[mirror_edk2.git] / SecurityPkg / Library / SecureBootVariableProvisionLib / SecureBootVariableProvisionLib.c

/** @file\r
  This library provides functions to set/clear Secure Boot\r
  keys and databases.\r
\r
  Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>\r
  (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>\r
  Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r
  Copyright (c) 2021, Semihalf All rights reserved.<BR>\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
**/\r
#include <Guid/GlobalVariable.h>\r
#include <Guid/AuthenticatedVariableFormat.h>\r
#include <Guid/ImageAuthentication.h>\r
#include <Library/BaseLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include <Library/DebugLib.h>\r
#include <Library/UefiLib.h>\r
#include <Library/MemoryAllocationLib.h>\r
#include <Library/UefiRuntimeServicesTableLib.h>\r
#include <Library/SecureBootVariableLib.h>\r
#include <Library/SecureBootVariableProvisionLib.h>\r
\r
/**\r
  Enroll a key/certificate based on a default variable.\r
\r
  @param[in] VariableName        The name of the key/database.\r
  @param[in] DefaultName         The name of the default variable.\r
  @param[in] VendorGuid          The namespace (ie. vendor GUID) of the variable\r
\r
  @retval EFI_OUT_OF_RESOURCES   Out of memory while allocating AuthHeader.\r
  @retval EFI_SUCCESS            Successful enrollment.\r
  @return                        Error codes from GetTime () and SetVariable ().\r
**/\r
STATIC\r
EFI_STATUS\r
EnrollFromDefault (\r
  IN CHAR16    *VariableName,\r
  IN CHAR16    *DefaultName,\r
  IN EFI_GUID  *VendorGuid\r
  )\r
{\r
  VOID        *Data;\r
  UINTN       DataSize;\r
  EFI_STATUS  Status;\r
\r
  Status = EFI_SUCCESS;\r
\r
  DataSize = 0;\r
  Status   = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));\r
    return Status;\r
  }\r
\r
  CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));\r
    return Status;\r
  }\r
\r
  //\r
  // Allocate memory for auth variable\r
  //\r
  Status = gRT->SetVariable (\r
                  VariableName,\r
                  VendorGuid,\r
                  (EFI_VARIABLE_NON_VOLATILE |\r
                   EFI_VARIABLE_BOOTSERVICE_ACCESS |\r
                   EFI_VARIABLE_RUNTIME_ACCESS |\r
                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),\r
                  DataSize,\r
                  Data\r
                  );\r
\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((\r
      DEBUG_ERROR,\r
      "error: %a (\"%s\", %g): %r\n",\r
      __FUNCTION__,\r
      VariableName,\r
      VendorGuid,\r
      Status\r
      ));\r
  }\r
\r
  if (Data != NULL) {\r
    FreePool (Data);\r
  }\r
\r
  return Status;\r
}\r
\r
/** Initializes PKDefault variable with data from FFS section.\r
\r
  @retval  EFI_SUCCESS           Variable was initialized successfully.\r
  @retval  EFI_UNSUPPORTED       Variable already exists.\r
**/\r
EFI_STATUS\r
SecureBootInitPKDefault (\r
  IN VOID\r
  )\r
{\r
  EFI_SIGNATURE_LIST  *EfiSig;\r
  UINTN               SigListsSize;\r
  EFI_STATUS          Status;\r
  UINT8               *Data;\r
  UINTN               DataSize;\r
\r
  //\r
  // Check if variable exists, if so do not change it\r
  //\r
  Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
  if (Status == EFI_SUCCESS) {\r
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
    FreePool (Data);\r
    return EFI_UNSUPPORTED;\r
  }\r
\r
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
    return Status;\r
  }\r
\r
  //\r
  // Variable does not exist, can be initialized\r
  //\r
  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
\r
  Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
    return Status;\r
  }\r
\r
  Status = gRT->SetVariable (\r
                  EFI_PK_DEFAULT_VARIABLE_NAME,\r
                  &gEfiGlobalVariableGuid,\r
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
                  SigListsSize,\r
                  (VOID *)EfiSig\r
                  );\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
  }\r
\r
  FreePool (EfiSig);\r
\r
  return Status;\r
}\r
\r
/** Initializes KEKDefault variable with data from FFS section.\r
\r
  @retval  EFI_SUCCESS           Variable was initialized successfully.\r
  @retval  EFI_UNSUPPORTED       Variable already exists.\r
**/\r
EFI_STATUS\r
SecureBootInitKEKDefault (\r
  IN VOID\r
  )\r
{\r
  EFI_SIGNATURE_LIST  *EfiSig;\r
  UINTN               SigListsSize;\r
  EFI_STATUS          Status;\r
  UINT8               *Data;\r
  UINTN               DataSize;\r
\r
  //\r
  // Check if variable exists, if so do not change it\r
  //\r
  Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
  if (Status == EFI_SUCCESS) {\r
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
    FreePool (Data);\r
    return EFI_UNSUPPORTED;\r
  }\r
\r
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
    return Status;\r
  }\r
\r
  //\r
  // Variable does not exist, can be initialized\r
  //\r
  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
\r
  Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
    return Status;\r
  }\r
\r
  Status = gRT->SetVariable (\r
                  EFI_KEK_DEFAULT_VARIABLE_NAME,\r
                  &gEfiGlobalVariableGuid,\r
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
                  SigListsSize,\r
                  (VOID *)EfiSig\r
                  );\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
  }\r
\r
  FreePool (EfiSig);\r
\r
  return Status;\r
}\r
\r
/** Initializes dbDefault variable with data from FFS section.\r
\r
  @retval  EFI_SUCCESS           Variable was initialized successfully.\r
  @retval  EFI_UNSUPPORTED       Variable already exists.\r
**/\r
EFI_STATUS\r
SecureBootInitDbDefault (\r
  IN VOID\r
  )\r
{\r
  EFI_SIGNATURE_LIST  *EfiSig;\r
  UINTN               SigListsSize;\r
  EFI_STATUS          Status;\r
  UINT8               *Data;\r
  UINTN               DataSize;\r
\r
  Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
  if (Status == EFI_SUCCESS) {\r
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));\r
    FreePool (Data);\r
    return EFI_UNSUPPORTED;\r
  }\r
\r
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
    return Status;\r
  }\r
\r
  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));\r
\r
  Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  Status = gRT->SetVariable (\r
                  EFI_DB_DEFAULT_VARIABLE_NAME,\r
                  &gEfiGlobalVariableGuid,\r
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
                  SigListsSize,\r
                  (VOID *)EfiSig\r
                  );\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));\r
  }\r
\r
  FreePool (EfiSig);\r
\r
  return Status;\r
}\r
\r
/** Initializes dbxDefault variable with data from FFS section.\r
\r
  @retval  EFI_SUCCESS           Variable was initialized successfully.\r
  @retval  EFI_UNSUPPORTED       Variable already exists.\r
**/\r
EFI_STATUS\r
SecureBootInitDbxDefault (\r
  IN VOID\r
  )\r
{\r
  EFI_SIGNATURE_LIST  *EfiSig;\r
  UINTN               SigListsSize;\r
  EFI_STATUS          Status;\r
  UINT8               *Data;\r
  UINTN               DataSize;\r
\r
  //\r
  // Check if variable exists, if so do not change it\r
  //\r
  Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
  if (Status == EFI_SUCCESS) {\r
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
    FreePool (Data);\r
    return EFI_UNSUPPORTED;\r
  }\r
\r
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
    return Status;\r
  }\r
\r
  //\r
  // Variable does not exist, can be initialized\r
  //\r
  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
\r
  Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
    return Status;\r
  }\r
\r
  Status = gRT->SetVariable (\r
                  EFI_DBX_DEFAULT_VARIABLE_NAME,\r
                  &gEfiGlobalVariableGuid,\r
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
                  SigListsSize,\r
                  (VOID *)EfiSig\r
                  );\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
  }\r
\r
  FreePool (EfiSig);\r
\r
  return Status;\r
}\r
\r
/** Initializes dbtDefault variable with data from FFS section.\r
\r
  @retval  EFI_SUCCESS           Variable was initialized successfully.\r
  @retval  EFI_UNSUPPORTED       Variable already exists.\r
**/\r
EFI_STATUS\r
SecureBootInitDbtDefault (\r
  IN VOID\r
  )\r
{\r
  EFI_SIGNATURE_LIST  *EfiSig;\r
  UINTN               SigListsSize;\r
  EFI_STATUS          Status;\r
  UINT8               *Data;\r
  UINTN               DataSize;\r
\r
  //\r
  // Check if variable exists, if so do not change it\r
  //\r
  Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
  if (Status == EFI_SUCCESS) {\r
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));\r
    FreePool (Data);\r
    return EFI_UNSUPPORTED;\r
  }\r
\r
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
    return Status;\r
  }\r
\r
  //\r
  // Variable does not exist, can be initialized\r
  //\r
  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));\r
\r
  Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  Status = gRT->SetVariable (\r
                  EFI_DBT_DEFAULT_VARIABLE_NAME,\r
                  &gEfiGlobalVariableGuid,\r
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
                  SigListsSize,\r
                  (VOID *)EfiSig\r
                  );\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));\r
  }\r
\r
  FreePool (EfiSig);\r
\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
  Sets the content of the 'db' variable based on 'dbDefault' variable content.\r
\r
  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
                                    while VendorGuid is NULL.\r
  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()\r
**/\r
EFI_STATUS\r
EFIAPI\r
EnrollDbFromDefault (\r
  VOID\r
  )\r
{\r
  EFI_STATUS  Status;\r
\r
  Status = EnrollFromDefault (\r
             EFI_IMAGE_SECURITY_DATABASE,\r
             EFI_DB_DEFAULT_VARIABLE_NAME,\r
             &gEfiImageSecurityDatabaseGuid\r
             );\r
\r
  return Status;\r
}\r
\r
/**\r
  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.\r
\r
  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
                                    while VendorGuid is NULL.\r
  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()\r
**/\r
EFI_STATUS\r
EFIAPI\r
EnrollDbxFromDefault (\r
  VOID\r
  )\r
{\r
  EFI_STATUS  Status;\r
\r
  Status = EnrollFromDefault (\r
             EFI_IMAGE_SECURITY_DATABASE1,\r
             EFI_DBX_DEFAULT_VARIABLE_NAME,\r
             &gEfiImageSecurityDatabaseGuid\r
             );\r
\r
  return Status;\r
}\r
\r
/**\r
  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.\r
\r
  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
                                    while VendorGuid is NULL.\r
  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()\r
**/\r
EFI_STATUS\r
EFIAPI\r
EnrollDbtFromDefault (\r
  VOID\r
  )\r
{\r
  EFI_STATUS  Status;\r
\r
  Status = EnrollFromDefault (\r
             EFI_IMAGE_SECURITY_DATABASE2,\r
             EFI_DBT_DEFAULT_VARIABLE_NAME,\r
             &gEfiImageSecurityDatabaseGuid\r
             );\r
\r
  return Status;\r
}\r
\r
/**\r
  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.\r
\r
  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
                                    while VendorGuid is NULL.\r
  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()\r
**/\r
EFI_STATUS\r
EFIAPI\r
EnrollKEKFromDefault (\r
  VOID\r
  )\r
{\r
  EFI_STATUS  Status;\r
\r
  Status = EnrollFromDefault (\r
             EFI_KEY_EXCHANGE_KEY_NAME,\r
             EFI_KEK_DEFAULT_VARIABLE_NAME,\r
             &gEfiGlobalVariableGuid\r
             );\r
\r
  return Status;\r
}\r
\r
/**\r
  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.\r
\r
  @retval EFI_OUT_OF_RESOURCES      If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
                                    while VendorGuid is NULL.\r
  @retval other                     Errors from GetVariable2 (), GetTime () and SetVariable ()\r
**/\r
EFI_STATUS\r
EFIAPI\r
EnrollPKFromDefault (\r
  VOID\r
  )\r
{\r
  EFI_STATUS  Status;\r
\r
  Status = EnrollFromDefault (\r
             EFI_PLATFORM_KEY_NAME,\r
             EFI_PK_DEFAULT_VARIABLE_NAME,\r
             &gEfiGlobalVariableGuid\r
             );\r
\r
  return Status;\r
}\r
Commit	Line	Data
97326596 GB	1	/** @file\r
	2	This library provides functions to set/clear Secure Boot\r
	3	keys and databases.\r
	4	\r
	5	Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>\r
	6	(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>\r
	7	Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>\r
	8	Copyright (c) 2021, Semihalf All rights reserved.<BR>\r
	9	SPDX-License-Identifier: BSD-2-Clause-Patent\r
	10	**/\r
	11	#include <Guid/GlobalVariable.h>\r
	12	#include <Guid/AuthenticatedVariableFormat.h>\r
	13	#include <Guid/ImageAuthentication.h>\r
	14	#include <Library/BaseLib.h>\r
	15	#include <Library/BaseMemoryLib.h>\r
	16	#include <Library/DebugLib.h>\r
	17	#include <Library/UefiLib.h>\r
	18	#include <Library/MemoryAllocationLib.h>\r
	19	#include <Library/UefiRuntimeServicesTableLib.h>\r
	20	#include <Library/SecureBootVariableLib.h>\r
	21	#include <Library/SecureBootVariableProvisionLib.h>\r
	22	\r
	23	/**\r
	24	Enroll a key/certificate based on a default variable.\r
	25	\r
	26	@param[in] VariableName The name of the key/database.\r
	27	@param[in] DefaultName The name of the default variable.\r
	28	@param[in] VendorGuid The namespace (ie. vendor GUID) of the variable\r
	29	\r
	30	@retval EFI_OUT_OF_RESOURCES Out of memory while allocating AuthHeader.\r
	31	@retval EFI_SUCCESS Successful enrollment.\r
	32	@return Error codes from GetTime () and SetVariable ().\r
	33	**/\r
	34	STATIC\r
	35	EFI_STATUS\r
	36	EnrollFromDefault (\r
c411b485 MK	37	IN CHAR16 *VariableName,\r
	38	IN CHAR16 *DefaultName,\r
	39	IN EFI_GUID *VendorGuid\r
97326596 GB	40	)\r
97326596 GB	41	{\r
c411b485	42	VOID *Data;\r
97326596 GB	43	UINTN DataSize;\r
	44	EFI_STATUS Status;\r
	45	\r
	46	Status = EFI_SUCCESS;\r
	47	\r
	48	DataSize = 0;\r
c411b485	49	Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);\r
97326596	50	if (EFI_ERROR (Status)) {\r
c411b485 MK	51	DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", DefaultName, Status));\r
c411b485 MK	52	return Status;\r
97326596 GB	53	}\r
	54	\r
	55	CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);\r
	56	if (EFI_ERROR (Status)) {\r
	57	DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));\r
	58	return Status;\r
	59	}\r
	60	\r
	61	//\r
	62	// Allocate memory for auth variable\r
	63	//\r
	64	Status = gRT->SetVariable (\r
	65	VariableName,\r
	66	VendorGuid,\r
	67	(EFI_VARIABLE_NON_VOLATILE \|\r
	68	EFI_VARIABLE_BOOTSERVICE_ACCESS \|\r
	69	EFI_VARIABLE_RUNTIME_ACCESS \|\r
	70	EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),\r
	71	DataSize,\r
	72	Data\r
	73	);\r
	74	\r
	75	if (EFI_ERROR (Status)) {\r
c411b485 MK	76	DEBUG ((\r
	77	DEBUG_ERROR,\r
	78	"error: %a (\"%s\", %g): %r\n",\r
	79	__FUNCTION__,\r
	80	VariableName,\r
	81	VendorGuid,\r
	82	Status\r
	83	));\r
97326596 GB	84	}\r
	85	\r
	86	if (Data != NULL) {\r
	87	FreePool (Data);\r
	88	}\r
	89	\r
	90	return Status;\r
	91	}\r
	92	\r
	93	/** Initializes PKDefault variable with data from FFS section.\r
	94	\r
	95	@retval EFI_SUCCESS Variable was initialized successfully.\r
	96	@retval EFI_UNSUPPORTED Variable already exists.\r
	97	**/\r
	98	EFI_STATUS\r
	99	SecureBootInitPKDefault (\r
	100	IN VOID\r
	101	)\r
	102	{\r
c411b485	103	EFI_SIGNATURE_LIST *EfiSig;\r
97326596 GB	104	UINTN SigListsSize;\r
	105	EFI_STATUS Status;\r
	106	UINT8 *Data;\r
	107	UINTN DataSize;\r
	108	\r
	109	//\r
	110	// Check if variable exists, if so do not change it\r
	111	//\r
c411b485	112	Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
97326596 GB	113	if (Status == EFI_SUCCESS) {\r
	114	DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
	115	FreePool (Data);\r
	116	return EFI_UNSUPPORTED;\r
	117	}\r
	118	\r
	119	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
	120	return Status;\r
	121	}\r
	122	\r
	123	//\r
	124	// Variable does not exist, can be initialized\r
	125	//\r
	126	DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
	127	\r
	128	Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &EfiSig);\r
	129	if (EFI_ERROR (Status)) {\r
	130	DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
	131	return Status;\r
	132	}\r
	133	\r
	134	Status = gRT->SetVariable (\r
	135	EFI_PK_DEFAULT_VARIABLE_NAME,\r
	136	&gEfiGlobalVariableGuid,\r
	137	EFI_VARIABLE_RUNTIME_ACCESS \| EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
	138	SigListsSize,\r
	139	(VOID *)EfiSig\r
	140	);\r
	141	if (EFI_ERROR (Status)) {\r
	142	DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));\r
	143	}\r
	144	\r
	145	FreePool (EfiSig);\r
	146	\r
	147	return Status;\r
	148	}\r
	149	\r
	150	/** Initializes KEKDefault variable with data from FFS section.\r
	151	\r
	152	@retval EFI_SUCCESS Variable was initialized successfully.\r
	153	@retval EFI_UNSUPPORTED Variable already exists.\r
	154	**/\r
	155	EFI_STATUS\r
	156	SecureBootInitKEKDefault (\r
	157	IN VOID\r
	158	)\r
	159	{\r
c411b485	160	EFI_SIGNATURE_LIST *EfiSig;\r
97326596 GB	161	UINTN SigListsSize;\r
97326596 GB	162	EFI_STATUS Status;\r
c411b485	163	UINT8 *Data;\r
97326596 GB	164	UINTN DataSize;\r
	165	\r
	166	//\r
	167	// Check if variable exists, if so do not change it\r
	168	//\r
c411b485	169	Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
97326596 GB	170	if (Status == EFI_SUCCESS) {\r
	171	DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
	172	FreePool (Data);\r
	173	return EFI_UNSUPPORTED;\r
	174	}\r
	175	\r
	176	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
	177	return Status;\r
	178	}\r
	179	\r
	180	//\r
	181	// Variable does not exist, can be initialized\r
	182	//\r
	183	DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
	184	\r
	185	Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &EfiSig);\r
	186	if (EFI_ERROR (Status)) {\r
	187	DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
	188	return Status;\r
	189	}\r
	190	\r
97326596 GB	191	Status = gRT->SetVariable (\r
	192	EFI_KEK_DEFAULT_VARIABLE_NAME,\r
	193	&gEfiGlobalVariableGuid,\r
	194	EFI_VARIABLE_RUNTIME_ACCESS \| EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
	195	SigListsSize,\r
	196	(VOID *)EfiSig\r
	197	);\r
	198	if (EFI_ERROR (Status)) {\r
	199	DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));\r
	200	}\r
	201	\r
	202	FreePool (EfiSig);\r
	203	\r
	204	return Status;\r
	205	}\r
	206	\r
	207	/** Initializes dbDefault variable with data from FFS section.\r
	208	\r
	209	@retval EFI_SUCCESS Variable was initialized successfully.\r
	210	@retval EFI_UNSUPPORTED Variable already exists.\r
	211	**/\r
	212	EFI_STATUS\r
	213	SecureBootInitDbDefault (\r
	214	IN VOID\r
	215	)\r
	216	{\r
c411b485	217	EFI_SIGNATURE_LIST *EfiSig;\r
97326596 GB	218	UINTN SigListsSize;\r
97326596 GB	219	EFI_STATUS Status;\r
c411b485	220	UINT8 *Data;\r
97326596 GB	221	UINTN DataSize;\r
97326596 GB	222	\r
c411b485	223	Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
97326596 GB	224	if (Status == EFI_SUCCESS) {\r
	225	DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));\r
	226	FreePool (Data);\r
	227	return EFI_UNSUPPORTED;\r
	228	}\r
	229	\r
	230	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
	231	return Status;\r
	232	}\r
	233	\r
	234	DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));\r
	235	\r
	236	Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &EfiSig);\r
	237	if (EFI_ERROR (Status)) {\r
c411b485	238	return Status;\r
97326596 GB	239	}\r
	240	\r
	241	Status = gRT->SetVariable (\r
	242	EFI_DB_DEFAULT_VARIABLE_NAME,\r
	243	&gEfiGlobalVariableGuid,\r
	244	EFI_VARIABLE_RUNTIME_ACCESS \| EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
	245	SigListsSize,\r
	246	(VOID *)EfiSig\r
	247	);\r
	248	if (EFI_ERROR (Status)) {\r
c411b485	249	DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));\r
97326596 GB	250	}\r
	251	\r
	252	FreePool (EfiSig);\r
	253	\r
	254	return Status;\r
	255	}\r
	256	\r
	257	/** Initializes dbxDefault variable with data from FFS section.\r
	258	\r
	259	@retval EFI_SUCCESS Variable was initialized successfully.\r
	260	@retval EFI_UNSUPPORTED Variable already exists.\r
	261	**/\r
	262	EFI_STATUS\r
	263	SecureBootInitDbxDefault (\r
	264	IN VOID\r
	265	)\r
	266	{\r
c411b485	267	EFI_SIGNATURE_LIST *EfiSig;\r
97326596 GB	268	UINTN SigListsSize;\r
97326596 GB	269	EFI_STATUS Status;\r
c411b485	270	UINT8 *Data;\r
97326596 GB	271	UINTN DataSize;\r
	272	\r
	273	//\r
	274	// Check if variable exists, if so do not change it\r
	275	//\r
c411b485	276	Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
97326596 GB	277	if (Status == EFI_SUCCESS) {\r
	278	DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
	279	FreePool (Data);\r
	280	return EFI_UNSUPPORTED;\r
	281	}\r
	282	\r
	283	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
	284	return Status;\r
	285	}\r
	286	\r
	287	//\r
	288	// Variable does not exist, can be initialized\r
	289	//\r
	290	DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
	291	\r
	292	Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &EfiSig);\r
	293	if (EFI_ERROR (Status)) {\r
	294	DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
	295	return Status;\r
	296	}\r
	297	\r
	298	Status = gRT->SetVariable (\r
	299	EFI_DBX_DEFAULT_VARIABLE_NAME,\r
	300	&gEfiGlobalVariableGuid,\r
	301	EFI_VARIABLE_RUNTIME_ACCESS \| EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
	302	SigListsSize,\r
	303	(VOID *)EfiSig\r
	304	);\r
	305	if (EFI_ERROR (Status)) {\r
	306	DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));\r
	307	}\r
	308	\r
	309	FreePool (EfiSig);\r
	310	\r
	311	return Status;\r
	312	}\r
	313	\r
	314	/** Initializes dbtDefault variable with data from FFS section.\r
	315	\r
	316	@retval EFI_SUCCESS Variable was initialized successfully.\r
	317	@retval EFI_UNSUPPORTED Variable already exists.\r
	318	**/\r
	319	EFI_STATUS\r
	320	SecureBootInitDbtDefault (\r
	321	IN VOID\r
	322	)\r
	323	{\r
c411b485	324	EFI_SIGNATURE_LIST *EfiSig;\r
97326596 GB	325	UINTN SigListsSize;\r
97326596 GB	326	EFI_STATUS Status;\r
c411b485	327	UINT8 *Data;\r
97326596 GB	328	UINTN DataSize;\r
	329	\r
	330	//\r
	331	// Check if variable exists, if so do not change it\r
	332	//\r
c411b485	333	Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);\r
97326596 GB	334	if (Status == EFI_SUCCESS) {\r
	335	DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));\r
	336	FreePool (Data);\r
	337	return EFI_UNSUPPORTED;\r
	338	}\r
	339	\r
	340	if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {\r
	341	return Status;\r
	342	}\r
	343	\r
	344	//\r
	345	// Variable does not exist, can be initialized\r
	346	//\r
	347	DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));\r
	348	\r
	349	Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);\r
	350	if (EFI_ERROR (Status)) {\r
c411b485	351	return Status;\r
97326596 GB	352	}\r
	353	\r
	354	Status = gRT->SetVariable (\r
	355	EFI_DBT_DEFAULT_VARIABLE_NAME,\r
	356	&gEfiGlobalVariableGuid,\r
	357	EFI_VARIABLE_RUNTIME_ACCESS \| EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
	358	SigListsSize,\r
	359	(VOID *)EfiSig\r
	360	);\r
	361	if (EFI_ERROR (Status)) {\r
	362	DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));\r
	363	}\r
	364	\r
	365	FreePool (EfiSig);\r
	366	\r
	367	return EFI_SUCCESS;\r
	368	}\r
	369	\r
	370	/**\r
	371	Sets the content of the 'db' variable based on 'dbDefault' variable content.\r
	372	\r
	373	@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
	374	while VendorGuid is NULL.\r
	375	@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
	376	**/\r
	377	EFI_STATUS\r
	378	EFIAPI\r
	379	EnrollDbFromDefault (\r
	380	VOID\r
c411b485	381	)\r
97326596	382	{\r
c411b485	383	EFI_STATUS Status;\r
97326596 GB	384	\r
	385	Status = EnrollFromDefault (\r
	386	EFI_IMAGE_SECURITY_DATABASE,\r
	387	EFI_DB_DEFAULT_VARIABLE_NAME,\r
	388	&gEfiImageSecurityDatabaseGuid\r
	389	);\r
	390	\r
	391	return Status;\r
	392	}\r
	393	\r
	394	/**\r
	395	Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.\r
	396	\r
	397	@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
	398	while VendorGuid is NULL.\r
	399	@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
	400	**/\r
	401	EFI_STATUS\r
	402	EFIAPI\r
	403	EnrollDbxFromDefault (\r
	404	VOID\r
c411b485	405	)\r
97326596	406	{\r
c411b485	407	EFI_STATUS Status;\r
97326596 GB	408	\r
	409	Status = EnrollFromDefault (\r
	410	EFI_IMAGE_SECURITY_DATABASE1,\r
	411	EFI_DBX_DEFAULT_VARIABLE_NAME,\r
	412	&gEfiImageSecurityDatabaseGuid\r
	413	);\r
	414	\r
	415	return Status;\r
	416	}\r
	417	\r
	418	/**\r
	419	Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.\r
	420	\r
	421	@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
	422	while VendorGuid is NULL.\r
	423	@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
	424	**/\r
	425	EFI_STATUS\r
	426	EFIAPI\r
	427	EnrollDbtFromDefault (\r
	428	VOID\r
c411b485	429	)\r
97326596	430	{\r
c411b485	431	EFI_STATUS Status;\r
97326596 GB	432	\r
	433	Status = EnrollFromDefault (\r
	434	EFI_IMAGE_SECURITY_DATABASE2,\r
	435	EFI_DBT_DEFAULT_VARIABLE_NAME,\r
c411b485 MK	436	&gEfiImageSecurityDatabaseGuid\r
c411b485 MK	437	);\r
97326596 GB	438	\r
	439	return Status;\r
	440	}\r
	441	\r
	442	/**\r
	443	Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.\r
	444	\r
	445	@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
	446	while VendorGuid is NULL.\r
	447	@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
	448	**/\r
	449	EFI_STATUS\r
	450	EFIAPI\r
	451	EnrollKEKFromDefault (\r
	452	VOID\r
c411b485	453	)\r
97326596	454	{\r
c411b485	455	EFI_STATUS Status;\r
97326596 GB	456	\r
	457	Status = EnrollFromDefault (\r
	458	EFI_KEY_EXCHANGE_KEY_NAME,\r
	459	EFI_KEK_DEFAULT_VARIABLE_NAME,\r
	460	&gEfiGlobalVariableGuid\r
	461	);\r
	462	\r
	463	return Status;\r
	464	}\r
	465	\r
	466	/**\r
	467	Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.\r
	468	\r
	469	@retval EFI_OUT_OF_RESOURCES If memory allocation for EFI_VARIABLE_AUTHENTICATION_2 fails\r
	470	while VendorGuid is NULL.\r
	471	@retval other Errors from GetVariable2 (), GetTime () and SetVariable ()\r
	472	**/\r
	473	EFI_STATUS\r
	474	EFIAPI\r
	475	EnrollPKFromDefault (\r
	476	VOID\r
c411b485	477	)\r
97326596	478	{\r
c411b485	479	EFI_STATUS Status;\r
97326596 GB	480	\r
	481	Status = EnrollFromDefault (\r
	482	EFI_PLATFORM_KEY_NAME,\r
	483	EFI_PK_DEFAULT_VARIABLE_NAME,\r
	484	&gEfiGlobalVariableGuid\r
	485	);\r
	486	\r
	487	return Status;\r
	488	}\r