]> git.proxmox.com Git - mirror_edk2.git/blob - SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h
projects / mirror_edk2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SecurityPkg Variable: Remove mStorageData buffer allocation and use Scratch buffer...
[mirror_edk2.git] / SecurityPkg / VariableAuthenticated / RuntimeDxe / AuthService.h
1 /** @file
2 The internal header file includes the common header files, defines
3 internal structure and functions used by AuthService module.
4
5 Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php
10
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13
14 **/
15
16 #ifndef _AUTHSERVICE_H_
17 #define _AUTHSERVICE_H_
18
19 #define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256
20 #define EFI_CERT_TYPE_RSA2048_SIZE 256
21
22 ///
23 /// Size of AuthInfo prior to the data payload.
24 ///
25 #define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
26 (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
27 sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
28
29 #define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
30 (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)
31
32 #define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
33 (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)))
34
35 ///
36 /// "AuthVarKeyDatabase" variable for the Public Key store.
37 ///
38 #define AUTHVAR_KEYDB_NAME L"AuthVarKeyDatabase"
39
40 ///
41 /// Max size of public key database, restricted by max individal EFI varible size, exclude variable header and name size.
42 ///
43 #define MAX_KEYDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - sizeof (AUTHVAR_KEYDB_NAME))
44 #define MAX_KEY_NUM (MAX_KEYDB_SIZE / EFI_CERT_TYPE_RSA2048_SIZE)
45
46 ///
47 /// "certdb" variable stores the signer's certificates for non PK/KEK/DB/DBX
48 /// variables with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
49 ///
50 ///
51 #define EFI_CERT_DB_NAME L"certdb"
52 #define MAX_CERTDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - sizeof (EFI_CERT_DB_NAME))
53
54 ///
55 /// Struct to record signature requirement defined by UEFI spec.
56 /// For SigHeaderSize and SigDataSize, ((UINT32) ~0) means NO exact length requirement for this field.
57 ///
58 typedef struct {
59 EFI_GUID SigType;
60 // Expected SignatureHeader size in Bytes.
61 UINT32 SigHeaderSize;
62 // Expected SignatureData size in Bytes.
63 UINT32 SigDataSize;
64 } EFI_SIGNATURE_ITEM;
65
66 typedef enum {
67 AuthVarTypePk,
68 AuthVarTypeKek,
69 AuthVarTypePriv,
70 AuthVarTypePayload
71 } AUTHVAR_TYPE;
72
73 #pragma pack(1)
74 typedef struct {
75 EFI_GUID VendorGuid;
76 UINT32 CertNodeSize;
77 UINT32 NameSize;
78 UINT32 CertDataSize;
79 /// CHAR16 VariableName[NameSize];
80 /// UINT8 CertData[CertDataSize];
81 } AUTH_CERT_DB_DATA;
82 #pragma pack()
83
84 /**
85 Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
86
87 Caution: This function may receive untrusted input.
88 This function may be invoked in SMM mode, and datasize and data are external input.
89 This function will do basic validation, before parse the data.
90 This function will parse the authentication carefully to avoid security issues, like
91 buffer overflow, integer overflow.
92 This function will check attribute carefully to avoid authentication bypass.
93
94 @param[in] VariableName Name of Variable to be found.
95 @param[in] VendorGuid Variable vendor GUID.
96
97 @param[in] Data Data pointer.
98 @param[in] DataSize Size of Data found. If size is less than the
99 data, this value contains the required size.
100 @param[in] Variable The variable information which is used to keep track of variable usage.
101 @param[in] Attributes Attribute value of the variable.
102
103 @return EFI_INVALID_PARAMETER Invalid parameter
104 @return EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with
105 EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
106 @return EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
107 set, but the AuthInfo does NOT pass the validation
108 check carried out by the firmware.
109 @return EFI_SUCCESS Variable is not write-protected, or passed validation successfully.
110
111 **/
112 EFI_STATUS
113 ProcessVariable (
114 IN CHAR16 *VariableName,
115 IN EFI_GUID *VendorGuid,
116 IN VOID *Data,
117 IN UINTN DataSize,
118 IN VARIABLE_POINTER_TRACK *Variable,
119 IN UINT32 Attributes
120 );
121
122 /**
123 Update platform mode.
124
125 @param[in] Mode SETUP_MODE or USER_MODE.
126
127 @return EFI_INVALID_PARAMETER Invalid parameter.
128 @return EFI_SUCCESS Update platform mode successfully.
129
130 **/
131 EFI_STATUS
132 UpdatePlatformMode (
133 IN UINT32 Mode
134 );
135
136 /**
137 Initializes for authenticated varibale service.
138
139 @retval EFI_SUCCESS Function successfully executed.
140 @retval EFI_OUT_OF_RESOURCES Fail to allocate enough memory resource.
141
142 **/
143 EFI_STATUS
144 AutenticatedVariableServiceInitialize (
145 VOID
146 );
147
148 /**
149 Initializes for cryptlib service before use, include register algrithm and allocate scratch.
150
151 **/
152 VOID
153 CryptLibraryInitialize (
154 VOID
155 );
156
157 /**
158 Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK variable.
159
160 @param[in] VariableName Name of Variable to be check.
161 @param[in] VendorGuid Variable vendor GUID.
162 @param[in] Data Point to the variable data to be checked.
163 @param[in] DataSize Size of Data.
164
165 @return EFI_INVALID_PARAMETER Invalid signature list format.
166 @return EFI_SUCCESS Passed signature list format check successfully.
167
168 **/
169 EFI_STATUS
170 CheckSignatureListFormat(
171 IN CHAR16 *VariableName,
172 IN EFI_GUID *VendorGuid,
173 IN VOID *Data,
174 IN UINTN DataSize
175 );
176
177 /**
178 Process variable with platform key for verification.
179
180 Caution: This function may receive untrusted input.
181 This function may be invoked in SMM mode, and datasize and data are external input.
182 This function will do basic validation, before parse the data.
183 This function will parse the authentication carefully to avoid security issues, like
184 buffer overflow, integer overflow.
185 This function will check attribute carefully to avoid authentication bypass.
186
187 @param[in] VariableName Name of Variable to be found.
188 @param[in] VendorGuid Variable vendor GUID.
189 @param[in] Data Data pointer.
190 @param[in] DataSize Size of Data found. If size is less than the
191 data, this value contains the required size.
192 @param[in] Variable The variable information which is used to keep track of variable usage.
193 @param[in] Attributes Attribute value of the variable.
194 @param[in] IsPk Indicate whether it is to process pk.
195
196 @return EFI_INVALID_PARAMETER Invalid parameter
197 @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
198 check carried out by the firmware.
199 @return EFI_SUCCESS Variable passed validation successfully.
200
201 **/
202 EFI_STATUS
203 ProcessVarWithPk (
204 IN CHAR16 *VariableName,
205 IN EFI_GUID *VendorGuid,
206 IN VOID *Data,
207 IN UINTN DataSize,
208 IN VARIABLE_POINTER_TRACK *Variable,
209 IN UINT32 Attributes OPTIONAL,
210 IN BOOLEAN IsPk
211 );
212
213 /**
214 Process variable with key exchange key for verification.
215
216 Caution: This function may receive untrusted input.
217 This function may be invoked in SMM mode, and datasize and data are external input.
218 This function will do basic validation, before parse the data.
219 This function will parse the authentication carefully to avoid security issues, like
220 buffer overflow, integer overflow.
221 This function will check attribute carefully to avoid authentication bypass.
222
223 @param[in] VariableName Name of Variable to be found.
224 @param[in] VendorGuid Variable vendor GUID.
225 @param[in] Data Data pointer.
226 @param[in] DataSize Size of Data found. If size is less than the
227 data, this value contains the required size.
228 @param[in] Variable The variable information that is used to keep track of variable usage.
229 @param[in] Attributes Attribute value of the variable.
230
231 @return EFI_INVALID_PARAMETER Invalid parameter.
232 @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
233 check carried out by the firmware.
234 @return EFI_SUCCESS Variable passed validation successfully.
235
236 **/
237 EFI_STATUS
238 ProcessVarWithKek (
239 IN CHAR16 *VariableName,
240 IN EFI_GUID *VendorGuid,
241 IN VOID *Data,
242 IN UINTN DataSize,
243 IN VARIABLE_POINTER_TRACK *Variable,
244 IN UINT32 Attributes OPTIONAL
245 );
246
247 /**
248 Merge two buffers which formatted as EFI_SIGNATURE_LIST. Only the new EFI_SIGNATURE_DATA
249 will be appended to the original EFI_SIGNATURE_LIST, duplicate EFI_SIGNATURE_DATA
250 will be ignored.
251
252 @param[in, out] Data Pointer to original EFI_SIGNATURE_LIST.
253 @param[in] DataSize Size of Data buffer.
254 @param[in] FreeBufSize Size of free data buffer
255 @param[in] NewData Pointer to new EFI_SIGNATURE_LIST to be appended.
256 @param[in] NewDataSize Size of NewData buffer.
257 @param[out] MergedBufSize Size of the merged buffer
258
259 @return EFI_BUFFER_TOO_SMALL if input Data buffer overflowed
260
261 **/
262 EFI_STATUS
263 AppendSignatureList (
264 IN OUT VOID *Data,
265 IN UINTN DataSize,
266 IN UINTN FreeBufSize,
267 IN VOID *NewData,
268 IN UINTN NewDataSize,
269 OUT UINTN *MergedBufSize
270 );
271
272 /**
273 Compare two EFI_TIME data.
274
275
276 @param FirstTime A pointer to the first EFI_TIME data.
277 @param SecondTime A pointer to the second EFI_TIME data.
278
279 @retval TRUE The FirstTime is not later than the SecondTime.
280 @retval FALSE The FirstTime is later than the SecondTime.
281
282 **/
283 BOOLEAN
284 CompareTimeStamp (
285 IN EFI_TIME *FirstTime,
286 IN EFI_TIME *SecondTime
287 );
288
289
290 /**
291 Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
292
293 Caution: This function may receive untrusted input.
294 This function may be invoked in SMM mode, and datasize and data are external input.
295 This function will do basic validation, before parse the data.
296 This function will parse the authentication carefully to avoid security issues, like
297 buffer overflow, integer overflow.
298
299 @param[in] VariableName Name of Variable to be found.
300 @param[in] VendorGuid Variable vendor GUID.
301 @param[in] Data Data pointer.
302 @param[in] DataSize Size of Data found. If size is less than the
303 data, this value contains the required size.
304 @param[in] Variable The variable information which is used to keep track of variable usage.
305 @param[in] Attributes Attribute value of the variable.
306 @param[in] AuthVarType Verify against PK or KEK database or private database.
307 @param[out] VarDel Delete the variable or not.
308
309 @retval EFI_INVALID_PARAMETER Invalid parameter.
310 @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
311 check carried out by the firmware.
312 @retval EFI_OUT_OF_RESOURCES Failed to process variable due to lack
313 of resources.
314 @retval EFI_SUCCESS Variable pass validation successfully.
315
316 **/
317 EFI_STATUS
318 VerifyTimeBasedPayload (
319 IN CHAR16 *VariableName,
320 IN EFI_GUID *VendorGuid,
321 IN VOID *Data,
322 IN UINTN DataSize,
323 IN VARIABLE_POINTER_TRACK *Variable,
324 IN UINT32 Attributes,
325 IN AUTHVAR_TYPE AuthVarType,
326 OUT BOOLEAN *VarDel
327 );
328
329 extern UINT8 mPubKeyStore[MAX_KEYDB_SIZE];
330 extern UINT32 mPubKeyNumber;
331 extern VOID *mHashCtx;
332 extern UINT8 *mSerializationRuntimeBuffer;
333
334 #endif
EFI Development Kit II mirror for PVE