1 /** @file
2 This library provides functions to set/clear Secure Boot
3 keys and databases.
4
5 Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR>
6 (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR>
7 Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
8 Copyright (c) 2021, Semihalf All rights reserved.<BR>
9 SPDX-License-Identifier: BSD-2-Clause-Patent
10 **/
11 #include <Guid/GlobalVariable.h>
12 #include <Guid/AuthenticatedVariableFormat.h>
13 #include <Guid/ImageAuthentication.h>
14 #include <Library/BaseLib.h>
15 #include <Library/BaseMemoryLib.h>
16 #include <Library/DebugLib.h>
17 #include <Library/UefiLib.h>
18 #include <Library/MemoryAllocationLib.h>
19 #include <Library/UefiRuntimeServicesTableLib.h>
20 #include <Library/SecureBootVariableLib.h>
21 #include <Library/SecureBootVariableProvisionLib.h>
22
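/**
  Enroll a key/certificate database from the content of a default variable.

  Reads DefaultName from the EFI global variable namespace, wraps the data in
  a time-based authentication payload via CreateTimeBasedPayload (), and writes
  the result to VariableName under VendorGuid as a non-volatile, time-based
  authenticated variable.

  Nothing in this function validates the content of the default variable; it
  is enrolled as read.

  @param[in] VariableName  The name of the key/database to write.
  @param[in] DefaultName   The name of the default variable to read.
  @param[in] VendorGuid    The namespace (i.e. vendor GUID) of VariableName.

  @retval EFI_SUCCESS           Successful enrollment.
  @retval EFI_OUT_OF_RESOURCES  Out of memory while allocating AuthHeader.
  @return Error codes from GetVariable2 (), CreateTimeBasedPayload () and
          SetVariable ().
**/
STATIC
EFI_STATUS
EnrollFromDefault (
  IN CHAR16    *VariableName,
  IN CHAR16    *DefaultName,
  IN EFI_GUID  *VendorGuid
  )
{
  VOID        *Data;
  UINTN       DataSize;
  EFI_STATUS  Status;

  Data     = NULL;
  DataSize = 0;
  Status   = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, &DataSize);
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s\"): %r\n", DefaultName, Status));
    return Status;
  }

  //
  // Capture the result of the payload creation. Without this assignment the
  // check below tested the stale status from GetVariable2 () and could never
  // fire, so a failed payload creation would still have reached SetVariable ().
  //
  Status = CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status));
    //
    // NOTE(review): who owns Data on this path is defined by
    // CreateTimeBasedPayload (), which is not visible here. Confirm whether
    // the buffer returned by GetVariable2 () must be freed before returning.
    //
    return Status;
  }

  //
  // Write the payload as a non-volatile, time-based authenticated variable
  // that is accessible at boot time and at runtime.
  //
  Status = gRT->SetVariable (
                  VariableName,
                  VendorGuid,
                  (EFI_VARIABLE_NON_VOLATILE |
                   EFI_VARIABLE_BOOTSERVICE_ACCESS |
                   EFI_VARIABLE_RUNTIME_ACCESS |
                   EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS),
                  DataSize,
                  Data
                  );

  if (EFI_ERROR (Status)) {
    DEBUG ((
      DEBUG_ERROR,
      "error: %a (\"%s\", %g): %r\n",
      __FUNCTION__,
      VariableName,
      VendorGuid,
      Status
      ));
  }

  //
  // The payload buffer is released whether or not the write succeeded.
  //
  if (Data != NULL) {
    FreePool (Data);
  }

  return Status;
}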
92
/** Initializes PKDefault variable with data from FFS section.

  An existing PKDefault is left untouched. Otherwise the content returned by
  SecureBootFetchData () for gDefaultPKFileGuid is stored with boot-service and
  runtime access; no non-volatile or authenticated-write attribute is passed.

  NOTE(review): any protection of PKDefault against later writers is not
  visible in this function - confirm it is applied elsewhere.

  @retval EFI_SUCCESS      Variable was initialized successfully.
  @retval EFI_UNSUPPORTED  Variable already exists.
  @return Other status codes from GetVariable2 (), SecureBootFetchData () and
          SetVariable ().
**/
EFI_STATUS
SecureBootInitPKDefault (
  IN VOID
  )
{
  EFI_STATUS          Status;
  UINT8               *Existing;
  UINTN               ExistingSize;
  EFI_SIGNATURE_LIST  *SigLists;
  UINTN               SigListsSize;

  //
  // An already present default is never overwritten.
  //
  Status = GetVariable2 (
             EFI_PK_DEFAULT_VARIABLE_NAME,
             &gEfiGlobalVariableGuid,
             (VOID **)&Existing,
             &ExistingSize
             );
  if (Status == EFI_SUCCESS) {
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_PK_DEFAULT_VARIABLE_NAME));
    FreePool (Existing);
    return EFI_UNSUPPORTED;
  }

  //
  // Only "not found" lets the initialization continue; any other error is
  // handed back to the caller.
  //
  if ((Status != EFI_NOT_FOUND) && EFI_ERROR (Status)) {
    return Status;
  }

  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_PK_DEFAULT_VARIABLE_NAME));

  Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, &SigLists);
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_PK_DEFAULT_VARIABLE_NAME));
    return Status;
  }

  Status = gRT->SetVariable (
                  EFI_PK_DEFAULT_VARIABLE_NAME,
                  &gEfiGlobalVariableGuid,
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
                  SigListsSize,
                  (VOID *)SigLists
                  );
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_PK_DEFAULT_VARIABLE_NAME));
  }

  //
  // The fetched signature lists are released on success and on failure.
  //
  FreePool (SigLists);

  return Status;
}
149
/** Initializes KEKDefault variable with data from FFS section.

  An existing KEKDefault is left untouched. Otherwise the content returned by
  SecureBootFetchData () for gDefaultKEKFileGuid is stored with boot-service
  and runtime access; no non-volatile or authenticated-write attribute is
  passed.

  NOTE(review): any protection of KEKDefault against later writers is not
  visible in this function - confirm it is applied elsewhere.

  @retval EFI_SUCCESS      Variable was initialized successfully.
  @retval EFI_UNSUPPORTED  Variable already exists.
  @return Other status codes from GetVariable2 (), SecureBootFetchData () and
          SetVariable ().
**/
EFI_STATUS
SecureBootInitKEKDefault (
  IN VOID
  )
{
  EFI_STATUS          Status;
  UINT8               *Existing;
  UINTN               ExistingSize;
  EFI_SIGNATURE_LIST  *SigLists;
  UINTN               SigListsSize;

  //
  // An already present default is never overwritten.
  //
  Status = GetVariable2 (
             EFI_KEK_DEFAULT_VARIABLE_NAME,
             &gEfiGlobalVariableGuid,
             (VOID **)&Existing,
             &ExistingSize
             );
  if (Status == EFI_SUCCESS) {
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
    FreePool (Existing);
    return EFI_UNSUPPORTED;
  }

  //
  // Only "not found" lets the initialization continue; any other error is
  // handed back to the caller.
  //
  if ((Status != EFI_NOT_FOUND) && EFI_ERROR (Status)) {
    return Status;
  }

  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_KEK_DEFAULT_VARIABLE_NAME));

  Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, &SigLists);
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
    return Status;
  }

  Status = gRT->SetVariable (
                  EFI_KEK_DEFAULT_VARIABLE_NAME,
                  &gEfiGlobalVariableGuid,
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
                  SigListsSize,
                  (VOID *)SigLists
                  );
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_KEK_DEFAULT_VARIABLE_NAME));
  }

  //
  // The fetched signature lists are released on success and on failure.
  //
  FreePool (SigLists);

  return Status;
}
206
/** Initializes dbDefault variable with data from FFS section.

  An existing dbDefault is left untouched. Otherwise the content returned by
  SecureBootFetchData () for gDefaultdbFileGuid is stored with boot-service and
  runtime access; no non-volatile or authenticated-write attribute is passed.

  NOTE(review): any protection of dbDefault against later writers is not
  visible in this function - confirm it is applied elsewhere.

  @retval EFI_SUCCESS      Variable was initialized successfully.
  @retval EFI_UNSUPPORTED  Variable already exists.
  @return Other status codes from GetVariable2 (), SecureBootFetchData () and
          SetVariable ().
**/
EFI_STATUS
SecureBootInitDbDefault (
  IN VOID
  )
{
  EFI_STATUS          Status;
  UINT8               *Existing;
  UINTN               ExistingSize;
  EFI_SIGNATURE_LIST  *SigLists;
  UINTN               SigListsSize;

  //
  // An already present default is never overwritten.
  //
  Status = GetVariable2 (
             EFI_DB_DEFAULT_VARIABLE_NAME,
             &gEfiGlobalVariableGuid,
             (VOID **)&Existing,
             &ExistingSize
             );
  if (Status == EFI_SUCCESS) {
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DB_DEFAULT_VARIABLE_NAME));
    FreePool (Existing);
    return EFI_UNSUPPORTED;
  }

  //
  // Only "not found" lets the initialization continue; any other error is
  // handed back to the caller.
  //
  if ((Status != EFI_NOT_FOUND) && EFI_ERROR (Status)) {
    return Status;
  }

  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DB_DEFAULT_VARIABLE_NAME));

  //
  // A failed fetch is returned to the caller without a debug message here.
  //
  Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, &SigLists);
  if (EFI_ERROR (Status)) {
    return Status;
  }

  Status = gRT->SetVariable (
                  EFI_DB_DEFAULT_VARIABLE_NAME,
                  &gEfiGlobalVariableGuid,
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
                  SigListsSize,
                  (VOID *)SigLists
                  );
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DB_DEFAULT_VARIABLE_NAME));
  }

  //
  // The fetched signature lists are released on success and on failure.
  //
  FreePool (SigLists);

  return Status;
}
256
/** Initializes dbxDefault variable with data from FFS section.

  An existing dbxDefault is left untouched. Otherwise the content returned by
  SecureBootFetchData () for gDefaultdbxFileGuid is stored with boot-service
  and runtime access; no non-volatile or authenticated-write attribute is
  passed.

  NOTE(review): any protection of dbxDefault against later writers is not
  visible in this function - confirm it is applied elsewhere.

  @retval EFI_SUCCESS      Variable was initialized successfully.
  @retval EFI_UNSUPPORTED  Variable already exists.
  @return Other status codes from GetVariable2 (), SecureBootFetchData () and
          SetVariable ().
**/
EFI_STATUS
SecureBootInitDbxDefault (
  IN VOID
  )
{
  EFI_STATUS          Status;
  UINT8               *Existing;
  UINTN               ExistingSize;
  EFI_SIGNATURE_LIST  *SigLists;
  UINTN               SigListsSize;

  //
  // An already present default is never overwritten.
  //
  Status = GetVariable2 (
             EFI_DBX_DEFAULT_VARIABLE_NAME,
             &gEfiGlobalVariableGuid,
             (VOID **)&Existing,
             &ExistingSize
             );
  if (Status == EFI_SUCCESS) {
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
    FreePool (Existing);
    return EFI_UNSUPPORTED;
  }

  //
  // Only "not found" lets the initialization continue; any other error is
  // handed back to the caller.
  //
  if ((Status != EFI_NOT_FOUND) && EFI_ERROR (Status)) {
    return Status;
  }

  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBX_DEFAULT_VARIABLE_NAME));

  Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, &SigLists);
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_INFO, "Content for %s not found\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
    return Status;
  }

  Status = gRT->SetVariable (
                  EFI_DBX_DEFAULT_VARIABLE_NAME,
                  &gEfiGlobalVariableGuid,
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
                  SigListsSize,
                  (VOID *)SigLists
                  );
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBX_DEFAULT_VARIABLE_NAME));
  }

  //
  // The fetched signature lists are released on success and on failure.
  //
  FreePool (SigLists);

  return Status;
}
313
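/** Initializes dbtDefault variable with data from FFS section.

  An existing dbtDefault is left untouched. Otherwise the content returned by
  SecureBootFetchData () for gDefaultdbtFileGuid is stored with boot-service
  and runtime access; no non-volatile or authenticated-write attribute is
  passed.

  NOTE(review): any protection of dbtDefault against later writers is not
  visible in this function - confirm it is applied elsewhere.

  @retval EFI_SUCCESS      Variable was initialized successfully.
  @retval EFI_UNSUPPORTED  Variable already exists.
  @return Other status codes from GetVariable2 (), SecureBootFetchData () and
          SetVariable ().
**/
EFI_STATUS
SecureBootInitDbtDefault (
  IN VOID
  )
{
  EFI_SIGNATURE_LIST  *EfiSig;
  UINTN               SigListsSize;
  EFI_STATUS          Status;
  UINT8               *Data;
  UINTN               DataSize;

  //
  // Check if variable exists, if so do not change it
  //
  Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, &gEfiGlobalVariableGuid, (VOID **)&Data, &DataSize);
  if (Status == EFI_SUCCESS) {
    DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
    FreePool (Data);
    return EFI_UNSUPPORTED;
  }

  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
    return Status;
  }

  //
  // Variable does not exist, can be initialized
  //
  DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", EFI_DBT_DEFAULT_VARIABLE_NAME));

  Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, &EfiSig);
  if (EFI_ERROR (Status)) {
    return Status;
  }

  Status = gRT->SetVariable (
                  EFI_DBT_DEFAULT_VARIABLE_NAME,
                  &gEfiGlobalVariableGuid,
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
                  SigListsSize,
                  (VOID *)EfiSig
                  );
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_INFO, "Failed to set %s\n", EFI_DBT_DEFAULT_VARIABLE_NAME));
  }

  FreePool (EfiSig);

  //
  // Report the SetVariable () result, as the other SecureBootInit*Default ()
  // functions do. Returning EFI_SUCCESS unconditionally told the caller that
  // dbtDefault had been created even when the write had failed.
  //
  return Status;
}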
369
/**
  Sets the content of the 'db' variable based on 'dbDefault' variable content.

  Thin wrapper: forwards to EnrollFromDefault () with the 'db' variable name,
  the 'dbDefault' variable name and gEfiImageSecurityDatabaseGuid.

  @return The status returned by EnrollFromDefault ().
**/
EFI_STATUS
EFIAPI
EnrollDbFromDefault (
  VOID
  )
{
  return EnrollFromDefault (
           EFI_IMAGE_SECURITY_DATABASE,
           EFI_DB_DEFAULT_VARIABLE_NAME,
           &gEfiImageSecurityDatabaseGuid
           );
}
393
/**
  Sets the content of the 'dbx' variable based on 'dbxDefault' variable content.

  Thin wrapper: forwards to EnrollFromDefault () with the 'dbx' variable name,
  the 'dbxDefault' variable name and gEfiImageSecurityDatabaseGuid.

  @return The status returned by EnrollFromDefault ().
**/
EFI_STATUS
EFIAPI
EnrollDbxFromDefault (
  VOID
  )
{
  return EnrollFromDefault (
           EFI_IMAGE_SECURITY_DATABASE1,
           EFI_DBX_DEFAULT_VARIABLE_NAME,
           &gEfiImageSecurityDatabaseGuid
           );
}
417
/**
  Sets the content of the 'dbt' variable based on 'dbtDefault' variable content.

  Thin wrapper: forwards to EnrollFromDefault () with the 'dbt' variable name,
  the 'dbtDefault' variable name and gEfiImageSecurityDatabaseGuid.

  @return The status returned by EnrollFromDefault ().
**/
EFI_STATUS
EFIAPI
EnrollDbtFromDefault (
  VOID
  )
{
  return EnrollFromDefault (
           EFI_IMAGE_SECURITY_DATABASE2,
           EFI_DBT_DEFAULT_VARIABLE_NAME,
           &gEfiImageSecurityDatabaseGuid
           );
}
441
/**
  Sets the content of the 'KEK' variable based on 'KEKDefault' variable content.

  Thin wrapper: forwards to EnrollFromDefault () with the 'KEK' variable name,
  the 'KEKDefault' variable name and gEfiGlobalVariableGuid.

  @return The status returned by EnrollFromDefault ().
**/
EFI_STATUS
EFIAPI
EnrollKEKFromDefault (
  VOID
  )
{
  return EnrollFromDefault (
           EFI_KEY_EXCHANGE_KEY_NAME,
           EFI_KEK_DEFAULT_VARIABLE_NAME,
           &gEfiGlobalVariableGuid
           );
}
465
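/**
  Sets the content of the 'PK' variable based on 'PKDefault' variable content.

  Thin wrapper: forwards to EnrollFromDefault () with EFI_PLATFORM_KEY_NAME,
  EFI_PK_DEFAULT_VARIABLE_NAME and gEfiGlobalVariableGuid. The previous header
  comment described the 'KEK' variable, which did not match these arguments.

  @return The status returned by EnrollFromDefault ().
**/
EFI_STATUS
EFIAPI
EnrollPKFromDefault (
  VOID
  )
{
  return EnrollFromDefault (
           EFI_PLATFORM_KEY_NAME,
           EFI_PK_DEFAULT_VARIABLE_NAME,
           &gEfiGlobalVariableGuid
           );
}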