[mirror_edk2.git] / SecurityPkg / VariableAuthenticated / RuntimeDxe / AuthService.h

/** @file\r
  The internal header file includes the common header files, defines\r
  internal structure and functions used by AuthService module.\r
\r
Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution.  The full text of the license may be found at\r
http://opensource.org/licenses/bsd-license.php\r
\r
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
**/\r
\r
#ifndef _AUTHSERVICE_H_\r
#define _AUTHSERVICE_H_\r
\r
#define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256\r
#define EFI_CERT_TYPE_RSA2048_SIZE        256\r
\r
///\r
/// Size of AuthInfo prior to the data payload.\r
///\r
#define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \\r
                       (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \\r
                       sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))\r
\r
#define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \\r
                                  (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)\r
\r
#define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \\r
                                       (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)))\r
\r
///\r
/// "AuthVarKeyDatabase" variable for the Public Key store.\r
///\r
#define AUTHVAR_KEYDB_NAME      L"AuthVarKeyDatabase"\r
#define AUTHVAR_KEYDB_NAME_SIZE 38\r
\r
///\r
/// Max size of public key database, restricted by max individal EFI varible size, exclude variable header and name size.\r
///\r
#define MAX_KEYDB_SIZE  (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - AUTHVAR_KEYDB_NAME_SIZE)\r
#define MAX_KEY_NUM     (MAX_KEYDB_SIZE / EFI_CERT_TYPE_RSA2048_SIZE)\r
\r
///\r
/// Struct to record signature requirement defined by UEFI spec.\r
/// For SigHeaderSize and SigDataSize, ((UINT32) ~0) means NO exact length requirement for this field.\r
///\r
typedef struct {\r
  EFI_GUID    SigType;\r
  // Expected SignatureHeader size in Bytes.\r
  UINT32      SigHeaderSize;\r
  // Expected SignatureData size in Bytes.\r
  UINT32      SigDataSize;\r
} EFI_SIGNATURE_ITEM;\r
\r
typedef enum {\r
  AuthVarTypePk,\r
  AuthVarTypeKek,\r
  AuthVarTypePriv\r
} AUTHVAR_TYPE;\r
\r
#pragma pack(1)\r
typedef struct {\r
  EFI_GUID    VendorGuid;\r
  UINT32      CertNodeSize;\r
  UINT32      NameSize;\r
  UINT32      CertDataSize;\r
  /// CHAR16  VariableName[NameSize];\r
  /// UINT8   CertData[CertDataSize];\r
} AUTH_CERT_DB_DATA;\r
#pragma pack()\r
\r
/**\r
  Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.\r
\r
  Caution: This function may receive untrusted input.\r
  This function may be invoked in SMM mode, and datasize and data are external input.\r
  This function will do basic validation, before parse the data.\r
  This function will parse the authentication carefully to avoid security issues, like\r
  buffer overflow, integer overflow.\r
  This function will check attribute carefully to avoid authentication bypass.\r
\r
  @param[in]  VariableName                Name of Variable to be found.\r
  @param[in]  VendorGuid                  Variable vendor GUID.\r
\r
  @param[in]  Data                        Data pointer.\r
  @param[in]  DataSize                    Size of Data found. If size is less than the\r
                                          data, this value contains the required size.\r
  @param[in]  Variable                    The variable information which is used to keep track of variable usage.\r
  @param[in]  Attributes                  Attribute value of the variable.\r
\r
  @return EFI_INVALID_PARAMETER           Invalid parameter\r
  @return EFI_WRITE_PROTECTED             Variable is write-protected and needs authentication with\r
                                          EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.\r
  @return EFI_SECURITY_VIOLATION          The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS\r
                                          set, but the AuthInfo does NOT pass the validation\r
                                          check carried out by the firmware.\r
  @return EFI_SUCCESS                     Variable is not write-protected, or passed validation successfully.\r
\r
**/\r
EFI_STATUS\r
ProcessVariable (\r
  IN     CHAR16                             *VariableName,\r
  IN     EFI_GUID                           *VendorGuid,\r
  IN     VOID                               *Data,\r
  IN     UINTN                              DataSize,\r
  IN     VARIABLE_POINTER_TRACK             *Variable,\r
  IN     UINT32                             Attributes\r
  );\r
\r
/**\r
  Update platform mode.\r
\r
  @param[in]      Mode                    SETUP_MODE or USER_MODE.\r
\r
  @return EFI_INVALID_PARAMETER           Invalid parameter.\r
  @return EFI_SUCCESS                     Update platform mode successfully.\r
\r
**/\r
EFI_STATUS\r
UpdatePlatformMode (\r
  IN  UINT32                    Mode\r
  );\r
\r
/**\r
  Initializes for authenticated varibale service.\r
\r
  @retval EFI_SUCCESS           Function successfully executed.\r
  @retval EFI_OUT_OF_RESOURCES  Fail to allocate enough memory resource.\r
\r
**/\r
EFI_STATUS\r
AutenticatedVariableServiceInitialize (\r
  VOID\r
  );\r
\r
/**\r
  Initializes for cryptlib service before use, include register algrithm and allocate scratch.\r
\r
**/\r
VOID\r
CryptLibraryInitialize (\r
  VOID\r
  );\r
\r
/**\r
  Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK variable.\r
\r
  @param[in]  VariableName                Name of Variable to be check.\r
  @param[in]  VendorGuid                  Variable vendor GUID.\r
  @param[in]  Data                        Point to the variable data to be checked.\r
  @param[in]  DataSize                    Size of Data.\r
\r
  @return EFI_INVALID_PARAMETER           Invalid signature list format.\r
  @return EFI_SUCCESS                     Passed signature list format check successfully.\r
  \r
**/\r
EFI_STATUS\r
CheckSignatureListFormat(\r
  IN  CHAR16                    *VariableName,\r
  IN  EFI_GUID                  *VendorGuid,\r
  IN  VOID                      *Data,\r
  IN  UINTN                     DataSize\r
  );\r
\r
/**\r
  Process variable with platform key for verification.\r
\r
  Caution: This function may receive untrusted input.\r
  This function may be invoked in SMM mode, and datasize and data are external input.\r
  This function will do basic validation, before parse the data.\r
  This function will parse the authentication carefully to avoid security issues, like\r
  buffer overflow, integer overflow.\r
  This function will check attribute carefully to avoid authentication bypass.\r
\r
  @param[in]  VariableName                Name of Variable to be found.\r
  @param[in]  VendorGuid                  Variable vendor GUID.\r
  @param[in]  Data                        Data pointer.\r
  @param[in]  DataSize                    Size of Data found. If size is less than the\r
                                          data, this value contains the required size.\r
  @param[in]  Variable                    The variable information which is used to keep track of variable usage.\r
  @param[in]  Attributes                  Attribute value of the variable.\r
  @param[in]  IsPk                        Indicate whether it is to process pk.\r
\r
  @return EFI_INVALID_PARAMETER           Invalid parameter\r
  @return EFI_SECURITY_VIOLATION          The variable does NOT pass the validation\r
                                          check carried out by the firmware.\r
  @return EFI_SUCCESS                     Variable passed validation successfully.\r
\r
**/\r
EFI_STATUS\r
ProcessVarWithPk (\r
  IN  CHAR16                    *VariableName,\r
  IN  EFI_GUID                  *VendorGuid,\r
  IN  VOID                      *Data,\r
  IN  UINTN                     DataSize,\r
  IN  VARIABLE_POINTER_TRACK    *Variable,\r
  IN  UINT32                    Attributes OPTIONAL,\r
  IN  BOOLEAN                   IsPk\r
  );\r
\r
/**\r
  Process variable with key exchange key for verification.\r
\r
  Caution: This function may receive untrusted input.\r
  This function may be invoked in SMM mode, and datasize and data are external input.\r
  This function will do basic validation, before parse the data.\r
  This function will parse the authentication carefully to avoid security issues, like\r
  buffer overflow, integer overflow.\r
  This function will check attribute carefully to avoid authentication bypass.\r
\r
  @param[in]  VariableName                Name of Variable to be found.\r
  @param[in]  VendorGuid                  Variable vendor GUID.\r
  @param[in]  Data                        Data pointer.\r
  @param[in]  DataSize                    Size of Data found. If size is less than the\r
                                          data, this value contains the required size.\r
  @param[in]  Variable                    The variable information that is used to keep track of variable usage.\r
  @param[in]  Attributes                  Attribute value of the variable.\r
\r
  @return EFI_INVALID_PARAMETER           Invalid parameter.\r
  @return EFI_SECURITY_VIOLATION          The variable does NOT pass the validation\r
                                          check carried out by the firmware.\r
  @return EFI_SUCCESS                     Variable passed validation successfully.\r
\r
**/\r
EFI_STATUS\r
ProcessVarWithKek (\r
  IN  CHAR16                    *VariableName,\r
  IN  EFI_GUID                  *VendorGuid,\r
  IN  VOID                      *Data,\r
  IN  UINTN                     DataSize,\r
  IN  VARIABLE_POINTER_TRACK    *Variable,\r
  IN  UINT32                    Attributes OPTIONAL\r
  );\r
\r
/**\r
  Merge two buffers which formatted as EFI_SIGNATURE_LIST. Only the new EFI_SIGNATURE_DATA\r
  will be appended to the original EFI_SIGNATURE_LIST, duplicate EFI_SIGNATURE_DATA\r
  will be ignored.\r
\r
  @param[in, out]  Data            Pointer to original EFI_SIGNATURE_LIST.\r
  @param[in]       DataSize        Size of Data buffer.\r
  @param[in]       NewData         Pointer to new EFI_SIGNATURE_LIST to be appended.\r
  @param[in]       NewDataSize     Size of NewData buffer.\r
\r
  @return Size of the merged buffer.\r
\r
**/\r
UINTN\r
AppendSignatureList (\r
  IN  OUT VOID            *Data,\r
  IN  UINTN               DataSize,\r
  IN  VOID                *NewData,\r
  IN  UINTN               NewDataSize\r
  );\r
\r
/**\r
  Compare two EFI_TIME data.\r
\r
\r
  @param FirstTime           A pointer to the first EFI_TIME data.\r
  @param SecondTime          A pointer to the second EFI_TIME data.\r
\r
  @retval  TRUE              The FirstTime is not later than the SecondTime.\r
  @retval  FALSE             The FirstTime is later than the SecondTime.\r
\r
**/\r
BOOLEAN\r
CompareTimeStamp (\r
  IN EFI_TIME               *FirstTime,\r
  IN EFI_TIME               *SecondTime\r
  );\r
\r
\r
/**\r
  Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set\r
\r
  Caution: This function may receive untrusted input.\r
  This function may be invoked in SMM mode, and datasize and data are external input.\r
  This function will do basic validation, before parse the data.\r
  This function will parse the authentication carefully to avoid security issues, like\r
  buffer overflow, integer overflow.\r
\r
  @param[in]  VariableName                Name of Variable to be found.\r
  @param[in]  VendorGuid                  Variable vendor GUID.\r
  @param[in]  Data                        Data pointer.\r
  @param[in]  DataSize                    Size of Data found. If size is less than the\r
                                          data, this value contains the required size.\r
  @param[in]  Variable                    The variable information which is used to keep track of variable usage.\r
  @param[in]  Attributes                  Attribute value of the variable.\r
  @param[in]  AuthVarType                 Verify against PK or KEK database or private database.\r
  @param[out] VarDel                      Delete the variable or not.\r
\r
  @retval EFI_INVALID_PARAMETER           Invalid parameter.\r
  @retval EFI_SECURITY_VIOLATION          The variable does NOT pass the validation\r
                                          check carried out by the firmware.\r
  @retval EFI_OUT_OF_RESOURCES            Failed to process variable due to lack\r
                                          of resources.\r
  @retval EFI_SUCCESS                     Variable pass validation successfully.\r
\r
**/\r
EFI_STATUS\r
VerifyTimeBasedPayload (\r
  IN     CHAR16                             *VariableName,\r
  IN     EFI_GUID                           *VendorGuid,\r
  IN     VOID                               *Data,\r
  IN     UINTN                              DataSize,\r
  IN     VARIABLE_POINTER_TRACK             *Variable,\r
  IN     UINT32                             Attributes,\r
  IN     AUTHVAR_TYPE                       AuthVarType,\r
  OUT    BOOLEAN                            *VarDel\r
  );\r
\r
extern UINT8  mPubKeyStore[MAX_KEYDB_SIZE];\r
extern UINT32 mPubKeyNumber;\r
extern VOID   *mHashCtx;\r
extern VOID   *mStorageArea;\r
extern UINT8  *mSerializationRuntimeBuffer;\r
\r
#endif\r
Commit	Line	Data
0c18794e	1	/** @file\r
	2	The internal header file includes the common header files, defines\r
	3	internal structure and functions used by AuthService module.\r
	4	\r
ed47ae02	5	Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>\r
2d3fb919	6	This program and the accompanying materials\r
	7	are licensed and made available under the terms and conditions of the BSD License\r
	8	which accompanies this distribution. The full text of the license may be found at\r
0c18794e	9	http://opensource.org/licenses/bsd-license.php\r
0c18794e	10	\r
2d3fb919	11	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
0c18794e	12	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	13	\r
	14	**/\r
	15	\r
	16	#ifndef _AUTHSERVICE_H_\r
	17	#define _AUTHSERVICE_H_\r
	18	\r
	19	#define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256\r
	20	#define EFI_CERT_TYPE_RSA2048_SIZE 256\r
	21	\r
	22	///\r
2d3fb919	23	/// Size of AuthInfo prior to the data payload.\r
0c18794e	24	///\r
2d3fb919	25	#define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \\r
	26	(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \\r
	27	sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))\r
	28	\r
	29	#define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \\r
	30	(UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)\r
	31	\r
	32	#define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \\r
	33	(OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)))\r
0c18794e	34	\r
	35	///\r
	36	/// "AuthVarKeyDatabase" variable for the Public Key store.\r
	37	///\r
	38	#define AUTHVAR_KEYDB_NAME L"AuthVarKeyDatabase"\r
	39	#define AUTHVAR_KEYDB_NAME_SIZE 38\r
	40	\r
	41	///\r
	42	/// Max size of public key database, restricted by max individal EFI varible size, exclude variable header and name size.\r
	43	///\r
	44	#define MAX_KEYDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - AUTHVAR_KEYDB_NAME_SIZE)\r
	45	#define MAX_KEY_NUM (MAX_KEYDB_SIZE / EFI_CERT_TYPE_RSA2048_SIZE)\r
	46	\r
d912bad7	47	///\r
	48	/// Struct to record signature requirement defined by UEFI spec.\r
	49	/// For SigHeaderSize and SigDataSize, ((UINT32) ~0) means NO exact length requirement for this field.\r
	50	///\r
	51	typedef struct {\r
	52	EFI_GUID SigType;\r
	53	// Expected SignatureHeader size in Bytes.\r
	54	UINT32 SigHeaderSize;\r
	55	// Expected SignatureData size in Bytes.\r
	56	UINT32 SigDataSize;\r
	57	} EFI_SIGNATURE_ITEM;\r
0c18794e	58	\r
ed47ae02	59	typedef enum {\r
	60	AuthVarTypePk,\r
	61	AuthVarTypeKek,\r
	62	AuthVarTypePriv\r
	63	} AUTHVAR_TYPE;\r
	64	\r
	65	#pragma pack(1)\r
	66	typedef struct {\r
	67	EFI_GUID VendorGuid;\r
	68	UINT32 CertNodeSize;\r
	69	UINT32 NameSize;\r
	70	UINT32 CertDataSize;\r
	71	/// CHAR16 VariableName[NameSize];\r
	72	/// UINT8 CertData[CertDataSize];\r
	73	} AUTH_CERT_DB_DATA;\r
	74	#pragma pack()\r
	75	\r
0c18794e	76	/**\r
	77	Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.\r
	78	\r
dc204d5a JY	79	Caution: This function may receive untrusted input.\r
	80	This function may be invoked in SMM mode, and datasize and data are external input.\r
	81	This function will do basic validation, before parse the data.\r
	82	This function will parse the authentication carefully to avoid security issues, like\r
	83	buffer overflow, integer overflow.\r
	84	This function will check attribute carefully to avoid authentication bypass.\r
	85	\r
0c18794e	86	@param[in] VariableName Name of Variable to be found.\r
	87	@param[in] VendorGuid Variable vendor GUID.\r
	88	\r
	89	@param[in] Data Data pointer.\r
	90	@param[in] DataSize Size of Data found. If size is less than the\r
	91	data, this value contains the required size.\r
	92	@param[in] Variable The variable information which is used to keep track of variable usage.\r
	93	@param[in] Attributes Attribute value of the variable.\r
	94	\r
	95	@return EFI_INVALID_PARAMETER Invalid parameter\r
	96	@return EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with\r
	97	EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.\r
	98	@return EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS\r
2d3fb919	99	set, but the AuthInfo does NOT pass the validation\r
2d3fb919	100	check carried out by the firmware.\r
0c18794e	101	@return EFI_SUCCESS Variable is not write-protected, or passed validation successfully.\r
	102	\r
	103	**/\r
	104	EFI_STATUS\r
	105	ProcessVariable (\r
	106	IN CHAR16 *VariableName,\r
	107	IN EFI_GUID *VendorGuid,\r
	108	IN VOID *Data,\r
	109	IN UINTN DataSize,\r
	110	IN VARIABLE_POINTER_TRACK *Variable,\r
	111	IN UINT32 Attributes\r
	112	);\r
	113	\r
2d3fb919	114	/**\r
	115	Update platform mode.\r
	116	\r
	117	@param[in] Mode SETUP_MODE or USER_MODE.\r
	118	\r
	119	@return EFI_INVALID_PARAMETER Invalid parameter.\r
	120	@return EFI_SUCCESS Update platform mode successfully.\r
	121	\r
	122	**/\r
	123	EFI_STATUS\r
	124	UpdatePlatformMode (\r
	125	IN UINT32 Mode\r
	126	);\r
	127	\r
0c18794e	128	/**\r
	129	Initializes for authenticated varibale service.\r
	130	\r
	131	@retval EFI_SUCCESS Function successfully executed.\r
	132	@retval EFI_OUT_OF_RESOURCES Fail to allocate enough memory resource.\r
	133	\r
	134	**/\r
	135	EFI_STATUS\r
	136	AutenticatedVariableServiceInitialize (\r
	137	VOID\r
	138	);\r
	139	\r
	140	/**\r
	141	Initializes for cryptlib service before use, include register algrithm and allocate scratch.\r
	142	\r
	143	**/\r
	144	VOID\r
	145	CryptLibraryInitialize (\r
	146	VOID\r
	147	);\r
	148	\r
d912bad7	149	/**\r
	150	Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK variable.\r
	151	\r
	152	@param[in] VariableName Name of Variable to be check.\r
	153	@param[in] VendorGuid Variable vendor GUID.\r
	154	@param[in] Data Point to the variable data to be checked.\r
	155	@param[in] DataSize Size of Data.\r
	156	\r
	157	@return EFI_INVALID_PARAMETER Invalid signature list format.\r
	158	@return EFI_SUCCESS Passed signature list format check successfully.\r
	159	\r
	160	**/\r
	161	EFI_STATUS\r
	162	CheckSignatureListFormat(\r
	163	IN CHAR16 *VariableName,\r
	164	IN EFI_GUID *VendorGuid,\r
	165	IN VOID *Data,\r
	166	IN UINTN DataSize\r
	167	);\r
	168	\r
0c18794e	169	/**\r
	170	Process variable with platform key for verification.\r
	171	\r
dc204d5a JY	172	Caution: This function may receive untrusted input.\r
	173	This function may be invoked in SMM mode, and datasize and data are external input.\r
	174	This function will do basic validation, before parse the data.\r
	175	This function will parse the authentication carefully to avoid security issues, like\r
	176	buffer overflow, integer overflow.\r
	177	This function will check attribute carefully to avoid authentication bypass.\r
	178	\r
0c18794e	179	@param[in] VariableName Name of Variable to be found.\r
	180	@param[in] VendorGuid Variable vendor GUID.\r
	181	@param[in] Data Data pointer.\r
	182	@param[in] DataSize Size of Data found. If size is less than the\r
	183	data, this value contains the required size.\r
	184	@param[in] Variable The variable information which is used to keep track of variable usage.\r
	185	@param[in] Attributes Attribute value of the variable.\r
	186	@param[in] IsPk Indicate whether it is to process pk.\r
	187	\r
	188	@return EFI_INVALID_PARAMETER Invalid parameter\r
2d3fb919	189	@return EFI_SECURITY_VIOLATION The variable does NOT pass the validation\r
2d3fb919	190	check carried out by the firmware.\r
0c18794e	191	@return EFI_SUCCESS Variable passed validation successfully.\r
	192	\r
	193	**/\r
	194	EFI_STATUS\r
	195	ProcessVarWithPk (\r
	196	IN CHAR16 *VariableName,\r
	197	IN EFI_GUID *VendorGuid,\r
	198	IN VOID *Data,\r
	199	IN UINTN DataSize,\r
	200	IN VARIABLE_POINTER_TRACK *Variable,\r
	201	IN UINT32 Attributes OPTIONAL,\r
	202	IN BOOLEAN IsPk\r
	203	);\r
	204	\r
	205	/**\r
	206	Process variable with key exchange key for verification.\r
	207	\r
dc204d5a JY	208	Caution: This function may receive untrusted input.\r
	209	This function may be invoked in SMM mode, and datasize and data are external input.\r
	210	This function will do basic validation, before parse the data.\r
	211	This function will parse the authentication carefully to avoid security issues, like\r
	212	buffer overflow, integer overflow.\r
	213	This function will check attribute carefully to avoid authentication bypass.\r
	214	\r
0c18794e	215	@param[in] VariableName Name of Variable to be found.\r
	216	@param[in] VendorGuid Variable vendor GUID.\r
	217	@param[in] Data Data pointer.\r
	218	@param[in] DataSize Size of Data found. If size is less than the\r
	219	data, this value contains the required size.\r
	220	@param[in] Variable The variable information that is used to keep track of variable usage.\r
	221	@param[in] Attributes Attribute value of the variable.\r
	222	\r
	223	@return EFI_INVALID_PARAMETER Invalid parameter.\r
2d3fb919	224	@return EFI_SECURITY_VIOLATION The variable does NOT pass the validation\r
2d3fb919	225	check carried out by the firmware.\r
0c18794e	226	@return EFI_SUCCESS Variable passed validation successfully.\r
	227	\r
	228	**/\r
	229	EFI_STATUS\r
	230	ProcessVarWithKek (\r
	231	IN CHAR16 *VariableName,\r
	232	IN EFI_GUID *VendorGuid,\r
	233	IN VOID *Data,\r
	234	IN UINTN DataSize,\r
	235	IN VARIABLE_POINTER_TRACK *Variable,\r
	236	IN UINT32 Attributes OPTIONAL\r
	237	);\r
	238	\r
2d3fb919	239	/**\r
	240	Merge two buffers which formatted as EFI_SIGNATURE_LIST. Only the new EFI_SIGNATURE_DATA\r
	241	will be appended to the original EFI_SIGNATURE_LIST, duplicate EFI_SIGNATURE_DATA\r
	242	will be ignored.\r
	243	\r
	244	@param[in, out] Data Pointer to original EFI_SIGNATURE_LIST.\r
	245	@param[in] DataSize Size of Data buffer.\r
	246	@param[in] NewData Pointer to new EFI_SIGNATURE_LIST to be appended.\r
	247	@param[in] NewDataSize Size of NewData buffer.\r
	248	\r
	249	@return Size of the merged buffer.\r
	250	\r
	251	**/\r
	252	UINTN\r
	253	AppendSignatureList (\r
	254	IN OUT VOID *Data,\r
	255	IN UINTN DataSize,\r
	256	IN VOID *NewData,\r
	257	IN UINTN NewDataSize\r
	258	);\r
	259	\r
0c18794e	260	/**\r
	261	Compare two EFI_TIME data.\r
	262	\r
	263	\r
	264	@param FirstTime A pointer to the first EFI_TIME data.\r
	265	@param SecondTime A pointer to the second EFI_TIME data.\r
	266	\r
	267	@retval TRUE The FirstTime is not later than the SecondTime.\r
	268	@retval FALSE The FirstTime is later than the SecondTime.\r
	269	\r
	270	**/\r
	271	BOOLEAN\r
	272	CompareTimeStamp (\r
	273	IN EFI_TIME *FirstTime,\r
	274	IN EFI_TIME *SecondTime\r
	275	);\r
	276	\r
	277	\r
	278	/**\r
	279	Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set\r
	280	\r
dc204d5a JY	281	Caution: This function may receive untrusted input.\r
	282	This function may be invoked in SMM mode, and datasize and data are external input.\r
	283	This function will do basic validation, before parse the data.\r
	284	This function will parse the authentication carefully to avoid security issues, like\r
	285	buffer overflow, integer overflow.\r
	286	\r
0c18794e	287	@param[in] VariableName Name of Variable to be found.\r
	288	@param[in] VendorGuid Variable vendor GUID.\r
	289	@param[in] Data Data pointer.\r
	290	@param[in] DataSize Size of Data found. If size is less than the\r
	291	data, this value contains the required size.\r
	292	@param[in] Variable The variable information which is used to keep track of variable usage.\r
	293	@param[in] Attributes Attribute value of the variable.\r
ed47ae02	294	@param[in] AuthVarType Verify against PK or KEK database or private database.\r
0c18794e	295	@param[out] VarDel Delete the variable or not.\r
	296	\r
	297	@retval EFI_INVALID_PARAMETER Invalid parameter.\r
2d3fb919	298	@retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation\r
2d3fb919	299	check carried out by the firmware.\r
0c18794e	300	@retval EFI_OUT_OF_RESOURCES Failed to process variable due to lack\r
	301	of resources.\r
	302	@retval EFI_SUCCESS Variable pass validation successfully.\r
	303	\r
	304	**/\r
	305	EFI_STATUS\r
	306	VerifyTimeBasedPayload (\r
	307	IN CHAR16 *VariableName,\r
	308	IN EFI_GUID *VendorGuid,\r
	309	IN VOID *Data,\r
	310	IN UINTN DataSize,\r
	311	IN VARIABLE_POINTER_TRACK *Variable,\r
	312	IN UINT32 Attributes,\r
ed47ae02	313	IN AUTHVAR_TYPE AuthVarType,\r
0c18794e	314	OUT BOOLEAN *VarDel\r
	315	);\r
	316	\r
	317	extern UINT8 mPubKeyStore[MAX_KEYDB_SIZE];\r
	318	extern UINT32 mPubKeyNumber;\r
	319	extern VOID *mHashCtx;\r
	320	extern VOID *mStorageArea;\r
2d3fb919	321	extern UINT8 *mSerializationRuntimeBuffer;\r
2d3fb919	322	\r
0c18794e	323	#endif\r