1 /** @file
2 The internal header file includes the common header files, defines
3 internal structure and functions used by AuthService module.
4
5 Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php
10
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13
14 **/
15
16 #ifndef _AUTHSERVICE_H_
17 #define _AUTHSERVICE_H_
18
///
/// Byte lengths for the RSA-2048 certificate types (2048 bits = 256 bytes).
/// EFI_CERT_TYPE_RSA2048_SIZE is also the per-key divisor used by MAX_KEY_NUM.
///
19 #define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256
20 #define EFI_CERT_TYPE_RSA2048_SIZE 256
21
22 ///
23 /// Size of AuthInfo prior to the data payload.
24 ///
25 #define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
26 (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
27 sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
28
///
/// Size of the EFI_VARIABLE_AUTHENTICATION_2 descriptor that VarAuth2 points to:
/// the offset of AuthInfo plus the AuthInfo.Hdr.dwLength value read from that structure.
/// NOTE(review): dwLength is used as stored, with no bound applied by the macro. If
/// VarAuth2 points into caller-supplied variable data, callers presumably have to
/// confirm the buffer covers the fixed header before evaluating the macro, and compare
/// the result with the payload size before using it as an offset - confirm at call sites.
/// The sum is computed in UINTN, so a very large dwLength could wrap where UINTN is
/// 32 bits wide - verify.
///
29 #define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
30 (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)
31
///
/// Offset of WIN_CERTIFICATE_UEFI_GUID.CertData from the start of an
/// EFI_VARIABLE_AUTHENTICATION_2 structure. Unlike AUTHINFO2_SIZE it is a
/// compile-time constant and reads nothing from the buffer.
///
32 #define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
33 (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)))
34
35 ///
36 /// "AuthVarKeyDatabase" variable for the Public Key store.
/// AUTHVAR_KEYDB_NAME_SIZE is the size of that name in bytes: 18 CHAR16 characters
/// plus the terminating NUL, 19 * 2 = 38. It is a hand-written constant, so it has to
/// be updated together with AUTHVAR_KEYDB_NAME; MAX_KEYDB_SIZE is derived from it.
37 ///
38 #define AUTHVAR_KEYDB_NAME L"AuthVarKeyDatabase"
39 #define AUTHVAR_KEYDB_NAME_SIZE 38
40
41 ///
42 /// Max size of the public key database, restricted by the max individual EFI variable size, excluding the variable header and name size.
/// MAX_KEY_NUM is the number of EFI_CERT_TYPE_RSA2048_SIZE-byte keys that fit in that space.
/// mPubKeyStore is declared with exactly MAX_KEYDB_SIZE bytes.
/// NOTE(review): code that appends a key presumably has to compare mPubKeyNumber with
/// MAX_KEY_NUM before writing into mPubKeyStore - confirm in the implementation.
43 ///
44 #define MAX_KEYDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - AUTHVAR_KEYDB_NAME_SIZE)
45 #define MAX_KEY_NUM (MAX_KEYDB_SIZE / EFI_CERT_TYPE_RSA2048_SIZE)
46
47 ///
48 /// Struct to record signature requirement defined by UEFI spec.
49 /// For SigHeaderSize and SigDataSize, ((UINT32) ~0) means NO exact length requirement for this field.
50 ///
51 typedef struct {
52 EFI_GUID SigType;
53 // Expected SignatureHeader size in Bytes.
54 UINT32 SigHeaderSize;
55 // Expected SignatureData size in Bytes.
56 UINT32 SigDataSize;
57 } EFI_SIGNATURE_ITEM;
58
///
/// Selects what an authenticated variable is verified against. It is passed as the
/// AuthVarType parameter of VerifyTimeBasedPayload(), documented there as
/// "PK or KEK database or private database".
///
59 typedef enum {
60 AuthVarTypePk,
61 AuthVarTypeKek,
62 AuthVarTypePriv
63 } AUTHVAR_TYPE;
64
///
/// Byte-packed fixed header of one certificate database node. Per the field comments
/// at the end of the structure, the header is followed by VariableName
/// (CHAR16[NameSize]) and then CertData (UINT8[CertDataSize]).
/// NOTE(review): if nodes are parsed back from stored variable data, the code walking
/// them presumably has to check CertNodeSize, NameSize and CertDataSize against the
/// remaining buffer, and against each other, before following them - confirm in the
/// implementation.
///
65 #pragma pack(1)
66 typedef struct {
67 EFI_GUID VendorGuid;
68 UINT32 CertNodeSize;
69 UINT32 NameSize;
70 UINT32 CertDataSize;
71 /// CHAR16 VariableName[NameSize];
72 /// UINT8 CertData[CertDataSize];
73 } AUTH_CERT_DB_DATA;
74 #pragma pack()
75
76 /**
77 Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
78
79 @param[in] VariableName Name of Variable to be found.
80 @param[in] VendorGuid Variable vendor GUID.
81
82 @param[in] Data Data pointer.
83 @param[in] DataSize Size of Data found. If size is less than the
84 data, this value contains the required size.
85 @param[in] Variable The variable information which is used to keep track of variable usage.
86 @param[in] Attributes Attribute value of the variable.
87
88 @return EFI_INVALID_PARAMETER Invalid parameter
89 @return EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with
90 EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
91 @return EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
92 set, but the AuthInfo does NOT pass the validation
93 check carried out by the firmware.
94 @return EFI_SUCCESS Variable is not write-protected, or passed validation successfully.
95
96 **/
97 EFI_STATUS
98 ProcessVariable (
99 IN CHAR16 *VariableName,
100 IN EFI_GUID *VendorGuid,
101 IN VOID *Data,
102 IN UINTN DataSize,
103 IN VARIABLE_POINTER_TRACK *Variable,
104 IN UINT32 Attributes
105 );
106
107 /**
108 Update platform mode.
109
110 @param[in] Mode SETUP_MODE or USER_MODE.
111
112 @return EFI_INVALID_PARAMETER Invalid parameter.
113 @return EFI_SUCCESS Update platform mode successfully.
114
115 **/
116 EFI_STATUS
117 UpdatePlatformMode (
118 IN UINT32 Mode
119 );
120
121 /**
122 Initializes the authenticated variable service.
123
124 @retval EFI_SUCCESS Function successfully executed.
125 @retval EFI_OUT_OF_RESOURCES Fail to allocate enough memory resource.
126
127 **/
128 EFI_STATUS
129 AutenticatedVariableServiceInitialize (
130 VOID
131 );
132
133 /**
134 Initializes the cryptlib service before use, including algorithm registration and scratch allocation.
135
136 **/
137 VOID
138 CryptLibraryInitialize (
139 VOID
140 );
141
142 /**
143 Check the input data format to make sure it is a valid EFI_SIGNATURE_LIST for a PK/KEK variable.
144
145 @param[in] VariableName Name of Variable to be checked.
146 @param[in] VendorGuid Variable vendor GUID.
147 @param[in] Data Point to the variable data to be checked.
148 @param[in] DataSize Size of Data.
149
150 @return EFI_INVALID_PARAMETER Invalid signature list format.
151 @return EFI_SUCCESS Passed signature list format check successfully.
152
153 **/
154 EFI_STATUS
155 CheckSignatureListFormat(
156 IN CHAR16 *VariableName,
157 IN EFI_GUID *VendorGuid,
158 IN VOID *Data,
159 IN UINTN DataSize
160 );
161
162 /**
163 Process variable with platform key for verification.
164
165 @param[in] VariableName Name of Variable to be found.
166 @param[in] VendorGuid Variable vendor GUID.
167 @param[in] Data Data pointer.
168 @param[in] DataSize Size of Data found. If size is less than the
169 data, this value contains the required size.
170 @param[in] Variable The variable information which is used to keep track of variable usage.
171 @param[in] Attributes Attribute value of the variable.
172 @param[in] IsPk Indicate whether it is to process pk.
173
174 @return EFI_INVALID_PARAMETER Invalid parameter
175 @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
176 check carried out by the firmware.
177 @return EFI_SUCCESS Variable passed validation successfully.
178
179 **/
180 EFI_STATUS
181 ProcessVarWithPk (
182 IN CHAR16 *VariableName,
183 IN EFI_GUID *VendorGuid,
184 IN VOID *Data,
185 IN UINTN DataSize,
186 IN VARIABLE_POINTER_TRACK *Variable,
187 IN UINT32 Attributes OPTIONAL,
188 IN BOOLEAN IsPk
189 );
190
191 /**
192 Process variable with key exchange key for verification.
193
194 @param[in] VariableName Name of Variable to be found.
195 @param[in] VendorGuid Variable vendor GUID.
196 @param[in] Data Data pointer.
197 @param[in] DataSize Size of Data found. If size is less than the
198 data, this value contains the required size.
199 @param[in] Variable The variable information that is used to keep track of variable usage.
200 @param[in] Attributes Attribute value of the variable.
201
202 @return EFI_INVALID_PARAMETER Invalid parameter.
203 @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
204 check carried out by the firmware.
205 @return EFI_SUCCESS Variable passed validation successfully.
206
207 **/
208 EFI_STATUS
209 ProcessVarWithKek (
210 IN CHAR16 *VariableName,
211 IN EFI_GUID *VendorGuid,
212 IN VOID *Data,
213 IN UINTN DataSize,
214 IN VARIABLE_POINTER_TRACK *Variable,
215 IN UINT32 Attributes OPTIONAL
216 );
217
218 /**
219 Merge two buffers which are formatted as EFI_SIGNATURE_LIST. Only the new EFI_SIGNATURE_DATA
220 will be appended to the original EFI_SIGNATURE_LIST, duplicate EFI_SIGNATURE_DATA
221 will be ignored.
    NOTE(review): the merge is written into Data, and the prototype carries no capacity
    argument - DataSize is documented as the size of the existing list. The caller
    presumably has to provide a buffer behind Data that can hold up to
    DataSize + NewDataSize bytes; confirm against the implementation and call sites.
222
223 @param[in, out] Data Pointer to original EFI_SIGNATURE_LIST.
224 @param[in] DataSize Size of Data buffer.
225 @param[in] NewData Pointer to new EFI_SIGNATURE_LIST to be appended.
226 @param[in] NewDataSize Size of NewData buffer.
227
228 @return Size of the merged buffer.
229
230 **/
231 UINTN
232 AppendSignatureList (
233 IN OUT VOID *Data,
234 IN UINTN DataSize,
235 IN VOID *NewData,
236 IN UINTN NewDataSize
237 );
238
239 /**
240 Compare two EFI_TIME data.
241
242
243 @param FirstTime A pointer to the first EFI_TIME data.
244 @param SecondTime A pointer to the second EFI_TIME data.
245
246 @retval TRUE The FirstTime is not later than the SecondTime.
247 @retval FALSE The FirstTime is later than the SecondTime.
248
249 **/
250 BOOLEAN
251 CompareTimeStamp (
252 IN EFI_TIME *FirstTime,
253 IN EFI_TIME *SecondTime
254 );
255
256
257 /**
258 Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
259
260 @param[in] VariableName Name of Variable to be found.
261 @param[in] VendorGuid Variable vendor GUID.
262 @param[in] Data Data pointer.
263 @param[in] DataSize Size of Data found. If size is less than the
264 data, this value contains the required size.
265 @param[in] Variable The variable information which is used to keep track of variable usage.
266 @param[in] Attributes Attribute value of the variable.
267 @param[in] AuthVarType Verify against PK or KEK database or private database.
268 @param[out] VarDel Delete the variable or not.
269
270 @retval EFI_INVALID_PARAMETER Invalid parameter.
271 @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
272 check carried out by the firmware.
273 @retval EFI_OUT_OF_RESOURCES Failed to process variable due to lack
274 of resources.
275 @retval EFI_SUCCESS Variable pass validation successfully.
276
277 **/
278 EFI_STATUS
279 VerifyTimeBasedPayload (
280 IN CHAR16 *VariableName,
281 IN EFI_GUID *VendorGuid,
282 IN VOID *Data,
283 IN UINTN DataSize,
284 IN VARIABLE_POINTER_TRACK *Variable,
285 IN UINT32 Attributes,
286 IN AUTHVAR_TYPE AuthVarType,
287 OUT BOOLEAN *VarDel
288 );
289
///
/// Module-level state declared here for the AuthService sources; the definitions are
/// outside this header. mPubKeyStore is a fixed array of MAX_KEYDB_SIZE bytes.
/// NOTE(review): mPubKeyNumber presumably counts the keys currently held in
/// mPubKeyStore - confirm in the implementation.
///
290 extern UINT8 mPubKeyStore[MAX_KEYDB_SIZE];
291 extern UINT32 mPubKeyNumber;
292 extern VOID *mHashCtx;
293 extern VOID *mStorageArea;
294 extern UINT8 *mSerializationRuntimeBuffer;
295
296 #endif