Update auth-variable and secure boot UI driver to support only time-based PK, KEK...
index 784afae93b6a3f29f0d0c2e18fc26884bfd58fff..a3b620f02a94bcffd2c77d4d08e6b6e4f57f22ca 100644 (file)
@@ -879,151 +879,49 @@ ProcessVarWithPk (
   )\r
 {\r
   EFI_STATUS                  Status;\r
-  VARIABLE_POINTER_TRACK      PkVariable;\r
-  EFI_SIGNATURE_LIST          *OldPkList;\r
-  EFI_SIGNATURE_DATA          *OldPkData;\r
-  EFI_VARIABLE_AUTHENTICATION *CertData;\r
-  BOOLEAN                     TimeBase;\r
   BOOLEAN                     Del;\r
   UINT8                       *Payload;\r
   UINTN                       PayloadSize;\r
-  UINT64                      MonotonicCount;\r
-  EFI_TIME                    *TimeStamp;\r
 \r
-  if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0) {\r
+  if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0 || \r
+      (Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {\r
     //\r
-    // PK and KEK should set EFI_VARIABLE_NON_VOLATILE attribute.\r
+    // PK and KEK should set EFI_VARIABLE_NON_VOLATILE attribute and should be a time-based\r
+    // authenticated variable.\r
     //\r
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
   if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {\r
-\r
-    if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
-      //\r
-      // EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute means time-based X509 Cert PK.\r
-      //\r
-      TimeBase = TRUE;\r
-    } else if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
-      //\r
-      // EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS attribute means counter-based RSA-2048 Cert PK.\r
-      //\r
-      TimeBase = FALSE;\r
-    } else {\r
-      return EFI_INVALID_PARAMETER;\r
-    }\r
-\r
-    if (TimeBase) {\r
-      //\r
-      // Verify against X509 Cert PK.\r
-      //\r
-      Del    = FALSE;\r
-      Status = VerifyTimeBasedPayload (\r
-                 VariableName,\r
-                 VendorGuid,\r
-                 Data,\r
-                 DataSize,\r
-                 Variable,\r
-                 Attributes,\r
-                 AuthVarTypePk,\r
-                 &Del\r
-                 );\r
-      if (!EFI_ERROR (Status)) {\r
-        //\r
-        // If delete PK in user mode, need change to setup mode.\r
-        //\r
-        if (Del && IsPk) {\r
-          Status = UpdatePlatformMode (SETUP_MODE);\r
-        }\r
-      }\r
-      return Status;\r
-    } else {\r
-      //\r
-      // Verify against RSA2048 Cert PK.\r
-      //\r
-      CertData = (EFI_VARIABLE_AUTHENTICATION *) Data;\r
-      if ((Variable->CurrPtr != NULL) && (CertData->MonotonicCount <= Variable->CurrPtr->MonotonicCount)) {\r
-        //\r
-        // Monotonic count check fail, suspicious replay attack, return EFI_SECURITY_VIOLATION.\r
-        //\r
-        return EFI_SECURITY_VIOLATION;\r
-      }\r
+    //\r
+    // Verify against X509 Cert PK.\r
+    //\r
+    Del    = FALSE;\r
+    Status = VerifyTimeBasedPayload (\r
+               VariableName,\r
+               VendorGuid,\r
+               Data,\r
+               DataSize,\r
+               Variable,\r
+               Attributes,\r
+               AuthVarTypePk,\r
+               &Del\r
+               );\r
+    if (!EFI_ERROR (Status)) {\r
       //\r
-      // Get platform key from variable.\r
+      // If delete PK in user mode, need change to setup mode.\r
       //\r
-      Status = FindVariable (\r
-                 EFI_PLATFORM_KEY_NAME,\r
-                 &gEfiGlobalVariableGuid,\r
-                 &PkVariable,\r
-                 &mVariableModuleGlobal->VariableGlobal,\r
-                 FALSE\r
-                 );\r
-      ASSERT_EFI_ERROR (Status);\r
-\r
-      OldPkList = (EFI_SIGNATURE_LIST *) GetVariableDataPtr (PkVariable.CurrPtr);\r
-      OldPkData = (EFI_SIGNATURE_DATA *) ((UINT8 *) OldPkList + sizeof (EFI_SIGNATURE_LIST) + OldPkList->SignatureHeaderSize);\r
-      Status    = VerifyCounterBasedPayload (Data, DataSize, OldPkData->SignatureData);\r
-      if (!EFI_ERROR (Status)) {\r
-        Status = CheckSignatureListFormat(\r
-                   VariableName,\r
-                   VendorGuid,\r
-                   (UINT8*)Data + AUTHINFO_SIZE,\r
-                   DataSize - AUTHINFO_SIZE);\r
-        if (EFI_ERROR (Status)) {\r
-          return Status;\r
-        }\r
-        \r
-        Status = UpdateVariable (\r
-                   VariableName,\r
-                   VendorGuid,\r
-                   (UINT8*)Data + AUTHINFO_SIZE,\r
-                   DataSize - AUTHINFO_SIZE,\r
-                   Attributes,\r
-                   0,\r
-                   CertData->MonotonicCount,\r
-                   Variable,\r
-                   NULL\r
-                   );\r
-\r
-        if (!EFI_ERROR (Status)) {\r
-          //\r
-          // If delete PK in user mode, need change to setup mode.\r
-          //\r
-          if ((DataSize == AUTHINFO_SIZE) && IsPk) {\r
-            Status = UpdatePlatformMode (SETUP_MODE);\r
-          }\r
-        }\r
+      if (Del && IsPk) {\r
+        Status = UpdatePlatformMode (SETUP_MODE);\r
       }\r
     }\r
+    return Status;\r
   } else {\r
     //\r
     // Process PK or KEK in Setup mode or Custom Secure Boot mode.\r
     //\r
-    if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
-      //\r
-      // Time-based Authentication descriptor.\r
-      //\r
-      MonotonicCount = 0;\r
-      TimeStamp = &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp;\r
-      Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);\r
-      PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
-    } else if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
-      //\r
-      // Counter-based Authentication descriptor.\r
-      //\r
-      MonotonicCount = ((EFI_VARIABLE_AUTHENTICATION *) Data)->MonotonicCount;\r
-      TimeStamp = NULL;\r
-      Payload = (UINT8*) Data + AUTHINFO_SIZE;\r
-      PayloadSize = DataSize - AUTHINFO_SIZE;\r
-    } else {\r
-      //\r
-      // No Authentication descriptor.\r
-      //\r
-      MonotonicCount = 0;\r
-      TimeStamp = NULL;\r
-      Payload = Data;\r
-      PayloadSize = DataSize;\r
-    }\r
+    Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);\r
+    PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
 \r
     Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload, PayloadSize);\r
     if (EFI_ERROR (Status)) {\r
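Review bot: The setup/custom-mode branch at L177–L178 derives `PayloadSize = DataSize - AUTHINFO2_SIZE (Data)` from a length field read out of the caller-supplied descriptor, with no local check that DataSize actually covers that descriptor; since PayloadSize is UINTN, an undersized DataSize wraps to a huge value before CheckSignatureListFormat sees it, and unlike the user-mode branch this path never goes through VerifyTimeBasedPayload. Unless the caller is known to validate the descriptor length first, a guard placed before the Payload assignment, `if (DataSize < OFFSET_OF_AUTHINFO2_CERT_DATA || DataSize < AUTHINFO2_SIZE (Data)) { return EFI_INVALID_PARAMETER; }`, closes it. The same pattern appears in ProcessVarWithKek in the hunk starting `@@ -1088,148` (its L357–L358). ProcessVarWithPk's signature precedes this hunk and its tail after CheckSignatureListFormat follows it.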
@@ -1037,9 +935,9 @@ ProcessVarWithPk (
                PayloadSize,\r
                Attributes,\r
                0,\r
-               MonotonicCount,\r
+               0,\r
                Variable,\r
-               TimeStamp\r
+               &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp\r
                );\r
 \r
     if (IsPk) {\r
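Review bot: The TimeStamp argument at L190 is an inline cast expression buried in UpdateVariable's argument list, and the identical expression is repeated in ProcessVarWithKek in the hunk starting `@@ -1238,9`; keeping a local assigned next to Payload/PayloadSize, `TimeStamp = &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp;`, and passing `TimeStamp` here would read more easily and leave one place to comment its purpose. The UpdateVariable call begins before this hunk.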
@@ -1088,148 +986,39 @@ ProcessVarWithKek (
   )\r
 {\r
   EFI_STATUS                      Status;\r
-  VARIABLE_POINTER_TRACK          KekVariable;\r
-  EFI_SIGNATURE_LIST              *KekList;\r
-  EFI_SIGNATURE_DATA              *KekItem;\r
-  UINT32                          KekCount;\r
-  EFI_VARIABLE_AUTHENTICATION     *CertData;\r
-  EFI_CERT_BLOCK_RSA_2048_SHA256  *CertBlock;\r
-  BOOLEAN                         IsFound;\r
-  UINT32                          Index;\r
-  UINT32                          KekDataSize;\r
   UINT8                           *Payload;\r
   UINTN                           PayloadSize;\r
-  UINT64                          MonotonicCount;\r
-  EFI_TIME                        *TimeStamp;\r
 \r
-  if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0) {\r
+  if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0 ||\r
+      (Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {\r
     //\r
-    // DB and DBX should set EFI_VARIABLE_NON_VOLATILE attribute.\r
+    // DB and DBX should set EFI_VARIABLE_NON_VOLATILE attribute and should be a time-based\r
+    // authenticated variable.\r
     //\r
     return EFI_INVALID_PARAMETER;\r
   }\r
 \r
   Status = EFI_SUCCESS;\r
   if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {\r
-    if (((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) == 0) &&\r
-        ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0)){\r
-      //\r
-      // In user mode, should set EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or\r
-      // EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute.\r
-      //\r
-      return EFI_INVALID_PARAMETER;\r
-    }\r
-\r
-    if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
-      //\r
-      // Time-based, verify against X509 Cert KEK.\r
-      //\r
-      return VerifyTimeBasedPayload (\r
-               VariableName,\r
-               VendorGuid,\r
-               Data,\r
-               DataSize,\r
-               Variable,\r
-               Attributes,\r
-               AuthVarTypeKek,\r
-               NULL\r
-               );\r
-    } else if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
-      //\r
-      // Counter-based, verify against RSA2048 Cert KEK.\r
-      //\r
-      CertData  = (EFI_VARIABLE_AUTHENTICATION *) Data;\r
-      CertBlock = (EFI_CERT_BLOCK_RSA_2048_SHA256 *) (CertData->AuthInfo.CertData);\r
-      if ((Variable->CurrPtr != NULL) && (CertData->MonotonicCount <= Variable->CurrPtr->MonotonicCount)) {\r
-        //\r
-        // Monotonic count check fail, suspicious replay attack, return EFI_SECURITY_VIOLATION.\r
-        //\r
-        return EFI_SECURITY_VIOLATION;\r
-      }\r
-      //\r
-      // Get KEK database from variable.\r
-      //\r
-      Status = FindVariable (\r
-                 EFI_KEY_EXCHANGE_KEY_NAME,\r
-                 &gEfiGlobalVariableGuid,\r
-                 &KekVariable,\r
-                 &mVariableModuleGlobal->VariableGlobal,\r
-                 FALSE\r
-                 );\r
-      ASSERT_EFI_ERROR (Status);\r
-\r
-      KekDataSize = KekVariable.CurrPtr->DataSize;\r
-      KekList     = (EFI_SIGNATURE_LIST *) GetVariableDataPtr (KekVariable.CurrPtr);\r
-\r
-      //\r
-      // Enumerate all Kek items in this list to verify the variable certificate data.\r
-      // If anyone is authenticated successfully, it means the variable is correct!\r
-      //\r
-      IsFound   = FALSE;\r
-      while ((KekDataSize > 0) && (KekDataSize >= KekList->SignatureListSize)) {\r
-        if (CompareGuid (&KekList->SignatureType, &gEfiCertRsa2048Guid)) {\r
-          KekItem   = (EFI_SIGNATURE_DATA *) ((UINT8 *) KekList + sizeof (EFI_SIGNATURE_LIST) + KekList->SignatureHeaderSize);\r
-          KekCount  = (KekList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - KekList->SignatureHeaderSize) / KekList->SignatureSize;\r
-          for (Index = 0; Index < KekCount; Index++) {\r
-            if (CompareMem (KekItem->SignatureData, CertBlock->PublicKey, EFI_CERT_TYPE_RSA2048_SIZE) == 0) {\r
-              IsFound = TRUE;\r
-              break;\r
-            }\r
-            KekItem = (EFI_SIGNATURE_DATA *) ((UINT8 *) KekItem + KekList->SignatureSize);\r
-          }\r
-        }\r
-        KekDataSize -= KekList->SignatureListSize;\r
-        KekList = (EFI_SIGNATURE_LIST *) ((UINT8 *) KekList + KekList->SignatureListSize);\r
-      }\r
-\r
-      if (!IsFound) {\r
-        return EFI_SECURITY_VIOLATION;\r
-      }\r
-\r
-      Status = VerifyCounterBasedPayload (Data, DataSize, CertBlock->PublicKey);\r
-      if (!EFI_ERROR (Status)) {\r
-        Status = UpdateVariable (\r
-                   VariableName,\r
-                   VendorGuid,\r
-                   (UINT8*)Data + AUTHINFO_SIZE,\r
-                   DataSize - AUTHINFO_SIZE,\r
-                   Attributes,\r
-                   0,\r
-                   CertData->MonotonicCount,\r
-                   Variable,\r
-                   NULL\r
-                   );\r
-      }\r
-    }\r
+    //\r
+    // Time-based, verify against X509 Cert KEK.\r
+    //\r
+    return VerifyTimeBasedPayload (\r
+             VariableName,\r
+             VendorGuid,\r
+             Data,\r
+             DataSize,\r
+             Variable,\r
+             Attributes,\r
+             AuthVarTypeKek,\r
+             NULL\r
+             );\r
   } else {\r
     //\r
     // If in setup mode or custom secure boot mode, no authentication needed.\r
     //\r
-    if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
-      //\r
-      // Time-based Authentication descriptor.\r
-      //\r
-      MonotonicCount = 0;\r
-      TimeStamp = &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp;\r
-      Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);\r
-      PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
-    } else if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
-      //\r
-      // Counter-based Authentication descriptor.\r
-      //\r
-      MonotonicCount = ((EFI_VARIABLE_AUTHENTICATION *) Data)->MonotonicCount;\r
-      TimeStamp = NULL;\r
-      Payload = (UINT8*) Data + AUTHINFO_SIZE;\r
-      PayloadSize = DataSize - AUTHINFO_SIZE;\r
-    } else {\r
-      //\r
-      // No Authentication descriptor.\r
-      //\r
-      MonotonicCount = 0;\r
-      TimeStamp = NULL;\r
-      Payload = Data;\r
-      PayloadSize = DataSize;\r
-    }\r
+    Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);\r
+    PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
 \r
     Status = UpdateVariable (\r
                VariableName,\r
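Review bot: With the new shape of this function, `Status = EFI_SUCCESS;` at L223 has become a dead store: the user-mode branch returns VerifyTimeBasedPayload's result directly at L318, and the other branch overwrites Status from UpdateVariable at L360. Either drop the initialisation, or, if a single exit was intended, write the user-mode branch as `Status = VerifyTimeBasedPayload (...)` and let both branches fall through to the common tail. A short comment on the rejection at L213–L214 noting that counter-based (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) writes to DB/DBX are now refused outright would help readers of the removed code's history. ProcessVarWithKek continues past the end of this hunk.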
@@ -1238,9 +1027,9 @@ ProcessVarWithKek (
                PayloadSize,\r
                Attributes,\r
                0,\r
-               MonotonicCount,\r
+               0,\r
                Variable,\r
-               TimeStamp\r
+               &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp\r
                );\r
   }\r
 \r