1. Check input PK/KEK variable data to make sure it is a valid EFI_SIGNATURE_LIST.
1 /** @file
2 The internal header file includes the common header files, defines
3 internal structure and functions used by AuthService module.
4
5 Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php
10
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13
14 **/
15
16 #ifndef _AUTHSERVICE_H_
17 #define _AUTHSERVICE_H_
18
19 #define EFI_CERT_TYPE_RSA2048_SHA256_SIZE 256 // In bytes: 256 * 8 = 2048 bits, matching the RSA-2048 in the name.
20 #define EFI_CERT_TYPE_RSA2048_SIZE 256 // In bytes; MAX_KEY_NUM divides MAX_KEYDB_SIZE by this value.
21
22 ///
23 /// Size of AuthInfo prior to the data payload.
24 ///
25 #define AUTHINFO_SIZE ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION, AuthInfo)) + \
26 (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) + \
27 sizeof (EFI_CERT_BLOCK_RSA_2048_SHA256))
28
///
/// Offset of AuthInfo within EFI_VARIABLE_AUTHENTICATION_2 plus the AuthInfo.Hdr.dwLength
/// value read from the buffer that VarAuth2 points to. The length comes from the buffer
/// itself, so the result is only as trustworthy as that buffer.
/// NOTE(review): presumably callers confirm the buffer holds at least
/// OFFSET_OF_AUTHINFO2_CERT_DATA bytes before using this macro, and reject a result
/// larger than the supplied data size -- confirm at the call sites.
///
29 #define AUTHINFO2_SIZE(VarAuth2) ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
30 (UINTN) ((EFI_VARIABLE_AUTHENTICATION_2 *) (VarAuth2))->AuthInfo.Hdr.dwLength)
31
///
/// Offset of CertData from the start of an EFI_VARIABLE_AUTHENTICATION_2 descriptor:
/// the offset of AuthInfo plus the offset of CertData inside WIN_CERTIFICATE_UEFI_GUID.
///
32 #define OFFSET_OF_AUTHINFO2_CERT_DATA ((OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo)) + \
33 (OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)))
34
35 ///
36 /// "AuthVarKeyDatabase" variable for the Public Key store.
/// AUTHVAR_KEYDB_NAME_SIZE is the size of the name in bytes: 18 characters plus the
/// terminating NULL, at two bytes per CHAR16. It is a hand-written constant, so it must be
/// updated together with AUTHVAR_KEYDB_NAME; MAX_KEYDB_SIZE is derived from it.
37 ///
38 #define AUTHVAR_KEYDB_NAME L"AuthVarKeyDatabase"
39 #define AUTHVAR_KEYDB_NAME_SIZE 38
40
41 ///
42 /// Max size of public key database, restricted by max individual EFI variable size, excluding variable header and name size.
43 ///
44 #define MAX_KEYDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - AUTHVAR_KEYDB_NAME_SIZE)
45 #define MAX_KEY_NUM (MAX_KEYDB_SIZE / EFI_CERT_TYPE_RSA2048_SIZE)
46
47 ///
48 /// Number of supported signature types.
49 ///
50 #define SIGSUPPORT_NUM 2
51
52 ///
53 /// Struct to record signature requirement defined by UEFI spec.
54 /// For SigHeaderSize and SigDataSize, ((UINT32) ~0) means NO exact length requirement for this field.
55 ///
56 typedef struct {
57 EFI_GUID SigType; // Signature type GUID that this requirement entry describes.
58 // Expected SignatureHeader size in bytes; ((UINT32) ~0) means no exact length is required.
59 UINT32 SigHeaderSize;
60 // Expected SignatureData size in bytes; ((UINT32) ~0) means no exact length is required.
61 UINT32 SigDataSize;
62 } EFI_SIGNATURE_ITEM;
63
64 /**
65 Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.
66
67 @param[in] VariableName Name of Variable to be found.
68 @param[in] VendorGuid Variable vendor GUID.
69
70 @param[in] Data Data pointer.
71 @param[in] DataSize Size, in bytes, of the buffer that Data
72 points to.
73 @param[in] Variable The variable information which is used to keep track of variable usage.
74 @param[in] Attributes Attribute value of the variable.
75
76 @return EFI_INVALID_PARAMETER Invalid parameter
77 @return EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with
78 EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
79 @return EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
80 set, but the AuthInfo does NOT pass the validation
81 check carried out by the firmware.
82 @return EFI_SUCCESS Variable is not write-protected, or passed validation successfully.
83
84 **/
85 EFI_STATUS
86 ProcessVariable (
87 IN CHAR16 *VariableName,
88 IN EFI_GUID *VendorGuid,
89 IN VOID *Data,
90 IN UINTN DataSize,
91 IN VARIABLE_POINTER_TRACK *Variable,
92 IN UINT32 Attributes
93 );
94
95 /**
96 Update platform mode.
97
98 @param[in] Mode SETUP_MODE or USER_MODE.
99
100 @return EFI_INVALID_PARAMETER Invalid parameter.
101 @return EFI_SUCCESS Update platform mode successfully.
102
103 **/
104 EFI_STATUS
105 UpdatePlatformMode (
106 IN UINT32 Mode
107 );
108
109 /**
110 Initializes the authenticated variable service.
111
112 @retval EFI_SUCCESS Function successfully executed.
113 @retval EFI_OUT_OF_RESOURCES Fail to allocate enough memory resource.
114
115 **/
116 EFI_STATUS
117 AutenticatedVariableServiceInitialize (
118 VOID
119 );
120
121 /**
122 Initializes the cryptlib service before use, including registering algorithms and allocating scratch.
123
124 **/
125 VOID
126 CryptLibraryInitialize (
127 VOID
128 );
129
130 /**
131 Check the format of the input data to make sure it is a valid EFI_SIGNATURE_LIST for a PK/KEK variable.
132
133 @param[in] VariableName Name of Variable to be checked.
134 @param[in] VendorGuid Variable vendor GUID.
135 @param[in] Data Point to the variable data to be checked.
136 @param[in] DataSize Size of Data.
137
138 @return EFI_INVALID_PARAMETER Invalid signature list format.
139 @return EFI_SUCCESS Passed signature list format check successfully.
140
141 **/
142 EFI_STATUS
143 CheckSignatureListFormat(
144 IN CHAR16 *VariableName,
145 IN EFI_GUID *VendorGuid,
146 IN VOID *Data,
147 IN UINTN DataSize
148 );
149
150 /**
151 Process variable with platform key for verification.
152
153 @param[in] VariableName Name of Variable to be found.
154 @param[in] VendorGuid Variable vendor GUID.
155 @param[in] Data Data pointer.
156 @param[in] DataSize Size, in bytes, of the buffer that Data
157 points to.
158 @param[in] Variable The variable information which is used to keep track of variable usage.
159 @param[in] Attributes Attribute value of the variable.
160 @param[in] IsPk Indicates whether the variable being processed is the PK.
161
162 @return EFI_INVALID_PARAMETER Invalid parameter
163 @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
164 check carried out by the firmware.
165 @return EFI_SUCCESS Variable passed validation successfully.
166
167 **/
168 EFI_STATUS
169 ProcessVarWithPk (
170 IN CHAR16 *VariableName,
171 IN EFI_GUID *VendorGuid,
172 IN VOID *Data,
173 IN UINTN DataSize,
174 IN VARIABLE_POINTER_TRACK *Variable,
175 IN UINT32 Attributes OPTIONAL,
176 IN BOOLEAN IsPk
177 );
178
179 /**
180 Process variable with key exchange key for verification.
181
182 @param[in] VariableName Name of Variable to be found.
183 @param[in] VendorGuid Variable vendor GUID.
184 @param[in] Data Data pointer.
185 @param[in] DataSize Size, in bytes, of the buffer that Data
186 points to.
187 @param[in] Variable The variable information that is used to keep track of variable usage.
188 @param[in] Attributes Attribute value of the variable.
189
190 @return EFI_INVALID_PARAMETER Invalid parameter.
191 @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
192 check carried out by the firmware.
193 @return EFI_SUCCESS Variable passed validation successfully.
194
195 **/
196 EFI_STATUS
197 ProcessVarWithKek (
198 IN CHAR16 *VariableName,
199 IN EFI_GUID *VendorGuid,
200 IN VOID *Data,
201 IN UINTN DataSize,
202 IN VARIABLE_POINTER_TRACK *Variable,
203 IN UINT32 Attributes OPTIONAL
204 );
205
206 /**
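207 Merge two buffers that are formatted as EFI_SIGNATURE_LIST. Only the new EFI_SIGNATURE_DATA
208 will be appended to the original EFI_SIGNATURE_LIST; duplicate EFI_SIGNATURE_DATA
209 will be ignored.
210
211 @param[in, out] Data Pointer to original EFI_SIGNATURE_LIST. NOTE(review): no capacity is passed for this buffer; presumably the caller must leave room for the appended entries (up to NewDataSize more bytes) -- confirm against the implementation.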
212 @param[in] DataSize Size of Data buffer.
213 @param[in] NewData Pointer to new EFI_SIGNATURE_LIST to be appended.
214 @param[in] NewDataSize Size of NewData buffer.
215
216 @return Size of the merged buffer.
217
218 **/
219 UINTN
220 AppendSignatureList (
221 IN OUT VOID *Data,
222 IN UINTN DataSize,
223 IN VOID *NewData,
224 IN UINTN NewDataSize
225 );
226
227 /**
228 Compare two EFI_TIME data.
229
230
231 @param FirstTime A pointer to the first EFI_TIME data.
232 @param SecondTime A pointer to the second EFI_TIME data.
233
234 @retval TRUE The FirstTime is not later than the SecondTime.
235 @retval FALSE The FirstTime is later than the SecondTime.
236
237 **/
238 BOOLEAN
239 CompareTimeStamp (
240 IN EFI_TIME *FirstTime,
241 IN EFI_TIME *SecondTime
242 );
243
244
245 /**
246 Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
247
248 @param[in] VariableName Name of Variable to be found.
249 @param[in] VendorGuid Variable vendor GUID.
250 @param[in] Data Data pointer.
251 @param[in] DataSize Size, in bytes, of the buffer that Data
252 points to.
253 @param[in] Variable The variable information which is used to keep track of variable usage.
254 @param[in] Attributes Attribute value of the variable.
255 @param[in] Pk Verify against PK or KEK database.
256 @param[out] VarDel Delete the variable or not.
257
258 @retval EFI_INVALID_PARAMETER Invalid parameter.
259 @retval EFI_SECURITY_VIOLATION The variable does NOT pass the validation
260 check carried out by the firmware.
261 @retval EFI_OUT_OF_RESOURCES Failed to process variable due to lack
262 of resources.
263 @retval EFI_SUCCESS Variable passed validation successfully.
264
265 **/
266 EFI_STATUS
267 VerifyTimeBasedPayload (
268 IN CHAR16 *VariableName,
269 IN EFI_GUID *VendorGuid,
270 IN VOID *Data,
271 IN UINTN DataSize,
272 IN VARIABLE_POINTER_TRACK *Variable,
273 IN UINT32 Attributes,
274 IN BOOLEAN Pk,
275 OUT BOOLEAN *VarDel
276 );
277
278 extern UINT8 mPubKeyStore[MAX_KEYDB_SIZE]; // Public key store buffer of MAX_KEYDB_SIZE bytes, i.e. room for MAX_KEY_NUM entries of EFI_CERT_TYPE_RSA2048_SIZE bytes.
279 extern UINT32 mPubKeyNumber; // NOTE(review): presumably the number of keys held in mPubKeyStore; writers should keep it <= MAX_KEY_NUM -- confirm.
280 extern VOID *mHashCtx; // NOTE(review): presumably the hash context prepared by CryptLibraryInitialize -- confirm.
281 extern VOID *mStorageArea;
282 extern UINT8 *mSerializationRuntimeBuffer;
283
284 #endif