]>
Commit | Line | Data |
---|---|---|
9c7d0d49 LE |
1 | /** @file\r |
2 | \r | |
3 | A hook-in library for NetworkPkg/TlsAuthConfigDxe, in order to set volatile\r | |
4 | variables related to TLS configuration, before TlsAuthConfigDxe or HttpDxe\r | |
5 | (which is a UEFI_DRIVER) consume them.\r | |
6 | \r | |
7 | Copyright (C) 2013, 2015, 2018, Red Hat, Inc.\r | |
8 | Copyright (c) 2008 - 2012, Intel Corporation. All rights reserved.<BR>\r | |
9 | \r | |
10 | This program and the accompanying materials are licensed and made available\r | |
11 | under the terms and conditions of the BSD License which accompanies this\r | |
12 | distribution. The full text of the license may be found at\r | |
13 | http://opensource.org/licenses/bsd-license.php\r | |
14 | \r | |
15 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT\r | |
16 | WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
17 | \r | |
18 | **/\r | |
19 | \r | |
20 | #include <Uefi/UefiBaseType.h>\r | |
21 | #include <Uefi/UefiSpec.h>\r | |
22 | \r | |
23 | #include <Guid/TlsAuthentication.h>\r | |
24 | \r | |
25 | #include <Library/BaseLib.h>\r | |
26 | #include <Library/DebugLib.h>\r | |
27 | #include <Library/MemoryAllocationLib.h>\r | |
28 | #include <Library/QemuFwCfgLib.h>\r | |
29 | #include <Library/UefiRuntimeServicesTableLib.h>\r | |
30 | \r | |
31 | /**\r | |
32 | Read the list of trusted CA certificates from the fw_cfg file\r | |
33 | "etc/edk2/https/cacerts", and store it to\r | |
34 | gEfiTlsCaCertificateGuid:EFI_TLS_CA_CERTIFICATE_VARIABLE.\r | |
35 | \r | |
36 | The contents are validated (for well-formedness) by NetworkPkg/HttpDxe.\r | |
37 | **/\r | |
38 | STATIC\r | |
39 | VOID\r | |
40 | SetCaCerts (\r | |
41 | VOID\r | |
42 | )\r | |
43 | {\r | |
44 | EFI_STATUS Status;\r | |
45 | FIRMWARE_CONFIG_ITEM HttpsCaCertsItem;\r | |
46 | UINTN HttpsCaCertsSize;\r | |
47 | VOID *HttpsCaCerts;\r | |
48 | \r | |
49 | Status = QemuFwCfgFindFile ("etc/edk2/https/cacerts", &HttpsCaCertsItem,\r | |
50 | &HttpsCaCertsSize);\r | |
51 | if (EFI_ERROR (Status)) {\r | |
52 | DEBUG ((DEBUG_VERBOSE, "%a:%a: not touching CA cert list\n",\r | |
53 | gEfiCallerBaseName, __FUNCTION__));\r | |
54 | return;\r | |
55 | }\r | |
56 | \r | |
57 | //\r | |
58 | // Delete the current EFI_TLS_CA_CERTIFICATE_VARIABLE if it exists. This\r | |
59 | // serves two purposes:\r | |
60 | //\r | |
61 | // (a) If the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we\r | |
62 | // cannot make it volatile without deleting it first.\r | |
63 | //\r | |
64 | // (b) If we fail to recreate the variable later, deleting the current one is\r | |
65 | // still justified if the fw_cfg file exists. Emptying the set of trusted\r | |
66 | // CA certificates will fail HTTPS boot, which is better than trusting\r | |
67 | // any certificate that's possibly missing from the fw_cfg file.\r | |
68 | //\r | |
69 | Status = gRT->SetVariable (\r | |
70 | EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName\r | |
71 | &gEfiTlsCaCertificateGuid, // VendorGuid\r | |
72 | 0, // Attributes\r | |
73 | 0, // DataSize\r | |
74 | NULL // Data\r | |
75 | );\r | |
76 | if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r | |
77 | //\r | |
78 | // This is fatal.\r | |
79 | //\r | |
80 | DEBUG ((DEBUG_ERROR, "%a:%a: failed to delete %g:\"%s\"\n",\r | |
81 | gEfiCallerBaseName, __FUNCTION__, &gEfiTlsCaCertificateGuid,\r | |
82 | EFI_TLS_CA_CERTIFICATE_VARIABLE));\r | |
83 | ASSERT_EFI_ERROR (Status);\r | |
84 | CpuDeadLoop ();\r | |
85 | }\r | |
86 | \r | |
87 | if (HttpsCaCertsSize == 0) {\r | |
88 | DEBUG ((DEBUG_VERBOSE, "%a:%a: applied empty CA cert list\n",\r | |
89 | gEfiCallerBaseName, __FUNCTION__));\r | |
90 | return;\r | |
91 | }\r | |
92 | \r | |
93 | HttpsCaCerts = AllocatePool (HttpsCaCertsSize);\r | |
94 | if (HttpsCaCerts == NULL) {\r | |
95 | DEBUG ((DEBUG_ERROR, "%a:%a: failed to allocate HttpsCaCerts\n",\r | |
96 | gEfiCallerBaseName, __FUNCTION__));\r | |
97 | return;\r | |
98 | }\r | |
99 | \r | |
100 | QemuFwCfgSelectItem (HttpsCaCertsItem);\r | |
101 | QemuFwCfgReadBytes (HttpsCaCertsSize, HttpsCaCerts);\r | |
102 | \r | |
103 | Status = gRT->SetVariable (\r | |
104 | EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName\r | |
105 | &gEfiTlsCaCertificateGuid, // VendorGuid\r | |
106 | EFI_VARIABLE_BOOTSERVICE_ACCESS, // Attributes\r | |
107 | HttpsCaCertsSize, // DataSize\r | |
108 | HttpsCaCerts // Data\r | |
109 | );\r | |
110 | if (EFI_ERROR (Status)) {\r | |
111 | DEBUG ((DEBUG_ERROR, "%a:%a: failed to set %g:\"%s\": %r\n",\r | |
112 | gEfiCallerBaseName, __FUNCTION__, &gEfiTlsCaCertificateGuid,\r | |
113 | EFI_TLS_CA_CERTIFICATE_VARIABLE, Status));\r | |
114 | goto FreeHttpsCaCerts;\r | |
115 | }\r | |
116 | \r | |
117 | DEBUG ((DEBUG_VERBOSE, "%a:%a: stored CA cert list (%Lu byte(s))\n",\r | |
118 | gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCaCertsSize));\r | |
119 | \r | |
120 | FreeHttpsCaCerts:\r | |
121 | FreePool (HttpsCaCerts);\r | |
122 | }\r | |
123 | \r | |
124 | RETURN_STATUS\r | |
125 | EFIAPI\r | |
126 | TlsAuthConfigInit (\r | |
127 | VOID\r | |
128 | )\r | |
129 | {\r | |
130 | SetCaCerts ();\r | |
131 | \r | |
132 | return RETURN_SUCCESS;\r | |
133 | }\r |