[mirror_edk2.git] / MdePkg / Include / Guid / ImageAuthentication.h

/** @file\r
  Image signature database are defined for the signed image validation.\r
\r
  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
  @par Revision Reference:\r
  GUIDs defined in UEFI 2.5 spec.\r
**/\r
\r
#ifndef __IMAGE_AUTHTICATION_H__\r
#define __IMAGE_AUTHTICATION_H__\r
\r
#include <Guid/GlobalVariable.h>\r
#include <Protocol/Hash.h>\r
\r
#define EFI_IMAGE_SECURITY_DATABASE_GUID \\r
  { \\r
    0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f } \\r
  }\r
\r
///\r
/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID\r
/// for the authorized signature database.\r
///\r
#define EFI_IMAGE_SECURITY_DATABASE  L"db"\r
///\r
/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID\r
/// for the forbidden signature database.\r
///\r
#define EFI_IMAGE_SECURITY_DATABASE1  L"dbx"\r
///\r
/// Variable name with guid EFI_IMAGE_SECURITY_DATABASE_GUID\r
/// for the timestamp signature database.\r
///\r
#define EFI_IMAGE_SECURITY_DATABASE2  L"dbt"\r
\r
#define SECURE_BOOT_MODE_ENABLE   1\r
#define SECURE_BOOT_MODE_DISABLE  0\r
\r
#define SETUP_MODE  1\r
#define USER_MODE   0\r
\r
// ***********************************************************************\r
// Signature Database\r
// ***********************************************************************\r
///\r
/// The format of a signature database.\r
///\r
#pragma pack(1)\r
\r
typedef struct {\r
  ///\r
  /// An identifier which identifies the agent which added the signature to the list.\r
  ///\r
  EFI_GUID    SignatureOwner;\r
  ///\r
  /// The format of the signature is defined by the SignatureType.\r
  ///\r
  UINT8       SignatureData[1];\r
} EFI_SIGNATURE_DATA;\r
\r
typedef struct {\r
  ///\r
  /// Type of the signature. GUID signature types are defined in below.\r
  ///\r
  EFI_GUID    SignatureType;\r
  ///\r
  /// Total size of the signature list, including this header.\r
  ///\r
  UINT32      SignatureListSize;\r
  ///\r
  /// Size of the signature header which precedes the array of signatures.\r
  ///\r
  UINT32      SignatureHeaderSize;\r
  ///\r
  /// Size of each signature.\r
  ///\r
  UINT32      SignatureSize;\r
  ///\r
  /// Header before the array of signatures. The format of this header is specified\r
  /// by the SignatureType.\r
  /// UINT8           SignatureHeader[SignatureHeaderSize];\r
  ///\r
  /// An array of signatures. Each signature is SignatureSize bytes in length.\r
  /// EFI_SIGNATURE_DATA Signatures[][SignatureSize];\r
  ///\r
} EFI_SIGNATURE_LIST;\r
\r
typedef struct {\r
  ///\r
  /// The SHA256 hash of an X.509 certificate's To-Be-Signed contents.\r
  ///\r
  EFI_SHA256_HASH    ToBeSignedHash;\r
  ///\r
  /// The time that the certificate shall be considered to be revoked.\r
  ///\r
  EFI_TIME           TimeOfRevocation;\r
} EFI_CERT_X509_SHA256;\r
\r
typedef struct {\r
  ///\r
  /// The SHA384 hash of an X.509 certificate's To-Be-Signed contents.\r
  ///\r
  EFI_SHA384_HASH    ToBeSignedHash;\r
  ///\r
  /// The time that the certificate shall be considered to be revoked.\r
  ///\r
  EFI_TIME           TimeOfRevocation;\r
} EFI_CERT_X509_SHA384;\r
\r
typedef struct {\r
  ///\r
  /// The SHA512 hash of an X.509 certificate's To-Be-Signed contents.\r
  ///\r
  EFI_SHA512_HASH    ToBeSignedHash;\r
  ///\r
  /// The time that the certificate shall be considered to be revoked.\r
  ///\r
  EFI_TIME           TimeOfRevocation;\r
} EFI_CERT_X509_SHA512;\r
\r
#pragma pack()\r
\r
///\r
/// This identifies a signature containing a SHA-256 hash. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
/// 32 bytes.\r
///\r
#define EFI_CERT_SHA256_GUID \\r
  { \\r
    0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28} \\r
  }\r
\r
///\r
/// This identifies a signature containing an RSA-2048 key. The key (only the modulus\r
/// since the public key exponent is known to be 0x10001) shall be stored in big-endian\r
/// order.\r
/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size\r
/// of SignatureOwner component) + 256 bytes.\r
///\r
#define EFI_CERT_RSA2048_GUID \\r
  { \\r
    0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \\r
  }\r
\r
///\r
/// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash.  The\r
/// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of\r
/// SignatureOwner component) + 256 bytes.\r
///\r
#define EFI_CERT_RSA2048_SHA256_GUID \\r
  { \\r
    0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84} \\r
  }\r
\r
///\r
/// This identifies a signature containing a SHA-1 hash.  The SignatureSize shall always\r
/// be 16 (size of SignatureOwner component) + 20 bytes.\r
///\r
#define EFI_CERT_SHA1_GUID \\r
  { \\r
    0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd} \\r
  }\r
\r
///\r
/// TThis identifies a signature containing a RSA-2048 signature of a SHA-1 hash.  The\r
/// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of\r
/// SignatureOwner component) + 256 bytes.\r
///\r
#define EFI_CERT_RSA2048_SHA1_GUID \\r
  { \\r
    0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80} \\r
  }\r
\r
///\r
/// This identifies a signature based on an X.509 certificate. If the signature is an X.509\r
/// certificate then verification of the signature of an image should validate the public\r
/// key certificate in the image using certificate path verification, up to this X.509\r
/// certificate as a trusted root.  The SignatureHeader size shall always be 0. The\r
/// SignatureSize may vary but shall always be 16 (size of the SignatureOwner component) +\r
/// the size of the certificate itself.\r
/// Note: This means that each certificate will normally be in a separate EFI_SIGNATURE_LIST.\r
///\r
#define EFI_CERT_X509_GUID \\r
  { \\r
    0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \\r
  }\r
\r
///\r
/// This identifies a signature containing a SHA-224 hash. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
/// 28 bytes.\r
///\r
#define EFI_CERT_SHA224_GUID \\r
  { \\r
    0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} \\r
  }\r
\r
///\r
/// This identifies a signature containing a SHA-384 hash. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
/// 48 bytes.\r
///\r
#define EFI_CERT_SHA384_GUID \\r
  { \\r
    0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} \\r
  }\r
\r
///\r
/// This identifies a signature containing a SHA-512 hash. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
/// 64 bytes.\r
///\r
#define EFI_CERT_SHA512_GUID \\r
  { \\r
    0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} \\r
  }\r
\r
///\r
/// This identifies a signature containing the SHA256 hash of an X.509 certificate's\r
/// To-Be-Signed contents, and a time of revocation. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)\r
/// + 48 bytes for an EFI_CERT_X509_SHA256 structure. If the TimeOfRevocation is non-zero,\r
/// the certificate should be considered to be revoked from that time and onwards, and\r
/// otherwise the certificate shall be considered to always be revoked.\r
///\r
#define EFI_CERT_X509_SHA256_GUID \\r
  { \\r
    0x3bd2a492, 0x96c0, 0x4079, {0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed } \\r
  }\r
\r
///\r
/// This identifies a signature containing the SHA384 hash of an X.509 certificate's\r
/// To-Be-Signed contents, and a time of revocation. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)\r
/// + 64 bytes for an EFI_CERT_X509_SHA384 structure. If the TimeOfRevocation is non-zero,\r
/// the certificate should be considered to be revoked from that time and onwards, and\r
/// otherwise the certificate shall be considered to always be revoked.\r
///\r
#define EFI_CERT_X509_SHA384_GUID \\r
  { \\r
    0x7076876e, 0x80c2, 0x4ee6, {0xaa, 0xd2, 0x28, 0xb3, 0x49, 0xa6, 0x86, 0x5b } \\r
  }\r
\r
///\r
/// This identifies a signature containing the SHA512 hash of an X.509 certificate's\r
/// To-Be-Signed contents, and a time of revocation. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)\r
/// + 80 bytes for an EFI_CERT_X509_SHA512 structure. If the TimeOfRevocation is non-zero,\r
/// the certificate should be considered to be revoked from that time and onwards, and\r
/// otherwise the certificate shall be considered to always be revoked.\r
///\r
#define EFI_CERT_X509_SHA512_GUID \\r
  { \\r
    0x446dbf63, 0x2502, 0x4cda, {0xbc, 0xfa, 0x24, 0x65, 0xd2, 0xb0, 0xfe, 0x9d } \\r
  }\r
\r
///\r
/// This identifies a signature containing a DER-encoded PKCS #7 version 1.5 [RFC2315]\r
/// SignedData value.\r
///\r
#define EFI_CERT_TYPE_PKCS7_GUID \\r
  { \\r
    0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \\r
  }\r
\r
// ***********************************************************************\r
// Image Execution Information Table Definition\r
// ***********************************************************************\r
typedef UINT32 EFI_IMAGE_EXECUTION_ACTION;\r
\r
#define EFI_IMAGE_EXECUTION_AUTHENTICATION      0x00000007\r
#define EFI_IMAGE_EXECUTION_AUTH_UNTESTED       0x00000000\r
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001\r
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002\r
#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND  0x00000003\r
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND      0x00000004\r
#define EFI_IMAGE_EXECUTION_POLICY_FAILED       0x00000005\r
#define EFI_IMAGE_EXECUTION_INITIALIZED         0x00000008\r
\r
//\r
// EFI_IMAGE_EXECUTION_INFO is added to EFI System Configuration Table\r
// and assigned the GUID EFI_IMAGE_SECURITY_DATABASE_GUID.\r
//\r
typedef struct {\r
  ///\r
  /// Describes the action taken by the firmware regarding this image.\r
  ///\r
  EFI_IMAGE_EXECUTION_ACTION    Action;\r
  ///\r
  /// Size of all of the entire structure.\r
  ///\r
  UINT32                        InfoSize;\r
  ///\r
  /// If this image was a UEFI device driver (for option ROM, for example) this is the\r
  /// null-terminated, user-friendly name for the device. If the image was for an application,\r
  /// then this is the name of the application. If this cannot be determined, then a simple\r
  /// NULL character should be put in this position.\r
  /// CHAR16                    Name[];\r
  ///\r
\r
  ///\r
  /// For device drivers, this is the device path of the device for which this device driver\r
  /// was intended. In some cases, the driver itself may be stored as part of the system\r
  /// firmware, but this field should record the device's path, not the firmware path. For\r
  /// applications, this is the device path of the application. If this cannot be determined,\r
  /// a simple end-of-path device node should be put in this position.\r
  /// EFI_DEVICE_PATH_PROTOCOL  DevicePath;\r
  ///\r
\r
  ///\r
  /// Zero or more image signatures. If the image contained no signatures,\r
  /// then this field is empty.\r
  /// EFI_SIGNATURE_LIST            Signature;\r
  ///\r
} EFI_IMAGE_EXECUTION_INFO;\r
\r
typedef struct {\r
  ///\r
  /// Number of EFI_IMAGE_EXECUTION_INFO structures.\r
  ///\r
  UINTN    NumberOfImages;\r
  ///\r
  /// Number of image instances of EFI_IMAGE_EXECUTION_INFO structures.\r
  ///\r
  // EFI_IMAGE_EXECUTION_INFO  InformationInfo[]\r
} EFI_IMAGE_EXECUTION_INFO_TABLE;\r
\r
extern EFI_GUID  gEfiImageSecurityDatabaseGuid;\r
extern EFI_GUID  gEfiCertSha256Guid;\r
extern EFI_GUID  gEfiCertRsa2048Guid;\r
extern EFI_GUID  gEfiCertRsa2048Sha256Guid;\r
extern EFI_GUID  gEfiCertSha1Guid;\r
extern EFI_GUID  gEfiCertRsa2048Sha1Guid;\r
extern EFI_GUID  gEfiCertX509Guid;\r
extern EFI_GUID  gEfiCertSha224Guid;\r
extern EFI_GUID  gEfiCertSha384Guid;\r
extern EFI_GUID  gEfiCertSha512Guid;\r
extern EFI_GUID  gEfiCertX509Sha256Guid;\r
extern EFI_GUID  gEfiCertX509Sha384Guid;\r
extern EFI_GUID  gEfiCertX509Sha512Guid;\r
extern EFI_GUID  gEfiCertPkcs7Guid;\r
\r
#endif\r
Commit	Line	Data
bd86cb02	1	/** @file\r
6675a21f	2	Image signature database are defined for the signed image validation.\r
bd86cb02	3	\r
9095d37b	4	Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
9344f092	5	SPDX-License-Identifier: BSD-2-Clause-Patent\r
bd86cb02 LG	6	\r
bd86cb02 LG	7	@par Revision Reference:\r
686f0c7b	8	GUIDs defined in UEFI 2.5 spec.\r
bd86cb02 LG	9	**/\r
	10	\r
	11	#ifndef __IMAGE_AUTHTICATION_H__\r
	12	#define __IMAGE_AUTHTICATION_H__\r
	13	\r
	14	#include <Guid/GlobalVariable.h>\r
20333c6d	15	#include <Protocol/Hash.h>\r
bd86cb02 LG	16	\r
	17	#define EFI_IMAGE_SECURITY_DATABASE_GUID \\r
	18	{ \\r
	19	0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f } \\r
	20	}\r
	21	\r
	22	///\r
20333c6d	23	/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID\r
bd86cb02 LG	24	/// for the authorized signature database.\r
bd86cb02 LG	25	///\r
2f88bd3a	26	#define EFI_IMAGE_SECURITY_DATABASE L"db"\r
bd86cb02	27	///\r
20333c6d	28	/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID\r
bd86cb02 LG	29	/// for the forbidden signature database.\r
bd86cb02 LG	30	///\r
2f88bd3a	31	#define EFI_IMAGE_SECURITY_DATABASE1 L"dbx"\r
20333c6d QL	32	///\r
	33	/// Variable name with guid EFI_IMAGE_SECURITY_DATABASE_GUID\r
	34	/// for the timestamp signature database.\r
	35	///\r
2f88bd3a	36	#define EFI_IMAGE_SECURITY_DATABASE2 L"dbt"\r
6675a21f	37	\r
2f88bd3a MK	38	#define SECURE_BOOT_MODE_ENABLE 1\r
2f88bd3a MK	39	#define SECURE_BOOT_MODE_DISABLE 0\r
4b11f72e	40	\r
2f88bd3a MK	41	#define SETUP_MODE 1\r
2f88bd3a MK	42	#define USER_MODE 0\r
ab0eecec	43	\r
2f88bd3a	44	// ***********************************************************************\r
bd86cb02	45	// Signature Database\r
2f88bd3a	46	// ***********************************************************************\r
bd86cb02	47	///\r
20333c6d	48	/// The format of a signature database.\r
bd86cb02 LG	49	///\r
	50	#pragma pack(1)\r
	51	\r
	52	typedef struct {\r
	53	///\r
	54	/// An identifier which identifies the agent which added the signature to the list.\r
	55	///\r
2f88bd3a	56	EFI_GUID SignatureOwner;\r
bd86cb02 LG	57	///\r
	58	/// The format of the signature is defined by the SignatureType.\r
	59	///\r
2f88bd3a	60	UINT8 SignatureData[1];\r
bd86cb02 LG	61	} EFI_SIGNATURE_DATA;\r
	62	\r
	63	typedef struct {\r
	64	///\r
	65	/// Type of the signature. GUID signature types are defined in below.\r
	66	///\r
2f88bd3a	67	EFI_GUID SignatureType;\r
bd86cb02 LG	68	///\r
	69	/// Total size of the signature list, including this header.\r
	70	///\r
2f88bd3a	71	UINT32 SignatureListSize;\r
bd86cb02 LG	72	///\r
	73	/// Size of the signature header which precedes the array of signatures.\r
	74	///\r
2f88bd3a	75	UINT32 SignatureHeaderSize;\r
bd86cb02 LG	76	///\r
	77	/// Size of each signature.\r
	78	///\r
2f88bd3a	79	UINT32 SignatureSize;\r
bd86cb02	80	///\r
20333c6d	81	/// Header before the array of signatures. The format of this header is specified\r
bd86cb02 LG	82	/// by the SignatureType.\r
	83	/// UINT8 SignatureHeader[SignatureHeaderSize];\r
	84	///\r
20333c6d	85	/// An array of signatures. Each signature is SignatureSize bytes in length.\r
bd86cb02 LG	86	/// EFI_SIGNATURE_DATA Signatures[][SignatureSize];\r
	87	///\r
	88	} EFI_SIGNATURE_LIST;\r
	89	\r
20333c6d QL	90	typedef struct {\r
	91	///\r
	92	/// The SHA256 hash of an X.509 certificate's To-Be-Signed contents.\r
	93	///\r
2f88bd3a	94	EFI_SHA256_HASH ToBeSignedHash;\r
20333c6d QL	95	///\r
	96	/// The time that the certificate shall be considered to be revoked.\r
	97	///\r
2f88bd3a	98	EFI_TIME TimeOfRevocation;\r
20333c6d QL	99	} EFI_CERT_X509_SHA256;\r
	100	\r
	101	typedef struct {\r
	102	///\r
	103	/// The SHA384 hash of an X.509 certificate's To-Be-Signed contents.\r
	104	///\r
2f88bd3a	105	EFI_SHA384_HASH ToBeSignedHash;\r
20333c6d QL	106	///\r
	107	/// The time that the certificate shall be considered to be revoked.\r
	108	///\r
2f88bd3a	109	EFI_TIME TimeOfRevocation;\r
20333c6d QL	110	} EFI_CERT_X509_SHA384;\r
	111	\r
	112	typedef struct {\r
	113	///\r
	114	/// The SHA512 hash of an X.509 certificate's To-Be-Signed contents.\r
	115	///\r
2f88bd3a	116	EFI_SHA512_HASH ToBeSignedHash;\r
20333c6d QL	117	///\r
	118	/// The time that the certificate shall be considered to be revoked.\r
	119	///\r
2f88bd3a	120	EFI_TIME TimeOfRevocation;\r
20333c6d QL	121	} EFI_CERT_X509_SHA512;\r
20333c6d QL	122	\r
bd86cb02 LG	123	#pragma pack()\r
	124	\r
	125	///\r
f704fc85	126	/// This identifies a signature containing a SHA-256 hash. The SignatureHeader size shall\r
	127	/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
	128	/// 32 bytes.\r
bd86cb02 LG	129	///\r
	130	#define EFI_CERT_SHA256_GUID \\r
	131	{ \\r
	132	0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28} \\r
	133	}\r
	134	\r
	135	///\r
f704fc85	136	/// This identifies a signature containing an RSA-2048 key. The key (only the modulus\r
	137	/// since the public key exponent is known to be 0x10001) shall be stored in big-endian\r
	138	/// order.\r
20333c6d	139	/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size\r
6048a5b0	140	/// of SignatureOwner component) + 256 bytes.\r
bd86cb02 LG	141	///\r
	142	#define EFI_CERT_RSA2048_GUID \\r
	143	{ \\r
	144	0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \\r
	145	}\r
	146	\r
	147	///\r
20333c6d QL	148	/// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash. The\r
20333c6d QL	149	/// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of\r
6048a5b0	150	/// SignatureOwner component) + 256 bytes.\r
bd86cb02 LG	151	///\r
	152	#define EFI_CERT_RSA2048_SHA256_GUID \\r
	153	{ \\r
	154	0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84} \\r
	155	}\r
	156	\r
	157	///\r
f704fc85	158	/// This identifies a signature containing a SHA-1 hash. The SignatureSize shall always\r
6048a5b0	159	/// be 16 (size of SignatureOwner component) + 20 bytes.\r
bd86cb02 LG	160	///\r
	161	#define EFI_CERT_SHA1_GUID \\r
	162	{ \\r
	163	0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd} \\r
	164	}\r
	165	\r
	166	///\r
20333c6d QL	167	/// TThis identifies a signature containing a RSA-2048 signature of a SHA-1 hash. The\r
20333c6d QL	168	/// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of\r
6048a5b0	169	/// SignatureOwner component) + 256 bytes.\r
bd86cb02 LG	170	///\r
	171	#define EFI_CERT_RSA2048_SHA1_GUID \\r
	172	{ \\r
	173	0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80} \\r
	174	}\r
	175	\r
	176	///\r
f704fc85	177	/// This identifies a signature based on an X.509 certificate. If the signature is an X.509\r
20333c6d QL	178	/// certificate then verification of the signature of an image should validate the public\r
20333c6d QL	179	/// key certificate in the image using certificate path verification, up to this X.509\r
f704fc85	180	/// certificate as a trusted root. The SignatureHeader size shall always be 0. The\r
20333c6d QL	181	/// SignatureSize may vary but shall always be 16 (size of the SignatureOwner component) +\r
20333c6d QL	182	/// the size of the certificate itself.\r
f704fc85	183	/// Note: This means that each certificate will normally be in a separate EFI_SIGNATURE_LIST.\r
bd86cb02	184	///\r
f704fc85	185	#define EFI_CERT_X509_GUID \\r
bd86cb02 LG	186	{ \\r
	187	0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \\r
	188	}\r
	189	\r
f704fc85	190	///\r
	191	/// This identifies a signature containing a SHA-224 hash. The SignatureHeader size shall\r
	192	/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
	193	/// 28 bytes.\r
	194	///\r
	195	#define EFI_CERT_SHA224_GUID \\r
	196	{ \\r
	197	0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} \\r
	198	}\r
	199	\r
	200	///\r
	201	/// This identifies a signature containing a SHA-384 hash. The SignatureHeader size shall\r
	202	/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
	203	/// 48 bytes.\r
	204	///\r
	205	#define EFI_CERT_SHA384_GUID \\r
	206	{ \\r
	207	0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} \\r
20333c6d	208	}\r
f704fc85	209	\r
	210	///\r
	211	/// This identifies a signature containing a SHA-512 hash. The SignatureHeader size shall\r
	212	/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
	213	/// 64 bytes.\r
	214	///\r
	215	#define EFI_CERT_SHA512_GUID \\r
	216	{ \\r
	217	0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} \\r
	218	}\r
ab0eecec	219	\r
20333c6d QL	220	///\r
	221	/// This identifies a signature containing the SHA256 hash of an X.509 certificate's\r
	222	/// To-Be-Signed contents, and a time of revocation. The SignatureHeader size shall\r
	223	/// always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)\r
	224	/// + 48 bytes for an EFI_CERT_X509_SHA256 structure. If the TimeOfRevocation is non-zero,\r
	225	/// the certificate should be considered to be revoked from that time and onwards, and\r
	226	/// otherwise the certificate shall be considered to always be revoked.\r
	227	///\r
	228	#define EFI_CERT_X509_SHA256_GUID \\r
	229	{ \\r
	230	0x3bd2a492, 0x96c0, 0x4079, {0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed } \\r
	231	}\r
	232	\r
	233	///\r
	234	/// This identifies a signature containing the SHA384 hash of an X.509 certificate's\r
	235	/// To-Be-Signed contents, and a time of revocation. The SignatureHeader size shall\r
	236	/// always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)\r
	237	/// + 64 bytes for an EFI_CERT_X509_SHA384 structure. If the TimeOfRevocation is non-zero,\r
	238	/// the certificate should be considered to be revoked from that time and onwards, and\r
	239	/// otherwise the certificate shall be considered to always be revoked.\r
	240	///\r
	241	#define EFI_CERT_X509_SHA384_GUID \\r
	242	{ \\r
	243	0x7076876e, 0x80c2, 0x4ee6, {0xaa, 0xd2, 0x28, 0xb3, 0x49, 0xa6, 0x86, 0x5b } \\r
	244	}\r
	245	\r
	246	///\r
	247	/// This identifies a signature containing the SHA512 hash of an X.509 certificate's\r
	248	/// To-Be-Signed contents, and a time of revocation. The SignatureHeader size shall\r
	249	/// always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)\r
	250	/// + 80 bytes for an EFI_CERT_X509_SHA512 structure. If the TimeOfRevocation is non-zero,\r
	251	/// the certificate should be considered to be revoked from that time and onwards, and\r
	252	/// otherwise the certificate shall be considered to always be revoked.\r
	253	///\r
	254	#define EFI_CERT_X509_SHA512_GUID \\r
	255	{ \\r
	256	0x446dbf63, 0x2502, 0x4cda, {0xbc, 0xfa, 0x24, 0x65, 0xd2, 0xb0, 0xfe, 0x9d } \\r
	257	}\r
	258	\r
ab0eecec	259	///\r
	260	/// This identifies a signature containing a DER-encoded PKCS #7 version 1.5 [RFC2315]\r
	261	/// SignedData value.\r
	262	///\r
	263	#define EFI_CERT_TYPE_PKCS7_GUID \\r
	264	{ \\r
	265	0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \\r
	266	}\r
20333c6d	267	\r
2f88bd3a	268	// ***********************************************************************\r
bd86cb02	269	// Image Execution Information Table Definition\r
2f88bd3a	270	// ***********************************************************************\r
bd86cb02 LG	271	typedef UINT32 EFI_IMAGE_EXECUTION_ACTION;\r
bd86cb02 LG	272	\r
20333c6d	273	#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007\r
3f275826 LG	274	#define EFI_IMAGE_EXECUTION_AUTH_UNTESTED 0x00000000\r
	275	#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001\r
	276	#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002\r
	277	#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003\r
	278	#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004\r
	279	#define EFI_IMAGE_EXECUTION_POLICY_FAILED 0x00000005\r
	280	#define EFI_IMAGE_EXECUTION_INITIALIZED 0x00000008\r
bd86cb02 LG	281	\r
bd86cb02 LG	282	//\r
20333c6d	283	// EFI_IMAGE_EXECUTION_INFO is added to EFI System Configuration Table\r
bd86cb02 LG	284	// and assigned the GUID EFI_IMAGE_SECURITY_DATABASE_GUID.\r
	285	//\r
	286	typedef struct {\r
	287	///\r
	288	/// Describes the action taken by the firmware regarding this image.\r
	289	///\r
60bd4ccd	290	EFI_IMAGE_EXECUTION_ACTION Action;\r
bd86cb02 LG	291	///\r
	292	/// Size of all of the entire structure.\r
	293	///\r
	294	UINT32 InfoSize;\r
	295	///\r
20333c6d QL	296	/// If this image was a UEFI device driver (for option ROM, for example) this is the\r
	297	/// null-terminated, user-friendly name for the device. If the image was for an application,\r
	298	/// then this is the name of the application. If this cannot be determined, then a simple\r
bd86cb02 LG	299	/// NULL character should be put in this position.\r
	300	/// CHAR16 Name[];\r
	301	///\r
	302	\r
	303	///\r
20333c6d QL	304	/// For device drivers, this is the device path of the device for which this device driver\r
	305	/// was intended. In some cases, the driver itself may be stored as part of the system\r
	306	/// firmware, but this field should record the device's path, not the firmware path. For\r
	307	/// applications, this is the device path of the application. If this cannot be determined,\r
bd86cb02 LG	308	/// a simple end-of-path device node should be put in this position.\r
	309	/// EFI_DEVICE_PATH_PROTOCOL DevicePath;\r
	310	///\r
	311	\r
bd86cb02	312	///\r
20333c6d	313	/// Zero or more image signatures. If the image contained no signatures,\r
bd86cb02	314	/// then this field is empty.\r
686f0c7b	315	/// EFI_SIGNATURE_LIST Signature;\r
9095d37b	316	///\r
bd86cb02 LG	317	} EFI_IMAGE_EXECUTION_INFO;\r
bd86cb02 LG	318	\r
a1e98f78 LG	319	typedef struct {\r
	320	///\r
	321	/// Number of EFI_IMAGE_EXECUTION_INFO structures.\r
	322	///\r
2f88bd3a	323	UINTN NumberOfImages;\r
a1e98f78 LG	324	///\r
	325	/// Number of image instances of EFI_IMAGE_EXECUTION_INFO structures.\r
	326	///\r
20333c6d	327	// EFI_IMAGE_EXECUTION_INFO InformationInfo[]\r
a1e98f78 LG	328	} EFI_IMAGE_EXECUTION_INFO_TABLE;\r
a1e98f78 LG	329	\r
2f88bd3a MK	330	extern EFI_GUID gEfiImageSecurityDatabaseGuid;\r
	331	extern EFI_GUID gEfiCertSha256Guid;\r
	332	extern EFI_GUID gEfiCertRsa2048Guid;\r
	333	extern EFI_GUID gEfiCertRsa2048Sha256Guid;\r
	334	extern EFI_GUID gEfiCertSha1Guid;\r
	335	extern EFI_GUID gEfiCertRsa2048Sha1Guid;\r
	336	extern EFI_GUID gEfiCertX509Guid;\r
	337	extern EFI_GUID gEfiCertSha224Guid;\r
	338	extern EFI_GUID gEfiCertSha384Guid;\r
	339	extern EFI_GUID gEfiCertSha512Guid;\r
	340	extern EFI_GUID gEfiCertX509Sha256Guid;\r
	341	extern EFI_GUID gEfiCertX509Sha384Guid;\r
	342	extern EFI_GUID gEfiCertX509Sha512Guid;\r
	343	extern EFI_GUID gEfiCertPkcs7Guid;\r
bd86cb02	344	\r
543cc44e	345	#endif\r