]> git.proxmox.com Git - mirror_edk2.git/blob - SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
projects / mirror_edk2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SecurityPkg: Remove Counter Based AuthVariable support
[mirror_edk2.git] / SecurityPkg / Library / AuthVariableLib / AuthVariableLib.c
1 /** @file
2 Implement authentication services for the authenticated variables.
3
4 Caution: This module requires additional review when modified.
5 This driver will have external input - variable data. It may be input in SMM mode.
6 This external input must be validated carefully to avoid security issue like
7 buffer overflow, integer overflow.
8 Variable attribute should also be checked to avoid authentication bypass.
9 The whole SMM authentication variable design relies on the integrity of flash part and SMM.
10 which is assumed to be protected by platform. All variable code and metadata in flash/SMM Memory
11 may not be modified without authorization. If platform fails to protect these resources,
12 the authentication service provided in this driver will be broken, and the behavior is undefined.
13
14 Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
15 This program and the accompanying materials
16 are licensed and made available under the terms and conditions of the BSD License
17 which accompanies this distribution. The full text of the license may be found at
18 http://opensource.org/licenses/bsd-license.php
19
20 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
21 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
22
23 **/
24
25 #include "AuthServiceInternal.h"
26
27 ///
28 /// Global database array for scratch
29 ///
30 UINT8 *mCertDbStore;
31 UINT32 mMaxCertDbSize;
32 UINT32 mPlatformMode;
33 UINT8 mVendorKeyState;
34
35 EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
36
37 //
38 // Hash context pointer
39 //
40 VOID *mHashCtx = NULL;
41
42 VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
43 {
44 &gEfiSecureBootEnableDisableGuid,
45 EFI_SECURE_BOOT_ENABLE_NAME,
46 {
47 VAR_CHECK_VARIABLE_PROPERTY_REVISION,
48 0,
49 VARIABLE_ATTRIBUTE_NV_BS,
50 sizeof (UINT8),
51 sizeof (UINT8)
52 }
53 },
54 {
55 &gEfiCustomModeEnableGuid,
56 EFI_CUSTOM_MODE_NAME,
57 {
58 VAR_CHECK_VARIABLE_PROPERTY_REVISION,
59 0,
60 VARIABLE_ATTRIBUTE_NV_BS,
61 sizeof (UINT8),
62 sizeof (UINT8)
63 }
64 },
65 {
66 &gEfiVendorKeysNvGuid,
67 EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
68 {
69 VAR_CHECK_VARIABLE_PROPERTY_REVISION,
70 VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,
71 VARIABLE_ATTRIBUTE_NV_BS_RT_AT,
72 sizeof (UINT8),
73 sizeof (UINT8)
74 }
75 },
76 {
77 &gEfiCertDbGuid,
78 EFI_CERT_DB_NAME,
79 {
80 VAR_CHECK_VARIABLE_PROPERTY_REVISION,
81 VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,
82 VARIABLE_ATTRIBUTE_NV_BS_RT_AT,
83 sizeof (UINT32),
84 MAX_UINTN
85 }
86 },
87 {
88 &gEfiCertDbGuid,
89 EFI_CERT_DB_VOLATILE_NAME,
90 {
91 VAR_CHECK_VARIABLE_PROPERTY_REVISION,
92 VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,
93 VARIABLE_ATTRIBUTE_BS_RT_AT,
94 sizeof (UINT32),
95 MAX_UINTN
96 }
97 },
98 };
99
100 VOID **mAuthVarAddressPointer[9];
101
102 AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn = NULL;
103
104 /**
105 Initialization for authenticated varibale services.
106 If this initialization returns error status, other APIs will not work
107 and expect to be not called then.
108
109 @param[in] AuthVarLibContextIn Pointer to input auth variable lib context.
110 @param[out] AuthVarLibContextOut Pointer to output auth variable lib context.
111
112 @retval EFI_SUCCESS Function successfully executed.
113 @retval EFI_INVALID_PARAMETER If AuthVarLibContextIn == NULL or AuthVarLibContextOut == NULL.
114 @retval EFI_OUT_OF_RESOURCES Fail to allocate enough resource.
115 @retval EFI_UNSUPPORTED Unsupported to process authenticated variable.
116
117 **/
118 EFI_STATUS
119 EFIAPI
120 AuthVariableLibInitialize (
121 IN AUTH_VAR_LIB_CONTEXT_IN *AuthVarLibContextIn,
122 OUT AUTH_VAR_LIB_CONTEXT_OUT *AuthVarLibContextOut
123 )
124 {
125 EFI_STATUS Status;
126 UINT32 VarAttr;
127 UINT8 *Data;
128 UINTN DataSize;
129 UINTN CtxSize;
130 UINT8 SecureBootMode;
131 UINT8 SecureBootEnable;
132 UINT8 CustomMode;
133 UINT32 ListSize;
134
135 if ((AuthVarLibContextIn == NULL) || (AuthVarLibContextOut == NULL)) {
136 return EFI_INVALID_PARAMETER;
137 }
138
139 mAuthVarLibContextIn = AuthVarLibContextIn;
140
141 //
142 // Initialize hash context.
143 //
144 CtxSize = Sha256GetContextSize ();
145 mHashCtx = AllocateRuntimePool (CtxSize);
146 if (mHashCtx == NULL) {
147 return EFI_OUT_OF_RESOURCES;
148 }
149
150 //
151 // Reserve runtime buffer for certificate database. The size excludes variable header and name size.
152 // Use EFI_CERT_DB_VOLATILE_NAME size since it is longer.
153 //
154 mMaxCertDbSize = (UINT32) (mAuthVarLibContextIn->MaxAuthVariableSize - sizeof (EFI_CERT_DB_VOLATILE_NAME));
155 mCertDbStore = AllocateRuntimePool (mMaxCertDbSize);
156 if (mCertDbStore == NULL) {
157 return EFI_OUT_OF_RESOURCES;
158 }
159
160 Status = AuthServiceInternalFindVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
161 if (EFI_ERROR (Status)) {
162 DEBUG ((EFI_D_INFO, "Variable %s does not exist.\n", EFI_PLATFORM_KEY_NAME));
163 } else {
164 DEBUG ((EFI_D_INFO, "Variable %s exists.\n", EFI_PLATFORM_KEY_NAME));
165 }
166
167 //
168 // Create "SetupMode" variable with BS+RT attribute set.
169 //
170 if (EFI_ERROR (Status)) {
171 mPlatformMode = SETUP_MODE;
172 } else {
173 mPlatformMode = USER_MODE;
174 }
175 Status = AuthServiceInternalUpdateVariable (
176 EFI_SETUP_MODE_NAME,
177 &gEfiGlobalVariableGuid,
178 &mPlatformMode,
179 sizeof(UINT8),
180 EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
181 );
182 if (EFI_ERROR (Status)) {
183 return Status;
184 }
185
186 //
187 // Create "SignatureSupport" variable with BS+RT attribute set.
188 //
189 Status = AuthServiceInternalUpdateVariable (
190 EFI_SIGNATURE_SUPPORT_NAME,
191 &gEfiGlobalVariableGuid,
192 mSignatureSupport,
193 sizeof(mSignatureSupport),
194 EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
195 );
196 if (EFI_ERROR (Status)) {
197 return Status;
198 }
199
200 //
201 // If "SecureBootEnable" variable exists, then update "SecureBoot" variable.
202 // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
203 // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
204 //
205 SecureBootEnable = SECURE_BOOT_DISABLE;
206 Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **) &Data, &DataSize);
207 if (!EFI_ERROR (Status)) {
208 if (mPlatformMode == USER_MODE){
209 SecureBootEnable = *(UINT8 *) Data;
210 }
211 } else if (mPlatformMode == USER_MODE) {
212 //
213 // "SecureBootEnable" not exist, initialize it in USER_MODE.
214 //
215 SecureBootEnable = SECURE_BOOT_ENABLE;
216 Status = AuthServiceInternalUpdateVariable (
217 EFI_SECURE_BOOT_ENABLE_NAME,
218 &gEfiSecureBootEnableDisableGuid,
219 &SecureBootEnable,
220 sizeof (UINT8),
221 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
222 );
223 if (EFI_ERROR (Status)) {
224 return Status;
225 }
226 }
227
228 //
229 // Create "SecureBoot" variable with BS+RT attribute set.
230 //
231 if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
232 SecureBootMode = SECURE_BOOT_MODE_ENABLE;
233 } else {
234 SecureBootMode = SECURE_BOOT_MODE_DISABLE;
235 }
236 Status = AuthServiceInternalUpdateVariable (
237 EFI_SECURE_BOOT_MODE_NAME,
238 &gEfiGlobalVariableGuid,
239 &SecureBootMode,
240 sizeof (UINT8),
241 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
242 );
243 if (EFI_ERROR (Status)) {
244 return Status;
245 }
246
247 DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SETUP_MODE_NAME, mPlatformMode));
248 DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_MODE_NAME, SecureBootMode));
249 DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_ENABLE_NAME, SecureBootEnable));
250
251 //
252 // Initialize "CustomMode" in STANDARD_SECURE_BOOT_MODE state.
253 //
254 CustomMode = STANDARD_SECURE_BOOT_MODE;
255 Status = AuthServiceInternalUpdateVariable (
256 EFI_CUSTOM_MODE_NAME,
257 &gEfiCustomModeEnableGuid,
258 &CustomMode,
259 sizeof (UINT8),
260 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
261 );
262 if (EFI_ERROR (Status)) {
263 return Status;
264 }
265
266 DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_CUSTOM_MODE_NAME, CustomMode));
267
268 //
269 // Check "certdb" variable's existence.
270 // If it doesn't exist, then create a new one with
271 // EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
272 //
273 Status = AuthServiceInternalFindVariable (
274 EFI_CERT_DB_NAME,
275 &gEfiCertDbGuid,
276 (VOID **) &Data,
277 &DataSize
278 );
279 if (EFI_ERROR (Status)) {
280 VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
281 ListSize = sizeof (UINT32);
282 Status = AuthServiceInternalUpdateVariable (
283 EFI_CERT_DB_NAME,
284 &gEfiCertDbGuid,
285 &ListSize,
286 sizeof (UINT32),
287 VarAttr
288 );
289 if (EFI_ERROR (Status)) {
290 return Status;
291 }
292 } else {
293 //
294 // Clean up Certs to make certDB & Time based auth variable consistent
295 //
296 Status = CleanCertsFromDb();
297 if (EFI_ERROR (Status)) {
298 DEBUG ((EFI_D_ERROR, "Clean up CertDB fail! Status %x\n", Status));
299 return Status;
300 }
301 }
302
303 //
304 // Create "certdbv" variable with RT+BS+AT set.
305 //
306 VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
307 ListSize = sizeof (UINT32);
308 Status = AuthServiceInternalUpdateVariable (
309 EFI_CERT_DB_VOLATILE_NAME,
310 &gEfiCertDbGuid,
311 &ListSize,
312 sizeof (UINT32),
313 VarAttr
314 );
315 if (EFI_ERROR (Status)) {
316 return Status;
317 }
318
319 //
320 // Check "VendorKeysNv" variable's existence and create "VendorKeys" variable accordingly.
321 //
322 Status = AuthServiceInternalFindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, (VOID **) &Data, &DataSize);
323 if (!EFI_ERROR (Status)) {
324 mVendorKeyState = *(UINT8 *)Data;
325 } else {
326 //
327 // "VendorKeysNv" not exist, initialize it in VENDOR_KEYS_VALID state.
328 //
329 mVendorKeyState = VENDOR_KEYS_VALID;
330 Status = AuthServiceInternalUpdateVariable (
331 EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
332 &gEfiVendorKeysNvGuid,
333 &mVendorKeyState,
334 sizeof (UINT8),
335 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
336 );
337 if (EFI_ERROR (Status)) {
338 return Status;
339 }
340 }
341
342 //
343 // Create "VendorKeys" variable with BS+RT attribute set.
344 //
345 Status = AuthServiceInternalUpdateVariable (
346 EFI_VENDOR_KEYS_VARIABLE_NAME,
347 &gEfiGlobalVariableGuid,
348 &mVendorKeyState,
349 sizeof (UINT8),
350 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
351 );
352 if (EFI_ERROR (Status)) {
353 return Status;
354 }
355
356 DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_VENDOR_KEYS_VARIABLE_NAME, mVendorKeyState));
357
358 AuthVarLibContextOut->StructVersion = AUTH_VAR_LIB_CONTEXT_OUT_STRUCT_VERSION;
359 AuthVarLibContextOut->StructSize = sizeof (AUTH_VAR_LIB_CONTEXT_OUT);
360 AuthVarLibContextOut->AuthVarEntry = mAuthVarEntry;
361 AuthVarLibContextOut->AuthVarEntryCount = ARRAY_SIZE (mAuthVarEntry);
362 mAuthVarAddressPointer[0] = (VOID **) &mCertDbStore;
363 mAuthVarAddressPointer[1] = (VOID **) &mHashCtx;
364 mAuthVarAddressPointer[2] = (VOID **) &mAuthVarLibContextIn;
365 mAuthVarAddressPointer[3] = (VOID **) &(mAuthVarLibContextIn->FindVariable),
366 mAuthVarAddressPointer[4] = (VOID **) &(mAuthVarLibContextIn->FindNextVariable),
367 mAuthVarAddressPointer[5] = (VOID **) &(mAuthVarLibContextIn->UpdateVariable),
368 mAuthVarAddressPointer[6] = (VOID **) &(mAuthVarLibContextIn->GetScratchBuffer),
369 mAuthVarAddressPointer[7] = (VOID **) &(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
370 mAuthVarAddressPointer[8] = (VOID **) &(mAuthVarLibContextIn->AtRuntime),
371 AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;
372 AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE (mAuthVarAddressPointer);
373
374 return Status;
375 }
376
377 /**
378 Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
379
380 @param[in] VariableName Name of the variable.
381 @param[in] VendorGuid Variable vendor GUID.
382 @param[in] Data Data pointer.
383 @param[in] DataSize Size of Data.
384 @param[in] Attributes Attribute value of the variable.
385
386 @retval EFI_SUCCESS The firmware has successfully stored the variable and its data as
387 defined by the Attributes.
388 @retval EFI_INVALID_PARAMETER Invalid parameter.
389 @retval EFI_WRITE_PROTECTED Variable is write-protected.
390 @retval EFI_OUT_OF_RESOURCES There is not enough resource.
391 @retval EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACESS
392 set, but the AuthInfo does NOT pass the validation
393 check carried out by the firmware.
394 @retval EFI_UNSUPPORTED Unsupported to process authenticated variable.
395
396 **/
397 EFI_STATUS
398 EFIAPI
399 AuthVariableLibProcessVariable (
400 IN CHAR16 *VariableName,
401 IN EFI_GUID *VendorGuid,
402 IN VOID *Data,
403 IN UINTN DataSize,
404 IN UINT32 Attributes
405 )
406 {
407 EFI_STATUS Status;
408
409 if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){
410 Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, TRUE);
411 } else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) {
412 Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, FALSE);
413 } else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
414 ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) ||
415 (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||
416 (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0)
417 )) {
418 Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, FALSE);
419 if (EFI_ERROR (Status)) {
420 Status = ProcessVarWithKek (VariableName, VendorGuid, Data, DataSize, Attributes);
421 }
422 } else {
423 Status = ProcessVariable (VariableName, VendorGuid, Data, DataSize, Attributes);
424 }
425
426 return Status;
427 }
EFI Development Kit II mirror for PVE