]> git.proxmox.com Git - mirror_edk2.git/blob - OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.h
projects / mirror_edk2.git / blob
? search:


5a5ac12426a92a2c613acaf2ad8ca3ff3c2fc919
[mirror_edk2.git] / OvmfPkg / SecureBootConfigDxe / SecureBootConfigImpl.h
1 /** @file
2 The header file of HII Config Access protocol implementation of SecureBoot
3 configuration module.
4
5 Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php
10
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13
14 **/
15
16 #ifndef __SECUREBOOT_CONFIG_IMPL_H__
17 #define __SECUREBOOT_CONFIG_IMPL_H__
18
19 #include <Uefi.h>
20
21 #include <Protocol/HiiConfigAccess.h>
22 #include <Protocol/HiiConfigRouting.h>
23 #include <Protocol/SimpleFileSystem.h>
24 #include <Protocol/BlockIo.h>
25 #include <Protocol/DevicePath.h>
26 #include <Protocol/DevicePathToText.h>
27 #include <Protocol/DebugPort.h>
28 #include <Protocol/LoadFile.h>
29
30 #include <Library/BaseLib.h>
31 #include <Library/BaseMemoryLib.h>
32 #include <Library/DebugLib.h>
33 #include <Library/MemoryAllocationLib.h>
34 #include <Library/UefiBootServicesTableLib.h>
35 #include <Library/UefiRuntimeServicesTableLib.h>
36 #include <Library/UefiHiiServicesLib.h>
37 #include <Library/UefiLib.h>
38 #include <Library/HiiLib.h>
39 #include <Library/DevicePathLib.h>
40 #include <Library/PrintLib.h>
41 #include <Library/PlatformSecureLib.h>
42 #include <Library/BaseCryptLib.h>
43 #include <Guid/MdeModuleHii.h>
44 #include <Guid/AuthenticatedVariableFormat.h>
45 #include <Guid/FileSystemVolumeLabelInfo.h>
46 #include <Guid/ImageAuthentication.h>
47 #include <Guid/FileInfo.h>
48
49 #include "SecureBootConfigNvData.h"
50
51 //
52 // Tool generated IFR binary data and String package data
53 //
54 extern UINT8 SecureBootConfigBin[];
55 extern UINT8 SecureBootConfigDxeStrings[];
56
57 //
58 // Shared IFR form update data
59 //
60 extern VOID *mStartOpCodeHandle;
61 extern VOID *mEndOpCodeHandle;
62 extern EFI_IFR_GUID_LABEL *mStartLabel;
63 extern EFI_IFR_GUID_LABEL *mEndLabel;
64
65 #define MAX_CHAR 480
66 #define TWO_BYTE_ENCODE 0x82
67
68 //
69 // SHA-1 digest size in bytes.
70 //
71 #define SHA1_DIGEST_SIZE 20
72 //
73 // SHA-256 digest size in bytes
74 //
75 #define SHA256_DIGEST_SIZE 32
76 //
77 // Set max digest size as SHA256 Output (32 bytes) by far
78 //
79 #define MAX_DIGEST_SIZE SHA256_DIGEST_SIZE
80
81 #define WIN_CERT_UEFI_RSA2048_SIZE 256
82
83 //
84 // Support hash types
85 //
86 #define HASHALG_SHA1 0x00000000
87 #define HASHALG_SHA224 0x00000001
88 #define HASHALG_SHA256 0x00000002
89 #define HASHALG_SHA384 0x00000003
90 #define HASHALG_SHA512 0x00000004
91 #define HASHALG_MAX 0x00000005
92
93
94 #define SECUREBOOT_MENU_OPTION_SIGNATURE SIGNATURE_32 ('S', 'b', 'M', 'u')
95 #define SECUREBOOT_MENU_ENTRY_SIGNATURE SIGNATURE_32 ('S', 'b', 'M', 'r')
96
97 typedef struct {
98 EFI_DEVICE_PATH_PROTOCOL Header;
99 EFI_GUID Guid;
100 UINT8 VendorDefinedData[1];
101 } VENDOR_DEVICE_PATH_WITH_DATA;
102
103 typedef struct {
104 EFI_DEVICE_PATH_PROTOCOL Header;
105 UINT16 NetworkProtocol;
106 UINT16 LoginOption;
107 UINT64 Lun;
108 UINT16 TargetPortalGroupTag;
109 CHAR16 TargetName[1];
110 } ISCSI_DEVICE_PATH_WITH_NAME;
111
112 typedef enum _FILE_EXPLORER_DISPLAY_CONTEXT {
113 FileExplorerDisplayFileSystem,
114 FileExplorerDisplayDirectory,
115 FileExplorerDisplayUnknown
116 } FILE_EXPLORER_DISPLAY_CONTEXT;
117
118 typedef enum _FILE_EXPLORER_STATE {
119 FileExplorerStateInActive = 0,
120 FileExplorerStateEnrollPkFile,
121 FileExplorerStateEnrollKekFile,
122 FileExplorerStateEnrollSignatureFileToDb,
123 FileExplorerStateEnrollSignatureFileToDbx,
124 FileExplorerStateUnknown
125 } FILE_EXPLORER_STATE;
126
127 typedef struct {
128 CHAR16 *Str;
129 UINTN Len;
130 UINTN Maxlen;
131 } POOL_PRINT;
132
133 typedef
134 VOID
135 (*DEV_PATH_FUNCTION) (
136 IN OUT POOL_PRINT *Str,
137 IN VOID *DevPath
138 );
139
140 typedef struct {
141 UINT8 Type;
142 UINT8 SubType;
143 DEV_PATH_FUNCTION Function;
144 } DEVICE_PATH_STRING_TABLE;
145
146 typedef struct {
147 UINTN Signature;
148 LIST_ENTRY Head;
149 UINTN MenuNumber;
150 } SECUREBOOT_MENU_OPTION;
151
152 extern SECUREBOOT_MENU_OPTION FsOptionMenu;
153 extern SECUREBOOT_MENU_OPTION DirectoryMenu;
154
155 typedef struct {
156 UINTN Signature;
157 LIST_ENTRY Link;
158 UINTN OptionNumber;
159 UINT16 *DisplayString;
160 UINT16 *HelpString;
161 EFI_STRING_ID DisplayStringToken;
162 EFI_STRING_ID HelpStringToken;
163 VOID *FileContext;
164 } SECUREBOOT_MENU_ENTRY;
165
166 typedef struct {
167 EFI_HANDLE Handle;
168 EFI_DEVICE_PATH_PROTOCOL *DevicePath;
169 EFI_FILE_HANDLE FHandle;
170 UINT16 *FileName;
171 EFI_FILE_SYSTEM_VOLUME_LABEL *Info;
172
173 BOOLEAN IsRoot;
174 BOOLEAN IsDir;
175 BOOLEAN IsRemovableMedia;
176 BOOLEAN IsLoadFile;
177 BOOLEAN IsBootLegacy;
178 } SECUREBOOT_FILE_CONTEXT;
179
180
181 //
182 // We define another format of 5th directory entry: security directory
183 //
184 typedef struct {
185 UINT32 Offset; // Offset of certificate
186 UINT32 SizeOfCert; // size of certificate appended
187 } EFI_IMAGE_SECURITY_DATA_DIRECTORY;
188
189 typedef enum{
190 ImageType_IA32,
191 ImageType_X64
192 } IMAGE_TYPE;
193
194 ///
195 /// HII specific Vendor Device Path definition.
196 ///
197 typedef struct {
198 VENDOR_DEVICE_PATH VendorDevicePath;
199 EFI_DEVICE_PATH_PROTOCOL End;
200 } HII_VENDOR_DEVICE_PATH;
201
202 typedef struct {
203 UINTN Signature;
204
205 EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess;
206 EFI_HII_HANDLE HiiHandle;
207 EFI_HANDLE DriverHandle;
208
209 FILE_EXPLORER_STATE FeCurrentState;
210 FILE_EXPLORER_DISPLAY_CONTEXT FeDisplayContext;
211
212 SECUREBOOT_MENU_ENTRY *MenuEntry;
213 SECUREBOOT_FILE_CONTEXT *FileContext;
214
215 EFI_GUID *SignatureGUID;
216 } SECUREBOOT_CONFIG_PRIVATE_DATA;
217
218 extern SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate;
219
220 #define SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('S', 'E', 'C', 'B')
221 #define SECUREBOOT_CONFIG_PRIVATE_FROM_THIS(a) CR (a, SECUREBOOT_CONFIG_PRIVATE_DATA, ConfigAccess, SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE)
222
223 //
224 // Cryptograhpic Key Information
225 //
226 #pragma pack(1)
227 typedef struct _CPL_KEY_INFO {
228 UINT32 KeyLengthInBits; // Key Length In Bits
229 UINT32 BlockSize; // Operation Block Size in Bytes
230 UINT32 CipherBlockSize; // Output Cipher Block Size in Bytes
231 UINT32 KeyType; // Key Type
232 UINT32 CipherMode; // Cipher Mode for Symmetric Algorithm
233 UINT32 Flags; // Additional Key Property Flags
234 } CPL_KEY_INFO;
235 #pragma pack()
236
237
238 /**
239 Retrieves the size, in bytes, of the context buffer required for hash operations.
240
241 @return The size, in bytes, of the context buffer required for hash operations.
242
243 **/
244 typedef
245 EFI_STATUS
246 (EFIAPI *HASH_GET_CONTEXT_SIZE)(
247 VOID
248 );
249
250 /**
251 Initializes user-supplied memory pointed by HashContext as hash context for
252 subsequent use.
253
254 If HashContext is NULL, then ASSERT().
255
256 @param[in, out] HashContext Pointer to Context being initialized.
257
258 @retval TRUE HASH context initialization succeeded.
259 @retval FALSE HASH context initialization failed.
260
261 **/
262 typedef
263 BOOLEAN
264 (EFIAPI *HASH_INIT)(
265 IN OUT VOID *HashContext
266 );
267
268
269 /**
270 Performs digest on a data buffer of the specified length. This function can
271 be called multiple times to compute the digest of long or discontinuous data streams.
272
273 If HashContext is NULL, then ASSERT().
274
275 @param[in, out] HashContext Pointer to the MD5 context.
276 @param[in] Data Pointer to the buffer containing the data to be hashed.
277 @param[in] DataLength Length of Data buffer in bytes.
278
279 @retval TRUE HASH data digest succeeded.
280 @retval FALSE Invalid HASH context. After HashFinal function has been called, the
281 HASH context cannot be reused.
282
283 **/
284 typedef
285 BOOLEAN
286 (EFIAPI *HASH_UPDATE)(
287 IN OUT VOID *HashContext,
288 IN CONST VOID *Data,
289 IN UINTN DataLength
290 );
291
292 /**
293 Completes hash computation and retrieves the digest value into the specified
294 memory. After this function has been called, the context cannot be used again.
295
296 If HashContext is NULL, then ASSERT().
297 If HashValue is NULL, then ASSERT().
298
299 @param[in, out] HashContext Pointer to the MD5 context
300 @param[out] HashValue Pointer to a buffer that receives the HASH digest
301 value (16 bytes).
302
303 @retval TRUE HASH digest computation succeeded.
304 @retval FALSE HASH digest computation failed.
305
306 **/
307 typedef
308 BOOLEAN
309 (EFIAPI *HASH_FINAL)(
310 IN OUT VOID *HashContext,
311 OUT UINT8 *HashValue
312 );
313
314 //
315 // Hash Algorithm Table
316 //
317 typedef struct {
318 CHAR16 *Name; ///< Name for Hash Algorithm
319 UINTN DigestLength; ///< Digest Length
320 UINT8 *OidValue; ///< Hash Algorithm OID ASN.1 Value
321 UINTN OidLength; ///< Length of Hash OID Value
322 HASH_GET_CONTEXT_SIZE GetContextSize; ///< Pointer to Hash GetContentSize function
323 HASH_INIT HashInit; ///< Pointer to Hash Init function
324 HASH_UPDATE HashUpdate; ///< Pointer to Hash Update function
325 HASH_FINAL HashFinal; ///< Pointer to Hash Final function
326 } HASH_TABLE;
327
328 typedef struct {
329 WIN_CERTIFICATE Hdr;
330 UINT8 CertData[1];
331 } WIN_CERTIFICATE_EFI_PKCS;
332
333
334 /**
335 This function publish the SecureBoot configuration Form.
336
337 @param[in, out] PrivateData Points to SecureBoot configuration private data.
338
339 @retval EFI_SUCCESS HII Form is installed successfully.
340 @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
341 @retval Others Other errors as indicated.
342
343 **/
344 EFI_STATUS
345 InstallSecureBootConfigForm (
346 IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
347 );
348
349
350 /**
351 This function removes SecureBoot configuration Form.
352
353 @param[in, out] PrivateData Points to SecureBoot configuration private data.
354
355 **/
356 VOID
357 UninstallSecureBootConfigForm (
358 IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
359 );
360
361
362 /**
363 This function allows a caller to extract the current configuration for one
364 or more named elements from the target driver.
365
366 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
367 @param[in] Request A null-terminated Unicode string in
368 <ConfigRequest> format.
369 @param[out] Progress On return, points to a character in the Request
370 string. Points to the string's null terminator if
371 request was successful. Points to the most recent
372 '&' before the first failing name/value pair (or
373 the beginning of the string if the failure is in
374 the first name/value pair) if the request was not
375 successful.
376 @param[out] Results A null-terminated Unicode string in
377 <ConfigAltResp> format which has all values filled
378 in for the names in the Request string. String to
379 be allocated by the called function.
380
381 @retval EFI_SUCCESS The Results is filled with the requested values.
382 @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
383 @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
384 @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
385 driver.
386
387 **/
388 EFI_STATUS
389 EFIAPI
390 SecureBootExtractConfig (
391 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
392 IN CONST EFI_STRING Request,
393 OUT EFI_STRING *Progress,
394 OUT EFI_STRING *Results
395 );
396
397
398 /**
399 This function processes the results of changes in configuration.
400
401 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
402 @param[in] Configuration A null-terminated Unicode string in <ConfigResp>
403 format.
404 @param[out] Progress A pointer to a string filled in with the offset of
405 the most recent '&' before the first failing
406 name/value pair (or the beginning of the string if
407 the failure is in the first name/value pair) or
408 the terminating NULL if all was successful.
409
410 @retval EFI_SUCCESS The Results is processed successfully.
411 @retval EFI_INVALID_PARAMETER Configuration is NULL.
412 @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
413 driver.
414
415 **/
416 EFI_STATUS
417 EFIAPI
418 SecureBootRouteConfig (
419 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
420 IN CONST EFI_STRING Configuration,
421 OUT EFI_STRING *Progress
422 );
423
424
425 /**
426 This function processes the results of changes in configuration.
427
428 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
429 @param[in] Action Specifies the type of action taken by the browser.
430 @param[in] QuestionId A unique value which is sent to the original
431 exporting driver so that it can identify the type
432 of data to expect.
433 @param[in] Type The type of value for the question.
434 @param[in] Value A pointer to the data being sent to the original
435 exporting driver.
436 @param[out] ActionRequest On return, points to the action requested by the
437 callback function.
438
439 @retval EFI_SUCCESS The callback successfully handled the action.
440 @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
441 variable and its data.
442 @retval EFI_DEVICE_ERROR The variable could not be saved.
443 @retval EFI_UNSUPPORTED The specified Action is not supported by the
444 callback.
445
446 **/
447 EFI_STATUS
448 EFIAPI
449 SecureBootCallback (
450 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
451 IN EFI_BROWSER_ACTION Action,
452 IN EFI_QUESTION_ID QuestionId,
453 IN UINT8 Type,
454 IN EFI_IFR_TYPE_VALUE *Value,
455 OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
456 );
457
458
459 /**
460 This function converts an input device structure to a Unicode string.
461
462 @param[in] DevPath A pointer to the device path structure.
463
464 @return A new allocated Unicode string that represents the device path.
465
466 **/
467 CHAR16 *
468 EFIAPI
469 DevicePathToStr (
470 IN EFI_DEVICE_PATH_PROTOCOL *DevPath
471 );
472
473
474 /**
475 Clean up the dynamic opcode at label and form specified by both LabelId.
476
477 @param[in] LabelId It is both the Form ID and Label ID for opcode deletion.
478 @param[in] PrivateData Module private data.
479
480 **/
481 VOID
482 CleanUpPage (
483 IN UINT16 LabelId,
484 IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
485 );
486
487
488 /**
489 Update the file explorer page with the refreshed file system.
490
491 @param[in] PrivateData Module private data.
492 @param[in] KeyValue Key value to identify the type of data to expect.
493
494 @retval TRUE Inform the caller to create a callback packet to exit file explorer.
495 @retval FALSE Indicate that there is no need to exit file explorer.
496
497 **/
498 BOOLEAN
499 UpdateFileExplorer (
500 IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
501 IN UINT16 KeyValue
502 );
503
504
505 /**
506 Free resources allocated in Allocate Rountine.
507
508 @param[in, out] MenuOption Menu to be freed
509
510 **/
511 VOID
512 FreeMenu (
513 IN OUT SECUREBOOT_MENU_OPTION *MenuOption
514 );
515
516
517 /**
518 Read file content into BufferPtr, the size of the allocate buffer
519 is *FileSize plus AddtionAllocateSize.
520
521 @param[in] FileHandle The file to be read.
522 @param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
523 @param[out] FileSize Size of input file
524 @param[in] AddtionAllocateSize Addtion size the buffer need to be allocated.
525 In case the buffer need to contain others besides the file content.
526
527 @retval EFI_SUCCESS The file was read into the buffer.
528 @retval EFI_INVALID_PARAMETER A parameter was invalid.
529 @retval EFI_OUT_OF_RESOURCES A memory allocation failed.
530 @retval others Unexpected error.
531
532 **/
533 EFI_STATUS
534 ReadFileContent (
535 IN EFI_FILE_HANDLE FileHandle,
536 IN OUT VOID **BufferPtr,
537 OUT UINTN *FileSize,
538 IN UINTN AddtionAllocateSize
539 );
540
541
542 /**
543 Close an open file handle.
544
545 @param[in] FileHandle The file handle to close.
546
547 **/
548 VOID
549 CloseFile (
550 IN EFI_FILE_HANDLE FileHandle
551 );
552
553
554 /**
555 Converts a nonnegative integer to an octet string of a specified length.
556
557 @param[in] Integer Pointer to the nonnegative integer to be converted
558 @param[in] IntSizeInWords Length of integer buffer in words
559 @param[out] OctetString Converted octet string of the specified length
560 @param[in] OSSizeInBytes Intended length of resulting octet string in bytes
561
562 Returns:
563
564 @retval EFI_SUCCESS Data conversion successfully
565 @retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
566
567 **/
568 EFI_STATUS
569 EFIAPI
570 Int2OctStr (
571 IN CONST UINTN *Integer,
572 IN UINTN IntSizeInWords,
573 OUT UINT8 *OctetString,
574 IN UINTN OSSizeInBytes
575 );
576
577
578 /**
579 Convert a String to Guid Value.
580
581 @param[in] Str Specifies the String to be converted.
582 @param[in] StrLen Number of Unicode Characters of String (exclusive \0)
583 @param[out] Guid Return the result Guid value.
584
585 @retval EFI_SUCCESS The operation is finished successfully.
586 @retval EFI_NOT_FOUND Invalid string.
587
588 **/
589 EFI_STATUS
590 StringToGuid (
591 IN CHAR16 *Str,
592 IN UINTN StrLen,
593 OUT EFI_GUID *Guid
594 );
595
596
597 /**
598 Worker function that prints an EFI_GUID into specified Buffer.
599
600 @param[in] Guid Pointer to GUID to print.
601 @param[in] Buffer Buffer to print Guid into.
602 @param[in] BufferSize Size of Buffer.
603
604 @retval Number of characters printed.
605
606 **/
607 UINTN
608 GuidToString (
609 IN EFI_GUID *Guid,
610 IN CHAR16 *Buffer,
611 IN UINTN BufferSize
612 );
613
614 #endif
EFI Development Kit II mirror for PVE