[mirror_edk2.git] / OvmfPkg / EnrollDefaultKeys / EnrollDefaultKeys.c

/** @file\r
  Enroll default PK, KEK, db, dbx.\r
\r
  Copyright (C) 2014-2019, Red Hat, Inc.\r
\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
**/\r
#include <Guid/AuthenticatedVariableFormat.h>    // gEfiCustomModeEnableGuid\r
#include <Guid/GlobalVariable.h>                 // EFI_SETUP_MODE_NAME\r
#include <Guid/ImageAuthentication.h>            // EFI_IMAGE_SECURITY_DATABASE\r
#include <Guid/MicrosoftVendor.h>                // gMicrosoftVendorGuid\r
#include <Library/BaseMemoryLib.h>               // CopyGuid()\r
#include <Library/DebugLib.h>                    // ASSERT()\r
#include <Library/MemoryAllocationLib.h>         // FreePool()\r
#include <Library/ShellCEntryLib.h>              // ShellAppMain()\r
#include <Library/UefiLib.h>                     // AsciiPrint()\r
#include <Library/UefiRuntimeServicesTableLib.h> // gRT\r
\r
#include "EnrollDefaultKeys.h"\r
\r
/**\r
  Enroll a set of certificates in a global variable, overwriting it.\r
\r
  The variable will be rewritten with NV+BS+RT+AT attributes.\r
\r
  @param[in] VariableName  The name of the variable to overwrite.\r
\r
  @param[in] VendorGuid    The namespace (ie. vendor GUID) of the variable to\r
                           overwrite.\r
\r
  @param[in] CertType      The GUID determining the type of all the\r
                           certificates in the set that is passed in. For\r
                           example, gEfiCertX509Guid stands for DER-encoded\r
                           X.509 certificates, while gEfiCertSha256Guid stands\r
                           for SHA256 image hashes.\r
\r
  @param[in] ...           A list of\r
\r
                             IN CONST UINT8    *Cert,\r
                             IN UINTN          CertSize,\r
                             IN CONST EFI_GUID *OwnerGuid\r
\r
                           triplets. If the first component of a triplet is\r
                           NULL, then the other two components are not\r
                           accessed, and processing is terminated. The list of\r
                           certificates is enrolled in the variable specified,\r
                           overwriting it. The OwnerGuid component identifies\r
                           the agent installing the certificate.\r
\r
  @retval EFI_INVALID_PARAMETER  The triplet list is empty (ie. the first Cert\r
                                 value is NULL), or one of the CertSize values\r
                                 is 0, or one of the CertSize values would\r
                                 overflow the accumulated UINT32 data size.\r
\r
  @retval EFI_OUT_OF_RESOURCES   Out of memory while formatting variable\r
                                 payload.\r
\r
  @retval EFI_SUCCESS            Enrollment successful; the variable has been\r
                                 overwritten (or created).\r
\r
  @return                        Error codes from gRT->GetTime() and\r
                                 gRT->SetVariable().\r
**/\r
STATIC\r
EFI_STATUS\r
EFIAPI\r
EnrollListOfCerts (\r
  IN CHAR16   *VariableName,\r
  IN EFI_GUID *VendorGuid,\r
  IN EFI_GUID *CertType,\r
  ...\r
  )\r
{\r
  UINTN            DataSize;\r
  SINGLE_HEADER    *SingleHeader;\r
  REPEATING_HEADER *RepeatingHeader;\r
  VA_LIST          Marker;\r
  CONST UINT8      *Cert;\r
  EFI_STATUS       Status;\r
  UINT8            *Data;\r
  UINT8            *Position;\r
\r
  Status = EFI_SUCCESS;\r
\r
  //\r
  // compute total size first, for UINT32 range check, and allocation\r
  //\r
  DataSize = sizeof *SingleHeader;\r
  VA_START (Marker, CertType);\r
  for (Cert = VA_ARG (Marker, CONST UINT8 *);\r
       Cert != NULL;\r
       Cert = VA_ARG (Marker, CONST UINT8 *)) {\r
    UINTN          CertSize;\r
\r
    CertSize = VA_ARG (Marker, UINTN);\r
    (VOID)VA_ARG (Marker, CONST EFI_GUID *);\r
\r
    if (CertSize == 0 ||\r
        CertSize > MAX_UINT32 - sizeof *RepeatingHeader ||\r
        DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {\r
      Status = EFI_INVALID_PARAMETER;\r
      break;\r
    }\r
    DataSize += sizeof *RepeatingHeader + CertSize;\r
  }\r
  VA_END (Marker);\r
\r
  if (DataSize == sizeof *SingleHeader) {\r
    Status = EFI_INVALID_PARAMETER;\r
  }\r
  if (EFI_ERROR (Status)) {\r
    goto Out;\r
  }\r
\r
  Data = AllocatePool (DataSize);\r
  if (Data == NULL) {\r
    Status = EFI_OUT_OF_RESOURCES;\r
    goto Out;\r
  }\r
\r
  Position = Data;\r
\r
  SingleHeader = (SINGLE_HEADER *)Position;\r
  Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);\r
  if (EFI_ERROR (Status)) {\r
    goto FreeData;\r
  }\r
  SingleHeader->TimeStamp.Pad1       = 0;\r
  SingleHeader->TimeStamp.Nanosecond = 0;\r
  SingleHeader->TimeStamp.TimeZone   = 0;\r
  SingleHeader->TimeStamp.Daylight   = 0;\r
  SingleHeader->TimeStamp.Pad2       = 0;\r
#if 0\r
  SingleHeader->dwLength         = DataSize - sizeof SingleHeader->TimeStamp;\r
#else\r
  //\r
  // This looks like a bug in edk2. According to the UEFI specification,\r
  // dwLength is "The length of the entire certificate, including the length of\r
  // the header, in bytes". That shouldn't stop right after CertType -- it\r
  // should include everything below it.\r
  //\r
  SingleHeader->dwLength         = sizeof *SingleHeader\r
                                     - sizeof SingleHeader->TimeStamp;\r
#endif\r
  SingleHeader->wRevision        = 0x0200;\r
  SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;\r
  CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);\r
  Position += sizeof *SingleHeader;\r
\r
  VA_START (Marker, CertType);\r
  for (Cert = VA_ARG (Marker, CONST UINT8 *);\r
       Cert != NULL;\r
       Cert = VA_ARG (Marker, CONST UINT8 *)) {\r
    UINTN            CertSize;\r
    CONST EFI_GUID   *OwnerGuid;\r
\r
    CertSize  = VA_ARG (Marker, UINTN);\r
    OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);\r
\r
    RepeatingHeader = (REPEATING_HEADER *)Position;\r
    CopyGuid (&RepeatingHeader->SignatureType, CertType);\r
    RepeatingHeader->SignatureListSize   =\r
      (UINT32)(sizeof *RepeatingHeader + CertSize);\r
    RepeatingHeader->SignatureHeaderSize = 0;\r
    RepeatingHeader->SignatureSize       =\r
      (UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);\r
    CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);\r
    Position += sizeof *RepeatingHeader;\r
\r
    CopyMem (Position, Cert, CertSize);\r
    Position += CertSize;\r
  }\r
  VA_END (Marker);\r
\r
  ASSERT (Data + DataSize == Position);\r
\r
  Status = gRT->SetVariable (VariableName, VendorGuid,\r
                  (EFI_VARIABLE_NON_VOLATILE |\r
                   EFI_VARIABLE_BOOTSERVICE_ACCESS |\r
                   EFI_VARIABLE_RUNTIME_ACCESS |\r
                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),\r
                  DataSize, Data);\r
\r
FreeData:\r
  FreePool (Data);\r
\r
Out:\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,\r
      VendorGuid, Status);\r
  }\r
  return Status;\r
}\r
\r
\r
STATIC\r
EFI_STATUS\r
GetExact (\r
  IN CHAR16   *VariableName,\r
  IN EFI_GUID *VendorGuid,\r
  OUT VOID    *Data,\r
  IN UINTN    DataSize,\r
  IN BOOLEAN  AllowMissing\r
  )\r
{\r
  UINTN      Size;\r
  EFI_STATUS Status;\r
\r
  Size = DataSize;\r
  Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);\r
  if (EFI_ERROR (Status)) {\r
    if (Status == EFI_NOT_FOUND && AllowMissing) {\r
      ZeroMem (Data, DataSize);\r
      return EFI_SUCCESS;\r
    }\r
\r
    AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,\r
      VendorGuid, Status);\r
    return Status;\r
  }\r
\r
  if (Size != DataSize) {\r
    AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "\r
      "got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);\r
    return EFI_PROTOCOL_ERROR;\r
  }\r
\r
  return EFI_SUCCESS;\r
}\r
\r
STATIC\r
EFI_STATUS\r
GetSettings (\r
  OUT SETTINGS *Settings\r
  )\r
{\r
  EFI_STATUS Status;\r
\r
  Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,\r
             &Settings->SetupMode, sizeof Settings->SetupMode, FALSE);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,\r
             &Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,\r
             &gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,\r
             sizeof Settings->SecureBootEnable, TRUE);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,\r
             &Settings->CustomMode, sizeof Settings->CustomMode, FALSE);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,\r
             &Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);\r
  return Status;\r
}\r
\r
STATIC\r
VOID\r
PrintSettings (\r
  IN CONST SETTINGS *Settings\r
  )\r
{\r
  AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "\r
    "CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,\r
    Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);\r
}\r
\r
\r
INTN\r
EFIAPI\r
ShellAppMain (\r
  IN UINTN  Argc,\r
  IN CHAR16 **Argv\r
  )\r
{\r
  EFI_STATUS Status;\r
  SETTINGS   Settings;\r
\r
  Status = GetSettings (&Settings);\r
  if (EFI_ERROR (Status)) {\r
    return 1;\r
  }\r
  PrintSettings (&Settings);\r
\r
  if (Settings.SetupMode != 1) {\r
    AsciiPrint ("error: already in User Mode\n");\r
    return 1;\r
  }\r
\r
  if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {\r
    Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;\r
    Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,\r
                    (EFI_VARIABLE_NON_VOLATILE |\r
                     EFI_VARIABLE_BOOTSERVICE_ACCESS),\r
                    sizeof Settings.CustomMode, &Settings.CustomMode);\r
    if (EFI_ERROR (Status)) {\r
      AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,\r
        &gEfiCustomModeEnableGuid, Status);\r
      return 1;\r
    }\r
  }\r
\r
  Status = EnrollListOfCerts (\r
             EFI_IMAGE_SECURITY_DATABASE,\r
             &gEfiImageSecurityDatabaseGuid,\r
             &gEfiCertX509Guid,\r
             mMicrosoftPca,    mSizeOfMicrosoftPca,    &gMicrosoftVendorGuid,\r
             mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,\r
             NULL);\r
  if (EFI_ERROR (Status)) {\r
    return 1;\r
  }\r
\r
  Status = EnrollListOfCerts (\r
             EFI_IMAGE_SECURITY_DATABASE1,\r
             &gEfiImageSecurityDatabaseGuid,\r
             &gEfiCertSha256Guid,\r
             mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid,\r
             NULL);\r
  if (EFI_ERROR (Status)) {\r
    return 1;\r
  }\r
\r
  Status = EnrollListOfCerts (\r
             EFI_KEY_EXCHANGE_KEY_NAME,\r
             &gEfiGlobalVariableGuid,\r
             &gEfiCertX509Guid,\r
             mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,\r
             mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,\r
             NULL);\r
  if (EFI_ERROR (Status)) {\r
    return 1;\r
  }\r
\r
  Status = EnrollListOfCerts (\r
             EFI_PLATFORM_KEY_NAME,\r
             &gEfiGlobalVariableGuid,\r
             &gEfiCertX509Guid,\r
             mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiGlobalVariableGuid,\r
             NULL);\r
  if (EFI_ERROR (Status)) {\r
    return 1;\r
  }\r
\r
  Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;\r
  Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,\r
                  EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
                  sizeof Settings.CustomMode, &Settings.CustomMode);\r
  if (EFI_ERROR (Status)) {\r
    AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,\r
      &gEfiCustomModeEnableGuid, Status);\r
    return 1;\r
  }\r
\r
  Status = GetSettings (&Settings);\r
  if (EFI_ERROR (Status)) {\r
    return 1;\r
  }\r
  PrintSettings (&Settings);\r
\r
  if (Settings.SetupMode != 0 || Settings.SecureBoot != 1 ||\r
      Settings.SecureBootEnable != 1 || Settings.CustomMode != 0 ||\r
      Settings.VendorKeys != 0) {\r
    AsciiPrint ("error: unexpected\n");\r
    return 1;\r
  }\r
\r
  AsciiPrint ("info: success\n");\r
  return 0;\r
}\r
Commit	Line	Data
b1163623	1	/** @file\r
3defea06	2	Enroll default PK, KEK, db, dbx.\r
b1163623	3	\r
3defea06	4	Copyright (C) 2014-2019, Red Hat, Inc.\r
b1163623	5	\r
3defea06	6	SPDX-License-Identifier: BSD-2-Clause-Patent\r
b1163623 LE	7	**/\r
	8	#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid\r
	9	#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME\r
	10	#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE\r
7eeaa758	11	#include <Guid/MicrosoftVendor.h> // gMicrosoftVendorGuid\r
b1163623 LE	12	#include <Library/BaseMemoryLib.h> // CopyGuid()\r
	13	#include <Library/DebugLib.h> // ASSERT()\r
	14	#include <Library/MemoryAllocationLib.h> // FreePool()\r
	15	#include <Library/ShellCEntryLib.h> // ShellAppMain()\r
	16	#include <Library/UefiLib.h> // AsciiPrint()\r
	17	#include <Library/UefiRuntimeServicesTableLib.h> // gRT\r
	18	\r
1c9418fc LE	19	#include "EnrollDefaultKeys.h"\r
1c9418fc LE	20	\r
b1163623 LE	21	/**\r
	22	Enroll a set of certificates in a global variable, overwriting it.\r
	23	\r
	24	The variable will be rewritten with NV+BS+RT+AT attributes.\r
	25	\r
	26	@param[in] VariableName The name of the variable to overwrite.\r
	27	\r
	28	@param[in] VendorGuid The namespace (ie. vendor GUID) of the variable to\r
	29	overwrite.\r
	30	\r
	31	@param[in] CertType The GUID determining the type of all the\r
	32	certificates in the set that is passed in. For\r
	33	example, gEfiCertX509Guid stands for DER-encoded\r
	34	X.509 certificates, while gEfiCertSha256Guid stands\r
	35	for SHA256 image hashes.\r
	36	\r
	37	@param[in] ... A list of\r
	38	\r
	39	IN CONST UINT8 *Cert,\r
	40	IN UINTN CertSize,\r
	41	IN CONST EFI_GUID *OwnerGuid\r
	42	\r
	43	triplets. If the first component of a triplet is\r
	44	NULL, then the other two components are not\r
	45	accessed, and processing is terminated. The list of\r
	46	certificates is enrolled in the variable specified,\r
	47	overwriting it. The OwnerGuid component identifies\r
	48	the agent installing the certificate.\r
	49	\r
	50	@retval EFI_INVALID_PARAMETER The triplet list is empty (ie. the first Cert\r
	51	value is NULL), or one of the CertSize values\r
	52	is 0, or one of the CertSize values would\r
	53	overflow the accumulated UINT32 data size.\r
	54	\r
	55	@retval EFI_OUT_OF_RESOURCES Out of memory while formatting variable\r
	56	payload.\r
	57	\r
	58	@retval EFI_SUCCESS Enrollment successful; the variable has been\r
	59	overwritten (or created).\r
	60	\r
	61	@return Error codes from gRT->GetTime() and\r
	62	gRT->SetVariable().\r
	63	**/\r
	64	STATIC\r
	65	EFI_STATUS\r
	66	EFIAPI\r
	67	EnrollListOfCerts (\r
	68	IN CHAR16 *VariableName,\r
	69	IN EFI_GUID *VendorGuid,\r
	70	IN EFI_GUID *CertType,\r
	71	...\r
	72	)\r
	73	{\r
	74	UINTN DataSize;\r
	75	SINGLE_HEADER *SingleHeader;\r
	76	REPEATING_HEADER *RepeatingHeader;\r
	77	VA_LIST Marker;\r
	78	CONST UINT8 *Cert;\r
	79	EFI_STATUS Status;\r
	80	UINT8 *Data;\r
	81	UINT8 *Position;\r
	82	\r
	83	Status = EFI_SUCCESS;\r
	84	\r
85	//\r
86	// compute total size first, for UINT32 range check, and allocation\r
87	//\r
88	DataSize = sizeof *SingleHeader;\r
89	VA_START (Marker, CertType);\r
90	for (Cert = VA_ARG (Marker, CONST UINT8 *);\r
91	Cert != NULL;\r
92	Cert = VA_ARG (Marker, CONST UINT8 *)) {\r
93	UINTN CertSize;\r
94	\r
95	CertSize = VA_ARG (Marker, UINTN);\r
96	(VOID)VA_ARG (Marker, CONST EFI_GUID *);\r
97	\r
98	if (CertSize == 0 \|\|\r
99	CertSize > MAX_UINT32 - sizeof *RepeatingHeader \|\|\r
100	DataSize > MAX_UINT32 - sizeof *RepeatingHeader - CertSize) {\r
101	Status = EFI_INVALID_PARAMETER;\r
102	break;\r
103	}\r
104	DataSize += sizeof *RepeatingHeader + CertSize;\r
105	}\r
106	VA_END (Marker);\r
107	\r
108	if (DataSize == sizeof *SingleHeader) {\r
109	Status = EFI_INVALID_PARAMETER;\r
110	}\r
111	if (EFI_ERROR (Status)) {\r
112	goto Out;\r
113	}\r
114	\r
115	Data = AllocatePool (DataSize);\r
116	if (Data == NULL) {\r
117	Status = EFI_OUT_OF_RESOURCES;\r
118	goto Out;\r
119	}\r
120	\r
121	Position = Data;\r
122	\r
123	SingleHeader = (SINGLE_HEADER *)Position;\r
124	Status = gRT->GetTime (&SingleHeader->TimeStamp, NULL);\r
125	if (EFI_ERROR (Status)) {\r
126	goto FreeData;\r
127	}\r
128	SingleHeader->TimeStamp.Pad1 = 0;\r
129	SingleHeader->TimeStamp.Nanosecond = 0;\r
130	SingleHeader->TimeStamp.TimeZone = 0;\r
131	SingleHeader->TimeStamp.Daylight = 0;\r
132	SingleHeader->TimeStamp.Pad2 = 0;\r
133	#if 0\r
134	SingleHeader->dwLength = DataSize - sizeof SingleHeader->TimeStamp;\r
135	#else\r
136	//\r
137	// This looks like a bug in edk2. According to the UEFI specification,\r
138	// dwLength is "The length of the entire certificate, including the length of\r
139	// the header, in bytes". That shouldn't stop right after CertType -- it\r
140	// should include everything below it.\r
141	//\r
142	SingleHeader->dwLength = sizeof *SingleHeader\r
143	- sizeof SingleHeader->TimeStamp;\r
144	#endif\r
145	SingleHeader->wRevision = 0x0200;\r
146	SingleHeader->wCertificateType = WIN_CERT_TYPE_EFI_GUID;\r
147	CopyGuid (&SingleHeader->CertType, &gEfiCertPkcs7Guid);\r
148	Position += sizeof *SingleHeader;\r
149	\r
150	VA_START (Marker, CertType);\r
151	for (Cert = VA_ARG (Marker, CONST UINT8 *);\r
152	Cert != NULL;\r
153	Cert = VA_ARG (Marker, CONST UINT8 *)) {\r
154	UINTN CertSize;\r
155	CONST EFI_GUID *OwnerGuid;\r
156	\r
157	CertSize = VA_ARG (Marker, UINTN);\r
158	OwnerGuid = VA_ARG (Marker, CONST EFI_GUID *);\r
159	\r
160	RepeatingHeader = (REPEATING_HEADER *)Position;\r
161	CopyGuid (&RepeatingHeader->SignatureType, CertType);\r
162	RepeatingHeader->SignatureListSize =\r
163	(UINT32)(sizeof *RepeatingHeader + CertSize);\r
164	RepeatingHeader->SignatureHeaderSize = 0;\r
165	RepeatingHeader->SignatureSize =\r
166	(UINT32)(sizeof RepeatingHeader->SignatureOwner + CertSize);\r
167	CopyGuid (&RepeatingHeader->SignatureOwner, OwnerGuid);\r
168	Position += sizeof *RepeatingHeader;\r
169	\r
170	CopyMem (Position, Cert, CertSize);\r
171	Position += CertSize;\r
172	}\r
173	VA_END (Marker);\r
174	\r
175	ASSERT (Data + DataSize == Position);\r
176	\r
177	Status = gRT->SetVariable (VariableName, VendorGuid,\r
178	(EFI_VARIABLE_NON_VOLATILE \|\r
179	EFI_VARIABLE_BOOTSERVICE_ACCESS \|\r
180	EFI_VARIABLE_RUNTIME_ACCESS \|\r
181	EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),\r
182	DataSize, Data);\r
183	\r
184	FreeData:\r
185	FreePool (Data);\r
186	\r
187	Out:\r
188	if (EFI_ERROR (Status)) {\r
189	AsciiPrint ("error: %a(\"%s\", %g): %r\n", __FUNCTION__, VariableName,\r
190	VendorGuid, Status);\r
191	}\r
192	return Status;\r
193	}\r
194	\r
195	\r
196	STATIC\r
197	EFI_STATUS\r
b1163623 LE	198	GetExact (\r
	199	IN CHAR16 *VariableName,\r
	200	IN EFI_GUID *VendorGuid,\r
	201	OUT VOID *Data,\r
	202	IN UINTN DataSize,\r
	203	IN BOOLEAN AllowMissing\r
	204	)\r
	205	{\r
	206	UINTN Size;\r
	207	EFI_STATUS Status;\r
	208	\r
	209	Size = DataSize;\r
	210	Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &Size, Data);\r
	211	if (EFI_ERROR (Status)) {\r
	212	if (Status == EFI_NOT_FOUND && AllowMissing) {\r
	213	ZeroMem (Data, DataSize);\r
	214	return EFI_SUCCESS;\r
	215	}\r
	216	\r
	217	AsciiPrint ("error: GetVariable(\"%s\", %g): %r\n", VariableName,\r
	218	VendorGuid, Status);\r
	219	return Status;\r
	220	}\r
	221	\r
	222	if (Size != DataSize) {\r
	223	AsciiPrint ("error: GetVariable(\"%s\", %g): expected size 0x%Lx, "\r
	224	"got 0x%Lx\n", VariableName, VendorGuid, (UINT64)DataSize, (UINT64)Size);\r
	225	return EFI_PROTOCOL_ERROR;\r
	226	}\r
	227	\r
	228	return EFI_SUCCESS;\r
	229	}\r
	230	\r
b1163623 LE	231	STATIC\r
b1163623 LE	232	EFI_STATUS\r
b1163623 LE	233	GetSettings (\r
	234	OUT SETTINGS *Settings\r
	235	)\r
	236	{\r
	237	EFI_STATUS Status;\r
	238	\r
	239	Status = GetExact (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid,\r
	240	&Settings->SetupMode, sizeof Settings->SetupMode, FALSE);\r
	241	if (EFI_ERROR (Status)) {\r
	242	return Status;\r
	243	}\r
	244	\r
	245	Status = GetExact (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid,\r
	246	&Settings->SecureBoot, sizeof Settings->SecureBoot, FALSE);\r
	247	if (EFI_ERROR (Status)) {\r
	248	return Status;\r
	249	}\r
	250	\r
	251	Status = GetExact (EFI_SECURE_BOOT_ENABLE_NAME,\r
	252	&gEfiSecureBootEnableDisableGuid, &Settings->SecureBootEnable,\r
	253	sizeof Settings->SecureBootEnable, TRUE);\r
	254	if (EFI_ERROR (Status)) {\r
	255	return Status;\r
	256	}\r
	257	\r
	258	Status = GetExact (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,\r
	259	&Settings->CustomMode, sizeof Settings->CustomMode, FALSE);\r
	260	if (EFI_ERROR (Status)) {\r
	261	return Status;\r
	262	}\r
	263	\r
	264	Status = GetExact (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid,\r
	265	&Settings->VendorKeys, sizeof Settings->VendorKeys, FALSE);\r
	266	return Status;\r
	267	}\r
	268	\r
	269	STATIC\r
	270	VOID\r
b1163623 LE	271	PrintSettings (\r
	272	IN CONST SETTINGS *Settings\r
	273	)\r
	274	{\r
	275	AsciiPrint ("info: SetupMode=%d SecureBoot=%d SecureBootEnable=%d "\r
	276	"CustomMode=%d VendorKeys=%d\n", Settings->SetupMode, Settings->SecureBoot,\r
	277	Settings->SecureBootEnable, Settings->CustomMode, Settings->VendorKeys);\r
	278	}\r
	279	\r
	280	\r
	281	INTN\r
	282	EFIAPI\r
	283	ShellAppMain (\r
	284	IN UINTN Argc,\r
	285	IN CHAR16 **Argv\r
	286	)\r
	287	{\r
	288	EFI_STATUS Status;\r
	289	SETTINGS Settings;\r
	290	\r
	291	Status = GetSettings (&Settings);\r
	292	if (EFI_ERROR (Status)) {\r
	293	return 1;\r
	294	}\r
	295	PrintSettings (&Settings);\r
	296	\r
	297	if (Settings.SetupMode != 1) {\r
	298	AsciiPrint ("error: already in User Mode\n");\r
	299	return 1;\r
	300	}\r
	301	\r
	302	if (Settings.CustomMode != CUSTOM_SECURE_BOOT_MODE) {\r
	303	Settings.CustomMode = CUSTOM_SECURE_BOOT_MODE;\r
	304	Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,\r
	305	(EFI_VARIABLE_NON_VOLATILE \|\r
	306	EFI_VARIABLE_BOOTSERVICE_ACCESS),\r
	307	sizeof Settings.CustomMode, &Settings.CustomMode);\r
	308	if (EFI_ERROR (Status)) {\r
	309	AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,\r
	310	&gEfiCustomModeEnableGuid, Status);\r
	311	return 1;\r
	312	}\r
	313	}\r
	314	\r
	315	Status = EnrollListOfCerts (\r
	316	EFI_IMAGE_SECURITY_DATABASE,\r
	317	&gEfiImageSecurityDatabaseGuid,\r
	318	&gEfiCertX509Guid,\r
7eeaa758 LE	319	mMicrosoftPca, mSizeOfMicrosoftPca, &gMicrosoftVendorGuid,\r
7eeaa758 LE	320	mMicrosoftUefiCa, mSizeOfMicrosoftUefiCa, &gMicrosoftVendorGuid,\r
b1163623 LE	321	NULL);\r
	322	if (EFI_ERROR (Status)) {\r
	323	return 1;\r
	324	}\r
	325	\r
	326	Status = EnrollListOfCerts (\r
	327	EFI_IMAGE_SECURITY_DATABASE1,\r
	328	&gEfiImageSecurityDatabaseGuid,\r
	329	&gEfiCertSha256Guid,\r
a79b115a	330	mSha256OfDevNull, mSizeOfSha256OfDevNull, &gEfiCallerIdGuid,\r
b1163623 LE	331	NULL);\r
	332	if (EFI_ERROR (Status)) {\r
	333	return 1;\r
	334	}\r
	335	\r
	336	Status = EnrollListOfCerts (\r
	337	EFI_KEY_EXCHANGE_KEY_NAME,\r
	338	&gEfiGlobalVariableGuid,\r
	339	&gEfiCertX509Guid,\r
a79b115a	340	mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiCallerIdGuid,\r
7eeaa758	341	mMicrosoftKek, mSizeOfMicrosoftKek, &gMicrosoftVendorGuid,\r
b1163623 LE	342	NULL);\r
	343	if (EFI_ERROR (Status)) {\r
	344	return 1;\r
	345	}\r
	346	\r
	347	Status = EnrollListOfCerts (\r
	348	EFI_PLATFORM_KEY_NAME,\r
	349	&gEfiGlobalVariableGuid,\r
	350	&gEfiCertX509Guid,\r
a79b115a	351	mRedHatPkKek1, mSizeOfRedHatPkKek1, &gEfiGlobalVariableGuid,\r
b1163623 LE	352	NULL);\r
	353	if (EFI_ERROR (Status)) {\r
	354	return 1;\r
	355	}\r
	356	\r
	357	Settings.CustomMode = STANDARD_SECURE_BOOT_MODE;\r
	358	Status = gRT->SetVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid,\r
	359	EFI_VARIABLE_NON_VOLATILE \| EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
	360	sizeof Settings.CustomMode, &Settings.CustomMode);\r
	361	if (EFI_ERROR (Status)) {\r
	362	AsciiPrint ("error: SetVariable(\"%s\", %g): %r\n", EFI_CUSTOM_MODE_NAME,\r
	363	&gEfiCustomModeEnableGuid, Status);\r
	364	return 1;\r
	365	}\r
	366	\r
	367	Status = GetSettings (&Settings);\r
	368	if (EFI_ERROR (Status)) {\r
	369	return 1;\r
	370	}\r
	371	PrintSettings (&Settings);\r
	372	\r
	373	if (Settings.SetupMode != 0 \|\| Settings.SecureBoot != 1 \|\|\r
	374	Settings.SecureBootEnable != 1 \|\| Settings.CustomMode != 0 \|\|\r
	375	Settings.VendorKeys != 0) {\r
	376	AsciiPrint ("error: unexpected\n");\r
	377	return 1;\r
	378	}\r
	379	\r
	380	AsciiPrint ("info: success\n");\r
	381	return 0;\r
	382	}\r