projects / mirror_edk2.git / blame
| Commit | Line | Data |
|---|---|---|
| 9c7d0d49 LE |
1 | /** @file\r |
| 2 | \r | |
| 3 | A hook-in library for NetworkPkg/TlsAuthConfigDxe, in order to set volatile\r | |
| 4 | variables related to TLS configuration, before TlsAuthConfigDxe or HttpDxe\r | |
| 5 | (which is a UEFI_DRIVER) consume them.\r | |
| 6 | \r | |
| 7 | Copyright (C) 2013, 2015, 2018, Red Hat, Inc.\r | |
| 8 | Copyright (c) 2008 - 2012, Intel Corporation. All rights reserved.<BR>\r | |
| 9 | \r | |
| 10 | This program and the accompanying materials are licensed and made available\r | |
| 11 | under the terms and conditions of the BSD License which accompanies this\r | |
| 12 | distribution. The full text of the license may be found at\r | |
| 13 | http://opensource.org/licenses/bsd-license.php\r | |
| 14 | \r | |
| 15 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT\r | |
| 16 | WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
| 17 | \r | |
| 18 | **/\r | |
| 19 | \r | |
| 20 | #include <Uefi/UefiBaseType.h>\r | |
| 21 | #include <Uefi/UefiSpec.h>\r | |
| 22 | \r | |
| 23 | #include <Guid/TlsAuthentication.h>\r | |
| 24 | \r | |
| 25 | #include <Library/BaseLib.h>\r | |
| 26 | #include <Library/DebugLib.h>\r | |
| 27 | #include <Library/MemoryAllocationLib.h>\r | |
| 28 | #include <Library/QemuFwCfgLib.h>\r | |
| 29 | #include <Library/UefiRuntimeServicesTableLib.h>\r | |
| 30 | \r | |
| 31 | /**\r | |
| 32 | Read the list of trusted CA certificates from the fw_cfg file\r | |
| 33 | "etc/edk2/https/cacerts", and store it to\r | |
| 34 | gEfiTlsCaCertificateGuid:EFI_TLS_CA_CERTIFICATE_VARIABLE.\r | |
| 35 | \r | |
| 36 | The contents are validated (for well-formedness) by NetworkPkg/HttpDxe.\r | |
| 37 | **/\r | |
| 38 | STATIC\r | |
| 39 | VOID\r | |
| 40 | SetCaCerts (\r | |
| 41 | VOID\r | |
| 42 | )\r | |
| 43 | {\r | |
| 44 | EFI_STATUS Status;\r | |
| 45 | FIRMWARE_CONFIG_ITEM HttpsCaCertsItem;\r | |
| 46 | UINTN HttpsCaCertsSize;\r | |
| 47 | VOID *HttpsCaCerts;\r | |
| 48 | \r | |
| 49 | Status = QemuFwCfgFindFile ("etc/edk2/https/cacerts", &HttpsCaCertsItem,\r | |
| 50 | &HttpsCaCertsSize);\r | |
| 51 | if (EFI_ERROR (Status)) {\r | |
| 52 | DEBUG ((DEBUG_VERBOSE, "%a:%a: not touching CA cert list\n",\r | |
| 53 | gEfiCallerBaseName, __FUNCTION__));\r | |
| 54 | return;\r | |
| 55 | }\r | |
| 56 | \r | |
| 57 | //\r | |
| 58 | // Delete the current EFI_TLS_CA_CERTIFICATE_VARIABLE if it exists. This\r | |
| 59 | // serves two purposes:\r | |
| 60 | //\r | |
| 61 | // (a) If the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we\r | |
| 62 | // cannot make it volatile without deleting it first.\r | |
| 63 | //\r | |
| 64 | // (b) If we fail to recreate the variable later, deleting the current one is\r | |
| 65 | // still justified if the fw_cfg file exists. Emptying the set of trusted\r | |
| 66 | // CA certificates will fail HTTPS boot, which is better than trusting\r | |
| 67 | // any certificate that's possibly missing from the fw_cfg file.\r | |
| 68 | //\r | |
| 69 | Status = gRT->SetVariable (\r | |
| 70 | EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName\r | |
| 71 | &gEfiTlsCaCertificateGuid, // VendorGuid\r | |
| 72 | 0, // Attributes\r | |
| 73 | 0, // DataSize\r | |
| 74 | NULL // Data\r | |
| 75 | );\r | |
| 76 | if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r | |
| 77 | //\r | |
| 78 | // This is fatal.\r | |
| 79 | //\r | |
| 80 | DEBUG ((DEBUG_ERROR, "%a:%a: failed to delete %g:\"%s\"\n",\r | |
| 81 | gEfiCallerBaseName, __FUNCTION__, &gEfiTlsCaCertificateGuid,\r | |
| 82 | EFI_TLS_CA_CERTIFICATE_VARIABLE));\r | |
| 83 | ASSERT_EFI_ERROR (Status);\r | |
| 84 | CpuDeadLoop ();\r | |
| 85 | }\r | |
| 86 | \r | |
| 87 | if (HttpsCaCertsSize == 0) {\r | |
| 88 | DEBUG ((DEBUG_VERBOSE, "%a:%a: applied empty CA cert list\n",\r | |
| 89 | gEfiCallerBaseName, __FUNCTION__));\r | |
| 90 | return;\r | |
| 91 | }\r | |
| 92 | \r | |
| 93 | HttpsCaCerts = AllocatePool (HttpsCaCertsSize);\r | |
| 94 | if (HttpsCaCerts == NULL) {\r | |
| 95 | DEBUG ((DEBUG_ERROR, "%a:%a: failed to allocate HttpsCaCerts\n",\r | |
| 96 | gEfiCallerBaseName, __FUNCTION__));\r | |
| 97 | return;\r | |
| 98 | }\r | |
| 99 | \r | |
| 100 | QemuFwCfgSelectItem (HttpsCaCertsItem);\r | |
| 101 | QemuFwCfgReadBytes (HttpsCaCertsSize, HttpsCaCerts);\r | |
| 102 | \r | |
| 103 | Status = gRT->SetVariable (\r | |
| 104 | EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName\r | |
| 105 | &gEfiTlsCaCertificateGuid, // VendorGuid\r | |
| 106 | EFI_VARIABLE_BOOTSERVICE_ACCESS, // Attributes\r | |
| 107 | HttpsCaCertsSize, // DataSize\r | |
| 108 | HttpsCaCerts // Data\r | |
| 109 | );\r | |
| 110 | if (EFI_ERROR (Status)) {\r | |
| 111 | DEBUG ((DEBUG_ERROR, "%a:%a: failed to set %g:\"%s\": %r\n",\r | |
| 112 | gEfiCallerBaseName, __FUNCTION__, &gEfiTlsCaCertificateGuid,\r | |
| 113 | EFI_TLS_CA_CERTIFICATE_VARIABLE, Status));\r | |
| 114 | goto FreeHttpsCaCerts;\r | |
| 115 | }\r | |
| 116 | \r | |
| 117 | DEBUG ((DEBUG_VERBOSE, "%a:%a: stored CA cert list (%Lu byte(s))\n",\r | |
| 118 | gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCaCertsSize));\r | |
| 119 | \r | |
| 120 | FreeHttpsCaCerts:\r | |
| 121 | FreePool (HttpsCaCerts);\r | |
| 122 | }\r | |
| 123 | \r | |
| 124 | RETURN_STATUS\r | |
| 125 | EFIAPI\r | |
| 126 | TlsAuthConfigInit (\r | |
| 127 | VOID\r | |
| 128 | )\r | |
| 129 | {\r | |
| 130 | SetCaCerts ();\r | |
| 131 | \r | |
| 132 | return RETURN_SUCCESS;\r | |
| 133 | }\r |