2 The header file of HII Config Access protocol implementation of SecureBoot
5 Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
6 SPDX-License-Identifier: BSD-2-Clause-Patent
10 #ifndef __SECUREBOOT_CONFIG_IMPL_H__
11 #define __SECUREBOOT_CONFIG_IMPL_H__
15 #include <Protocol/HiiConfigAccess.h>
16 #include <Protocol/HiiConfigRouting.h>
17 #include <Protocol/SimpleFileSystem.h>
18 #include <Protocol/BlockIo.h>
19 #include <Protocol/DevicePath.h>
20 #include <Protocol/DebugPort.h>
21 #include <Protocol/LoadFile.h>
23 #include <Library/BaseLib.h>
24 #include <Library/BaseMemoryLib.h>
25 #include <Library/DebugLib.h>
26 #include <Library/MemoryAllocationLib.h>
27 #include <Library/UefiBootServicesTableLib.h>
28 #include <Library/UefiRuntimeServicesTableLib.h>
29 #include <Library/UefiHiiServicesLib.h>
30 #include <Library/UefiLib.h>
31 #include <Library/HiiLib.h>
32 #include <Library/DevicePathLib.h>
33 #include <Library/PrintLib.h>
34 #include <Library/PlatformSecureLib.h>
35 #include <Library/BaseCryptLib.h>
36 #include <Library/FileExplorerLib.h>
37 #include <Library/PeCoffLib.h>
39 #include <Guid/MdeModuleHii.h>
40 #include <Guid/AuthenticatedVariableFormat.h>
41 #include <Guid/FileSystemVolumeLabelInfo.h>
42 #include <Guid/ImageAuthentication.h>
43 #include <Guid/FileInfo.h>
44 #include <Guid/WinCertificate.h>
46 #include "SecureBootConfigNvData.h"
49 // Tool generated IFR binary data and String package data
51 extern UINT8 SecureBootConfigBin
[];
52 extern UINT8 SecureBootConfigDxeStrings
[];
55 // Shared IFR form update data
57 extern VOID
*mStartOpCodeHandle
;
58 extern VOID
*mEndOpCodeHandle
;
59 extern EFI_IFR_GUID_LABEL
*mStartLabel
;
60 extern EFI_IFR_GUID_LABEL
*mEndLabel
;
63 #define TWO_BYTE_ENCODE 0x82
64 #define BUFFER_MAX_SIZE 100
67 // SHA-256 digest size in bytes
69 #define SHA256_DIGEST_SIZE 32
71 // SHA-384 digest size in bytes
73 #define SHA384_DIGEST_SIZE 48
75 // SHA-512 digest size in bytes
77 #define SHA512_DIGEST_SIZE 64
80 // Set max digest size as SHA512 Output (64 bytes) by far
82 #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
84 #define WIN_CERT_UEFI_RSA2048_SIZE 256
89 #define HASHALG_SHA224 0x00000000
90 #define HASHALG_SHA256 0x00000001
91 #define HASHALG_SHA384 0x00000002
92 #define HASHALG_SHA512 0x00000003
93 #define HASHALG_RAW 0x00000004
94 #define HASHALG_MAX 0x00000004
101 } SECUREBOOT_MENU_OPTION
;
104 EFI_FILE_HANDLE FHandle
;
107 } SECUREBOOT_FILE_CONTEXT
;
109 #define SECUREBOOT_FREE_NON_NULL(Pointer) \
111 if ((Pointer) != NULL) { \
112 FreePool((Pointer)); \
117 #define SECUREBOOT_FREE_NON_OPCODE(Handle) \
119 if ((Handle) != NULL) { \
120 HiiFreeOpCodeHandle((Handle)); \
124 #define SIGNATURE_DATA_COUNTS(List) \
125 (((List)->SignatureListSize - sizeof(EFI_SIGNATURE_LIST) - (List)->SignatureHeaderSize) / (List)->SignatureSize)
128 // We define another format of 5th directory entry: security directory
131 UINT32 Offset
; // Offset of certificate
132 UINT32 SizeOfCert
; // size of certificate appended
133 } EFI_IMAGE_SECURITY_DATA_DIRECTORY
;
141 /// HII specific Vendor Device Path definition.
144 VENDOR_DEVICE_PATH VendorDevicePath
;
145 EFI_DEVICE_PATH_PROTOCOL End
;
146 } HII_VENDOR_DEVICE_PATH
;
153 } CURRENT_VARIABLE_NAME
;
156 Delete_Signature_List_All
,
157 Delete_Signature_List_One
,
158 Delete_Signature_Data
159 }SIGNATURE_DELETE_TYPE
;
164 EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess
;
165 EFI_HII_HANDLE HiiHandle
;
166 EFI_HANDLE DriverHandle
;
168 SECUREBOOT_FILE_CONTEXT
*FileContext
;
170 EFI_GUID
*SignatureGUID
;
172 CURRENT_VARIABLE_NAME VariableName
; // The variable name we are processing.
173 UINT32 ListCount
; // Record current variable has how many signature list.
174 UINTN ListIndex
; // Record which signature list is processing.
175 BOOLEAN
*CheckArray
; // Record whcih siganture data checked.
176 } SECUREBOOT_CONFIG_PRIVATE_DATA
;
178 extern SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate
;
179 extern SECUREBOOT_CONFIG_PRIVATE_DATA
*gSecureBootPrivateData
;
181 #define SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('S', 'E', 'C', 'B')
182 #define SECUREBOOT_CONFIG_PRIVATE_FROM_THIS(a) CR (a, SECUREBOOT_CONFIG_PRIVATE_DATA, ConfigAccess, SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE)
185 // Cryptograhpic Key Information
188 typedef struct _CPL_KEY_INFO
{
189 UINT32 KeyLengthInBits
; // Key Length In Bits
190 UINT32 BlockSize
; // Operation Block Size in Bytes
191 UINT32 CipherBlockSize
; // Output Cipher Block Size in Bytes
192 UINT32 KeyType
; // Key Type
193 UINT32 CipherMode
; // Cipher Mode for Symmetric Algorithm
194 UINT32 Flags
; // Additional Key Property Flags
200 Retrieves the size, in bytes, of the context buffer required for hash operations.
202 @return The size, in bytes, of the context buffer required for hash operations.
207 (EFIAPI
*HASH_GET_CONTEXT_SIZE
)(
212 Initializes user-supplied memory pointed by HashContext as hash context for
215 If HashContext is NULL, then ASSERT().
217 @param[in, out] HashContext Pointer to Context being initialized.
219 @retval TRUE HASH context initialization succeeded.
220 @retval FALSE HASH context initialization failed.
226 IN OUT VOID
*HashContext
231 Performs digest on a data buffer of the specified length. This function can
232 be called multiple times to compute the digest of long or discontinuous data streams.
234 If HashContext is NULL, then ASSERT().
236 @param[in, out] HashContext Pointer to the MD5 context.
237 @param[in] Data Pointer to the buffer containing the data to be hashed.
238 @param[in] DataLength Length of Data buffer in bytes.
240 @retval TRUE HASH data digest succeeded.
241 @retval FALSE Invalid HASH context. After HashFinal function has been called, the
242 HASH context cannot be reused.
247 (EFIAPI
*HASH_UPDATE
)(
248 IN OUT VOID
*HashContext
,
254 Completes hash computation and retrieves the digest value into the specified
255 memory. After this function has been called, the context cannot be used again.
257 If HashContext is NULL, then ASSERT().
258 If HashValue is NULL, then ASSERT().
260 @param[in, out] HashContext Pointer to the MD5 context
261 @param[out] HashValue Pointer to a buffer that receives the HASH digest
264 @retval TRUE HASH digest computation succeeded.
265 @retval FALSE HASH digest computation failed.
270 (EFIAPI
*HASH_FINAL
)(
271 IN OUT VOID
*HashContext
,
276 // Hash Algorithm Table
279 CHAR16
*Name
; ///< Name for Hash Algorithm
280 UINTN DigestLength
; ///< Digest Length
281 UINT8
*OidValue
; ///< Hash Algorithm OID ASN.1 Value
282 UINTN OidLength
; ///< Length of Hash OID Value
283 HASH_GET_CONTEXT_SIZE GetContextSize
; ///< Pointer to Hash GetContentSize function
284 HASH_INIT HashInit
; ///< Pointer to Hash Init function
285 HASH_UPDATE HashUpdate
; ///< Pointer to Hash Update function
286 HASH_FINAL HashFinal
; ///< Pointer to Hash Final function
292 } WIN_CERTIFICATE_EFI_PKCS
;
296 This function publish the SecureBoot configuration Form.
298 @param[in, out] PrivateData Points to SecureBoot configuration private data.
300 @retval EFI_SUCCESS HII Form is installed successfully.
301 @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
302 @retval Others Other errors as indicated.
306 InstallSecureBootConfigForm (
307 IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA
*PrivateData
312 This function removes SecureBoot configuration Form.
314 @param[in, out] PrivateData Points to SecureBoot configuration private data.
318 UninstallSecureBootConfigForm (
319 IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA
*PrivateData
324 This function allows a caller to extract the current configuration for one
325 or more named elements from the target driver.
327 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
328 @param[in] Request A null-terminated Unicode string in
329 <ConfigRequest> format.
330 @param[out] Progress On return, points to a character in the Request
331 string. Points to the string's null terminator if
332 request was successful. Points to the most recent
333 '&' before the first failing name/value pair (or
334 the beginning of the string if the failure is in
335 the first name/value pair) if the request was not
337 @param[out] Results A null-terminated Unicode string in
338 <ConfigAltResp> format which has all values filled
339 in for the names in the Request string. String to
340 be allocated by the called function.
342 @retval EFI_SUCCESS The Results is filled with the requested values.
343 @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
344 @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
345 @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
351 SecureBootExtractConfig (
352 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL
*This
,
353 IN CONST EFI_STRING Request
,
354 OUT EFI_STRING
*Progress
,
355 OUT EFI_STRING
*Results
360 This function processes the results of changes in configuration.
362 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
363 @param[in] Configuration A null-terminated Unicode string in <ConfigResp>
365 @param[out] Progress A pointer to a string filled in with the offset of
366 the most recent '&' before the first failing
367 name/value pair (or the beginning of the string if
368 the failure is in the first name/value pair) or
369 the terminating NULL if all was successful.
371 @retval EFI_SUCCESS The Results is processed successfully.
372 @retval EFI_INVALID_PARAMETER Configuration is NULL.
373 @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
379 SecureBootRouteConfig (
380 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL
*This
,
381 IN CONST EFI_STRING Configuration
,
382 OUT EFI_STRING
*Progress
387 This function processes the results of changes in configuration.
389 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
390 @param[in] Action Specifies the type of action taken by the browser.
391 @param[in] QuestionId A unique value which is sent to the original
392 exporting driver so that it can identify the type
394 @param[in] Type The type of value for the question.
395 @param[in] Value A pointer to the data being sent to the original
397 @param[out] ActionRequest On return, points to the action requested by the
400 @retval EFI_SUCCESS The callback successfully handled the action.
401 @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
402 variable and its data.
403 @retval EFI_DEVICE_ERROR The variable could not be saved.
404 @retval EFI_UNSUPPORTED The specified Action is not supported by the
411 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL
*This
,
412 IN EFI_BROWSER_ACTION Action
,
413 IN EFI_QUESTION_ID QuestionId
,
415 IN EFI_IFR_TYPE_VALUE
*Value
,
416 OUT EFI_BROWSER_ACTION_REQUEST
*ActionRequest
421 This function converts an input device structure to a Unicode string.
423 @param[in] DevPath A pointer to the device path structure.
425 @return A new allocated Unicode string that represents the device path.
431 IN EFI_DEVICE_PATH_PROTOCOL
*DevPath
436 Clean up the dynamic opcode at label and form specified by both LabelId.
438 @param[in] LabelId It is both the Form ID and Label ID for opcode deletion.
439 @param[in] PrivateData Module private data.
445 IN SECUREBOOT_CONFIG_PRIVATE_DATA
*PrivateData
450 Read file content into BufferPtr, the size of the allocate buffer
451 is *FileSize plus AddtionAllocateSize.
453 @param[in] FileHandle The file to be read.
454 @param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
455 @param[out] FileSize Size of input file
456 @param[in] AddtionAllocateSize Addtion size the buffer need to be allocated.
457 In case the buffer need to contain others besides the file content.
459 @retval EFI_SUCCESS The file was read into the buffer.
460 @retval EFI_INVALID_PARAMETER A parameter was invalid.
461 @retval EFI_OUT_OF_RESOURCES A memory allocation failed.
462 @retval others Unexpected error.
467 IN EFI_FILE_HANDLE FileHandle
,
468 IN OUT VOID
**BufferPtr
,
470 IN UINTN AddtionAllocateSize
475 Close an open file handle.
477 @param[in] FileHandle The file handle to close.
482 IN EFI_FILE_HANDLE FileHandle
487 Converts a nonnegative integer to an octet string of a specified length.
489 @param[in] Integer Pointer to the nonnegative integer to be converted
490 @param[in] IntSizeInWords Length of integer buffer in words
491 @param[out] OctetString Converted octet string of the specified length
492 @param[in] OSSizeInBytes Intended length of resulting octet string in bytes
496 @retval EFI_SUCCESS Data conversion successfully
497 @retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
503 IN CONST UINTN
*Integer
,
504 IN UINTN IntSizeInWords
,
505 OUT UINT8
*OctetString
,
506 IN UINTN OSSizeInBytes
510 Worker function that prints an EFI_GUID into specified Buffer.
512 @param[in] Guid Pointer to GUID to print.
513 @param[in] Buffer Buffer to print Guid into.
514 @param[in] BufferSize Size of Buffer.
516 @retval Number of characters printed.
527 Update the PK form base on the input file path info.
529 @param FilePath Point to the file path.
531 @retval TRUE Exit caller function.
532 @retval FALSE Not exit caller function.
537 IN EFI_DEVICE_PATH_PROTOCOL
*FilePath
541 Update the KEK form base on the input file path info.
543 @param FilePath Point to the file path.
545 @retval TRUE Exit caller function.
546 @retval FALSE Not exit caller function.
551 IN EFI_DEVICE_PATH_PROTOCOL
*FilePath
555 Update the DB form base on the input file path info.
557 @param FilePath Point to the file path.
559 @retval TRUE Exit caller function.
560 @retval FALSE Not exit caller function.
565 IN EFI_DEVICE_PATH_PROTOCOL
*FilePath
569 Update the DBX form base on the input file path info.
571 @param FilePath Point to the file path.
573 @retval TRUE Exit caller function.
574 @retval FALSE Not exit caller function.
579 IN EFI_DEVICE_PATH_PROTOCOL
*FilePath
583 Update the DBT form base on the input file path info.
585 @param FilePath Point to the file path.
587 @retval TRUE Exit caller function.
588 @retval FALSE Not exit caller function.
593 IN EFI_DEVICE_PATH_PROTOCOL
*FilePath