]> git.proxmox.com Git - mirror_edk2.git/blob - SecurityPkg/Library/AuthVariableLib/AuthService.c
projects / mirror_edk2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SecurityPkg: Replace BSD License with BSD+Patent License
[mirror_edk2.git] / SecurityPkg / Library / AuthVariableLib / AuthService.c
1 /** @file
2 Implement authentication services for the authenticated variables.
3
4 Caution: This module requires additional review when modified.
5 This driver will have external input - variable data. It may be input in SMM mode.
6 This external input must be validated carefully to avoid security issue like
7 buffer overflow, integer overflow.
8 Variable attribute should also be checked to avoid authentication bypass.
9 The whole SMM authentication variable design relies on the integrity of flash part and SMM.
10 which is assumed to be protected by platform. All variable code and metadata in flash/SMM Memory
11 may not be modified without authorization. If platform fails to protect these resources,
12 the authentication service provided in this driver will be broken, and the behavior is undefined.
13
14 ProcessVarWithPk(), ProcessVarWithKek() and ProcessVariable() are the function to do
15 variable authentication.
16
17 VerifyTimeBasedPayloadAndUpdate() and VerifyCounterBasedPayload() are sub function to do verification.
18 They will do basic validation for authentication data structure, then call crypto library
19 to verify the signature.
20
21 Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
22 SPDX-License-Identifier: BSD-2-Clause-Patent
23
24 **/
25
26 #include "AuthServiceInternal.h"
27
28 //
29 // Public Exponent of RSA Key.
30 //
31 CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 };
32
33 CONST UINT8 mSha256OidValue[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
34
35 //
36 // Requirement for different signature type which have been defined in UEFI spec.
37 // These data are used to perform SignatureList format check while setting PK/KEK variable.
38 //
39 EFI_SIGNATURE_ITEM mSupportSigItem[] = {
40 //{SigType, SigHeaderSize, SigDataSize }
41 {EFI_CERT_SHA256_GUID, 0, 32 },
42 {EFI_CERT_RSA2048_GUID, 0, 256 },
43 {EFI_CERT_RSA2048_SHA256_GUID, 0, 256 },
44 {EFI_CERT_SHA1_GUID, 0, 20 },
45 {EFI_CERT_RSA2048_SHA1_GUID, 0, 256 },
46 {EFI_CERT_X509_GUID, 0, ((UINT32) ~0)},
47 {EFI_CERT_SHA224_GUID, 0, 28 },
48 {EFI_CERT_SHA384_GUID, 0, 48 },
49 {EFI_CERT_SHA512_GUID, 0, 64 },
50 {EFI_CERT_X509_SHA256_GUID, 0, 48 },
51 {EFI_CERT_X509_SHA384_GUID, 0, 64 },
52 {EFI_CERT_X509_SHA512_GUID, 0, 80 }
53 };
54
55 /**
56 Finds variable in storage blocks of volatile and non-volatile storage areas.
57
58 This code finds variable in storage blocks of volatile and non-volatile storage areas.
59 If VariableName is an empty string, then we just return the first
60 qualified variable without comparing VariableName and VendorGuid.
61
62 @param[in] VariableName Name of the variable to be found.
63 @param[in] VendorGuid Variable vendor GUID to be found.
64 @param[out] Data Pointer to data address.
65 @param[out] DataSize Pointer to data size.
66
67 @retval EFI_INVALID_PARAMETER If VariableName is not an empty string,
68 while VendorGuid is NULL.
69 @retval EFI_SUCCESS Variable successfully found.
70 @retval EFI_NOT_FOUND Variable not found
71
72 **/
73 EFI_STATUS
74 AuthServiceInternalFindVariable (
75 IN CHAR16 *VariableName,
76 IN EFI_GUID *VendorGuid,
77 OUT VOID **Data,
78 OUT UINTN *DataSize
79 )
80 {
81 EFI_STATUS Status;
82 AUTH_VARIABLE_INFO AuthVariableInfo;
83
84 ZeroMem (&AuthVariableInfo, sizeof (AuthVariableInfo));
85 Status = mAuthVarLibContextIn->FindVariable (
86 VariableName,
87 VendorGuid,
88 &AuthVariableInfo
89 );
90 *Data = AuthVariableInfo.Data;
91 *DataSize = AuthVariableInfo.DataSize;
92 return Status;
93 }
94
95 /**
96 Update the variable region with Variable information.
97
98 @param[in] VariableName Name of variable.
99 @param[in] VendorGuid Guid of variable.
100 @param[in] Data Data pointer.
101 @param[in] DataSize Size of Data.
102 @param[in] Attributes Attribute value of the variable.
103
104 @retval EFI_SUCCESS The update operation is success.
105 @retval EFI_INVALID_PARAMETER Invalid parameter.
106 @retval EFI_WRITE_PROTECTED Variable is write-protected.
107 @retval EFI_OUT_OF_RESOURCES There is not enough resource.
108
109 **/
110 EFI_STATUS
111 AuthServiceInternalUpdateVariable (
112 IN CHAR16 *VariableName,
113 IN EFI_GUID *VendorGuid,
114 IN VOID *Data,
115 IN UINTN DataSize,
116 IN UINT32 Attributes
117 )
118 {
119 AUTH_VARIABLE_INFO AuthVariableInfo;
120
121 ZeroMem (&AuthVariableInfo, sizeof (AuthVariableInfo));
122 AuthVariableInfo.VariableName = VariableName;
123 AuthVariableInfo.VendorGuid = VendorGuid;
124 AuthVariableInfo.Data = Data;
125 AuthVariableInfo.DataSize = DataSize;
126 AuthVariableInfo.Attributes = Attributes;
127
128 return mAuthVarLibContextIn->UpdateVariable (
129 &AuthVariableInfo
130 );
131 }
132
133 /**
134 Update the variable region with Variable information.
135
136 @param[in] VariableName Name of variable.
137 @param[in] VendorGuid Guid of variable.
138 @param[in] Data Data pointer.
139 @param[in] DataSize Size of Data.
140 @param[in] Attributes Attribute value of the variable.
141 @param[in] TimeStamp Value of associated TimeStamp.
142
143 @retval EFI_SUCCESS The update operation is success.
144 @retval EFI_INVALID_PARAMETER Invalid parameter.
145 @retval EFI_WRITE_PROTECTED Variable is write-protected.
146 @retval EFI_OUT_OF_RESOURCES There is not enough resource.
147
148 **/
149 EFI_STATUS
150 AuthServiceInternalUpdateVariableWithTimeStamp (
151 IN CHAR16 *VariableName,
152 IN EFI_GUID *VendorGuid,
153 IN VOID *Data,
154 IN UINTN DataSize,
155 IN UINT32 Attributes,
156 IN EFI_TIME *TimeStamp
157 )
158 {
159 EFI_STATUS FindStatus;
160 VOID *OrgData;
161 UINTN OrgDataSize;
162 AUTH_VARIABLE_INFO AuthVariableInfo;
163
164 FindStatus = AuthServiceInternalFindVariable (
165 VariableName,
166 VendorGuid,
167 &OrgData,
168 &OrgDataSize
169 );
170
171 //
172 // EFI_VARIABLE_APPEND_WRITE attribute only effects for existing variable
173 //
174 if (!EFI_ERROR (FindStatus) && ((Attributes & EFI_VARIABLE_APPEND_WRITE) != 0)) {
175 if ((CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
176 ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||
177 (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0))) ||
178 (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0))) {
179 //
180 // For variables with formatted as EFI_SIGNATURE_LIST, the driver shall not perform an append of
181 // EFI_SIGNATURE_DATA values that are already part of the existing variable value.
182 //
183 FilterSignatureList (
184 OrgData,
185 OrgDataSize,
186 Data,
187 &DataSize
188 );
189 }
190 }
191
192 ZeroMem (&AuthVariableInfo, sizeof (AuthVariableInfo));
193 AuthVariableInfo.VariableName = VariableName;
194 AuthVariableInfo.VendorGuid = VendorGuid;
195 AuthVariableInfo.Data = Data;
196 AuthVariableInfo.DataSize = DataSize;
197 AuthVariableInfo.Attributes = Attributes;
198 AuthVariableInfo.TimeStamp = TimeStamp;
199 return mAuthVarLibContextIn->UpdateVariable (
200 &AuthVariableInfo
201 );
202 }
203
204 /**
205 Determine whether this operation needs a physical present user.
206
207 @param[in] VariableName Name of the Variable.
208 @param[in] VendorGuid GUID of the Variable.
209
210 @retval TRUE This variable is protected, only a physical present user could set this variable.
211 @retval FALSE This variable is not protected.
212
213 **/
214 BOOLEAN
215 NeedPhysicallyPresent(
216 IN CHAR16 *VariableName,
217 IN EFI_GUID *VendorGuid
218 )
219 {
220 if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) == 0))
221 || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (VariableName, EFI_CUSTOM_MODE_NAME) == 0))) {
222 return TRUE;
223 }
224
225 return FALSE;
226 }
227
228 /**
229 Determine whether the platform is operating in Custom Secure Boot mode.
230
231 @retval TRUE The platform is operating in Custom mode.
232 @retval FALSE The platform is operating in Standard mode.
233
234 **/
235 BOOLEAN
236 InCustomMode (
237 VOID
238 )
239 {
240 EFI_STATUS Status;
241 VOID *Data;
242 UINTN DataSize;
243
244 Status = AuthServiceInternalFindVariable (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, &Data, &DataSize);
245 if (!EFI_ERROR (Status) && (*(UINT8 *) Data == CUSTOM_SECURE_BOOT_MODE)) {
246 return TRUE;
247 }
248
249 return FALSE;
250 }
251
252 /**
253 Update platform mode.
254
255 @param[in] Mode SETUP_MODE or USER_MODE.
256
257 @return EFI_INVALID_PARAMETER Invalid parameter.
258 @return EFI_SUCCESS Update platform mode successfully.
259
260 **/
261 EFI_STATUS
262 UpdatePlatformMode (
263 IN UINT32 Mode
264 )
265 {
266 EFI_STATUS Status;
267 VOID *Data;
268 UINTN DataSize;
269 UINT8 SecureBootMode;
270 UINT8 SecureBootEnable;
271 UINTN VariableDataSize;
272
273 Status = AuthServiceInternalFindVariable (
274 EFI_SETUP_MODE_NAME,
275 &gEfiGlobalVariableGuid,
276 &Data,
277 &DataSize
278 );
279 if (EFI_ERROR (Status)) {
280 return Status;
281 }
282
283 //
284 // Update the value of SetupMode variable by a simple mem copy, this could avoid possible
285 // variable storage reclaim at runtime.
286 //
287 mPlatformMode = (UINT8) Mode;
288 CopyMem (Data, &mPlatformMode, sizeof(UINT8));
289
290 if (mAuthVarLibContextIn->AtRuntime ()) {
291 //
292 // SecureBoot Variable indicates whether the platform firmware is operating
293 // in Secure boot mode (1) or not (0), so we should not change SecureBoot
294 // Variable in runtime.
295 //
296 return Status;
297 }
298
299 //
300 // Check "SecureBoot" variable's existence.
301 // If it doesn't exist, firmware has no capability to perform driver signing verification,
302 // then set "SecureBoot" to 0.
303 //
304 Status = AuthServiceInternalFindVariable (
305 EFI_SECURE_BOOT_MODE_NAME,
306 &gEfiGlobalVariableGuid,
307 &Data,
308 &DataSize
309 );
310 //
311 // If "SecureBoot" variable exists, then check "SetupMode" variable update.
312 // If "SetupMode" variable is USER_MODE, "SecureBoot" variable is set to 1.
313 // If "SetupMode" variable is SETUP_MODE, "SecureBoot" variable is set to 0.
314 //
315 if (EFI_ERROR (Status)) {
316 SecureBootMode = SECURE_BOOT_MODE_DISABLE;
317 } else {
318 if (mPlatformMode == USER_MODE) {
319 SecureBootMode = SECURE_BOOT_MODE_ENABLE;
320 } else if (mPlatformMode == SETUP_MODE) {
321 SecureBootMode = SECURE_BOOT_MODE_DISABLE;
322 } else {
323 return EFI_NOT_FOUND;
324 }
325 }
326
327 Status = AuthServiceInternalUpdateVariable (
328 EFI_SECURE_BOOT_MODE_NAME,
329 &gEfiGlobalVariableGuid,
330 &SecureBootMode,
331 sizeof(UINT8),
332 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
333 );
334 if (EFI_ERROR (Status)) {
335 return Status;
336 }
337
338 //
339 // Check "SecureBootEnable" variable's existence. It can enable/disable secure boot feature.
340 //
341 Status = AuthServiceInternalFindVariable (
342 EFI_SECURE_BOOT_ENABLE_NAME,
343 &gEfiSecureBootEnableDisableGuid,
344 &Data,
345 &DataSize
346 );
347
348 if (SecureBootMode == SECURE_BOOT_MODE_ENABLE) {
349 //
350 // Create the "SecureBootEnable" variable as secure boot is enabled.
351 //
352 SecureBootEnable = SECURE_BOOT_ENABLE;
353 VariableDataSize = sizeof (SecureBootEnable);
354 } else {
355 //
356 // Delete the "SecureBootEnable" variable if this variable exist as "SecureBoot"
357 // variable is not in secure boot state.
358 //
359 if (EFI_ERROR (Status)) {
360 return EFI_SUCCESS;
361 }
362 SecureBootEnable = SECURE_BOOT_DISABLE;
363 VariableDataSize = 0;
364 }
365
366 Status = AuthServiceInternalUpdateVariable (
367 EFI_SECURE_BOOT_ENABLE_NAME,
368 &gEfiSecureBootEnableDisableGuid,
369 &SecureBootEnable,
370 VariableDataSize,
371 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
372 );
373 return Status;
374 }
375
376 /**
377 Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK/db/dbx/dbt variable.
378
379 @param[in] VariableName Name of Variable to be check.
380 @param[in] VendorGuid Variable vendor GUID.
381 @param[in] Data Point to the variable data to be checked.
382 @param[in] DataSize Size of Data.
383
384 @return EFI_INVALID_PARAMETER Invalid signature list format.
385 @return EFI_SUCCESS Passed signature list format check successfully.
386
387 **/
388 EFI_STATUS
389 CheckSignatureListFormat(
390 IN CHAR16 *VariableName,
391 IN EFI_GUID *VendorGuid,
392 IN VOID *Data,
393 IN UINTN DataSize
394 )
395 {
396 EFI_SIGNATURE_LIST *SigList;
397 UINTN SigDataSize;
398 UINT32 Index;
399 UINT32 SigCount;
400 BOOLEAN IsPk;
401 VOID *RsaContext;
402 EFI_SIGNATURE_DATA *CertData;
403 UINTN CertLen;
404
405 if (DataSize == 0) {
406 return EFI_SUCCESS;
407 }
408
409 ASSERT (VariableName != NULL && VendorGuid != NULL && Data != NULL);
410
411 if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){
412 IsPk = TRUE;
413 } else if ((CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) ||
414 (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
415 ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||
416 (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0)))) {
417 IsPk = FALSE;
418 } else {
419 return EFI_SUCCESS;
420 }
421
422 SigCount = 0;
423 SigList = (EFI_SIGNATURE_LIST *) Data;
424 SigDataSize = DataSize;
425 RsaContext = NULL;
426
427 //
428 // Walk throuth the input signature list and check the data format.
429 // If any signature is incorrectly formed, the whole check will fail.
430 //
431 while ((SigDataSize > 0) && (SigDataSize >= SigList->SignatureListSize)) {
432 for (Index = 0; Index < (sizeof (mSupportSigItem) / sizeof (EFI_SIGNATURE_ITEM)); Index++ ) {
433 if (CompareGuid (&SigList->SignatureType, &mSupportSigItem[Index].SigType)) {
434 //
435 // The value of SignatureSize should always be 16 (size of SignatureOwner
436 // component) add the data length according to signature type.
437 //
438 if (mSupportSigItem[Index].SigDataSize != ((UINT32) ~0) &&
439 (SigList->SignatureSize - sizeof (EFI_GUID)) != mSupportSigItem[Index].SigDataSize) {
440 return EFI_INVALID_PARAMETER;
441 }
442 if (mSupportSigItem[Index].SigHeaderSize != ((UINT32) ~0) &&
443 SigList->SignatureHeaderSize != mSupportSigItem[Index].SigHeaderSize) {
444 return EFI_INVALID_PARAMETER;
445 }
446 break;
447 }
448 }
449
450 if (Index == (sizeof (mSupportSigItem) / sizeof (EFI_SIGNATURE_ITEM))) {
451 //
452 // Undefined signature type.
453 //
454 return EFI_INVALID_PARAMETER;
455 }
456
457 if (CompareGuid (&SigList->SignatureType, &gEfiCertX509Guid)) {
458 //
459 // Try to retrieve the RSA public key from the X.509 certificate.
460 // If this operation fails, it's not a valid certificate.
461 //
462 RsaContext = RsaNew ();
463 if (RsaContext == NULL) {
464 return EFI_INVALID_PARAMETER;
465 }
466 CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) SigList + sizeof (EFI_SIGNATURE_LIST) + SigList->SignatureHeaderSize);
467 CertLen = SigList->SignatureSize - sizeof (EFI_GUID);
468 if (!RsaGetPublicKeyFromX509 (CertData->SignatureData, CertLen, &RsaContext)) {
469 RsaFree (RsaContext);
470 return EFI_INVALID_PARAMETER;
471 }
472 RsaFree (RsaContext);
473 }
474
475 if ((SigList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - SigList->SignatureHeaderSize) % SigList->SignatureSize != 0) {
476 return EFI_INVALID_PARAMETER;
477 }
478 SigCount += (SigList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - SigList->SignatureHeaderSize) / SigList->SignatureSize;
479
480 SigDataSize -= SigList->SignatureListSize;
481 SigList = (EFI_SIGNATURE_LIST *) ((UINT8 *) SigList + SigList->SignatureListSize);
482 }
483
484 if (((UINTN) SigList - (UINTN) Data) != DataSize) {
485 return EFI_INVALID_PARAMETER;
486 }
487
488 if (IsPk && SigCount > 1) {
489 return EFI_INVALID_PARAMETER;
490 }
491
492 return EFI_SUCCESS;
493 }
494
495 /**
496 Update "VendorKeys" variable to record the out of band secure boot key modification.
497
498 @return EFI_SUCCESS Variable is updated successfully.
499 @return Others Failed to update variable.
500
501 **/
502 EFI_STATUS
503 VendorKeyIsModified (
504 VOID
505 )
506 {
507 EFI_STATUS Status;
508
509 if (mVendorKeyState == VENDOR_KEYS_MODIFIED) {
510 return EFI_SUCCESS;
511 }
512 mVendorKeyState = VENDOR_KEYS_MODIFIED;
513
514 Status = AuthServiceInternalUpdateVariable (
515 EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
516 &gEfiVendorKeysNvGuid,
517 &mVendorKeyState,
518 sizeof (UINT8),
519 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
520 );
521 if (EFI_ERROR (Status)) {
522 return Status;
523 }
524
525 return AuthServiceInternalUpdateVariable (
526 EFI_VENDOR_KEYS_VARIABLE_NAME,
527 &gEfiGlobalVariableGuid,
528 &mVendorKeyState,
529 sizeof (UINT8),
530 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
531 );
532 }
533
534 /**
535 Process variable with platform key for verification.
536
537 Caution: This function may receive untrusted input.
538 This function may be invoked in SMM mode, and datasize and data are external input.
539 This function will do basic validation, before parse the data.
540 This function will parse the authentication carefully to avoid security issues, like
541 buffer overflow, integer overflow.
542 This function will check attribute carefully to avoid authentication bypass.
543
544 @param[in] VariableName Name of Variable to be found.
545 @param[in] VendorGuid Variable vendor GUID.
546 @param[in] Data Data pointer.
547 @param[in] DataSize Size of Data found. If size is less than the
548 data, this value contains the required size.
549 @param[in] Attributes Attribute value of the variable
550 @param[in] IsPk Indicate whether it is to process pk.
551
552 @return EFI_INVALID_PARAMETER Invalid parameter.
553 @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation.
554 check carried out by the firmware.
555 @return EFI_SUCCESS Variable passed validation successfully.
556
557 **/
558 EFI_STATUS
559 ProcessVarWithPk (
560 IN CHAR16 *VariableName,
561 IN EFI_GUID *VendorGuid,
562 IN VOID *Data,
563 IN UINTN DataSize,
564 IN UINT32 Attributes OPTIONAL,
565 IN BOOLEAN IsPk
566 )
567 {
568 EFI_STATUS Status;
569 BOOLEAN Del;
570 UINT8 *Payload;
571 UINTN PayloadSize;
572
573 if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0 ||
574 (Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
575 //
576 // PK, KEK and db/dbx/dbt should set EFI_VARIABLE_NON_VOLATILE attribute and should be a time-based
577 // authenticated variable.
578 //
579 return EFI_INVALID_PARAMETER;
580 }
581
582 //
583 // Init state of Del. State may change due to secure check
584 //
585 Del = FALSE;
586 if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE && !IsPk)) {
587 Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
588 PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
589 if (PayloadSize == 0) {
590 Del = TRUE;
591 }
592
593 Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload, PayloadSize);
594 if (EFI_ERROR (Status)) {
595 return Status;
596 }
597
598 Status = AuthServiceInternalUpdateVariableWithTimeStamp (
599 VariableName,
600 VendorGuid,
601 Payload,
602 PayloadSize,
603 Attributes,
604 &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
605 );
606 if (EFI_ERROR(Status)) {
607 return Status;
608 }
609
610 if ((mPlatformMode != SETUP_MODE) || IsPk) {
611 Status = VendorKeyIsModified ();
612 }
613 } else if (mPlatformMode == USER_MODE) {
614 //
615 // Verify against X509 Cert in PK database.
616 //
617 Status = VerifyTimeBasedPayloadAndUpdate (
618 VariableName,
619 VendorGuid,
620 Data,
621 DataSize,
622 Attributes,
623 AuthVarTypePk,
624 &Del
625 );
626 } else {
627 //
628 // Verify against the certificate in data payload.
629 //
630 Status = VerifyTimeBasedPayloadAndUpdate (
631 VariableName,
632 VendorGuid,
633 Data,
634 DataSize,
635 Attributes,
636 AuthVarTypePayload,
637 &Del
638 );
639 }
640
641 if (!EFI_ERROR(Status) && IsPk) {
642 if (mPlatformMode == SETUP_MODE && !Del) {
643 //
644 // If enroll PK in setup mode, need change to user mode.
645 //
646 Status = UpdatePlatformMode (USER_MODE);
647 } else if (mPlatformMode == USER_MODE && Del){
648 //
649 // If delete PK in user mode, need change to setup mode.
650 //
651 Status = UpdatePlatformMode (SETUP_MODE);
652 }
653 }
654
655 return Status;
656 }
657
658 /**
659 Process variable with key exchange key for verification.
660
661 Caution: This function may receive untrusted input.
662 This function may be invoked in SMM mode, and datasize and data are external input.
663 This function will do basic validation, before parse the data.
664 This function will parse the authentication carefully to avoid security issues, like
665 buffer overflow, integer overflow.
666 This function will check attribute carefully to avoid authentication bypass.
667
668 @param[in] VariableName Name of Variable to be found.
669 @param[in] VendorGuid Variable vendor GUID.
670 @param[in] Data Data pointer.
671 @param[in] DataSize Size of Data found. If size is less than the
672 data, this value contains the required size.
673 @param[in] Attributes Attribute value of the variable.
674
675 @return EFI_INVALID_PARAMETER Invalid parameter.
676 @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
677 check carried out by the firmware.
678 @return EFI_SUCCESS Variable pass validation successfully.
679
680 **/
681 EFI_STATUS
682 ProcessVarWithKek (
683 IN CHAR16 *VariableName,
684 IN EFI_GUID *VendorGuid,
685 IN VOID *Data,
686 IN UINTN DataSize,
687 IN UINT32 Attributes OPTIONAL
688 )
689 {
690 EFI_STATUS Status;
691 UINT8 *Payload;
692 UINTN PayloadSize;
693
694 if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0 ||
695 (Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
696 //
697 // DB, DBX and DBT should set EFI_VARIABLE_NON_VOLATILE attribute and should be a time-based
698 // authenticated variable.
699 //
700 return EFI_INVALID_PARAMETER;
701 }
702
703 Status = EFI_SUCCESS;
704 if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {
705 //
706 // Time-based, verify against X509 Cert KEK.
707 //
708 return VerifyTimeBasedPayloadAndUpdate (
709 VariableName,
710 VendorGuid,
711 Data,
712 DataSize,
713 Attributes,
714 AuthVarTypeKek,
715 NULL
716 );
717 } else {
718 //
719 // If in setup mode or custom secure boot mode, no authentication needed.
720 //
721 Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
722 PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
723
724 Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload, PayloadSize);
725 if (EFI_ERROR (Status)) {
726 return Status;
727 }
728
729 Status = AuthServiceInternalUpdateVariableWithTimeStamp (
730 VariableName,
731 VendorGuid,
732 Payload,
733 PayloadSize,
734 Attributes,
735 &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
736 );
737 if (EFI_ERROR (Status)) {
738 return Status;
739 }
740
741 if (mPlatformMode != SETUP_MODE) {
742 Status = VendorKeyIsModified ();
743 }
744 }
745
746 return Status;
747 }
748
749 /**
750 Check if it is to delete auth variable.
751
752 @param[in] OrgAttributes Original attribute value of the variable.
753 @param[in] Data Data pointer.
754 @param[in] DataSize Size of Data.
755 @param[in] Attributes Attribute value of the variable.
756
757 @retval TRUE It is to delete auth variable.
758 @retval FALSE It is not to delete auth variable.
759
760 **/
761 BOOLEAN
762 IsDeleteAuthVariable (
763 IN UINT32 OrgAttributes,
764 IN VOID *Data,
765 IN UINTN DataSize,
766 IN UINT32 Attributes
767 )
768 {
769 BOOLEAN Del;
770 UINTN PayloadSize;
771
772 Del = FALSE;
773
774 //
775 // To delete a variable created with the EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
776 // or the EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute,
777 // SetVariable must be used with attributes matching the existing variable
778 // and the DataSize set to the size of the AuthInfo descriptor.
779 //
780 if ((Attributes == OrgAttributes) &&
781 ((Attributes & (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) != 0)) {
782 if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
783 PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
784 if (PayloadSize == 0) {
785 Del = TRUE;
786 }
787 } else {
788 PayloadSize = DataSize - AUTHINFO_SIZE;
789 if (PayloadSize == 0) {
790 Del = TRUE;
791 }
792 }
793 }
794
795 return Del;
796 }
797
798 /**
799 Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
800
801 Caution: This function may receive untrusted input.
802 This function may be invoked in SMM mode, and datasize and data are external input.
803 This function will do basic validation, before parse the data.
804 This function will parse the authentication carefully to avoid security issues, like
805 buffer overflow, integer overflow.
806 This function will check attribute carefully to avoid authentication bypass.
807
808 @param[in] VariableName Name of the variable.
809 @param[in] VendorGuid Variable vendor GUID.
810 @param[in] Data Data pointer.
811 @param[in] DataSize Size of Data.
812 @param[in] Attributes Attribute value of the variable.
813
814 @return EFI_INVALID_PARAMETER Invalid parameter.
815 @return EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with
816 EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
817 @return EFI_OUT_OF_RESOURCES The Database to save the public key is full.
818 @return EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
819 set, but the AuthInfo does NOT pass the validation
820 check carried out by the firmware.
821 @return EFI_SUCCESS Variable is not write-protected or pass validation successfully.
822
823 **/
824 EFI_STATUS
825 ProcessVariable (
826 IN CHAR16 *VariableName,
827 IN EFI_GUID *VendorGuid,
828 IN VOID *Data,
829 IN UINTN DataSize,
830 IN UINT32 Attributes
831 )
832 {
833 EFI_STATUS Status;
834 AUTH_VARIABLE_INFO OrgVariableInfo;
835
836 Status = EFI_SUCCESS;
837
838 ZeroMem (&OrgVariableInfo, sizeof (OrgVariableInfo));
839 Status = mAuthVarLibContextIn->FindVariable (
840 VariableName,
841 VendorGuid,
842 &OrgVariableInfo
843 );
844
845 if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && UserPhysicalPresent()) {
846 //
847 // Allow the delete operation of common authenticated variable(AT or AW) at user physical presence.
848 //
849 Status = AuthServiceInternalUpdateVariable (
850 VariableName,
851 VendorGuid,
852 NULL,
853 0,
854 0
855 );
856 if (!EFI_ERROR (Status) && ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0)) {
857 Status = DeleteCertsFromDb (VariableName, VendorGuid, Attributes);
858 }
859
860 return Status;
861 }
862
863 if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent()) {
864 //
865 // This variable is protected, only physical present user could modify its value.
866 //
867 return EFI_SECURITY_VIOLATION;
868 }
869
870 //
871 if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {
872 //
873 // Reject Counter Based Auth Variable processing request.
874 //
875 return EFI_UNSUPPORTED;
876 } else if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
877 //
878 // Process Time-based Authenticated variable.
879 //
880 return VerifyTimeBasedPayloadAndUpdate (
881 VariableName,
882 VendorGuid,
883 Data,
884 DataSize,
885 Attributes,
886 AuthVarTypePriv,
887 NULL
888 );
889 }
890
891 if ((OrgVariableInfo.Data != NULL) &&
892 ((OrgVariableInfo.Attributes & (EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)) != 0)) {
893 //
894 // If the variable is already write-protected, it always needs authentication before update.
895 //
896 return EFI_WRITE_PROTECTED;
897 }
898
899 //
900 // Not authenticated variable, just update variable as usual.
901 //
902 Status = AuthServiceInternalUpdateVariable (VariableName, VendorGuid, Data, DataSize, Attributes);
903 return Status;
904
905 }
906
907 /**
908 Filter out the duplicated EFI_SIGNATURE_DATA from the new data by comparing to the original data.
909
910 @param[in] Data Pointer to original EFI_SIGNATURE_LIST.
911 @param[in] DataSize Size of Data buffer.
912 @param[in, out] NewData Pointer to new EFI_SIGNATURE_LIST.
913 @param[in, out] NewDataSize Size of NewData buffer.
914
915 **/
916 EFI_STATUS
917 FilterSignatureList (
918 IN VOID *Data,
919 IN UINTN DataSize,
920 IN OUT VOID *NewData,
921 IN OUT UINTN *NewDataSize
922 )
923 {
924 EFI_SIGNATURE_LIST *CertList;
925 EFI_SIGNATURE_DATA *Cert;
926 UINTN CertCount;
927 EFI_SIGNATURE_LIST *NewCertList;
928 EFI_SIGNATURE_DATA *NewCert;
929 UINTN NewCertCount;
930 UINTN Index;
931 UINTN Index2;
932 UINTN Size;
933 UINT8 *Tail;
934 UINTN CopiedCount;
935 UINTN SignatureListSize;
936 BOOLEAN IsNewCert;
937 UINT8 *TempData;
938 UINTN TempDataSize;
939 EFI_STATUS Status;
940
941 if (*NewDataSize == 0) {
942 return EFI_SUCCESS;
943 }
944
945 TempDataSize = *NewDataSize;
946 Status = mAuthVarLibContextIn->GetScratchBuffer (&TempDataSize, (VOID **) &TempData);
947 if (EFI_ERROR (Status)) {
948 return EFI_OUT_OF_RESOURCES;
949 }
950
951 Tail = TempData;
952
953 NewCertList = (EFI_SIGNATURE_LIST *) NewData;
954 while ((*NewDataSize > 0) && (*NewDataSize >= NewCertList->SignatureListSize)) {
955 NewCert = (EFI_SIGNATURE_DATA *) ((UINT8 *) NewCertList + sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize);
956 NewCertCount = (NewCertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - NewCertList->SignatureHeaderSize) / NewCertList->SignatureSize;
957
958 CopiedCount = 0;
959 for (Index = 0; Index < NewCertCount; Index++) {
960 IsNewCert = TRUE;
961
962 Size = DataSize;
963 CertList = (EFI_SIGNATURE_LIST *) Data;
964 while ((Size > 0) && (Size >= CertList->SignatureListSize)) {
965 if (CompareGuid (&CertList->SignatureType, &NewCertList->SignatureType) &&
966 (CertList->SignatureSize == NewCertList->SignatureSize)) {
967 Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
968 CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
969 for (Index2 = 0; Index2 < CertCount; Index2++) {
970 //
971 // Iterate each Signature Data in this Signature List.
972 //
973 if (CompareMem (NewCert, Cert, CertList->SignatureSize) == 0) {
974 IsNewCert = FALSE;
975 break;
976 }
977 Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
978 }
979 }
980
981 if (!IsNewCert) {
982 break;
983 }
984 Size -= CertList->SignatureListSize;
985 CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
986 }
987
988 if (IsNewCert) {
989 //
990 // New EFI_SIGNATURE_DATA, keep it.
991 //
992 if (CopiedCount == 0) {
993 //
994 // Copy EFI_SIGNATURE_LIST header for only once.
995 //
996 CopyMem (Tail, NewCertList, sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize);
997 Tail = Tail + sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize;
998 }
999
1000 CopyMem (Tail, NewCert, NewCertList->SignatureSize);
1001 Tail += NewCertList->SignatureSize;
1002 CopiedCount++;
1003 }
1004
1005 NewCert = (EFI_SIGNATURE_DATA *) ((UINT8 *) NewCert + NewCertList->SignatureSize);
1006 }
1007
1008 //
1009 // Update SignatureListSize in the kept EFI_SIGNATURE_LIST.
1010 //
1011 if (CopiedCount != 0) {
1012 SignatureListSize = sizeof (EFI_SIGNATURE_LIST) + NewCertList->SignatureHeaderSize + (CopiedCount * NewCertList->SignatureSize);
1013 CertList = (EFI_SIGNATURE_LIST *) (Tail - SignatureListSize);
1014 CertList->SignatureListSize = (UINT32) SignatureListSize;
1015 }
1016
1017 *NewDataSize -= NewCertList->SignatureListSize;
1018 NewCertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) NewCertList + NewCertList->SignatureListSize);
1019 }
1020
1021 TempDataSize = (Tail - (UINT8 *) TempData);
1022
1023 CopyMem (NewData, TempData, TempDataSize);
1024 *NewDataSize = TempDataSize;
1025
1026 return EFI_SUCCESS;
1027 }
1028
1029 /**
1030 Compare two EFI_TIME data.
1031
1032
1033 @param FirstTime A pointer to the first EFI_TIME data.
1034 @param SecondTime A pointer to the second EFI_TIME data.
1035
1036 @retval TRUE The FirstTime is not later than the SecondTime.
1037 @retval FALSE The FirstTime is later than the SecondTime.
1038
1039 **/
1040 BOOLEAN
1041 AuthServiceInternalCompareTimeStamp (
1042 IN EFI_TIME *FirstTime,
1043 IN EFI_TIME *SecondTime
1044 )
1045 {
1046 if (FirstTime->Year != SecondTime->Year) {
1047 return (BOOLEAN) (FirstTime->Year < SecondTime->Year);
1048 } else if (FirstTime->Month != SecondTime->Month) {
1049 return (BOOLEAN) (FirstTime->Month < SecondTime->Month);
1050 } else if (FirstTime->Day != SecondTime->Day) {
1051 return (BOOLEAN) (FirstTime->Day < SecondTime->Day);
1052 } else if (FirstTime->Hour != SecondTime->Hour) {
1053 return (BOOLEAN) (FirstTime->Hour < SecondTime->Hour);
1054 } else if (FirstTime->Minute != SecondTime->Minute) {
1055 return (BOOLEAN) (FirstTime->Minute < SecondTime->Minute);
1056 }
1057
1058 return (BOOLEAN) (FirstTime->Second <= SecondTime->Second);
1059 }
1060
1061 /**
1062 Calculate SHA256 digest of SignerCert CommonName + ToplevelCert tbsCertificate
1063 SignerCert and ToplevelCert are inside the signer certificate chain.
1064
1065 @param[in] SignerCert A pointer to SignerCert data.
1066 @param[in] SignerCertSize Length of SignerCert data.
1067 @param[in] TopLevelCert A pointer to TopLevelCert data.
1068 @param[in] TopLevelCertSize Length of TopLevelCert data.
1069 @param[out] Sha256Digest Sha256 digest calculated.
1070
1071 @return EFI_ABORTED Digest process failed.
1072 @return EFI_SUCCESS SHA256 Digest is succesfully calculated.
1073
1074 **/
1075 EFI_STATUS
1076 CalculatePrivAuthVarSignChainSHA256Digest(
1077 IN UINT8 *SignerCert,
1078 IN UINTN SignerCertSize,
1079 IN UINT8 *TopLevelCert,
1080 IN UINTN TopLevelCertSize,
1081 OUT UINT8 *Sha256Digest
1082 )
1083 {
1084 UINT8 *TbsCert;
1085 UINTN TbsCertSize;
1086 CHAR8 CertCommonName[128];
1087 UINTN CertCommonNameSize;
1088 BOOLEAN CryptoStatus;
1089 EFI_STATUS Status;
1090
1091 CertCommonNameSize = sizeof(CertCommonName);
1092
1093 //
1094 // Get SignerCert CommonName
1095 //
1096 Status = X509GetCommonName(SignerCert, SignerCertSize, CertCommonName, &CertCommonNameSize);
1097 if (EFI_ERROR(Status)) {
1098 DEBUG((DEBUG_INFO, "%a Get SignerCert CommonName failed with status %x\n", __FUNCTION__, Status));
1099 return EFI_ABORTED;
1100 }
1101
1102 //
1103 // Get TopLevelCert tbsCertificate
1104 //
1105 if (!X509GetTBSCert(TopLevelCert, TopLevelCertSize, &TbsCert, &TbsCertSize)) {
1106 DEBUG((DEBUG_INFO, "%a Get Top-level Cert tbsCertificate failed!\n", __FUNCTION__));
1107 return EFI_ABORTED;
1108 }
1109
1110 //
1111 // Digest SignerCert CN + TopLevelCert tbsCertificate
1112 //
1113 ZeroMem (Sha256Digest, SHA256_DIGEST_SIZE);
1114 CryptoStatus = Sha256Init (mHashCtx);
1115 if (!CryptoStatus) {
1116 return EFI_ABORTED;
1117 }
1118
1119 //
1120 // '\0' is forced in CertCommonName. No overflow issue
1121 //
1122 CryptoStatus = Sha256Update (
1123 mHashCtx,
1124 CertCommonName,
1125 AsciiStrLen (CertCommonName)
1126 );
1127 if (!CryptoStatus) {
1128 return EFI_ABORTED;
1129 }
1130
1131 CryptoStatus = Sha256Update (mHashCtx, TbsCert, TbsCertSize);
1132 if (!CryptoStatus) {
1133 return EFI_ABORTED;
1134 }
1135
1136 CryptoStatus = Sha256Final (mHashCtx, Sha256Digest);
1137 if (!CryptoStatus) {
1138 return EFI_ABORTED;
1139 }
1140
1141 return EFI_SUCCESS;
1142 }
1143
1144 /**
1145 Find matching signer's certificates for common authenticated variable
1146 by corresponding VariableName and VendorGuid from "certdb" or "certdbv".
1147
1148 The data format of "certdb" or "certdbv":
1149 //
1150 // UINT32 CertDbListSize;
1151 // /// AUTH_CERT_DB_DATA Certs1[];
1152 // /// AUTH_CERT_DB_DATA Certs2[];
1153 // /// ...
1154 // /// AUTH_CERT_DB_DATA Certsn[];
1155 //
1156
1157 @param[in] VariableName Name of authenticated Variable.
1158 @param[in] VendorGuid Vendor GUID of authenticated Variable.
1159 @param[in] Data Pointer to variable "certdb" or "certdbv".
1160 @param[in] DataSize Size of variable "certdb" or "certdbv".
1161 @param[out] CertOffset Offset of matching CertData, from starting of Data.
1162 @param[out] CertDataSize Length of CertData in bytes.
1163 @param[out] CertNodeOffset Offset of matching AUTH_CERT_DB_DATA , from
1164 starting of Data.
1165 @param[out] CertNodeSize Length of AUTH_CERT_DB_DATA in bytes.
1166
1167 @retval EFI_INVALID_PARAMETER Any input parameter is invalid.
1168 @retval EFI_NOT_FOUND Fail to find matching certs.
1169 @retval EFI_SUCCESS Find matching certs and output parameters.
1170
1171 **/
1172 EFI_STATUS
1173 FindCertsFromDb (
1174 IN CHAR16 *VariableName,
1175 IN EFI_GUID *VendorGuid,
1176 IN UINT8 *Data,
1177 IN UINTN DataSize,
1178 OUT UINT32 *CertOffset, OPTIONAL
1179 OUT UINT32 *CertDataSize, OPTIONAL
1180 OUT UINT32 *CertNodeOffset,OPTIONAL
1181 OUT UINT32 *CertNodeSize OPTIONAL
1182 )
1183 {
1184 UINT32 Offset;
1185 AUTH_CERT_DB_DATA *Ptr;
1186 UINT32 CertSize;
1187 UINT32 NameSize;
1188 UINT32 NodeSize;
1189 UINT32 CertDbListSize;
1190
1191 if ((VariableName == NULL) || (VendorGuid == NULL) || (Data == NULL)) {
1192 return EFI_INVALID_PARAMETER;
1193 }
1194
1195 //
1196 // Check whether DataSize matches recorded CertDbListSize.
1197 //
1198 if (DataSize < sizeof (UINT32)) {
1199 return EFI_INVALID_PARAMETER;
1200 }
1201
1202 CertDbListSize = ReadUnaligned32 ((UINT32 *) Data);
1203
1204 if (CertDbListSize != (UINT32) DataSize) {
1205 return EFI_INVALID_PARAMETER;
1206 }
1207
1208 Offset = sizeof (UINT32);
1209
1210 //
1211 // Get corresponding certificates by VendorGuid and VariableName.
1212 //
1213 while (Offset < (UINT32) DataSize) {
1214 Ptr = (AUTH_CERT_DB_DATA *) (Data + Offset);
1215 //
1216 // Check whether VendorGuid matches.
1217 //
1218 if (CompareGuid (&Ptr->VendorGuid, VendorGuid)) {
1219 NodeSize = ReadUnaligned32 (&Ptr->CertNodeSize);
1220 NameSize = ReadUnaligned32 (&Ptr->NameSize);
1221 CertSize = ReadUnaligned32 (&Ptr->CertDataSize);
1222
1223 if (NodeSize != sizeof (EFI_GUID) + sizeof (UINT32) * 3 + CertSize +
1224 sizeof (CHAR16) * NameSize) {
1225 return EFI_INVALID_PARAMETER;
1226 }
1227
1228 Offset = Offset + sizeof (EFI_GUID) + sizeof (UINT32) * 3;
1229 //
1230 // Check whether VariableName matches.
1231 //
1232 if ((NameSize == StrLen (VariableName)) &&
1233 (CompareMem (Data + Offset, VariableName, NameSize * sizeof (CHAR16)) == 0)) {
1234 Offset = Offset + NameSize * sizeof (CHAR16);
1235
1236 if (CertOffset != NULL) {
1237 *CertOffset = Offset;
1238 }
1239
1240 if (CertDataSize != NULL) {
1241 *CertDataSize = CertSize;
1242 }
1243
1244 if (CertNodeOffset != NULL) {
1245 *CertNodeOffset = (UINT32) ((UINT8 *) Ptr - Data);
1246 }
1247
1248 if (CertNodeSize != NULL) {
1249 *CertNodeSize = NodeSize;
1250 }
1251
1252 return EFI_SUCCESS;
1253 } else {
1254 Offset = Offset + NameSize * sizeof (CHAR16) + CertSize;
1255 }
1256 } else {
1257 NodeSize = ReadUnaligned32 (&Ptr->CertNodeSize);
1258 Offset = Offset + NodeSize;
1259 }
1260 }
1261
1262 return EFI_NOT_FOUND;
1263 }
1264
1265 /**
1266 Retrieve signer's certificates for common authenticated variable
1267 by corresponding VariableName and VendorGuid from "certdb"
1268 or "certdbv" according to authenticated variable attributes.
1269
1270 @param[in] VariableName Name of authenticated Variable.
1271 @param[in] VendorGuid Vendor GUID of authenticated Variable.
1272 @param[in] Attributes Attributes of authenticated variable.
1273 @param[out] CertData Pointer to signer's certificates.
1274 @param[out] CertDataSize Length of CertData in bytes.
1275
1276 @retval EFI_INVALID_PARAMETER Any input parameter is invalid.
1277 @retval EFI_NOT_FOUND Fail to find "certdb"/"certdbv" or matching certs.
1278 @retval EFI_SUCCESS Get signer's certificates successfully.
1279
1280 **/
1281 EFI_STATUS
1282 GetCertsFromDb (
1283 IN CHAR16 *VariableName,
1284 IN EFI_GUID *VendorGuid,
1285 IN UINT32 Attributes,
1286 OUT UINT8 **CertData,
1287 OUT UINT32 *CertDataSize
1288 )
1289 {
1290 EFI_STATUS Status;
1291 UINT8 *Data;
1292 UINTN DataSize;
1293 UINT32 CertOffset;
1294 CHAR16 *DbName;
1295
1296 if ((VariableName == NULL) || (VendorGuid == NULL) || (CertData == NULL) || (CertDataSize == NULL)) {
1297 return EFI_INVALID_PARAMETER;
1298 }
1299
1300
1301 if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
1302 //
1303 // Get variable "certdb".
1304 //
1305 DbName = EFI_CERT_DB_NAME;
1306 } else {
1307 //
1308 // Get variable "certdbv".
1309 //
1310 DbName = EFI_CERT_DB_VOLATILE_NAME;
1311 }
1312
1313 //
1314 // Get variable "certdb" or "certdbv".
1315 //
1316 Status = AuthServiceInternalFindVariable (
1317 DbName,
1318 &gEfiCertDbGuid,
1319 (VOID **) &Data,
1320 &DataSize
1321 );
1322 if (EFI_ERROR (Status)) {
1323 return Status;
1324 }
1325
1326 if ((DataSize == 0) || (Data == NULL)) {
1327 ASSERT (FALSE);
1328 return EFI_NOT_FOUND;
1329 }
1330
1331 Status = FindCertsFromDb (
1332 VariableName,
1333 VendorGuid,
1334 Data,
1335 DataSize,
1336 &CertOffset,
1337 CertDataSize,
1338 NULL,
1339 NULL
1340 );
1341
1342 if (EFI_ERROR (Status)) {
1343 return Status;
1344 }
1345
1346 *CertData = Data + CertOffset;
1347 return EFI_SUCCESS;
1348 }
1349
1350 /**
1351 Delete matching signer's certificates when deleting common authenticated
1352 variable by corresponding VariableName and VendorGuid from "certdb" or
1353 "certdbv" according to authenticated variable attributes.
1354
1355 @param[in] VariableName Name of authenticated Variable.
1356 @param[in] VendorGuid Vendor GUID of authenticated Variable.
1357 @param[in] Attributes Attributes of authenticated variable.
1358
1359 @retval EFI_INVALID_PARAMETER Any input parameter is invalid.
1360 @retval EFI_NOT_FOUND Fail to find "certdb"/"certdbv" or matching certs.
1361 @retval EFI_OUT_OF_RESOURCES The operation is failed due to lack of resources.
1362 @retval EFI_SUCCESS The operation is completed successfully.
1363
1364 **/
1365 EFI_STATUS
1366 DeleteCertsFromDb (
1367 IN CHAR16 *VariableName,
1368 IN EFI_GUID *VendorGuid,
1369 IN UINT32 Attributes
1370 )
1371 {
1372 EFI_STATUS Status;
1373 UINT8 *Data;
1374 UINTN DataSize;
1375 UINT32 VarAttr;
1376 UINT32 CertNodeOffset;
1377 UINT32 CertNodeSize;
1378 UINT8 *NewCertDb;
1379 UINT32 NewCertDbSize;
1380 CHAR16 *DbName;
1381
1382 if ((VariableName == NULL) || (VendorGuid == NULL)) {
1383 return EFI_INVALID_PARAMETER;
1384 }
1385
1386 if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
1387 //
1388 // Get variable "certdb".
1389 //
1390 DbName = EFI_CERT_DB_NAME;
1391 VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
1392 } else {
1393 //
1394 // Get variable "certdbv".
1395 //
1396 DbName = EFI_CERT_DB_VOLATILE_NAME;
1397 VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
1398 }
1399
1400 Status = AuthServiceInternalFindVariable (
1401 DbName,
1402 &gEfiCertDbGuid,
1403 (VOID **) &Data,
1404 &DataSize
1405 );
1406
1407 if (EFI_ERROR (Status)) {
1408 return Status;
1409 }
1410
1411 if ((DataSize == 0) || (Data == NULL)) {
1412 ASSERT (FALSE);
1413 return EFI_NOT_FOUND;
1414 }
1415
1416 if (DataSize == sizeof (UINT32)) {
1417 //
1418 // There is no certs in "certdb" or "certdbv".
1419 //
1420 return EFI_SUCCESS;
1421 }
1422
1423 //
1424 // Get corresponding cert node from "certdb" or "certdbv".
1425 //
1426 Status = FindCertsFromDb (
1427 VariableName,
1428 VendorGuid,
1429 Data,
1430 DataSize,
1431 NULL,
1432 NULL,
1433 &CertNodeOffset,
1434 &CertNodeSize
1435 );
1436
1437 if (EFI_ERROR (Status)) {
1438 return Status;
1439 }
1440
1441 if (DataSize < (CertNodeOffset + CertNodeSize)) {
1442 return EFI_NOT_FOUND;
1443 }
1444
1445 //
1446 // Construct new data content of variable "certdb" or "certdbv".
1447 //
1448 NewCertDbSize = (UINT32) DataSize - CertNodeSize;
1449 NewCertDb = (UINT8*) mCertDbStore;
1450
1451 //
1452 // Copy the DB entries before deleting node.
1453 //
1454 CopyMem (NewCertDb, Data, CertNodeOffset);
1455 //
1456 // Update CertDbListSize.
1457 //
1458 CopyMem (NewCertDb, &NewCertDbSize, sizeof (UINT32));
1459 //
1460 // Copy the DB entries after deleting node.
1461 //
1462 if (DataSize > (CertNodeOffset + CertNodeSize)) {
1463 CopyMem (
1464 NewCertDb + CertNodeOffset,
1465 Data + CertNodeOffset + CertNodeSize,
1466 DataSize - CertNodeOffset - CertNodeSize
1467 );
1468 }
1469
1470 //
1471 // Set "certdb" or "certdbv".
1472 //
1473 Status = AuthServiceInternalUpdateVariable (
1474 DbName,
1475 &gEfiCertDbGuid,
1476 NewCertDb,
1477 NewCertDbSize,
1478 VarAttr
1479 );
1480
1481 return Status;
1482 }
1483
1484 /**
1485 Insert signer's certificates for common authenticated variable with VariableName
1486 and VendorGuid in AUTH_CERT_DB_DATA to "certdb" or "certdbv" according to
1487 time based authenticated variable attributes. CertData is the SHA256 digest of
1488 SignerCert CommonName + TopLevelCert tbsCertificate.
1489
1490 @param[in] VariableName Name of authenticated Variable.
1491 @param[in] VendorGuid Vendor GUID of authenticated Variable.
1492 @param[in] Attributes Attributes of authenticated variable.
1493 @param[in] SignerCert Signer certificate data.
1494 @param[in] SignerCertSize Length of signer certificate.
1495 @param[in] TopLevelCert Top-level certificate data.
1496 @param[in] TopLevelCertSize Length of top-level certificate.
1497
1498 @retval EFI_INVALID_PARAMETER Any input parameter is invalid.
1499 @retval EFI_ACCESS_DENIED An AUTH_CERT_DB_DATA entry with same VariableName
1500 and VendorGuid already exists.
1501 @retval EFI_OUT_OF_RESOURCES The operation is failed due to lack of resources.
1502 @retval EFI_SUCCESS Insert an AUTH_CERT_DB_DATA entry to "certdb" or "certdbv"
1503
1504 **/
1505 EFI_STATUS
1506 InsertCertsToDb (
1507 IN CHAR16 *VariableName,
1508 IN EFI_GUID *VendorGuid,
1509 IN UINT32 Attributes,
1510 IN UINT8 *SignerCert,
1511 IN UINTN SignerCertSize,
1512 IN UINT8 *TopLevelCert,
1513 IN UINTN TopLevelCertSize
1514 )
1515 {
1516 EFI_STATUS Status;
1517 UINT8 *Data;
1518 UINTN DataSize;
1519 UINT32 VarAttr;
1520 UINT8 *NewCertDb;
1521 UINT32 NewCertDbSize;
1522 UINT32 CertNodeSize;
1523 UINT32 NameSize;
1524 UINT32 CertDataSize;
1525 AUTH_CERT_DB_DATA *Ptr;
1526 CHAR16 *DbName;
1527 UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
1528
1529 if ((VariableName == NULL) || (VendorGuid == NULL) || (SignerCert == NULL) ||(TopLevelCert == NULL)) {
1530 return EFI_INVALID_PARAMETER;
1531 }
1532
1533 if ((Attributes & EFI_VARIABLE_NON_VOLATILE) != 0) {
1534 //
1535 // Get variable "certdb".
1536 //
1537 DbName = EFI_CERT_DB_NAME;
1538 VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
1539 } else {
1540 //
1541 // Get variable "certdbv".
1542 //
1543 DbName = EFI_CERT_DB_VOLATILE_NAME;
1544 VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
1545 }
1546
1547 //
1548 // Get variable "certdb" or "certdbv".
1549 //
1550 Status = AuthServiceInternalFindVariable (
1551 DbName,
1552 &gEfiCertDbGuid,
1553 (VOID **) &Data,
1554 &DataSize
1555 );
1556 if (EFI_ERROR (Status)) {
1557 return Status;
1558 }
1559
1560 if ((DataSize == 0) || (Data == NULL)) {
1561 ASSERT (FALSE);
1562 return EFI_NOT_FOUND;
1563 }
1564
1565 //
1566 // Find whether matching cert node already exists in "certdb" or "certdbv".
1567 // If yes return error.
1568 //
1569 Status = FindCertsFromDb (
1570 VariableName,
1571 VendorGuid,
1572 Data,
1573 DataSize,
1574 NULL,
1575 NULL,
1576 NULL,
1577 NULL
1578 );
1579
1580 if (!EFI_ERROR (Status)) {
1581 ASSERT (FALSE);
1582 return EFI_ACCESS_DENIED;
1583 }
1584
1585 //
1586 // Construct new data content of variable "certdb" or "certdbv".
1587 //
1588 NameSize = (UINT32) StrLen (VariableName);
1589 CertDataSize = sizeof(Sha256Digest);
1590 CertNodeSize = sizeof (AUTH_CERT_DB_DATA) + (UINT32) CertDataSize + NameSize * sizeof (CHAR16);
1591 NewCertDbSize = (UINT32) DataSize + CertNodeSize;
1592 if (NewCertDbSize > mMaxCertDbSize) {
1593 return EFI_OUT_OF_RESOURCES;
1594 }
1595
1596 Status = CalculatePrivAuthVarSignChainSHA256Digest(
1597 SignerCert,
1598 SignerCertSize,
1599 TopLevelCert,
1600 TopLevelCertSize,
1601 Sha256Digest
1602 );
1603 if (EFI_ERROR (Status)) {
1604 return Status;
1605 }
1606
1607 NewCertDb = (UINT8*) mCertDbStore;
1608
1609 //
1610 // Copy the DB entries before inserting node.
1611 //
1612 CopyMem (NewCertDb, Data, DataSize);
1613 //
1614 // Update CertDbListSize.
1615 //
1616 CopyMem (NewCertDb, &NewCertDbSize, sizeof (UINT32));
1617 //
1618 // Construct new cert node.
1619 //
1620 Ptr = (AUTH_CERT_DB_DATA *) (NewCertDb + DataSize);
1621 CopyGuid (&Ptr->VendorGuid, VendorGuid);
1622 CopyMem (&Ptr->CertNodeSize, &CertNodeSize, sizeof (UINT32));
1623 CopyMem (&Ptr->NameSize, &NameSize, sizeof (UINT32));
1624 CopyMem (&Ptr->CertDataSize, &CertDataSize, sizeof (UINT32));
1625
1626 CopyMem (
1627 (UINT8 *) Ptr + sizeof (AUTH_CERT_DB_DATA),
1628 VariableName,
1629 NameSize * sizeof (CHAR16)
1630 );
1631
1632 CopyMem (
1633 (UINT8 *) Ptr + sizeof (AUTH_CERT_DB_DATA) + NameSize * sizeof (CHAR16),
1634 Sha256Digest,
1635 CertDataSize
1636 );
1637
1638 //
1639 // Set "certdb" or "certdbv".
1640 //
1641 Status = AuthServiceInternalUpdateVariable (
1642 DbName,
1643 &gEfiCertDbGuid,
1644 NewCertDb,
1645 NewCertDbSize,
1646 VarAttr
1647 );
1648
1649 return Status;
1650 }
1651
1652 /**
1653 Clean up signer's certificates for common authenticated variable
1654 by corresponding VariableName and VendorGuid from "certdb".
1655 System may break down during Timebased Variable update & certdb update,
1656 make them inconsistent, this function is called in AuthVariable Init
1657 to ensure consistency.
1658
1659 @retval EFI_NOT_FOUND Fail to find variable "certdb".
1660 @retval EFI_OUT_OF_RESOURCES The operation is failed due to lack of resources.
1661 @retval EFI_SUCCESS The operation is completed successfully.
1662
1663 **/
1664 EFI_STATUS
1665 CleanCertsFromDb (
1666 VOID
1667 )
1668 {
1669 UINT32 Offset;
1670 AUTH_CERT_DB_DATA *Ptr;
1671 UINT32 NameSize;
1672 UINT32 NodeSize;
1673 CHAR16 *VariableName;
1674 EFI_STATUS Status;
1675 BOOLEAN CertCleaned;
1676 UINT8 *Data;
1677 UINTN DataSize;
1678 EFI_GUID AuthVarGuid;
1679 AUTH_VARIABLE_INFO AuthVariableInfo;
1680
1681 Status = EFI_SUCCESS;
1682
1683 //
1684 // Get corresponding certificates by VendorGuid and VariableName.
1685 //
1686 do {
1687 CertCleaned = FALSE;
1688
1689 //
1690 // Get latest variable "certdb"
1691 //
1692 Status = AuthServiceInternalFindVariable (
1693 EFI_CERT_DB_NAME,
1694 &gEfiCertDbGuid,
1695 (VOID **) &Data,
1696 &DataSize
1697 );
1698 if (EFI_ERROR (Status)) {
1699 return Status;
1700 }
1701
1702 if ((DataSize == 0) || (Data == NULL)) {
1703 ASSERT (FALSE);
1704 return EFI_NOT_FOUND;
1705 }
1706
1707 Offset = sizeof (UINT32);
1708
1709 while (Offset < (UINT32) DataSize) {
1710 Ptr = (AUTH_CERT_DB_DATA *) (Data + Offset);
1711 NodeSize = ReadUnaligned32 (&Ptr->CertNodeSize);
1712 NameSize = ReadUnaligned32 (&Ptr->NameSize);
1713
1714 //
1715 // Get VarName tailed with '\0'
1716 //
1717 VariableName = AllocateZeroPool((NameSize + 1) * sizeof(CHAR16));
1718 if (VariableName == NULL) {
1719 return EFI_OUT_OF_RESOURCES;
1720 }
1721 CopyMem (VariableName, (UINT8 *) Ptr + sizeof (AUTH_CERT_DB_DATA), NameSize * sizeof(CHAR16));
1722 //
1723 // Keep VarGuid aligned
1724 //
1725 CopyMem (&AuthVarGuid, &Ptr->VendorGuid, sizeof(EFI_GUID));
1726
1727 //
1728 // Find corresponding time auth variable
1729 //
1730 ZeroMem (&AuthVariableInfo, sizeof (AuthVariableInfo));
1731 Status = mAuthVarLibContextIn->FindVariable (
1732 VariableName,
1733 &AuthVarGuid,
1734 &AuthVariableInfo
1735 );
1736
1737 if (EFI_ERROR(Status) || (AuthVariableInfo.Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {
1738 Status = DeleteCertsFromDb(
1739 VariableName,
1740 &AuthVarGuid,
1741 AuthVariableInfo.Attributes
1742 );
1743 CertCleaned = TRUE;
1744 DEBUG((EFI_D_INFO, "Recovery!! Cert for Auth Variable %s Guid %g is removed for consistency\n", VariableName, &AuthVarGuid));
1745 FreePool(VariableName);
1746 break;
1747 }
1748
1749 FreePool(VariableName);
1750 Offset = Offset + NodeSize;
1751 }
1752 } while (CertCleaned);
1753
1754 return Status;
1755 }
1756
1757 /**
1758 Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
1759
1760 Caution: This function may receive untrusted input.
1761 This function may be invoked in SMM mode, and datasize and data are external input.
1762 This function will do basic validation, before parse the data.
1763 This function will parse the authentication carefully to avoid security issues, like
1764 buffer overflow, integer overflow.
1765
1766 @param[in] VariableName Name of Variable to be found.
1767 @param[in] VendorGuid Variable vendor GUID.
1768 @param[in] Data Data pointer.
1769 @param[in] DataSize Size of Data found. If size is less than the
1770 data, this value contains the required size.
1771 @param[in] Attributes Attribute value of the variable.
1772 @param[in] AuthVarType Verify against PK, KEK database, private database or certificate in data payload.
1773 @param[in] OrgTimeStamp Pointer to original time stamp,
1774 original variable is not found if NULL.
1775 @param[out] VarPayloadPtr Pointer to variable payload address.
1776 @param[out] VarPayloadSize Pointer to variable payload size.
1777
1778 @retval EFI_INVALID_PARAMETER Invalid parameter.
1779 @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
1780 check carried out by the firmware.
1781 @retval EFI_OUT_OF_RESOURCES Failed to process variable due to lack
1782 of resources.
1783 @retval EFI_SUCCESS Variable pass validation successfully.
1784
1785 **/
1786 EFI_STATUS
1787 VerifyTimeBasedPayload (
1788 IN CHAR16 *VariableName,
1789 IN EFI_GUID *VendorGuid,
1790 IN VOID *Data,
1791 IN UINTN DataSize,
1792 IN UINT32 Attributes,
1793 IN AUTHVAR_TYPE AuthVarType,
1794 IN EFI_TIME *OrgTimeStamp,
1795 OUT UINT8 **VarPayloadPtr,
1796 OUT UINTN *VarPayloadSize
1797 )
1798 {
1799 EFI_VARIABLE_AUTHENTICATION_2 *CertData;
1800 UINT8 *SigData;
1801 UINT32 SigDataSize;
1802 UINT8 *PayloadPtr;
1803 UINTN PayloadSize;
1804 UINT32 Attr;
1805 BOOLEAN VerifyStatus;
1806 EFI_STATUS Status;
1807 EFI_SIGNATURE_LIST *CertList;
1808 EFI_SIGNATURE_DATA *Cert;
1809 UINTN Index;
1810 UINTN CertCount;
1811 UINT32 KekDataSize;
1812 UINT8 *NewData;
1813 UINTN NewDataSize;
1814 UINT8 *Buffer;
1815 UINTN Length;
1816 UINT8 *TopLevelCert;
1817 UINTN TopLevelCertSize;
1818 UINT8 *TrustedCert;
1819 UINTN TrustedCertSize;
1820 UINT8 *SignerCerts;
1821 UINTN CertStackSize;
1822 UINT8 *CertsInCertDb;
1823 UINT32 CertsSizeinDb;
1824 UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
1825 EFI_CERT_DATA *CertDataPtr;
1826
1827 //
1828 // 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert Chain
1829 // 2. TrustedCert is the certificate which firmware trusts. It could be saved in protected
1830 // storage or PK payload on PK init
1831 //
1832 VerifyStatus = FALSE;
1833 CertData = NULL;
1834 NewData = NULL;
1835 Attr = Attributes;
1836 SignerCerts = NULL;
1837 TopLevelCert = NULL;
1838 CertsInCertDb = NULL;
1839 CertDataPtr = NULL;
1840
1841 //
1842 // When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is
1843 // set, then the Data buffer shall begin with an instance of a complete (and serialized)
1844 // EFI_VARIABLE_AUTHENTICATION_2 descriptor. The descriptor shall be followed by the new
1845 // variable value and DataSize shall reflect the combined size of the descriptor and the new
1846 // variable value. The authentication descriptor is not part of the variable data and is not
1847 // returned by subsequent calls to GetVariable().
1848 //
1849 CertData = (EFI_VARIABLE_AUTHENTICATION_2 *) Data;
1850
1851 //
1852 // Verify that Pad1, Nanosecond, TimeZone, Daylight and Pad2 components of the
1853 // TimeStamp value are set to zero.
1854 //
1855 if ((CertData->TimeStamp.Pad1 != 0) ||
1856 (CertData->TimeStamp.Nanosecond != 0) ||
1857 (CertData->TimeStamp.TimeZone != 0) ||
1858 (CertData->TimeStamp.Daylight != 0) ||
1859 (CertData->TimeStamp.Pad2 != 0)) {
1860 return EFI_SECURITY_VIOLATION;
1861 }
1862
1863 if ((OrgTimeStamp != NULL) && ((Attributes & EFI_VARIABLE_APPEND_WRITE) == 0)) {
1864 if (AuthServiceInternalCompareTimeStamp (&CertData->TimeStamp, OrgTimeStamp)) {
1865 //
1866 // TimeStamp check fail, suspicious replay attack, return EFI_SECURITY_VIOLATION.
1867 //
1868 return EFI_SECURITY_VIOLATION;
1869 }
1870 }
1871
1872 //
1873 // wCertificateType should be WIN_CERT_TYPE_EFI_GUID.
1874 // Cert type should be EFI_CERT_TYPE_PKCS7_GUID.
1875 //
1876 if ((CertData->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) ||
1877 !CompareGuid (&CertData->AuthInfo.CertType, &gEfiCertPkcs7Guid)) {
1878 //
1879 // Invalid AuthInfo type, return EFI_SECURITY_VIOLATION.
1880 //
1881 return EFI_SECURITY_VIOLATION;
1882 }
1883
1884 //
1885 // Find out Pkcs7 SignedData which follows the EFI_VARIABLE_AUTHENTICATION_2 descriptor.
1886 // AuthInfo.Hdr.dwLength is the length of the entire certificate, including the length of the header.
1887 //
1888 SigData = CertData->AuthInfo.CertData;
1889 SigDataSize = CertData->AuthInfo.Hdr.dwLength - (UINT32) (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData));
1890
1891 //
1892 // SignedData.digestAlgorithms shall contain the digest algorithm used when preparing the
1893 // signature. Only a digest algorithm of SHA-256 is accepted.
1894 //
1895 // According to PKCS#7 Definition:
1896 // SignedData ::= SEQUENCE {
1897 // version Version,
1898 // digestAlgorithms DigestAlgorithmIdentifiers,
1899 // contentInfo ContentInfo,
1900 // .... }
1901 // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm
1902 // in VARIABLE_AUTHENTICATION_2 descriptor.
1903 // This field has the fixed offset (+13) and be calculated based on two bytes of length encoding.
1904 //
1905 if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
1906 if (SigDataSize >= (13 + sizeof (mSha256OidValue))) {
1907 if (((*(SigData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) ||
1908 (CompareMem (SigData + 13, &mSha256OidValue, sizeof (mSha256OidValue)) != 0)) {
1909 return EFI_SECURITY_VIOLATION;
1910 }
1911 }
1912 }
1913
1914 //
1915 // Find out the new data payload which follows Pkcs7 SignedData directly.
1916 //
1917 PayloadPtr = SigData + SigDataSize;
1918 PayloadSize = DataSize - OFFSET_OF_AUTHINFO2_CERT_DATA - (UINTN) SigDataSize;
1919
1920 //
1921 // Construct a serialization buffer of the values of the VariableName, VendorGuid and Attributes
1922 // parameters of the SetVariable() call and the TimeStamp component of the
1923 // EFI_VARIABLE_AUTHENTICATION_2 descriptor followed by the variable's new value
1924 // i.e. (VariableName, VendorGuid, Attributes, TimeStamp, Data)
1925 //
1926 NewDataSize = PayloadSize + sizeof (EFI_TIME) + sizeof (UINT32) +
1927 sizeof (EFI_GUID) + StrSize (VariableName) - sizeof (CHAR16);
1928
1929 //
1930 // Here is to reuse scratch data area(at the end of volatile variable store)
1931 // to reduce SMRAM consumption for SMM variable driver.
1932 // The scratch buffer is enough to hold the serialized data and safe to use,
1933 // because it is only used at here to do verification temporarily first
1934 // and then used in UpdateVariable() for a time based auth variable set.
1935 //
1936 Status = mAuthVarLibContextIn->GetScratchBuffer (&NewDataSize, (VOID **) &NewData);
1937 if (EFI_ERROR (Status)) {
1938 return EFI_OUT_OF_RESOURCES;
1939 }
1940
1941 Buffer = NewData;
1942 Length = StrLen (VariableName) * sizeof (CHAR16);
1943 CopyMem (Buffer, VariableName, Length);
1944 Buffer += Length;
1945
1946 Length = sizeof (EFI_GUID);
1947 CopyMem (Buffer, VendorGuid, Length);
1948 Buffer += Length;
1949
1950 Length = sizeof (UINT32);
1951 CopyMem (Buffer, &Attr, Length);
1952 Buffer += Length;
1953
1954 Length = sizeof (EFI_TIME);
1955 CopyMem (Buffer, &CertData->TimeStamp, Length);
1956 Buffer += Length;
1957
1958 CopyMem (Buffer, PayloadPtr, PayloadSize);
1959
1960 if (AuthVarType == AuthVarTypePk) {
1961 //
1962 // Verify that the signature has been made with the current Platform Key (no chaining for PK).
1963 // First, get signer's certificates from SignedData.
1964 //
1965 VerifyStatus = Pkcs7GetSigners (
1966 SigData,
1967 SigDataSize,
1968 &SignerCerts,
1969 &CertStackSize,
1970 &TopLevelCert,
1971 &TopLevelCertSize
1972 );
1973 if (!VerifyStatus) {
1974 goto Exit;
1975 }
1976
1977 //
1978 // Second, get the current platform key from variable. Check whether it's identical with signer's certificates
1979 // in SignedData. If not, return error immediately.
1980 //
1981 Status = AuthServiceInternalFindVariable (
1982 EFI_PLATFORM_KEY_NAME,
1983 &gEfiGlobalVariableGuid,
1984 &Data,
1985 &DataSize
1986 );
1987 if (EFI_ERROR (Status)) {
1988 VerifyStatus = FALSE;
1989 goto Exit;
1990 }
1991 CertList = (EFI_SIGNATURE_LIST *) Data;
1992 Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
1993 if ((TopLevelCertSize != (CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1))) ||
1994 (CompareMem (Cert->SignatureData, TopLevelCert, TopLevelCertSize) != 0)) {
1995 VerifyStatus = FALSE;
1996 goto Exit;
1997 }
1998
1999 //
2000 // Verify Pkcs7 SignedData via Pkcs7Verify library.
2001 //
2002 VerifyStatus = Pkcs7Verify (
2003 SigData,
2004 SigDataSize,
2005 TopLevelCert,
2006 TopLevelCertSize,
2007 NewData,
2008 NewDataSize
2009 );
2010
2011 } else if (AuthVarType == AuthVarTypeKek) {
2012
2013 //
2014 // Get KEK database from variable.
2015 //
2016 Status = AuthServiceInternalFindVariable (
2017 EFI_KEY_EXCHANGE_KEY_NAME,
2018 &gEfiGlobalVariableGuid,
2019 &Data,
2020 &DataSize
2021 );
2022 if (EFI_ERROR (Status)) {
2023 return Status;
2024 }
2025
2026 //
2027 // Ready to verify Pkcs7 SignedData. Go through KEK Signature Database to find out X.509 CertList.
2028 //
2029 KekDataSize = (UINT32) DataSize;
2030 CertList = (EFI_SIGNATURE_LIST *) Data;
2031 while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
2032 if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
2033 Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
2034 CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
2035 for (Index = 0; Index < CertCount; Index++) {
2036 //
2037 // Iterate each Signature Data Node within this CertList for a verify
2038 //
2039 TrustedCert = Cert->SignatureData;
2040 TrustedCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);
2041
2042 //
2043 // Verify Pkcs7 SignedData via Pkcs7Verify library.
2044 //
2045 VerifyStatus = Pkcs7Verify (
2046 SigData,
2047 SigDataSize,
2048 TrustedCert,
2049 TrustedCertSize,
2050 NewData,
2051 NewDataSize
2052 );
2053 if (VerifyStatus) {
2054 goto Exit;
2055 }
2056 Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
2057 }
2058 }
2059 KekDataSize -= CertList->SignatureListSize;
2060 CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
2061 }
2062 } else if (AuthVarType == AuthVarTypePriv) {
2063
2064 //
2065 // Process common authenticated variable except PK/KEK/DB/DBX/DBT.
2066 // Get signer's certificates from SignedData.
2067 //
2068 VerifyStatus = Pkcs7GetSigners (
2069 SigData,
2070 SigDataSize,
2071 &SignerCerts,
2072 &CertStackSize,
2073 &TopLevelCert,
2074 &TopLevelCertSize
2075 );
2076 if (!VerifyStatus) {
2077 goto Exit;
2078 }
2079
2080 //
2081 // Get previously stored signer's certificates from certdb or certdbv for existing
2082 // variable. Check whether they are identical with signer's certificates
2083 // in SignedData. If not, return error immediately.
2084 //
2085 if (OrgTimeStamp != NULL) {
2086 VerifyStatus = FALSE;
2087
2088 Status = GetCertsFromDb (VariableName, VendorGuid, Attributes, &CertsInCertDb, &CertsSizeinDb);
2089 if (EFI_ERROR (Status)) {
2090 goto Exit;
2091 }
2092
2093 if (CertsSizeinDb == SHA256_DIGEST_SIZE) {
2094 //
2095 // Check hash of signer cert CommonName + Top-level issuer tbsCertificate against data in CertDb
2096 //
2097 CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
2098 Status = CalculatePrivAuthVarSignChainSHA256Digest(
2099 CertDataPtr->CertDataBuffer,
2100 ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
2101 TopLevelCert,
2102 TopLevelCertSize,
2103 Sha256Digest
2104 );
2105 if (EFI_ERROR(Status) || CompareMem (Sha256Digest, CertsInCertDb, CertsSizeinDb) != 0){
2106 goto Exit;
2107 }
2108 } else {
2109 //
2110 // Keep backward compatible with previous solution which saves whole signer certs stack in CertDb
2111 //
2112 if ((CertStackSize != CertsSizeinDb) ||
2113 (CompareMem (SignerCerts, CertsInCertDb, CertsSizeinDb) != 0)) {
2114 goto Exit;
2115 }
2116 }
2117 }
2118
2119 VerifyStatus = Pkcs7Verify (
2120 SigData,
2121 SigDataSize,
2122 TopLevelCert,
2123 TopLevelCertSize,
2124 NewData,
2125 NewDataSize
2126 );
2127 if (!VerifyStatus) {
2128 goto Exit;
2129 }
2130
2131 if ((OrgTimeStamp == NULL) && (PayloadSize != 0)) {
2132 //
2133 // When adding a new common authenticated variable, always save Hash of cn of signer cert + tbsCertificate of Top-level issuer
2134 //
2135 CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
2136 Status = InsertCertsToDb (
2137 VariableName,
2138 VendorGuid,
2139 Attributes,
2140 CertDataPtr->CertDataBuffer,
2141 ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
2142 TopLevelCert,
2143 TopLevelCertSize
2144 );
2145 if (EFI_ERROR (Status)) {
2146 VerifyStatus = FALSE;
2147 goto Exit;
2148 }
2149 }
2150 } else if (AuthVarType == AuthVarTypePayload) {
2151 CertList = (EFI_SIGNATURE_LIST *) PayloadPtr;
2152 Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
2153 TrustedCert = Cert->SignatureData;
2154 TrustedCertSize = CertList->SignatureSize - (sizeof (EFI_SIGNATURE_DATA) - 1);
2155 //
2156 // Verify Pkcs7 SignedData via Pkcs7Verify library.
2157 //
2158 VerifyStatus = Pkcs7Verify (
2159 SigData,
2160 SigDataSize,
2161 TrustedCert,
2162 TrustedCertSize,
2163 NewData,
2164 NewDataSize
2165 );
2166 } else {
2167 return EFI_SECURITY_VIOLATION;
2168 }
2169
2170 Exit:
2171
2172 if (AuthVarType == AuthVarTypePk || AuthVarType == AuthVarTypePriv) {
2173 Pkcs7FreeSigners (TopLevelCert);
2174 Pkcs7FreeSigners (SignerCerts);
2175 }
2176
2177 if (!VerifyStatus) {
2178 return EFI_SECURITY_VIOLATION;
2179 }
2180
2181 Status = CheckSignatureListFormat(VariableName, VendorGuid, PayloadPtr, PayloadSize);
2182 if (EFI_ERROR (Status)) {
2183 return Status;
2184 }
2185
2186 *VarPayloadPtr = PayloadPtr;
2187 *VarPayloadSize = PayloadSize;
2188
2189 return EFI_SUCCESS;
2190 }
2191
2192 /**
2193 Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
2194
2195 Caution: This function may receive untrusted input.
2196 This function may be invoked in SMM mode, and datasize and data are external input.
2197 This function will do basic validation, before parse the data.
2198 This function will parse the authentication carefully to avoid security issues, like
2199 buffer overflow, integer overflow.
2200
2201 @param[in] VariableName Name of Variable to be found.
2202 @param[in] VendorGuid Variable vendor GUID.
2203 @param[in] Data Data pointer.
2204 @param[in] DataSize Size of Data found. If size is less than the
2205 data, this value contains the required size.
2206 @param[in] Attributes Attribute value of the variable.
2207 @param[in] AuthVarType Verify against PK, KEK database, private database or certificate in data payload.
2208 @param[out] VarDel Delete the variable or not.
2209
2210 @retval EFI_INVALID_PARAMETER Invalid parameter.
2211 @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
2212 check carried out by the firmware.
2213 @retval EFI_OUT_OF_RESOURCES Failed to process variable due to lack
2214 of resources.
2215 @retval EFI_SUCCESS Variable pass validation successfully.
2216
2217 **/
2218 EFI_STATUS
2219 VerifyTimeBasedPayloadAndUpdate (
2220 IN CHAR16 *VariableName,
2221 IN EFI_GUID *VendorGuid,
2222 IN VOID *Data,
2223 IN UINTN DataSize,
2224 IN UINT32 Attributes,
2225 IN AUTHVAR_TYPE AuthVarType,
2226 OUT BOOLEAN *VarDel
2227 )
2228 {
2229 EFI_STATUS Status;
2230 EFI_STATUS FindStatus;
2231 UINT8 *PayloadPtr;
2232 UINTN PayloadSize;
2233 EFI_VARIABLE_AUTHENTICATION_2 *CertData;
2234 AUTH_VARIABLE_INFO OrgVariableInfo;
2235 BOOLEAN IsDel;
2236
2237 ZeroMem (&OrgVariableInfo, sizeof (OrgVariableInfo));
2238 FindStatus = mAuthVarLibContextIn->FindVariable (
2239 VariableName,
2240 VendorGuid,
2241 &OrgVariableInfo
2242 );
2243
2244 Status = VerifyTimeBasedPayload (
2245 VariableName,
2246 VendorGuid,
2247 Data,
2248 DataSize,
2249 Attributes,
2250 AuthVarType,
2251 (!EFI_ERROR (FindStatus)) ? OrgVariableInfo.TimeStamp : NULL,
2252 &PayloadPtr,
2253 &PayloadSize
2254 );
2255 if (EFI_ERROR (Status)) {
2256 return Status;
2257 }
2258
2259 if (!EFI_ERROR(FindStatus)
2260 && (PayloadSize == 0)
2261 && ((Attributes & EFI_VARIABLE_APPEND_WRITE) == 0)) {
2262 IsDel = TRUE;
2263 } else {
2264 IsDel = FALSE;
2265 }
2266
2267 CertData = (EFI_VARIABLE_AUTHENTICATION_2 *) Data;
2268
2269 //
2270 // Final step: Update/Append Variable if it pass Pkcs7Verify
2271 //
2272 Status = AuthServiceInternalUpdateVariableWithTimeStamp (
2273 VariableName,
2274 VendorGuid,
2275 PayloadPtr,
2276 PayloadSize,
2277 Attributes,
2278 &CertData->TimeStamp
2279 );
2280
2281 //
2282 // Delete signer's certificates when delete the common authenticated variable.
2283 //
2284 if (IsDel && AuthVarType == AuthVarTypePriv && !EFI_ERROR(Status) ) {
2285 Status = DeleteCertsFromDb (VariableName, VendorGuid, Attributes);
2286 }
2287
2288 if (VarDel != NULL) {
2289 if (IsDel && !EFI_ERROR(Status)) {
2290 *VarDel = TRUE;
2291 } else {
2292 *VarDel = FALSE;
2293 }
2294 }
2295
2296 return Status;
2297 }
EFI Development Kit II mirror for PVE