]> git.proxmox.com Git - mirror_edk2.git/blob - SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
projects / mirror_edk2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SecurityPkg: Fix spelling errors
[mirror_edk2.git] / SecurityPkg / Library / AuthVariableLib / AuthVariableLib.c
1 /** @file
2 Implement authentication services for the authenticated variables.
3
4 Caution: This module requires additional review when modified.
5 This driver will have external input - variable data. It may be input in SMM mode.
6 This external input must be validated carefully to avoid security issue like
7 buffer overflow, integer overflow.
8 Variable attribute should also be checked to avoid authentication bypass.
9 The whole SMM authentication variable design relies on the integrity of flash part and SMM.
10 which is assumed to be protected by platform. All variable code and metadata in flash/SMM Memory
11 may not be modified without authorization. If platform fails to protect these resources,
12 the authentication service provided in this driver will be broken, and the behavior is undefined.
13
14 Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
15 SPDX-License-Identifier: BSD-2-Clause-Patent
16
17 **/
18
19 #include "AuthServiceInternal.h"
20
21 ///
22 /// Global database array for scratch
23 ///
24 UINT8 *mCertDbStore;
25 UINT32 mMaxCertDbSize;
26 UINT32 mPlatformMode;
27 UINT8 mVendorKeyState;
28
29 EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
30
31 //
32 // Hash context pointer
33 //
34 VOID *mHashCtx = NULL;
35
36 VARIABLE_ENTRY_PROPERTY mAuthVarEntry[] = {
37 {
38 &gEfiSecureBootEnableDisableGuid,
39 EFI_SECURE_BOOT_ENABLE_NAME,
40 {
41 VAR_CHECK_VARIABLE_PROPERTY_REVISION,
42 0,
43 VARIABLE_ATTRIBUTE_NV_BS,
44 sizeof (UINT8),
45 sizeof (UINT8)
46 }
47 },
48 {
49 &gEfiCustomModeEnableGuid,
50 EFI_CUSTOM_MODE_NAME,
51 {
52 VAR_CHECK_VARIABLE_PROPERTY_REVISION,
53 0,
54 VARIABLE_ATTRIBUTE_NV_BS,
55 sizeof (UINT8),
56 sizeof (UINT8)
57 }
58 },
59 {
60 &gEfiVendorKeysNvGuid,
61 EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
62 {
63 VAR_CHECK_VARIABLE_PROPERTY_REVISION,
64 VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,
65 VARIABLE_ATTRIBUTE_NV_BS_RT_AT,
66 sizeof (UINT8),
67 sizeof (UINT8)
68 }
69 },
70 {
71 &gEfiCertDbGuid,
72 EFI_CERT_DB_NAME,
73 {
74 VAR_CHECK_VARIABLE_PROPERTY_REVISION,
75 VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,
76 VARIABLE_ATTRIBUTE_NV_BS_RT_AT,
77 sizeof (UINT32),
78 MAX_UINTN
79 }
80 },
81 {
82 &gEfiCertDbGuid,
83 EFI_CERT_DB_VOLATILE_NAME,
84 {
85 VAR_CHECK_VARIABLE_PROPERTY_REVISION,
86 VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,
87 VARIABLE_ATTRIBUTE_BS_RT_AT,
88 sizeof (UINT32),
89 MAX_UINTN
90 }
91 },
92 };
93
94 VOID **mAuthVarAddressPointer[9];
95
96 AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn = NULL;
97
98 /**
99 Initialization for authenticated variable services.
100 If this initialization returns error status, other APIs will not work
101 and expect to be not called then.
102
103 @param[in] AuthVarLibContextIn Pointer to input auth variable lib context.
104 @param[out] AuthVarLibContextOut Pointer to output auth variable lib context.
105
106 @retval EFI_SUCCESS Function successfully executed.
107 @retval EFI_INVALID_PARAMETER If AuthVarLibContextIn == NULL or AuthVarLibContextOut == NULL.
108 @retval EFI_OUT_OF_RESOURCES Fail to allocate enough resource.
109 @retval EFI_UNSUPPORTED Unsupported to process authenticated variable.
110
111 **/
112 EFI_STATUS
113 EFIAPI
114 AuthVariableLibInitialize (
115 IN AUTH_VAR_LIB_CONTEXT_IN *AuthVarLibContextIn,
116 OUT AUTH_VAR_LIB_CONTEXT_OUT *AuthVarLibContextOut
117 )
118 {
119 EFI_STATUS Status;
120 UINT32 VarAttr;
121 UINT8 *Data;
122 UINTN DataSize;
123 UINTN CtxSize;
124 UINT8 SecureBootMode;
125 UINT8 SecureBootEnable;
126 UINT8 CustomMode;
127 UINT32 ListSize;
128
129 if ((AuthVarLibContextIn == NULL) || (AuthVarLibContextOut == NULL)) {
130 return EFI_INVALID_PARAMETER;
131 }
132
133 mAuthVarLibContextIn = AuthVarLibContextIn;
134
135 //
136 // Initialize hash context.
137 //
138 CtxSize = Sha256GetContextSize ();
139 mHashCtx = AllocateRuntimePool (CtxSize);
140 if (mHashCtx == NULL) {
141 return EFI_OUT_OF_RESOURCES;
142 }
143
144 //
145 // Reserve runtime buffer for certificate database. The size excludes variable header and name size.
146 // Use EFI_CERT_DB_VOLATILE_NAME size since it is longer.
147 //
148 mMaxCertDbSize = (UINT32) (mAuthVarLibContextIn->MaxAuthVariableSize - sizeof (EFI_CERT_DB_VOLATILE_NAME));
149 mCertDbStore = AllocateRuntimePool (mMaxCertDbSize);
150 if (mCertDbStore == NULL) {
151 return EFI_OUT_OF_RESOURCES;
152 }
153
154 Status = AuthServiceInternalFindVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);
155 if (EFI_ERROR (Status)) {
156 DEBUG ((EFI_D_INFO, "Variable %s does not exist.\n", EFI_PLATFORM_KEY_NAME));
157 } else {
158 DEBUG ((EFI_D_INFO, "Variable %s exists.\n", EFI_PLATFORM_KEY_NAME));
159 }
160
161 //
162 // Create "SetupMode" variable with BS+RT attribute set.
163 //
164 if (EFI_ERROR (Status)) {
165 mPlatformMode = SETUP_MODE;
166 } else {
167 mPlatformMode = USER_MODE;
168 }
169 Status = AuthServiceInternalUpdateVariable (
170 EFI_SETUP_MODE_NAME,
171 &gEfiGlobalVariableGuid,
172 &mPlatformMode,
173 sizeof(UINT8),
174 EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
175 );
176 if (EFI_ERROR (Status)) {
177 return Status;
178 }
179
180 //
181 // Create "SignatureSupport" variable with BS+RT attribute set.
182 //
183 Status = AuthServiceInternalUpdateVariable (
184 EFI_SIGNATURE_SUPPORT_NAME,
185 &gEfiGlobalVariableGuid,
186 mSignatureSupport,
187 sizeof(mSignatureSupport),
188 EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
189 );
190 if (EFI_ERROR (Status)) {
191 return Status;
192 }
193
194 //
195 // If "SecureBootEnable" variable exists, then update "SecureBoot" variable.
196 // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.
197 // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.
198 //
199 SecureBootEnable = SECURE_BOOT_DISABLE;
200 Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **) &Data, &DataSize);
201 if (!EFI_ERROR (Status)) {
202 if (mPlatformMode == USER_MODE){
203 SecureBootEnable = *(UINT8 *) Data;
204 }
205 } else if (mPlatformMode == USER_MODE) {
206 //
207 // "SecureBootEnable" not exist, initialize it in USER_MODE.
208 //
209 SecureBootEnable = SECURE_BOOT_ENABLE;
210 Status = AuthServiceInternalUpdateVariable (
211 EFI_SECURE_BOOT_ENABLE_NAME,
212 &gEfiSecureBootEnableDisableGuid,
213 &SecureBootEnable,
214 sizeof (UINT8),
215 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
216 );
217 if (EFI_ERROR (Status)) {
218 return Status;
219 }
220 }
221
222 //
223 // Create "SecureBoot" variable with BS+RT attribute set.
224 //
225 if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
226 SecureBootMode = SECURE_BOOT_MODE_ENABLE;
227 } else {
228 SecureBootMode = SECURE_BOOT_MODE_DISABLE;
229 }
230 Status = AuthServiceInternalUpdateVariable (
231 EFI_SECURE_BOOT_MODE_NAME,
232 &gEfiGlobalVariableGuid,
233 &SecureBootMode,
234 sizeof (UINT8),
235 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
236 );
237 if (EFI_ERROR (Status)) {
238 return Status;
239 }
240
241 DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SETUP_MODE_NAME, mPlatformMode));
242 DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_MODE_NAME, SecureBootMode));
243 DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_ENABLE_NAME, SecureBootEnable));
244
245 //
246 // Initialize "CustomMode" in STANDARD_SECURE_BOOT_MODE state.
247 //
248 CustomMode = STANDARD_SECURE_BOOT_MODE;
249 Status = AuthServiceInternalUpdateVariable (
250 EFI_CUSTOM_MODE_NAME,
251 &gEfiCustomModeEnableGuid,
252 &CustomMode,
253 sizeof (UINT8),
254 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
255 );
256 if (EFI_ERROR (Status)) {
257 return Status;
258 }
259
260 DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_CUSTOM_MODE_NAME, CustomMode));
261
262 //
263 // Check "certdb" variable's existence.
264 // If it doesn't exist, then create a new one with
265 // EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
266 //
267 Status = AuthServiceInternalFindVariable (
268 EFI_CERT_DB_NAME,
269 &gEfiCertDbGuid,
270 (VOID **) &Data,
271 &DataSize
272 );
273 if (EFI_ERROR (Status)) {
274 VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
275 ListSize = sizeof (UINT32);
276 Status = AuthServiceInternalUpdateVariable (
277 EFI_CERT_DB_NAME,
278 &gEfiCertDbGuid,
279 &ListSize,
280 sizeof (UINT32),
281 VarAttr
282 );
283 if (EFI_ERROR (Status)) {
284 return Status;
285 }
286 } else {
287 //
288 // Clean up Certs to make certDB & Time based auth variable consistent
289 //
290 Status = CleanCertsFromDb();
291 if (EFI_ERROR (Status)) {
292 DEBUG ((EFI_D_ERROR, "Clean up CertDB fail! Status %x\n", Status));
293 return Status;
294 }
295 }
296
297 //
298 // Create "certdbv" variable with RT+BS+AT set.
299 //
300 VarAttr = EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
301 ListSize = sizeof (UINT32);
302 Status = AuthServiceInternalUpdateVariable (
303 EFI_CERT_DB_VOLATILE_NAME,
304 &gEfiCertDbGuid,
305 &ListSize,
306 sizeof (UINT32),
307 VarAttr
308 );
309 if (EFI_ERROR (Status)) {
310 return Status;
311 }
312
313 //
314 // Check "VendorKeysNv" variable's existence and create "VendorKeys" variable accordingly.
315 //
316 Status = AuthServiceInternalFindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, (VOID **) &Data, &DataSize);
317 if (!EFI_ERROR (Status)) {
318 mVendorKeyState = *(UINT8 *)Data;
319 } else {
320 //
321 // "VendorKeysNv" not exist, initialize it in VENDOR_KEYS_VALID state.
322 //
323 mVendorKeyState = VENDOR_KEYS_VALID;
324 Status = AuthServiceInternalUpdateVariable (
325 EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
326 &gEfiVendorKeysNvGuid,
327 &mVendorKeyState,
328 sizeof (UINT8),
329 EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
330 );
331 if (EFI_ERROR (Status)) {
332 return Status;
333 }
334 }
335
336 //
337 // Create "VendorKeys" variable with BS+RT attribute set.
338 //
339 Status = AuthServiceInternalUpdateVariable (
340 EFI_VENDOR_KEYS_VARIABLE_NAME,
341 &gEfiGlobalVariableGuid,
342 &mVendorKeyState,
343 sizeof (UINT8),
344 EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
345 );
346 if (EFI_ERROR (Status)) {
347 return Status;
348 }
349
350 DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_VENDOR_KEYS_VARIABLE_NAME, mVendorKeyState));
351
352 AuthVarLibContextOut->StructVersion = AUTH_VAR_LIB_CONTEXT_OUT_STRUCT_VERSION;
353 AuthVarLibContextOut->StructSize = sizeof (AUTH_VAR_LIB_CONTEXT_OUT);
354 AuthVarLibContextOut->AuthVarEntry = mAuthVarEntry;
355 AuthVarLibContextOut->AuthVarEntryCount = ARRAY_SIZE (mAuthVarEntry);
356 mAuthVarAddressPointer[0] = (VOID **) &mCertDbStore;
357 mAuthVarAddressPointer[1] = (VOID **) &mHashCtx;
358 mAuthVarAddressPointer[2] = (VOID **) &mAuthVarLibContextIn;
359 mAuthVarAddressPointer[3] = (VOID **) &(mAuthVarLibContextIn->FindVariable),
360 mAuthVarAddressPointer[4] = (VOID **) &(mAuthVarLibContextIn->FindNextVariable),
361 mAuthVarAddressPointer[5] = (VOID **) &(mAuthVarLibContextIn->UpdateVariable),
362 mAuthVarAddressPointer[6] = (VOID **) &(mAuthVarLibContextIn->GetScratchBuffer),
363 mAuthVarAddressPointer[7] = (VOID **) &(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),
364 mAuthVarAddressPointer[8] = (VOID **) &(mAuthVarLibContextIn->AtRuntime),
365 AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;
366 AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE (mAuthVarAddressPointer);
367
368 return Status;
369 }
370
371 /**
372 Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
373
374 @param[in] VariableName Name of the variable.
375 @param[in] VendorGuid Variable vendor GUID.
376 @param[in] Data Data pointer.
377 @param[in] DataSize Size of Data.
378 @param[in] Attributes Attribute value of the variable.
379
380 @retval EFI_SUCCESS The firmware has successfully stored the variable and its data as
381 defined by the Attributes.
382 @retval EFI_INVALID_PARAMETER Invalid parameter.
383 @retval EFI_WRITE_PROTECTED Variable is write-protected.
384 @retval EFI_OUT_OF_RESOURCES There is not enough resource.
385 @retval EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
386 set, but the AuthInfo does NOT pass the validation
387 check carried out by the firmware.
388 @retval EFI_UNSUPPORTED Unsupported to process authenticated variable.
389
390 **/
391 EFI_STATUS
392 EFIAPI
393 AuthVariableLibProcessVariable (
394 IN CHAR16 *VariableName,
395 IN EFI_GUID *VendorGuid,
396 IN VOID *Data,
397 IN UINTN DataSize,
398 IN UINT32 Attributes
399 )
400 {
401 EFI_STATUS Status;
402
403 if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){
404 Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, TRUE);
405 } else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) {
406 Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, FALSE);
407 } else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
408 ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) ||
409 (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||
410 (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0)
411 )) {
412 Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, FALSE);
413 if (EFI_ERROR (Status)) {
414 Status = ProcessVarWithKek (VariableName, VendorGuid, Data, DataSize, Attributes);
415 }
416 } else {
417 Status = ProcessVariable (VariableName, VendorGuid, Data, DataSize, Attributes);
418 }
419
420 return Status;
421 }
EFI Development Kit II mirror for PVE