[mirror_edk2.git] / OvmfPkg / Library / TlsAuthConfigLib / TlsAuthConfigLib.c

/** @file\r
\r
  A hook-in library for NetworkPkg/TlsAuthConfigDxe, in order to set volatile\r
  variables related to TLS configuration, before TlsAuthConfigDxe or HttpDxe\r
  (which is a UEFI_DRIVER) consume them.\r
\r
  Copyright (C) 2013, 2015, 2018, Red Hat, Inc.\r
  Copyright (c) 2008 - 2012, Intel Corporation. All rights reserved.<BR>\r
\r
  This program and the accompanying materials are licensed and made available\r
  under the terms and conditions of the BSD License which accompanies this\r
  distribution. The full text of the license may be found at\r
  http://opensource.org/licenses/bsd-license.php\r
\r
  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT\r
  WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
**/\r
\r
#include <Uefi/UefiBaseType.h>\r
#include <Uefi/UefiSpec.h>\r
\r
#include <Guid/HttpTlsCipherList.h>\r
#include <Guid/TlsAuthentication.h>\r
\r
#include <Library/BaseLib.h>\r
#include <Library/DebugLib.h>\r
#include <Library/MemoryAllocationLib.h>\r
#include <Library/QemuFwCfgLib.h>\r
#include <Library/UefiRuntimeServicesTableLib.h>\r
\r
/**\r
  Read the list of trusted CA certificates from the fw_cfg file\r
  "etc/edk2/https/cacerts", and store it to\r
  gEfiTlsCaCertificateGuid:EFI_TLS_CA_CERTIFICATE_VARIABLE.\r
\r
  The contents are validated (for well-formedness) by NetworkPkg/HttpDxe.\r
**/\r
STATIC\r
VOID\r
SetCaCerts (\r
  VOID\r
  )\r
{\r
  EFI_STATUS           Status;\r
  FIRMWARE_CONFIG_ITEM HttpsCaCertsItem;\r
  UINTN                HttpsCaCertsSize;\r
  VOID                 *HttpsCaCerts;\r
\r
  Status = QemuFwCfgFindFile ("etc/edk2/https/cacerts", &HttpsCaCertsItem,\r
             &HttpsCaCertsSize);\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_VERBOSE, "%a:%a: not touching CA cert list\n",\r
      gEfiCallerBaseName, __FUNCTION__));\r
    return;\r
  }\r
\r
  //\r
  // Delete the current EFI_TLS_CA_CERTIFICATE_VARIABLE if it exists. This\r
  // serves two purposes:\r
  //\r
  // (a) If the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we\r
  //     cannot make it volatile without deleting it first.\r
  //\r
  // (b) If we fail to recreate the variable later, deleting the current one is\r
  //     still justified if the fw_cfg file exists. Emptying the set of trusted\r
  //     CA certificates will fail HTTPS boot, which is better than trusting\r
  //     any certificate that's possibly missing from the fw_cfg file.\r
  //\r
  Status = gRT->SetVariable (\r
                  EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName\r
                  &gEfiTlsCaCertificateGuid,       // VendorGuid\r
                  0,                               // Attributes\r
                  0,                               // DataSize\r
                  NULL                             // Data\r
                  );\r
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
    //\r
    // This is fatal.\r
    //\r
    DEBUG ((DEBUG_ERROR, "%a:%a: failed to delete %g:\"%s\"\n",\r
      gEfiCallerBaseName, __FUNCTION__, &gEfiTlsCaCertificateGuid,\r
      EFI_TLS_CA_CERTIFICATE_VARIABLE));\r
    ASSERT_EFI_ERROR (Status);\r
    CpuDeadLoop ();\r
  }\r
\r
  if (HttpsCaCertsSize == 0) {\r
    DEBUG ((DEBUG_VERBOSE, "%a:%a: applied empty CA cert list\n",\r
      gEfiCallerBaseName, __FUNCTION__));\r
    return;\r
  }\r
\r
  HttpsCaCerts = AllocatePool (HttpsCaCertsSize);\r
  if (HttpsCaCerts == NULL) {\r
    DEBUG ((DEBUG_ERROR, "%a:%a: failed to allocate HttpsCaCerts\n",\r
      gEfiCallerBaseName, __FUNCTION__));\r
    return;\r
  }\r
\r
  QemuFwCfgSelectItem (HttpsCaCertsItem);\r
  QemuFwCfgReadBytes (HttpsCaCertsSize, HttpsCaCerts);\r
\r
  Status = gRT->SetVariable (\r
                  EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName\r
                  &gEfiTlsCaCertificateGuid,       // VendorGuid\r
                  EFI_VARIABLE_BOOTSERVICE_ACCESS, // Attributes\r
                  HttpsCaCertsSize,                // DataSize\r
                  HttpsCaCerts                     // Data\r
                  );\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_ERROR, "%a:%a: failed to set %g:\"%s\": %r\n",\r
      gEfiCallerBaseName, __FUNCTION__, &gEfiTlsCaCertificateGuid,\r
      EFI_TLS_CA_CERTIFICATE_VARIABLE, Status));\r
    goto FreeHttpsCaCerts;\r
  }\r
\r
  DEBUG ((DEBUG_VERBOSE, "%a:%a: stored CA cert list (%Lu byte(s))\n",\r
    gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCaCertsSize));\r
\r
FreeHttpsCaCerts:\r
  FreePool (HttpsCaCerts);\r
}\r
\r
/**\r
  Read the list of trusted cipher suites from the fw_cfg file\r
  "etc/edk2/https/ciphers", and store it to\r
  gEdkiiHttpTlsCipherListGuid:EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.\r
\r
  The contents are propagated by NetworkPkg/HttpDxe to NetworkPkg/TlsDxe; the\r
  list is processed by the latter.\r
**/\r
STATIC\r
VOID\r
SetCipherSuites (\r
  VOID\r
  )\r
{\r
  EFI_STATUS           Status;\r
  FIRMWARE_CONFIG_ITEM HttpsCiphersItem;\r
  UINTN                HttpsCiphersSize;\r
  VOID                 *HttpsCiphers;\r
\r
  Status = QemuFwCfgFindFile ("etc/edk2/https/ciphers", &HttpsCiphersItem,\r
             &HttpsCiphersSize);\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_VERBOSE, "%a:%a: not touching cipher suites\n",\r
      gEfiCallerBaseName, __FUNCTION__));\r
    return;\r
  }\r
  //\r
  // From this point on, any failure is fatal. An ordered cipher preference\r
  // list is available from QEMU, thus we cannot let the firmware attempt HTTPS\r
  // boot with either pre-existent or non-existent preferences. An empty set of\r
  // cipher suites does not fail HTTPS boot automatically; the default cipher\r
  // suite preferences would take effect, and we must prevent that.\r
  //\r
  // Delete the current EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE if it exists. If\r
  // the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we cannot\r
  // make it volatile without deleting it first.\r
  //\r
  Status = gRT->SetVariable (\r
                  EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName\r
                  &gEdkiiHttpTlsCipherListGuid,        // VendorGuid\r
                  0,                                   // Attributes\r
                  0,                                   // DataSize\r
                  NULL                                 // Data\r
                  );\r
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
    DEBUG ((DEBUG_ERROR, "%a:%a: failed to delete %g:\"%s\"\n",\r
      gEfiCallerBaseName, __FUNCTION__, &gEdkiiHttpTlsCipherListGuid,\r
      EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE));\r
    goto Done;\r
  }\r
\r
  if (HttpsCiphersSize == 0) {\r
    DEBUG ((DEBUG_ERROR, "%a:%a: list of cipher suites must not be empty\n",\r
      gEfiCallerBaseName, __FUNCTION__));\r
    Status = EFI_INVALID_PARAMETER;\r
    goto Done;\r
  }\r
\r
  HttpsCiphers = AllocatePool (HttpsCiphersSize);\r
  if (HttpsCiphers == NULL) {\r
    DEBUG ((DEBUG_ERROR, "%a:%a: failed to allocate HttpsCiphers\n",\r
      gEfiCallerBaseName, __FUNCTION__));\r
    Status = EFI_OUT_OF_RESOURCES;\r
    goto Done;\r
  }\r
\r
  QemuFwCfgSelectItem (HttpsCiphersItem);\r
  QemuFwCfgReadBytes (HttpsCiphersSize, HttpsCiphers);\r
\r
  Status = gRT->SetVariable (\r
                  EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName\r
                  &gEdkiiHttpTlsCipherListGuid,        // VendorGuid\r
                  EFI_VARIABLE_BOOTSERVICE_ACCESS,     // Attributes\r
                  HttpsCiphersSize,                    // DataSize\r
                  HttpsCiphers                         // Data\r
                  );\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_ERROR, "%a:%a: failed to set %g:\"%s\"\n",\r
      gEfiCallerBaseName, __FUNCTION__, &gEdkiiHttpTlsCipherListGuid,\r
      EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE));\r
    goto FreeHttpsCiphers;\r
  }\r
\r
  DEBUG ((DEBUG_VERBOSE, "%a:%a: stored list of cipher suites (%Lu byte(s))\n",\r
    gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCiphersSize));\r
\r
FreeHttpsCiphers:\r
  FreePool (HttpsCiphers);\r
\r
Done:\r
  if (EFI_ERROR (Status)) {\r
    ASSERT_EFI_ERROR (Status);\r
    CpuDeadLoop ();\r
  }\r
}\r
\r
RETURN_STATUS\r
EFIAPI\r
TlsAuthConfigInit (\r
  VOID\r
  )\r
{\r
  SetCaCerts ();\r
  SetCipherSuites ();\r
\r
  return RETURN_SUCCESS;\r
}\r
Commit	Line	Data
9c7d0d49 LE	1	/** @file\r
	2	\r
	3	A hook-in library for NetworkPkg/TlsAuthConfigDxe, in order to set volatile\r
	4	variables related to TLS configuration, before TlsAuthConfigDxe or HttpDxe\r
	5	(which is a UEFI_DRIVER) consume them.\r
	6	\r
	7	Copyright (C) 2013, 2015, 2018, Red Hat, Inc.\r
	8	Copyright (c) 2008 - 2012, Intel Corporation. All rights reserved.<BR>\r
	9	\r
	10	This program and the accompanying materials are licensed and made available\r
	11	under the terms and conditions of the BSD License which accompanies this\r
	12	distribution. The full text of the license may be found at\r
	13	http://opensource.org/licenses/bsd-license.php\r
	14	\r
	15	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT\r
	16	WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	17	\r
	18	**/\r
	19	\r
	20	#include <Uefi/UefiBaseType.h>\r
	21	#include <Uefi/UefiSpec.h>\r
	22	\r
ba9c8a8c	23	#include <Guid/HttpTlsCipherList.h>\r
9c7d0d49 LE	24	#include <Guid/TlsAuthentication.h>\r
	25	\r
	26	#include <Library/BaseLib.h>\r
	27	#include <Library/DebugLib.h>\r
	28	#include <Library/MemoryAllocationLib.h>\r
	29	#include <Library/QemuFwCfgLib.h>\r
	30	#include <Library/UefiRuntimeServicesTableLib.h>\r
	31	\r
	32	/**\r
	33	Read the list of trusted CA certificates from the fw_cfg file\r
	34	"etc/edk2/https/cacerts", and store it to\r
	35	gEfiTlsCaCertificateGuid:EFI_TLS_CA_CERTIFICATE_VARIABLE.\r
	36	\r
	37	The contents are validated (for well-formedness) by NetworkPkg/HttpDxe.\r
	38	**/\r
	39	STATIC\r
	40	VOID\r
	41	SetCaCerts (\r
	42	VOID\r
	43	)\r
	44	{\r
	45	EFI_STATUS Status;\r
	46	FIRMWARE_CONFIG_ITEM HttpsCaCertsItem;\r
	47	UINTN HttpsCaCertsSize;\r
	48	VOID *HttpsCaCerts;\r
	49	\r
	50	Status = QemuFwCfgFindFile ("etc/edk2/https/cacerts", &HttpsCaCertsItem,\r
	51	&HttpsCaCertsSize);\r
	52	if (EFI_ERROR (Status)) {\r
	53	DEBUG ((DEBUG_VERBOSE, "%a:%a: not touching CA cert list\n",\r
	54	gEfiCallerBaseName, __FUNCTION__));\r
	55	return;\r
	56	}\r
	57	\r
	58	//\r
	59	// Delete the current EFI_TLS_CA_CERTIFICATE_VARIABLE if it exists. This\r
	60	// serves two purposes:\r
	61	//\r
	62	// (a) If the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we\r
	63	// cannot make it volatile without deleting it first.\r
	64	//\r
	65	// (b) If we fail to recreate the variable later, deleting the current one is\r
	66	// still justified if the fw_cfg file exists. Emptying the set of trusted\r
	67	// CA certificates will fail HTTPS boot, which is better than trusting\r
	68	// any certificate that's possibly missing from the fw_cfg file.\r
	69	//\r
	70	Status = gRT->SetVariable (\r
	71	EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName\r
	72	&gEfiTlsCaCertificateGuid, // VendorGuid\r
	73	0, // Attributes\r
	74	0, // DataSize\r
	75	NULL // Data\r
	76	);\r
	77	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
	78	//\r
	79	// This is fatal.\r
	80	//\r
	81	DEBUG ((DEBUG_ERROR, "%a:%a: failed to delete %g:\"%s\"\n",\r
	82	gEfiCallerBaseName, __FUNCTION__, &gEfiTlsCaCertificateGuid,\r
	83	EFI_TLS_CA_CERTIFICATE_VARIABLE));\r
	84	ASSERT_EFI_ERROR (Status);\r
	85	CpuDeadLoop ();\r
	86	}\r
	87	\r
88	if (HttpsCaCertsSize == 0) {\r
89	DEBUG ((DEBUG_VERBOSE, "%a:%a: applied empty CA cert list\n",\r
90	gEfiCallerBaseName, __FUNCTION__));\r
91	return;\r
92	}\r
93	\r
94	HttpsCaCerts = AllocatePool (HttpsCaCertsSize);\r
95	if (HttpsCaCerts == NULL) {\r
96	DEBUG ((DEBUG_ERROR, "%a:%a: failed to allocate HttpsCaCerts\n",\r
97	gEfiCallerBaseName, __FUNCTION__));\r
98	return;\r
99	}\r
100	\r
101	QemuFwCfgSelectItem (HttpsCaCertsItem);\r
102	QemuFwCfgReadBytes (HttpsCaCertsSize, HttpsCaCerts);\r
103	\r
104	Status = gRT->SetVariable (\r
105	EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName\r
106	&gEfiTlsCaCertificateGuid, // VendorGuid\r
107	EFI_VARIABLE_BOOTSERVICE_ACCESS, // Attributes\r
108	HttpsCaCertsSize, // DataSize\r
109	HttpsCaCerts // Data\r
110	);\r
111	if (EFI_ERROR (Status)) {\r
112	DEBUG ((DEBUG_ERROR, "%a:%a: failed to set %g:\"%s\": %r\n",\r
113	gEfiCallerBaseName, __FUNCTION__, &gEfiTlsCaCertificateGuid,\r
114	EFI_TLS_CA_CERTIFICATE_VARIABLE, Status));\r
115	goto FreeHttpsCaCerts;\r
116	}\r
117	\r
118	DEBUG ((DEBUG_VERBOSE, "%a:%a: stored CA cert list (%Lu byte(s))\n",\r
119	gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCaCertsSize));\r
120	\r
121	FreeHttpsCaCerts:\r
122	FreePool (HttpsCaCerts);\r
123	}\r
124	\r
ba9c8a8c LE	125	/**\r
	126	Read the list of trusted cipher suites from the fw_cfg file\r
	127	"etc/edk2/https/ciphers", and store it to\r
	128	gEdkiiHttpTlsCipherListGuid:EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.\r
	129	\r
	130	The contents are propagated by NetworkPkg/HttpDxe to NetworkPkg/TlsDxe; the\r
	131	list is processed by the latter.\r
	132	**/\r
	133	STATIC\r
	134	VOID\r
	135	SetCipherSuites (\r
	136	VOID\r
	137	)\r
	138	{\r
	139	EFI_STATUS Status;\r
	140	FIRMWARE_CONFIG_ITEM HttpsCiphersItem;\r
	141	UINTN HttpsCiphersSize;\r
	142	VOID *HttpsCiphers;\r
	143	\r
	144	Status = QemuFwCfgFindFile ("etc/edk2/https/ciphers", &HttpsCiphersItem,\r
	145	&HttpsCiphersSize);\r
	146	if (EFI_ERROR (Status)) {\r
	147	DEBUG ((DEBUG_VERBOSE, "%a:%a: not touching cipher suites\n",\r
	148	gEfiCallerBaseName, __FUNCTION__));\r
	149	return;\r
	150	}\r
	151	//\r
	152	// From this point on, any failure is fatal. An ordered cipher preference\r
	153	// list is available from QEMU, thus we cannot let the firmware attempt HTTPS\r
	154	// boot with either pre-existent or non-existent preferences. An empty set of\r
	155	// cipher suites does not fail HTTPS boot automatically; the default cipher\r
	156	// suite preferences would take effect, and we must prevent that.\r
	157	//\r
	158	// Delete the current EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE if it exists. If\r
	159	// the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we cannot\r
	160	// make it volatile without deleting it first.\r
	161	//\r
	162	Status = gRT->SetVariable (\r
	163	EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName\r
	164	&gEdkiiHttpTlsCipherListGuid, // VendorGuid\r
	165	0, // Attributes\r
	166	0, // DataSize\r
	167	NULL // Data\r
	168	);\r
	169	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
	170	DEBUG ((DEBUG_ERROR, "%a:%a: failed to delete %g:\"%s\"\n",\r
	171	gEfiCallerBaseName, __FUNCTION__, &gEdkiiHttpTlsCipherListGuid,\r
	172	EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE));\r
	173	goto Done;\r
	174	}\r
	175	\r
	176	if (HttpsCiphersSize == 0) {\r
	177	DEBUG ((DEBUG_ERROR, "%a:%a: list of cipher suites must not be empty\n",\r
	178	gEfiCallerBaseName, __FUNCTION__));\r
	179	Status = EFI_INVALID_PARAMETER;\r
	180	goto Done;\r
	181	}\r
	182	\r
	183	HttpsCiphers = AllocatePool (HttpsCiphersSize);\r
	184	if (HttpsCiphers == NULL) {\r
	185	DEBUG ((DEBUG_ERROR, "%a:%a: failed to allocate HttpsCiphers\n",\r
	186	gEfiCallerBaseName, __FUNCTION__));\r
	187	Status = EFI_OUT_OF_RESOURCES;\r
	188	goto Done;\r
189	}\r
190	\r
191	QemuFwCfgSelectItem (HttpsCiphersItem);\r
192	QemuFwCfgReadBytes (HttpsCiphersSize, HttpsCiphers);\r
193	\r
194	Status = gRT->SetVariable (\r
195	EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName\r
196	&gEdkiiHttpTlsCipherListGuid, // VendorGuid\r
197	EFI_VARIABLE_BOOTSERVICE_ACCESS, // Attributes\r
198	HttpsCiphersSize, // DataSize\r
199	HttpsCiphers // Data\r
200	);\r
201	if (EFI_ERROR (Status)) {\r
202	DEBUG ((DEBUG_ERROR, "%a:%a: failed to set %g:\"%s\"\n",\r
203	gEfiCallerBaseName, __FUNCTION__, &gEdkiiHttpTlsCipherListGuid,\r
204	EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE));\r
205	goto FreeHttpsCiphers;\r
206	}\r
207	\r
208	DEBUG ((DEBUG_VERBOSE, "%a:%a: stored list of cipher suites (%Lu byte(s))\n",\r
209	gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCiphersSize));\r
210	\r
211	FreeHttpsCiphers:\r
212	FreePool (HttpsCiphers);\r
213	\r
214	Done:\r
215	if (EFI_ERROR (Status)) {\r
216	ASSERT_EFI_ERROR (Status);\r
217	CpuDeadLoop ();\r
218	}\r
219	}\r
220	\r
9c7d0d49 LE	221	RETURN_STATUS\r
	222	EFIAPI\r
	223	TlsAuthConfigInit (\r
	224	VOID\r
	225	)\r
	226	{\r
	227	SetCaCerts ();\r
ba9c8a8c	228	SetCipherSuites ();\r
9c7d0d49 LE	229	\r
	230	return RETURN_SUCCESS;\r
	231	}\r