2 Measure TrEE required variable.
4 Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved.<BR>
5 This program and the accompanying materials
6 are licensed and made available under the terms and conditions of the BSD License
7 which accompanies this distribution. The full text of the license may be found at
8 http://opensource.org/licenses/bsd-license.php
10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
16 #include <Guid/ImageAuthentication.h>
17 #include <IndustryStandard/UefiTcgPlatform.h>
18 #include <Protocol/TrEEProtocol.h>
20 #include <Library/UefiBootServicesTableLib.h>
21 #include <Library/UefiRuntimeServicesTableLib.h>
22 #include <Library/MemoryAllocationLib.h>
23 #include <Library/BaseMemoryLib.h>
24 #include <Library/DebugLib.h>
25 #include <Library/BaseLib.h>
26 #include <Library/TpmMeasurementLib.h>
33 VARIABLE_TYPE mVariableType
[] = {
34 {EFI_SECURE_BOOT_MODE_NAME
, &gEfiGlobalVariableGuid
},
35 {EFI_PLATFORM_KEY_NAME
, &gEfiGlobalVariableGuid
},
36 {EFI_KEY_EXCHANGE_KEY_NAME
, &gEfiGlobalVariableGuid
},
37 {EFI_IMAGE_SECURITY_DATABASE
, &gEfiImageSecurityDatabaseGuid
},
38 {EFI_IMAGE_SECURITY_DATABASE1
, &gEfiImageSecurityDatabaseGuid
},
39 {EFI_IMAGE_SECURITY_DATABASE2
, &gEfiImageSecurityDatabaseGuid
},
43 // "SecureBoot" may update following PK Del/Add
44 // Cache its value to detect value update
46 UINT8
*mSecureBootVarData
= NULL
;
47 UINTN mSecureBootVarDataSize
= 0;
50 This function will return if this variable is SecureBootPolicy Variable.
52 @param[in] VariableName A Null-terminated string that is the name of the vendor's variable.
53 @param[in] VendorGuid A unique identifier for the vendor.
55 @retval TRUE This is SecureBootPolicy Variable
56 @retval FALSE This is not SecureBootPolicy Variable
59 IsSecureBootPolicyVariable (
60 IN CHAR16
*VariableName
,
61 IN EFI_GUID
*VendorGuid
66 for (Index
= 0; Index
< sizeof(mVariableType
)/sizeof(mVariableType
[0]); Index
++) {
67 if ((StrCmp (VariableName
, mVariableType
[Index
].VariableName
) == 0) &&
68 (CompareGuid (VendorGuid
, mVariableType
[Index
].VendorGuid
))) {
76 Measure and log an EFI variable, and extend the measurement result into a specific PCR.
78 @param[in] VarName A Null-terminated string that is the name of the vendor's variable.
79 @param[in] VendorGuid A unique identifier for the vendor.
80 @param[in] VarData The content of the variable data.
81 @param[in] VarSize The size of the variable data.
83 @retval EFI_SUCCESS Operation completed successfully.
84 @retval EFI_OUT_OF_RESOURCES Out of memory.
85 @retval EFI_DEVICE_ERROR The operation was unsuccessful.
92 IN EFI_GUID
*VendorGuid
,
99 EFI_VARIABLE_DATA_TREE
*VarLog
;
102 ASSERT ((VarSize
== 0 && VarData
== NULL
) || (VarSize
!= 0 && VarData
!= NULL
));
104 VarNameLength
= StrLen (VarName
);
105 VarLogSize
= (UINT32
)(sizeof (*VarLog
) + VarNameLength
* sizeof (*VarName
) + VarSize
106 - sizeof (VarLog
->UnicodeName
) - sizeof (VarLog
->VariableData
));
108 VarLog
= (EFI_VARIABLE_DATA_TREE
*) AllocateZeroPool (VarLogSize
);
109 if (VarLog
== NULL
) {
110 return EFI_OUT_OF_RESOURCES
;
113 CopyMem (&VarLog
->VariableName
, VendorGuid
, sizeof(VarLog
->VariableName
));
114 VarLog
->UnicodeNameLength
= VarNameLength
;
115 VarLog
->VariableDataLength
= VarSize
;
119 VarNameLength
* sizeof (*VarName
)
123 (CHAR16
*)VarLog
->UnicodeName
+ VarNameLength
,
129 DEBUG ((EFI_D_INFO
, "AuthVariableDxe: MeasureVariable (Pcr - %x, EventType - %x, ", (UINTN
)7, (UINTN
)EV_EFI_VARIABLE_AUTHORITY
));
130 DEBUG ((EFI_D_INFO
, "VariableName - %s, VendorGuid - %g)\n", VarName
, VendorGuid
));
132 Status
= TpmMeasureAndLogData (
134 EV_EFI_VARIABLE_DRIVER_CONFIG
,
145 Returns the status whether get the variable success. The function retrieves
146 variable through the UEFI Runtime Service GetVariable(). The
147 returned buffer is allocated using AllocatePool(). The caller is responsible
148 for freeing this buffer with FreePool().
150 This API is only invoked in boot time. It may NOT be invoked at runtime.
152 @param[in] Name The pointer to a Null-terminated Unicode string.
153 @param[in] Guid The pointer to an EFI_GUID structure
154 @param[out] Value The buffer point saved the variable info.
155 @param[out] Size The buffer size of the variable.
157 @return EFI_OUT_OF_RESOURCES Allocate buffer failed.
158 @return EFI_SUCCESS Find the specified variable.
159 @return Others Errors Return errors from call to gRT->GetVariable.
163 InternalGetVariable (
164 IN CONST CHAR16
*Name
,
165 IN CONST EFI_GUID
*Guid
,
174 // Try to get the variable size.
182 Status
= gRT
->GetVariable ((CHAR16
*) Name
, (EFI_GUID
*) Guid
, NULL
, &BufferSize
, *Value
);
183 if (Status
!= EFI_BUFFER_TOO_SMALL
) {
188 // Allocate buffer to get the variable.
190 *Value
= AllocatePool (BufferSize
);
191 ASSERT (*Value
!= NULL
);
192 if (*Value
== NULL
) {
193 return EFI_OUT_OF_RESOURCES
;
197 // Get the variable data.
199 Status
= gRT
->GetVariable ((CHAR16
*) Name
, (EFI_GUID
*) Guid
, NULL
, &BufferSize
, *Value
);
200 if (EFI_ERROR (Status
)) {
213 SecureBoot Hook for SetVariable.
215 @param[in] VariableName Name of Variable to be found.
216 @param[in] VendorGuid Variable vendor GUID.
222 IN CHAR16
*VariableName
,
223 IN EFI_GUID
*VendorGuid
227 UINTN VariableDataSize
;
230 if (!IsSecureBootPolicyVariable (VariableName
, VendorGuid
)) {
235 // We should NOT use Data and DataSize here,because it may include signature,
236 // or is just partial with append attributes, or is deleted.
237 // We should GetVariable again, to get full variable content.
239 Status
= InternalGetVariable (
245 if (EFI_ERROR (Status
)) {
247 VariableDataSize
= 0;
250 Status
= MeasureVariable (
256 DEBUG ((EFI_D_INFO
, "MeasureBootPolicyVariable - %r\n", Status
));
258 if (VariableData
!= NULL
) {
259 FreePool (VariableData
);
263 // "SecureBoot" is 8bit & read-only. It can only be changed according to PK update
265 if ((StrCmp (VariableName
, EFI_PLATFORM_KEY_NAME
) == 0) &&
266 CompareGuid (VendorGuid
, &gEfiGlobalVariableGuid
)) {
267 Status
= InternalGetVariable (
268 EFI_SECURE_BOOT_MODE_NAME
,
269 &gEfiGlobalVariableGuid
,
273 if (EFI_ERROR (Status
)) {
278 // If PK update is successful. "SecureBoot" shall always exist ever since variable write service is ready
280 ASSERT(mSecureBootVarData
!= NULL
);
282 if (CompareMem(mSecureBootVarData
, VariableData
, VariableDataSize
) != 0) {
283 FreePool(mSecureBootVarData
);
284 mSecureBootVarData
= VariableData
;
285 mSecureBootVarDataSize
= VariableDataSize
;
287 DEBUG((DEBUG_INFO
, "%s variable updated according to PK change. Remeasure the value!\n", EFI_SECURE_BOOT_MODE_NAME
));
288 Status
= MeasureVariable (
289 EFI_SECURE_BOOT_MODE_NAME
,
290 &gEfiGlobalVariableGuid
,
292 mSecureBootVarDataSize
294 DEBUG ((DEBUG_INFO
, "MeasureBootPolicyVariable - %r\n", Status
));
297 // "SecureBoot" variable is not changed
299 FreePool(VariableData
);
307 Some Secure Boot Policy Variable may update following other variable changes(SecureBoot follows PK change, etc).
308 Record their initial State when variable write service is ready.
313 RecordSecureBootPolicyVarData(
320 // Record initial "SecureBoot" variable value.
321 // It is used to detect SecureBoot variable change in SecureBootHook.
323 Status
= InternalGetVariable (
324 EFI_SECURE_BOOT_MODE_NAME
,
325 &gEfiGlobalVariableGuid
,
326 (VOID
**)&mSecureBootVarData
,
327 &mSecureBootVarDataSize
329 if (EFI_ERROR(Status
)) {
331 // Read could fail when Auth Variable solution is not supported
333 DEBUG((DEBUG_INFO
, "RecordSecureBootPolicyVarData GetVariable %s Status %x\n", EFI_SECURE_BOOT_MODE_NAME
, Status
));