/** @file

  A hook-in library for NetworkPkg/TlsAuthConfigDxe, in order to set volatile
  variables related to TLS configuration, before TlsAuthConfigDxe or HttpDxe
  (which is a UEFI_DRIVER) consume them.

  Copyright (C) 2013, 2015, 2018, Red Hat, Inc.
  Copyright (c) 2008 - 2012, Intel Corporation. All rights reserved.<BR>

  SPDX-License-Identifier: BSD-2-Clause-Patent

**/
14 #include <Uefi/UefiBaseType.h>
15 #include <Uefi/UefiSpec.h>
17 #include <Guid/HttpTlsCipherList.h>
18 #include <Guid/TlsAuthentication.h>
20 #include <Library/BaseLib.h>
21 #include <Library/DebugLib.h>
22 #include <Library/MemoryAllocationLib.h>
23 #include <Library/QemuFwCfgLib.h>
24 #include <Library/UefiRuntimeServicesTableLib.h>
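/**
  Read the list of trusted CA certificates from the fw_cfg file
  "etc/edk2/https/cacerts", and store it to
  gEfiTlsCaCertificateGuid:EFI_TLS_CA_CERTIFICATE_VARIABLE.

  The contents are validated (for well-formedness) by NetworkPkg/HttpDxe.

  When the fw_cfg file is absent, the variable is left untouched. When it is
  present, any existing variable is deleted before anything else, so a later
  allocation or SetVariable() failure leaves an empty trust list (HTTPS boot
  fails) instead of a stale one. Only a failed deletion halts the boot.

  NOTE(review): the listing this was taken from had lost the function header,
  the DEBUG() framing and some trivial arguments; they are restored here and
  should be confirmed against the tree.
**/
STATIC
VOID
SetCaCerts (
  VOID
  )
{
  EFI_STATUS            Status;
  FIRMWARE_CONFIG_ITEM  HttpsCaCertsItem;
  UINTN                 HttpsCaCertsSize;
  VOID                  *HttpsCaCerts;

  Status = QemuFwCfgFindFile (
             "etc/edk2/https/cacerts",
             &HttpsCaCertsItem,
             &HttpsCaCertsSize
             );
  if (EFI_ERROR (Status)) {
    //
    // No fw_cfg file: the host expressed no preference, keep whatever the
    // platform already has.
    //
    DEBUG ((
      DEBUG_VERBOSE,
      "%a:%a: not touching CA cert list\n",
      gEfiCallerBaseName,
      __func__
      ));
    return;
  }

  //
  // Delete the current EFI_TLS_CA_CERTIFICATE_VARIABLE if it exists. This
  // serves two purposes:
  //
  // (a) If the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we
  //     cannot make it volatile without deleting it first.
  //
  // (b) If we fail to recreate the variable later, deleting the current one is
  //     still justified if the fw_cfg file exists. Emptying the set of trusted
  //     CA certificates will fail HTTPS boot, which is better than trusting
  //     any certificate that's possibly missing from the fw_cfg file.
  //
  Status = gRT->SetVariable (
                  EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName
                  &gEfiTlsCaCertificateGuid,       // VendorGuid
                  0,                               // Attributes
                  0,                               // DataSize
                  NULL                             // Data
                  );
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
    //
    // This is fatal: a stale trust list that cannot be removed must not be
    // used. The status is logged because this message is the only record of
    // why the boot stopped. ASSERT_EFI_ERROR() may be compiled out depending
    // on the DebugLib configuration, so CpuDeadLoop() is what guarantees the
    // halt.
    //
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: failed to delete %g:\"%s\": %r\n",
      gEfiCallerBaseName,
      __func__,
      &gEfiTlsCaCertificateGuid,
      EFI_TLS_CA_CERTIFICATE_VARIABLE,
      Status
      ));
    ASSERT_EFI_ERROR (Status);
    CpuDeadLoop ();
  }

  if (HttpsCaCertsSize == 0) {
    //
    // An empty fw_cfg file means "trust nothing"; the deletion above already
    // put that into effect.
    //
    DEBUG ((
      DEBUG_VERBOSE,
      "%a:%a: applied empty CA cert list\n",
      gEfiCallerBaseName,
      __func__
      ));
    return;
  }

  HttpsCaCerts = AllocatePool (HttpsCaCertsSize);
  if (HttpsCaCerts == NULL) {
    //
    // Not fatal: the variable is already gone, so HTTPS boot fails closed.
    //
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: failed to allocate HttpsCaCerts\n",
      gEfiCallerBaseName,
      __func__
      ));
    return;
  }

  //
  // The fw_cfg read reports no status here; the blob is stored as-is and is
  // checked for well-formedness by the consumer (see the function header).
  //
  QemuFwCfgSelectItem (HttpsCaCertsItem);
  QemuFwCfgReadBytes (HttpsCaCertsSize, HttpsCaCerts);

  //
  // Only EFI_VARIABLE_BOOTSERVICE_ACCESS is requested: without
  // EFI_VARIABLE_NON_VOLATILE the variable does not persist across resets, and
  // without EFI_VARIABLE_RUNTIME_ACCESS it is not visible after
  // ExitBootServices(). No authenticated-write attribute is requested either,
  // so presumably other boot-services code could still replace the list
  // before it is consumed -- confirm that this matches the platform's trust
  // assumptions.
  //
  Status = gRT->SetVariable (
                  EFI_TLS_CA_CERTIFICATE_VARIABLE, // VariableName
                  &gEfiTlsCaCertificateGuid,       // VendorGuid
                  EFI_VARIABLE_BOOTSERVICE_ACCESS, // Attributes
                  HttpsCaCertsSize,                // DataSize
                  HttpsCaCerts                     // Data
                  );
  if (EFI_ERROR (Status)) {
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: failed to set %g:\"%s\": %r\n",
      gEfiCallerBaseName,
      __func__,
      &gEfiTlsCaCertificateGuid,
      EFI_TLS_CA_CERTIFICATE_VARIABLE,
      Status
      ));
    goto FreeHttpsCaCerts;
  }

  DEBUG ((
    DEBUG_VERBOSE,
    "%a:%a: stored CA cert list (%Lu byte(s))\n",
    gEfiCallerBaseName,
    __func__,
    (UINT64)HttpsCaCertsSize
    ));

FreeHttpsCaCerts:
  FreePool (HttpsCaCerts);
}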
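/**
  Read the list of trusted cipher suites from the fw_cfg file
  "etc/edk2/https/ciphers", and store it to
  gEdkiiHttpTlsCipherListGuid:EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.

  The contents are propagated by NetworkPkg/HttpDxe to NetworkPkg/TlsDxe; the
  list is processed by the latter.

  When the fw_cfg file is absent, the variable is left untouched. When it is
  present, every failure past that point halts the boot, because neither the
  previous preferences nor the built-in defaults may be used in place of the
  list supplied through fw_cfg.

  NOTE(review): the listing this was taken from had lost the function header,
  the DEBUG() framing and some trivial arguments; they are restored here and
  should be confirmed against the tree.
**/
STATIC
VOID
SetCipherSuites (
  VOID
  )
{
  EFI_STATUS            Status;
  FIRMWARE_CONFIG_ITEM  HttpsCiphersItem;
  UINTN                 HttpsCiphersSize;
  VOID                  *HttpsCiphers;

  Status = QemuFwCfgFindFile (
             "etc/edk2/https/ciphers",
             &HttpsCiphersItem,
             &HttpsCiphersSize
             );
  if (EFI_ERROR (Status)) {
    //
    // No fw_cfg file: the host expressed no preference, keep whatever the
    // platform already has.
    //
    DEBUG ((
      DEBUG_VERBOSE,
      "%a:%a: not touching cipher suites\n",
      gEfiCallerBaseName,
      __func__
      ));
    return;
  }

  //
  // From this point on, any failure is fatal. An ordered cipher preference
  // list is available from QEMU, thus we cannot let the firmware attempt HTTPS
  // boot with either pre-existent or non-existent preferences. An empty set of
  // cipher suites does not fail HTTPS boot automatically; the default cipher
  // suite preferences would take effect, and we must prevent that.
  //
  // Delete the current EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE if it exists. If
  // the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we cannot
  // make it volatile without deleting it first.
  //
  Status = gRT->SetVariable (
                  EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName
                  &gEdkiiHttpTlsCipherListGuid,        // VendorGuid
                  0,                                   // Attributes
                  0,                                   // DataSize
                  NULL                                 // Data
                  );
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
    //
    // The status is logged because this message is the only record of why
    // the boot stopped.
    //
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: failed to delete %g:\"%s\": %r\n",
      gEfiCallerBaseName,
      __func__,
      &gEdkiiHttpTlsCipherListGuid,
      EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
      Status
      ));
    goto Done;
  }

  if (HttpsCiphersSize == 0) {
    //
    // Unlike an empty CA list, an empty cipher list would not fail closed (the
    // defaults would apply), so it is rejected outright.
    //
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: list of cipher suites must not be empty\n",
      gEfiCallerBaseName,
      __func__
      ));
    Status = EFI_INVALID_PARAMETER;
    goto Done;
  }

  HttpsCiphers = AllocatePool (HttpsCiphersSize);
  if (HttpsCiphers == NULL) {
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: failed to allocate HttpsCiphers\n",
      gEfiCallerBaseName,
      __func__
      ));
    Status = EFI_OUT_OF_RESOURCES;
    goto Done;
  }

  //
  // The fw_cfg read reports no status here; the blob is stored as-is and is
  // interpreted by the consumer (see the function header).
  //
  QemuFwCfgSelectItem (HttpsCiphersItem);
  QemuFwCfgReadBytes (HttpsCiphersSize, HttpsCiphers);

  //
  // Only EFI_VARIABLE_BOOTSERVICE_ACCESS is requested: without
  // EFI_VARIABLE_NON_VOLATILE the variable does not persist across resets, and
  // without EFI_VARIABLE_RUNTIME_ACCESS it is not visible after
  // ExitBootServices(). No authenticated-write attribute is requested either,
  // so presumably other boot-services code could still replace the list
  // before it is consumed -- confirm that this matches the platform's trust
  // assumptions.
  //
  Status = gRT->SetVariable (
                  EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName
                  &gEdkiiHttpTlsCipherListGuid,        // VendorGuid
                  EFI_VARIABLE_BOOTSERVICE_ACCESS,     // Attributes
                  HttpsCiphersSize,                    // DataSize
                  HttpsCiphers                         // Data
                  );
  if (EFI_ERROR (Status)) {
    DEBUG ((
      DEBUG_ERROR,
      "%a:%a: failed to set %g:\"%s\": %r\n",
      gEfiCallerBaseName,
      __func__,
      &gEdkiiHttpTlsCipherListGuid,
      EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE,
      Status
      ));
    goto FreeHttpsCiphers;
  }

  DEBUG ((
    DEBUG_VERBOSE,
    "%a:%a: stored list of cipher suites (%Lu byte(s))\n",
    gEfiCallerBaseName,
    __func__,
    (UINT64)HttpsCiphersSize
    ));

FreeHttpsCiphers:
  FreePool (HttpsCiphers);

Done:
  if (EFI_ERROR (Status)) {
    //
    // ASSERT_EFI_ERROR() may be compiled out depending on the DebugLib
    // configuration, so CpuDeadLoop() is what guarantees that HTTPS boot is
    // never attempted with the wrong cipher preferences.
    //
    ASSERT_EFI_ERROR (Status);
    CpuDeadLoop ();
  }
}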
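/**
  Apply the TLS configuration that QEMU provides through fw_cfg: first the
  trusted CA certificate list, then the cipher suite preference list.

  NOTE(review): only the return statement survived in the listing this was
  taken from; the header and the two helper calls are restored here and should
  be confirmed against the tree. Presumably this is the entry point that the
  library's INF registers as its constructor -- confirm there.

  @retval RETURN_SUCCESS  Always. Conditions treated as fatal do not return
                          an error to the caller; the helpers assert and halt
                          instead.
**/
RETURN_STATUS
EFIAPI
TlsAuthConfigInit (
  VOID
  )
{
  SetCaCerts ();
  SetCipherSuites ();

  return RETURN_SUCCESS;
}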