]> git.proxmox.com Git - mirror_edk2.git/blob - SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h
projects / mirror_edk2.git / blob
? search:


1f62383aed622e4456ae52d419b84289d4b83c13
[mirror_edk2.git] / SecurityPkg / VariableAuthenticated / RuntimeDxe / AuthService.h
1 /** @file
2 The internal header file includes the common header files, defines
3 internal structure and functions used by AuthService module.
4
5 Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php
10
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13
14 **/
15
16 #ifndef _AUTHSERVICE_H_
17 #define _AUTHSERVICE_H_
18
19 #define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256
20 #define EFI_CERT_TYPE_RSA2048_SIZE 256
21
22 ///
23 /// Size of AuthInfo prior to the data payload.
24 ///
25 #define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
26 (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
27 sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
28
29 #define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
30 (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)
31
32 #define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
33 (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)))
34
35 ///
36 /// "AuthVarKeyDatabase" variable for the Public Key store.
37 ///
38 #define AUTHVAR_KEYDB_NAME L"AuthVarKeyDatabase"
39
40 ///
41 /// Max size of public key database, restricted by max individal EFI varible size, exclude variable header and name size.
42 ///
43 #define MAX_KEYDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - sizeof (AUTHVAR_KEYDB_NAME))
44 #define MAX_KEY_NUM (MAX_KEYDB_SIZE / EFI_CERT_TYPE_RSA2048_SIZE)
45
46 ///
47 /// "certdb" variable stores the signer's certificates for non PK/KEK/DB/DBX
48 /// variables with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
49 ///
50 ///
51 #define EFI_CERT_DB_NAME L"certdb"
52 #define MAX_CERTDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - sizeof (EFI_CERT_DB_NAME))
53
54 extern EFI_GUID gEfiCertDbGuid;
55
56 ///
57 /// Struct to record signature requirement defined by UEFI spec.
58 /// For SigHeaderSize and SigDataSize, ((UINT32) ~0) means NO exact length requirement for this field.
59 ///
60 typedef struct {
61 EFI_GUID SigType;
62 // Expected SignatureHeader size in Bytes.
63 UINT32 SigHeaderSize;
64 // Expected SignatureData size in Bytes.
65 UINT32 SigDataSize;
66 } EFI_SIGNATURE_ITEM;
67
68 typedef enum {
69 AuthVarTypePk,
70 AuthVarTypeKek,
71 AuthVarTypePriv,
72 AuthVarTypePayload
73 } AUTHVAR_TYPE;
74
75 #pragma pack(1)
76 typedef struct {
77 EFI_GUID VendorGuid;
78 UINT32 CertNodeSize;
79 UINT32 NameSize;
80 UINT32 CertDataSize;
81 /// CHAR16 VariableName[NameSize];
82 /// UINT8 CertData[CertDataSize];
83 } AUTH_CERT_DB_DATA;
84 #pragma pack()
85
86 /**
87 Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
88
89 Caution: This function may receive untrusted input.
90 This function may be invoked in SMM mode, and datasize and data are external input.
91 This function will do basic validation, before parse the data.
92 This function will parse the authentication carefully to avoid security issues, like
93 buffer overflow, integer overflow.
94 This function will check attribute carefully to avoid authentication bypass.
95
96 @param[in] VariableName Name of Variable to be found.
97 @param[in] VendorGuid Variable vendor GUID.
98
99 @param[in] Data Data pointer.
100 @param[in] DataSize Size of Data found. If size is less than the
101 data, this value contains the required size.
102 @param[in] Variable The variable information which is used to keep track of variable usage.
103 @param[in] Attributes Attribute value of the variable.
104
105 @return EFI_INVALID_PARAMETER Invalid parameter
106 @return EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with
107 EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
108 @return EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
109 set, but the AuthInfo does NOT pass the validation
110 check carried out by the firmware.
111 @return EFI_SUCCESS Variable is not write-protected, or passed validation successfully.
112
113 **/
114 EFI_STATUS
115 ProcessVariable (
116 IN CHAR16 *VariableName,
117 IN EFI_GUID *VendorGuid,
118 IN VOID *Data,
119 IN UINTN DataSize,
120 IN VARIABLE_POINTER_TRACK *Variable,
121 IN UINT32 Attributes
122 );
123
124 /**
125 Update platform mode.
126
127 @param[in] Mode SETUP_MODE or USER_MODE.
128
129 @return EFI_INVALID_PARAMETER Invalid parameter.
130 @return EFI_SUCCESS Update platform mode successfully.
131
132 **/
133 EFI_STATUS
134 UpdatePlatformMode (
135 IN UINT32 Mode
136 );
137
138 /**
139 Initializes for authenticated varibale service.
140
141 @retval EFI_SUCCESS Function successfully executed.
142 @retval EFI_OUT_OF_RESOURCES Fail to allocate enough memory resource.
143
144 **/
145 EFI_STATUS
146 AutenticatedVariableServiceInitialize (
147 VOID
148 );
149
150 /**
151 Initializes for cryptlib service before use, include register algrithm and allocate scratch.
152
153 **/
154 VOID
155 CryptLibraryInitialize (
156 VOID
157 );
158
159 /**
160 Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK variable.
161
162 @param[in] VariableName Name of Variable to be check.
163 @param[in] VendorGuid Variable vendor GUID.
164 @param[in] Data Point to the variable data to be checked.
165 @param[in] DataSize Size of Data.
166
167 @return EFI_INVALID_PARAMETER Invalid signature list format.
168 @return EFI_SUCCESS Passed signature list format check successfully.
169
170 **/
171 EFI_STATUS
172 CheckSignatureListFormat(
173 IN CHAR16 *VariableName,
174 IN EFI_GUID *VendorGuid,
175 IN VOID *Data,
176 IN UINTN DataSize
177 );
178
179 /**
180 Process variable with platform key for verification.
181
182 Caution: This function may receive untrusted input.
183 This function may be invoked in SMM mode, and datasize and data are external input.
184 This function will do basic validation, before parse the data.
185 This function will parse the authentication carefully to avoid security issues, like
186 buffer overflow, integer overflow.
187 This function will check attribute carefully to avoid authentication bypass.
188
189 @param[in] VariableName Name of Variable to be found.
190 @param[in] VendorGuid Variable vendor GUID.
191 @param[in] Data Data pointer.
192 @param[in] DataSize Size of Data found. If size is less than the
193 data, this value contains the required size.
194 @param[in] Variable The variable information which is used to keep track of variable usage.
195 @param[in] Attributes Attribute value of the variable.
196 @param[in] IsPk Indicate whether it is to process pk.
197
198 @return EFI_INVALID_PARAMETER Invalid parameter
199 @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
200 check carried out by the firmware.
201 @return EFI_SUCCESS Variable passed validation successfully.
202
203 **/
204 EFI_STATUS
205 ProcessVarWithPk (
206 IN CHAR16 *VariableName,
207 IN EFI_GUID *VendorGuid,
208 IN VOID *Data,
209 IN UINTN DataSize,
210 IN VARIABLE_POINTER_TRACK *Variable,
211 IN UINT32 Attributes OPTIONAL,
212 IN BOOLEAN IsPk
213 );
214
215 /**
216 Process variable with key exchange key for verification.
217
218 Caution: This function may receive untrusted input.
219 This function may be invoked in SMM mode, and datasize and data are external input.
220 This function will do basic validation, before parse the data.
221 This function will parse the authentication carefully to avoid security issues, like
222 buffer overflow, integer overflow.
223 This function will check attribute carefully to avoid authentication bypass.
224
225 @param[in] VariableName Name of Variable to be found.
226 @param[in] VendorGuid Variable vendor GUID.
227 @param[in] Data Data pointer.
228 @param[in] DataSize Size of Data found. If size is less than the
229 data, this value contains the required size.
230 @param[in] Variable The variable information that is used to keep track of variable usage.
231 @param[in] Attributes Attribute value of the variable.
232
233 @return EFI_INVALID_PARAMETER Invalid parameter.
234 @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
235 check carried out by the firmware.
236 @return EFI_SUCCESS Variable passed validation successfully.
237
238 **/
239 EFI_STATUS
240 ProcessVarWithKek (
241 IN CHAR16 *VariableName,
242 IN EFI_GUID *VendorGuid,
243 IN VOID *Data,
244 IN UINTN DataSize,
245 IN VARIABLE_POINTER_TRACK *Variable,
246 IN UINT32 Attributes OPTIONAL
247 );
248
249 /**
250 Merge two buffers which formatted as EFI_SIGNATURE_LIST. Only the new EFI_SIGNATURE_DATA
251 will be appended to the original EFI_SIGNATURE_LIST, duplicate EFI_SIGNATURE_DATA
252 will be ignored.
253
254 @param[in, out] Data Pointer to original EFI_SIGNATURE_LIST.
255 @param[in] DataSize Size of Data buffer.
256 @param[in] NewData Pointer to new EFI_SIGNATURE_LIST to be appended.
257 @param[in] NewDataSize Size of NewData buffer.
258
259 @return Size of the merged buffer.
260
261 **/
262 UINTN
263 AppendSignatureList (
264 IN OUT VOID *Data,
265 IN UINTN DataSize,
266 IN VOID *NewData,
267 IN UINTN NewDataSize
268 );
269
270 /**
271 Compare two EFI_TIME data.
272
273
274 @param FirstTime A pointer to the first EFI_TIME data.
275 @param SecondTime A pointer to the second EFI_TIME data.
276
277 @retval TRUE The FirstTime is not later than the SecondTime.
278 @retval FALSE The FirstTime is later than the SecondTime.
279
280 **/
281 BOOLEAN
282 CompareTimeStamp (
283 IN EFI_TIME *FirstTime,
284 IN EFI_TIME *SecondTime
285 );
286
287
288 /**
289 Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
290
291 Caution: This function may receive untrusted input.
292 This function may be invoked in SMM mode, and datasize and data are external input.
293 This function will do basic validation, before parse the data.
294 This function will parse the authentication carefully to avoid security issues, like
295 buffer overflow, integer overflow.
296
297 @param[in] VariableName Name of Variable to be found.
298 @param[in] VendorGuid Variable vendor GUID.
299 @param[in] Data Data pointer.
300 @param[in] DataSize Size of Data found. If size is less than the
301 data, this value contains the required size.
302 @param[in] Variable The variable information which is used to keep track of variable usage.
303 @param[in] Attributes Attribute value of the variable.
304 @param[in] AuthVarType Verify against PK or KEK database or private database.
305 @param[out] VarDel Delete the variable or not.
306
307 @retval EFI_INVALID_PARAMETER Invalid parameter.
308 @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
309 check carried out by the firmware.
310 @retval EFI_OUT_OF_RESOURCES Failed to process variable due to lack
311 of resources.
312 @retval EFI_SUCCESS Variable pass validation successfully.
313
314 **/
315 EFI_STATUS
316 VerifyTimeBasedPayload (
317 IN CHAR16 *VariableName,
318 IN EFI_GUID *VendorGuid,
319 IN VOID *Data,
320 IN UINTN DataSize,
321 IN VARIABLE_POINTER_TRACK *Variable,
322 IN UINT32 Attributes,
323 IN AUTHVAR_TYPE AuthVarType,
324 OUT BOOLEAN *VarDel
325 );
326
327 extern UINT8 mPubKeyStore[MAX_KEYDB_SIZE];
328 extern UINT32 mPubKeyNumber;
329 extern VOID *mHashCtx;
330 extern VOID *mStorageArea;
331 extern UINT8 *mSerializationRuntimeBuffer;
332
333 #endif
EFI Development Kit II mirror for PVE