[mirror_edk2.git] / MdePkg / Include / Guid / ImageAuthentication.h

/** @file\r
  Image signature database are defined for the signed image validation.\r
\r
  Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>\r
  This program and the accompanying materials\r
  are licensed and made available under the terms and conditions of the BSD License\r
  which accompanies this distribution.  The full text of the license may be found at\r
  http://opensource.org/licenses/bsd-license.php\r
\r
  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
  @par Revision Reference:\r
  GUIDs defined in UEFI 2.5 spec.\r
**/\r
\r
#ifndef __IMAGE_AUTHTICATION_H__\r
#define __IMAGE_AUTHTICATION_H__\r
\r
#include <Guid/GlobalVariable.h>\r
#include <Protocol/Hash.h>\r
\r
#define EFI_IMAGE_SECURITY_DATABASE_GUID \\r
  { \\r
    0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f } \\r
  }\r
\r
///\r
/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID\r
/// for the authorized signature database.\r
///\r
#define EFI_IMAGE_SECURITY_DATABASE       L"db"\r
///\r
/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID\r
/// for the forbidden signature database.\r
///\r
#define EFI_IMAGE_SECURITY_DATABASE1      L"dbx"\r
///\r
/// Variable name with guid EFI_IMAGE_SECURITY_DATABASE_GUID\r
/// for the timestamp signature database.\r
///\r
#define EFI_IMAGE_SECURITY_DATABASE2      L"dbt"\r
\r
#define SECURE_BOOT_MODE_ENABLE           1\r
#define SECURE_BOOT_MODE_DISABLE          0\r
///\r
/// Depricated value definition for SetupMode variable \r
///\r
#define SETUP_MODE                        1\r
#define USER_MODE                         0\r
///\r
/// Value definition for SetupMode/DeployedMode/AuditMode variable\r
///\r
#define SETUP_MODE_ENABLE                 1\r
#define SETUP_MODE_DISABLE                0\r
#define DEPLOYED_MODE_ENABLE              1\r
#define DEPLOYED_MODE_DISABLE             0\r
#define AUDIT_MODE_ENABLE                 1\r
#define AUDIT_MODE_DISABLE                0\r
\r
//***********************************************************************\r
// Signature Database\r
//***********************************************************************\r
///\r
/// The format of a signature database.\r
///\r
#pragma pack(1)\r
\r
typedef struct {\r
  ///\r
  /// An identifier which identifies the agent which added the signature to the list.\r
  ///\r
  EFI_GUID          SignatureOwner;\r
  ///\r
  /// The format of the signature is defined by the SignatureType.\r
  ///\r
  UINT8             SignatureData[1];\r
} EFI_SIGNATURE_DATA;\r
\r
typedef struct {\r
  ///\r
  /// Type of the signature. GUID signature types are defined in below.\r
  ///\r
  EFI_GUID            SignatureType;\r
  ///\r
  /// Total size of the signature list, including this header.\r
  ///\r
  UINT32              SignatureListSize;\r
  ///\r
  /// Size of the signature header which precedes the array of signatures.\r
  ///\r
  UINT32              SignatureHeaderSize;\r
  ///\r
  /// Size of each signature.\r
  ///\r
  UINT32              SignatureSize;\r
  ///\r
  /// Header before the array of signatures. The format of this header is specified\r
  /// by the SignatureType.\r
  /// UINT8           SignatureHeader[SignatureHeaderSize];\r
  ///\r
  /// An array of signatures. Each signature is SignatureSize bytes in length.\r
  /// EFI_SIGNATURE_DATA Signatures[][SignatureSize];\r
  ///\r
} EFI_SIGNATURE_LIST;\r
\r
typedef struct {\r
  ///\r
  /// The SHA256 hash of an X.509 certificate's To-Be-Signed contents.\r
  ///\r
  EFI_SHA256_HASH     ToBeSignedHash;\r
  ///\r
  /// The time that the certificate shall be considered to be revoked.\r
  ///\r
  EFI_TIME            TimeOfRevocation;\r
} EFI_CERT_X509_SHA256;\r
\r
typedef struct {\r
  ///\r
  /// The SHA384 hash of an X.509 certificate's To-Be-Signed contents.\r
  ///\r
  EFI_SHA384_HASH     ToBeSignedHash;\r
  ///\r
  /// The time that the certificate shall be considered to be revoked.\r
  ///\r
  EFI_TIME            TimeOfRevocation;\r
} EFI_CERT_X509_SHA384;\r
\r
typedef struct {\r
  ///\r
  /// The SHA512 hash of an X.509 certificate's To-Be-Signed contents.\r
  ///\r
  EFI_SHA512_HASH     ToBeSignedHash;\r
  ///\r
  /// The time that the certificate shall be considered to be revoked.\r
  ///\r
  EFI_TIME            TimeOfRevocation;\r
} EFI_CERT_X509_SHA512;\r
\r
#pragma pack()\r
\r
///\r
/// This identifies a signature containing a SHA-256 hash. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
/// 32 bytes.\r
///\r
#define EFI_CERT_SHA256_GUID \\r
  { \\r
    0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28} \\r
  }\r
\r
///\r
/// This identifies a signature containing an RSA-2048 key. The key (only the modulus\r
/// since the public key exponent is known to be 0x10001) shall be stored in big-endian\r
/// order.\r
/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size\r
/// of SignatureOwner component) + 256 bytes.\r
///\r
#define EFI_CERT_RSA2048_GUID \\r
  { \\r
    0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \\r
  }\r
\r
///\r
/// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash.  The\r
/// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of\r
/// SignatureOwner component) + 256 bytes.\r
///\r
#define EFI_CERT_RSA2048_SHA256_GUID \\r
  { \\r
    0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84} \\r
  }\r
\r
///\r
/// This identifies a signature containing a SHA-1 hash.  The SignatureSize shall always\r
/// be 16 (size of SignatureOwner component) + 20 bytes.\r
///\r
#define EFI_CERT_SHA1_GUID \\r
  { \\r
    0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd} \\r
  }\r
\r
///\r
/// TThis identifies a signature containing a RSA-2048 signature of a SHA-1 hash.  The\r
/// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of\r
/// SignatureOwner component) + 256 bytes.\r
///\r
#define EFI_CERT_RSA2048_SHA1_GUID \\r
  { \\r
    0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80} \\r
  }\r
\r
///\r
/// This identifies a signature based on an X.509 certificate. If the signature is an X.509\r
/// certificate then verification of the signature of an image should validate the public\r
/// key certificate in the image using certificate path verification, up to this X.509\r
/// certificate as a trusted root.  The SignatureHeader size shall always be 0. The\r
/// SignatureSize may vary but shall always be 16 (size of the SignatureOwner component) +\r
/// the size of the certificate itself.\r
/// Note: This means that each certificate will normally be in a separate EFI_SIGNATURE_LIST.\r
///\r
#define EFI_CERT_X509_GUID \\r
  { \\r
    0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \\r
  }\r
\r
///\r
/// This identifies a signature containing a SHA-224 hash. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
/// 28 bytes.\r
///\r
#define EFI_CERT_SHA224_GUID \\r
  { \\r
    0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} \\r
  }\r
\r
///\r
/// This identifies a signature containing a SHA-384 hash. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
/// 48 bytes.\r
///\r
#define EFI_CERT_SHA384_GUID \\r
  { \\r
    0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} \\r
  }\r
\r
///\r
/// This identifies a signature containing a SHA-512 hash. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
/// 64 bytes.\r
///\r
#define EFI_CERT_SHA512_GUID \\r
  { \\r
    0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} \\r
  }\r
\r
///\r
/// This identifies a signature containing the SHA256 hash of an X.509 certificate's\r
/// To-Be-Signed contents, and a time of revocation. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)\r
/// + 48 bytes for an EFI_CERT_X509_SHA256 structure. If the TimeOfRevocation is non-zero,\r
/// the certificate should be considered to be revoked from that time and onwards, and\r
/// otherwise the certificate shall be considered to always be revoked.\r
///\r
#define EFI_CERT_X509_SHA256_GUID \\r
  { \\r
    0x3bd2a492, 0x96c0, 0x4079, {0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed } \\r
  }\r
\r
///\r
/// This identifies a signature containing the SHA384 hash of an X.509 certificate's\r
/// To-Be-Signed contents, and a time of revocation. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)\r
/// + 64 bytes for an EFI_CERT_X509_SHA384 structure. If the TimeOfRevocation is non-zero,\r
/// the certificate should be considered to be revoked from that time and onwards, and\r
/// otherwise the certificate shall be considered to always be revoked.\r
///\r
#define EFI_CERT_X509_SHA384_GUID \\r
  { \\r
    0x7076876e, 0x80c2, 0x4ee6, {0xaa, 0xd2, 0x28, 0xb3, 0x49, 0xa6, 0x86, 0x5b } \\r
  }\r
\r
///\r
/// This identifies a signature containing the SHA512 hash of an X.509 certificate's\r
/// To-Be-Signed contents, and a time of revocation. The SignatureHeader size shall\r
/// always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)\r
/// + 80 bytes for an EFI_CERT_X509_SHA512 structure. If the TimeOfRevocation is non-zero,\r
/// the certificate should be considered to be revoked from that time and onwards, and\r
/// otherwise the certificate shall be considered to always be revoked.\r
///\r
#define EFI_CERT_X509_SHA512_GUID \\r
  { \\r
    0x446dbf63, 0x2502, 0x4cda, {0xbc, 0xfa, 0x24, 0x65, 0xd2, 0xb0, 0xfe, 0x9d } \\r
  }\r
\r
///\r
/// This identifies a signature containing a DER-encoded PKCS #7 version 1.5 [RFC2315]\r
/// SignedData value.\r
///\r
#define EFI_CERT_TYPE_PKCS7_GUID \\r
  { \\r
    0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \\r
  }\r
\r
//***********************************************************************\r
// Image Execution Information Table Definition\r
//***********************************************************************\r
typedef UINT32 EFI_IMAGE_EXECUTION_ACTION;\r
\r
#define EFI_IMAGE_EXECUTION_AUTHENTICATION      0x00000007\r
#define EFI_IMAGE_EXECUTION_AUTH_UNTESTED       0x00000000\r
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED     0x00000001\r
#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED     0x00000002\r
#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND  0x00000003\r
#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND      0x00000004\r
#define EFI_IMAGE_EXECUTION_POLICY_FAILED       0x00000005\r
#define EFI_IMAGE_EXECUTION_INITIALIZED         0x00000008\r
\r
//\r
// EFI_IMAGE_EXECUTION_INFO is added to EFI System Configuration Table\r
// and assigned the GUID EFI_IMAGE_SECURITY_DATABASE_GUID.\r
//\r
typedef struct {\r
  ///\r
  /// Describes the action taken by the firmware regarding this image.\r
  ///\r
  EFI_IMAGE_EXECUTION_ACTION    Action;\r
  ///\r
  /// Size of all of the entire structure.\r
  ///\r
  UINT32                        InfoSize;\r
  ///\r
  /// If this image was a UEFI device driver (for option ROM, for example) this is the\r
  /// null-terminated, user-friendly name for the device. If the image was for an application,\r
  /// then this is the name of the application. If this cannot be determined, then a simple\r
  /// NULL character should be put in this position.\r
  /// CHAR16                    Name[];\r
  ///\r
\r
  ///\r
  /// For device drivers, this is the device path of the device for which this device driver\r
  /// was intended. In some cases, the driver itself may be stored as part of the system\r
  /// firmware, but this field should record the device's path, not the firmware path. For\r
  /// applications, this is the device path of the application. If this cannot be determined,\r
  /// a simple end-of-path device node should be put in this position.\r
  /// EFI_DEVICE_PATH_PROTOCOL  DevicePath;\r
  ///\r
\r
  ///\r
  /// Zero or more image signatures. If the image contained no signatures,\r
  /// then this field is empty.\r
  /// EFI_SIGNATURE_LIST            Signature;\r
  /// \r
} EFI_IMAGE_EXECUTION_INFO;\r
\r
\r
typedef struct {\r
  ///\r
  /// Number of EFI_IMAGE_EXECUTION_INFO structures.\r
  ///\r
  UINTN                     NumberOfImages;\r
  ///\r
  /// Number of image instances of EFI_IMAGE_EXECUTION_INFO structures.\r
  ///\r
  // EFI_IMAGE_EXECUTION_INFO  InformationInfo[]\r
} EFI_IMAGE_EXECUTION_INFO_TABLE;\r
\r
extern EFI_GUID gEfiImageSecurityDatabaseGuid;\r
extern EFI_GUID gEfiCertSha256Guid;\r
extern EFI_GUID gEfiCertRsa2048Guid;\r
extern EFI_GUID gEfiCertRsa2048Sha256Guid;\r
extern EFI_GUID gEfiCertSha1Guid;\r
extern EFI_GUID gEfiCertRsa2048Sha1Guid;\r
extern EFI_GUID gEfiCertX509Guid;\r
extern EFI_GUID gEfiCertSha224Guid;\r
extern EFI_GUID gEfiCertSha384Guid;\r
extern EFI_GUID gEfiCertSha512Guid;\r
extern EFI_GUID gEfiCertX509Sha256Guid;\r
extern EFI_GUID gEfiCertX509Sha384Guid;\r
extern EFI_GUID gEfiCertX509Sha512Guid;\r
extern EFI_GUID gEfiCertPkcs7Guid;\r
\r
#endif\r
Commit	Line	Data
bd86cb02	1	/** @file\r
6675a21f	2	Image signature database are defined for the signed image validation.\r
bd86cb02	3	\r
686f0c7b	4	Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>\r
20333c6d QL	5	This program and the accompanying materials\r
	6	are licensed and made available under the terms and conditions of the BSD License\r
	7	which accompanies this distribution. The full text of the license may be found at\r
	8	http://opensource.org/licenses/bsd-license.php\r
bd86cb02	9	\r
20333c6d QL	10	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
20333c6d QL	11	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
bd86cb02 LG	12	\r
bd86cb02 LG	13	@par Revision Reference:\r
686f0c7b	14	GUIDs defined in UEFI 2.5 spec.\r
bd86cb02 LG	15	**/\r
	16	\r
	17	#ifndef __IMAGE_AUTHTICATION_H__\r
	18	#define __IMAGE_AUTHTICATION_H__\r
	19	\r
	20	#include <Guid/GlobalVariable.h>\r
20333c6d	21	#include <Protocol/Hash.h>\r
bd86cb02 LG	22	\r
	23	#define EFI_IMAGE_SECURITY_DATABASE_GUID \\r
	24	{ \\r
	25	0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f } \\r
	26	}\r
	27	\r
	28	///\r
20333c6d	29	/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID\r
bd86cb02 LG	30	/// for the authorized signature database.\r
	31	///\r
	32	#define EFI_IMAGE_SECURITY_DATABASE L"db"\r
	33	///\r
20333c6d	34	/// Varialbe name with guid EFI_IMAGE_SECURITY_DATABASE_GUID\r
bd86cb02 LG	35	/// for the forbidden signature database.\r
	36	///\r
	37	#define EFI_IMAGE_SECURITY_DATABASE1 L"dbx"\r
20333c6d QL	38	///\r
	39	/// Variable name with guid EFI_IMAGE_SECURITY_DATABASE_GUID\r
	40	/// for the timestamp signature database.\r
	41	///\r
	42	#define EFI_IMAGE_SECURITY_DATABASE2 L"dbt"\r
6675a21f	43	\r
ab0eecec	44	#define SECURE_BOOT_MODE_ENABLE 1\r
ab0eecec	45	#define SECURE_BOOT_MODE_DISABLE 0\r
faec4992 CZ	46	///\r
	47	/// Depricated value definition for SetupMode variable \r
	48	///\r
	49	#define SETUP_MODE 1\r
	50	#define USER_MODE 0\r
	51	///\r
	52	/// Value definition for SetupMode/DeployedMode/AuditMode variable\r
	53	///\r
79e7b647 CZ	54	#define SETUP_MODE_ENABLE 1\r
	55	#define SETUP_MODE_DISABLE 0\r
	56	#define DEPLOYED_MODE_ENABLE 1\r
	57	#define DEPLOYED_MODE_DISABLE 0\r
	58	#define AUDIT_MODE_ENABLE 1\r
	59	#define AUDIT_MODE_DISABLE 0\r
ab0eecec	60	\r
bd86cb02 LG	61	//***********************************************************************\r
	62	// Signature Database\r
	63	//***********************************************************************\r
	64	///\r
20333c6d	65	/// The format of a signature database.\r
bd86cb02 LG	66	///\r
	67	#pragma pack(1)\r
	68	\r
	69	typedef struct {\r
	70	///\r
	71	/// An identifier which identifies the agent which added the signature to the list.\r
	72	///\r
60bd4ccd	73	EFI_GUID SignatureOwner;\r
bd86cb02 LG	74	///\r
	75	/// The format of the signature is defined by the SignatureType.\r
	76	///\r
60bd4ccd	77	UINT8 SignatureData[1];\r
bd86cb02 LG	78	} EFI_SIGNATURE_DATA;\r
	79	\r
	80	typedef struct {\r
	81	///\r
	82	/// Type of the signature. GUID signature types are defined in below.\r
	83	///\r
60bd4ccd	84	EFI_GUID SignatureType;\r
bd86cb02 LG	85	///\r
	86	/// Total size of the signature list, including this header.\r
	87	///\r
60bd4ccd	88	UINT32 SignatureListSize;\r
bd86cb02 LG	89	///\r
	90	/// Size of the signature header which precedes the array of signatures.\r
	91	///\r
60bd4ccd	92	UINT32 SignatureHeaderSize;\r
bd86cb02 LG	93	///\r
	94	/// Size of each signature.\r
	95	///\r
20333c6d	96	UINT32 SignatureSize;\r
bd86cb02	97	///\r
20333c6d	98	/// Header before the array of signatures. The format of this header is specified\r
bd86cb02 LG	99	/// by the SignatureType.\r
	100	/// UINT8 SignatureHeader[SignatureHeaderSize];\r
	101	///\r
20333c6d	102	/// An array of signatures. Each signature is SignatureSize bytes in length.\r
bd86cb02 LG	103	/// EFI_SIGNATURE_DATA Signatures[][SignatureSize];\r
	104	///\r
	105	} EFI_SIGNATURE_LIST;\r
	106	\r
20333c6d QL	107	typedef struct {\r
	108	///\r
	109	/// The SHA256 hash of an X.509 certificate's To-Be-Signed contents.\r
	110	///\r
	111	EFI_SHA256_HASH ToBeSignedHash;\r
	112	///\r
	113	/// The time that the certificate shall be considered to be revoked.\r
	114	///\r
	115	EFI_TIME TimeOfRevocation;\r
	116	} EFI_CERT_X509_SHA256;\r
	117	\r
	118	typedef struct {\r
	119	///\r
	120	/// The SHA384 hash of an X.509 certificate's To-Be-Signed contents.\r
	121	///\r
	122	EFI_SHA384_HASH ToBeSignedHash;\r
	123	///\r
	124	/// The time that the certificate shall be considered to be revoked.\r
	125	///\r
	126	EFI_TIME TimeOfRevocation;\r
	127	} EFI_CERT_X509_SHA384;\r
	128	\r
	129	typedef struct {\r
	130	///\r
	131	/// The SHA512 hash of an X.509 certificate's To-Be-Signed contents.\r
	132	///\r
	133	EFI_SHA512_HASH ToBeSignedHash;\r
	134	///\r
	135	/// The time that the certificate shall be considered to be revoked.\r
	136	///\r
	137	EFI_TIME TimeOfRevocation;\r
	138	} EFI_CERT_X509_SHA512;\r
	139	\r
bd86cb02 LG	140	#pragma pack()\r
	141	\r
	142	///\r
f704fc85	143	/// This identifies a signature containing a SHA-256 hash. The SignatureHeader size shall\r
	144	/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
	145	/// 32 bytes.\r
bd86cb02 LG	146	///\r
	147	#define EFI_CERT_SHA256_GUID \\r
	148	{ \\r
	149	0xc1c41626, 0x504c, 0x4092, {0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28} \\r
	150	}\r
	151	\r
	152	///\r
f704fc85	153	/// This identifies a signature containing an RSA-2048 key. The key (only the modulus\r
	154	/// since the public key exponent is known to be 0x10001) shall be stored in big-endian\r
	155	/// order.\r
20333c6d	156	/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size\r
6048a5b0	157	/// of SignatureOwner component) + 256 bytes.\r
bd86cb02 LG	158	///\r
	159	#define EFI_CERT_RSA2048_GUID \\r
	160	{ \\r
	161	0x3c5766e8, 0x269c, 0x4e34, {0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6} \\r
	162	}\r
	163	\r
	164	///\r
20333c6d QL	165	/// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash. The\r
20333c6d QL	166	/// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of\r
6048a5b0	167	/// SignatureOwner component) + 256 bytes.\r
bd86cb02 LG	168	///\r
	169	#define EFI_CERT_RSA2048_SHA256_GUID \\r
	170	{ \\r
	171	0xe2b36190, 0x879b, 0x4a3d, {0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84} \\r
	172	}\r
	173	\r
	174	///\r
f704fc85	175	/// This identifies a signature containing a SHA-1 hash. The SignatureSize shall always\r
6048a5b0	176	/// be 16 (size of SignatureOwner component) + 20 bytes.\r
bd86cb02 LG	177	///\r
	178	#define EFI_CERT_SHA1_GUID \\r
	179	{ \\r
	180	0x826ca512, 0xcf10, 0x4ac9, {0xb1, 0x87, 0xbe, 0x1, 0x49, 0x66, 0x31, 0xbd} \\r
	181	}\r
	182	\r
	183	///\r
20333c6d QL	184	/// TThis identifies a signature containing a RSA-2048 signature of a SHA-1 hash. The\r
20333c6d QL	185	/// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of\r
6048a5b0	186	/// SignatureOwner component) + 256 bytes.\r
bd86cb02 LG	187	///\r
	188	#define EFI_CERT_RSA2048_SHA1_GUID \\r
	189	{ \\r
	190	0x67f8444f, 0x8743, 0x48f1, {0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80} \\r
	191	}\r
	192	\r
	193	///\r
f704fc85	194	/// This identifies a signature based on an X.509 certificate. If the signature is an X.509\r
20333c6d QL	195	/// certificate then verification of the signature of an image should validate the public\r
20333c6d QL	196	/// key certificate in the image using certificate path verification, up to this X.509\r
f704fc85	197	/// certificate as a trusted root. The SignatureHeader size shall always be 0. The\r
20333c6d QL	198	/// SignatureSize may vary but shall always be 16 (size of the SignatureOwner component) +\r
20333c6d QL	199	/// the size of the certificate itself.\r
f704fc85	200	/// Note: This means that each certificate will normally be in a separate EFI_SIGNATURE_LIST.\r
bd86cb02	201	///\r
f704fc85	202	#define EFI_CERT_X509_GUID \\r
bd86cb02 LG	203	{ \\r
	204	0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \\r
	205	}\r
	206	\r
f704fc85	207	///\r
	208	/// This identifies a signature containing a SHA-224 hash. The SignatureHeader size shall\r
	209	/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
	210	/// 28 bytes.\r
	211	///\r
	212	#define EFI_CERT_SHA224_GUID \\r
	213	{ \\r
	214	0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} \\r
	215	}\r
	216	\r
	217	///\r
	218	/// This identifies a signature containing a SHA-384 hash. The SignatureHeader size shall\r
	219	/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
	220	/// 48 bytes.\r
	221	///\r
	222	#define EFI_CERT_SHA384_GUID \\r
	223	{ \\r
	224	0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} \\r
20333c6d	225	}\r
f704fc85	226	\r
	227	///\r
	228	/// This identifies a signature containing a SHA-512 hash. The SignatureHeader size shall\r
	229	/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
	230	/// 64 bytes.\r
	231	///\r
	232	#define EFI_CERT_SHA512_GUID \\r
	233	{ \\r
	234	0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} \\r
	235	}\r
ab0eecec	236	\r
20333c6d QL	237	///\r
	238	/// This identifies a signature containing the SHA256 hash of an X.509 certificate's\r
	239	/// To-Be-Signed contents, and a time of revocation. The SignatureHeader size shall\r
	240	/// always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)\r
	241	/// + 48 bytes for an EFI_CERT_X509_SHA256 structure. If the TimeOfRevocation is non-zero,\r
	242	/// the certificate should be considered to be revoked from that time and onwards, and\r
	243	/// otherwise the certificate shall be considered to always be revoked.\r
	244	///\r
	245	#define EFI_CERT_X509_SHA256_GUID \\r
	246	{ \\r
	247	0x3bd2a492, 0x96c0, 0x4079, {0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed } \\r
	248	}\r
	249	\r
	250	///\r
	251	/// This identifies a signature containing the SHA384 hash of an X.509 certificate's\r
	252	/// To-Be-Signed contents, and a time of revocation. The SignatureHeader size shall\r
	253	/// always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)\r
	254	/// + 64 bytes for an EFI_CERT_X509_SHA384 structure. If the TimeOfRevocation is non-zero,\r
	255	/// the certificate should be considered to be revoked from that time and onwards, and\r
	256	/// otherwise the certificate shall be considered to always be revoked.\r
	257	///\r
	258	#define EFI_CERT_X509_SHA384_GUID \\r
	259	{ \\r
	260	0x7076876e, 0x80c2, 0x4ee6, {0xaa, 0xd2, 0x28, 0xb3, 0x49, 0xa6, 0x86, 0x5b } \\r
	261	}\r
	262	\r
	263	///\r
	264	/// This identifies a signature containing the SHA512 hash of an X.509 certificate's\r
	265	/// To-Be-Signed contents, and a time of revocation. The SignatureHeader size shall\r
	266	/// always be 0. The SignatureSize shall always be 16 (size of the SignatureOwner component)\r
	267	/// + 80 bytes for an EFI_CERT_X509_SHA512 structure. If the TimeOfRevocation is non-zero,\r
	268	/// the certificate should be considered to be revoked from that time and onwards, and\r
	269	/// otherwise the certificate shall be considered to always be revoked.\r
	270	///\r
	271	#define EFI_CERT_X509_SHA512_GUID \\r
	272	{ \\r
	273	0x446dbf63, 0x2502, 0x4cda, {0xbc, 0xfa, 0x24, 0x65, 0xd2, 0xb0, 0xfe, 0x9d } \\r
	274	}\r
	275	\r
ab0eecec	276	///\r
	277	/// This identifies a signature containing a DER-encoded PKCS #7 version 1.5 [RFC2315]\r
	278	/// SignedData value.\r
	279	///\r
	280	#define EFI_CERT_TYPE_PKCS7_GUID \\r
	281	{ \\r
	282	0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \\r
	283	}\r
20333c6d	284	\r
bd86cb02 LG	285	//***********************************************************************\r
	286	// Image Execution Information Table Definition\r
	287	//***********************************************************************\r
	288	typedef UINT32 EFI_IMAGE_EXECUTION_ACTION;\r
	289	\r
20333c6d	290	#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007\r
3f275826 LG	291	#define EFI_IMAGE_EXECUTION_AUTH_UNTESTED 0x00000000\r
	292	#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001\r
	293	#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002\r
	294	#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003\r
	295	#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004\r
	296	#define EFI_IMAGE_EXECUTION_POLICY_FAILED 0x00000005\r
	297	#define EFI_IMAGE_EXECUTION_INITIALIZED 0x00000008\r
bd86cb02 LG	298	\r
bd86cb02 LG	299	//\r
20333c6d	300	// EFI_IMAGE_EXECUTION_INFO is added to EFI System Configuration Table\r
bd86cb02 LG	301	// and assigned the GUID EFI_IMAGE_SECURITY_DATABASE_GUID.\r
	302	//\r
	303	typedef struct {\r
	304	///\r
	305	/// Describes the action taken by the firmware regarding this image.\r
	306	///\r
60bd4ccd	307	EFI_IMAGE_EXECUTION_ACTION Action;\r
bd86cb02 LG	308	///\r
	309	/// Size of all of the entire structure.\r
	310	///\r
	311	UINT32 InfoSize;\r
	312	///\r
20333c6d QL	313	/// If this image was a UEFI device driver (for option ROM, for example) this is the\r
	314	/// null-terminated, user-friendly name for the device. If the image was for an application,\r
	315	/// then this is the name of the application. If this cannot be determined, then a simple\r
bd86cb02 LG	316	/// NULL character should be put in this position.\r
	317	/// CHAR16 Name[];\r
	318	///\r
	319	\r
	320	///\r
20333c6d QL	321	/// For device drivers, this is the device path of the device for which this device driver\r
	322	/// was intended. In some cases, the driver itself may be stored as part of the system\r
	323	/// firmware, but this field should record the device's path, not the firmware path. For\r
	324	/// applications, this is the device path of the application. If this cannot be determined,\r
bd86cb02 LG	325	/// a simple end-of-path device node should be put in this position.\r
	326	/// EFI_DEVICE_PATH_PROTOCOL DevicePath;\r
	327	///\r
	328	\r
bd86cb02	329	///\r
20333c6d	330	/// Zero or more image signatures. If the image contained no signatures,\r
bd86cb02	331	/// then this field is empty.\r
686f0c7b LG	332	/// EFI_SIGNATURE_LIST Signature;\r
686f0c7b LG	333	/// \r
bd86cb02 LG	334	} EFI_IMAGE_EXECUTION_INFO;\r
bd86cb02 LG	335	\r
a1e98f78 LG	336	\r
	337	typedef struct {\r
	338	///\r
	339	/// Number of EFI_IMAGE_EXECUTION_INFO structures.\r
	340	///\r
20333c6d	341	UINTN NumberOfImages;\r
a1e98f78 LG	342	///\r
	343	/// Number of image instances of EFI_IMAGE_EXECUTION_INFO structures.\r
	344	///\r
20333c6d	345	// EFI_IMAGE_EXECUTION_INFO InformationInfo[]\r
a1e98f78 LG	346	} EFI_IMAGE_EXECUTION_INFO_TABLE;\r
a1e98f78 LG	347	\r
bd86cb02 LG	348	extern EFI_GUID gEfiImageSecurityDatabaseGuid;\r
bd86cb02 LG	349	extern EFI_GUID gEfiCertSha256Guid;\r
20333c6d	350	extern EFI_GUID gEfiCertRsa2048Guid;\r
bd86cb02 LG	351	extern EFI_GUID gEfiCertRsa2048Sha256Guid;\r
	352	extern EFI_GUID gEfiCertSha1Guid;\r
	353	extern EFI_GUID gEfiCertRsa2048Sha1Guid;\r
	354	extern EFI_GUID gEfiCertX509Guid;\r
05c82e51 SZ	355	extern EFI_GUID gEfiCertSha224Guid;\r
	356	extern EFI_GUID gEfiCertSha384Guid;\r
	357	extern EFI_GUID gEfiCertSha512Guid;\r
20333c6d QL	358	extern EFI_GUID gEfiCertX509Sha256Guid;\r
	359	extern EFI_GUID gEfiCertX509Sha384Guid;\r
	360	extern EFI_GUID gEfiCertX509Sha512Guid;\r
ab0eecec	361	extern EFI_GUID gEfiCertPkcs7Guid;\r
bd86cb02	362	\r
543cc44e	363	#endif\r