ if (CompareMem (mSecureBootVarData, VariableData, VariableDataSize) != 0) {\r
+ FreePool (mSecureBootVarData);\r
+ mSecureBootVarData = VariableData;\r
+ mSecureBootVarDataSize = VariableDataSize;\r
+\r
+ DEBUG ((DEBUG_INFO, "%s variable updated according to PK change. Remeasure the value!\n", EFI_SECURE_BOOT_MODE_NAME));\r
+ Status = MeasureVariable (\r
+ EFI_SECURE_BOOT_MODE_NAME,\r
+ &gEfiGlobalVariableGuid,\r
+ mSecureBootVarData,\r
+ mSecureBootVarDataSize\r
+ );\r
+ DEBUG ((DEBUG_INFO, "MeasureBootPolicyVariable - %r\n", Status));\r
+ } else {\r
+ //\r
+ // "SecureBoot" variable is not changed\r
+ //\r
+ FreePool (VariableData);\r
+ }\r
}\r
\r
- return ;\r
+ return;\r
}\r
\r
/**\r
**/\r
VOID\r
EFIAPI\r
-RecordSecureBootPolicyVarData(\r
+RecordSecureBootPolicyVarData (\r
VOID\r
)\r
{\r
- EFI_STATUS Status;\r
+ EFI_STATUS Status;\r
\r
//\r
// Record initial "SecureBoot" variable value.\r
(VOID **)&mSecureBootVarData,\r
&mSecureBootVarDataSize\r
);\r
- if (EFI_ERROR(Status)) {\r
+ if (EFI_ERROR (Status)) {\r
//\r
// Read could fail when Auth Variable solution is not supported\r
//\r
- DEBUG((DEBUG_INFO, "RecordSecureBootPolicyVarData GetVariable %s Status %x\n", EFI_SECURE_BOOT_MODE_NAME, Status));\r
+ DEBUG ((DEBUG_INFO, "RecordSecureBootPolicyVarData GetVariable %s Status %x\n", EFI_SECURE_BOOT_MODE_NAME, Status));\r
}\r
}\r