]> git.proxmox.com Git - mirror_edk2.git/blob - SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
projects / mirror_edk2.git / blob
? search:


52ad91b002f23fd3c59ee1c647b5d65baed5a3e4
[mirror_edk2.git] / SecurityPkg / VariableAuthenticated / SecureBootConfigDxe / SecureBootConfigImpl.h
1 /** @file
2 The header file of HII Config Access protocol implementation of SecureBoot
3 configuration module.
4
5 Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php
10
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13
14 **/
15
16 #ifndef __SECUREBOOT_CONFIG_IMPL_H__
17 #define __SECUREBOOT_CONFIG_IMPL_H__
18
19 #include <Uefi.h>
20
21 #include <Protocol/HiiConfigAccess.h>
22 #include <Protocol/HiiConfigRouting.h>
23 #include <Protocol/SimpleFileSystem.h>
24 #include <Protocol/BlockIo.h>
25 #include <Protocol/DevicePath.h>
26 #include <Protocol/DebugPort.h>
27 #include <Protocol/LoadFile.h>
28
29 #include <Library/BaseLib.h>
30 #include <Library/BaseMemoryLib.h>
31 #include <Library/DebugLib.h>
32 #include <Library/MemoryAllocationLib.h>
33 #include <Library/UefiBootServicesTableLib.h>
34 #include <Library/UefiRuntimeServicesTableLib.h>
35 #include <Library/UefiHiiServicesLib.h>
36 #include <Library/UefiLib.h>
37 #include <Library/HiiLib.h>
38 #include <Library/DevicePathLib.h>
39 #include <Library/PrintLib.h>
40 #include <Library/PlatformSecureLib.h>
41 #include <Library/BaseCryptLib.h>
42 #include <Library/FileExplorerLib.h>
43 #include <Library/PeCoffLib.h>
44
45 #include <Guid/MdeModuleHii.h>
46 #include <Guid/AuthenticatedVariableFormat.h>
47 #include <Guid/FileSystemVolumeLabelInfo.h>
48 #include <Guid/ImageAuthentication.h>
49 #include <Guid/FileInfo.h>
50 #include <Guid/WinCertificate.h>
51
52 #include "SecureBootConfigNvData.h"
53
54 //
55 // Tool generated IFR binary data and String package data
56 //
57 extern UINT8 SecureBootConfigBin[];
58 extern UINT8 SecureBootConfigDxeStrings[];
59
60 //
61 // Shared IFR form update data
62 //
63 extern VOID *mStartOpCodeHandle;
64 extern VOID *mEndOpCodeHandle;
65 extern EFI_IFR_GUID_LABEL *mStartLabel;
66 extern EFI_IFR_GUID_LABEL *mEndLabel;
67
68 #define MAX_CHAR 480
69 #define TWO_BYTE_ENCODE 0x82
70
71
72 //
73 // SHA-256 digest size in bytes
74 //
75 #define SHA256_DIGEST_SIZE 32
76 //
77 // SHA-384 digest size in bytes
78 //
79 #define SHA384_DIGEST_SIZE 48
80 //
81 // SHA-512 digest size in bytes
82 //
83 #define SHA512_DIGEST_SIZE 64
84
85 //
86 // Set max digest size as SHA512 Output (64 bytes) by far
87 //
88 #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
89
90 #define WIN_CERT_UEFI_RSA2048_SIZE 256
91
92 //
93 // Support hash types
94 //
95 #define HASHALG_SHA224 0x00000000
96 #define HASHALG_SHA256 0x00000001
97 #define HASHALG_SHA384 0x00000002
98 #define HASHALG_SHA512 0x00000003
99 #define HASHALG_RAW 0x00000004
100 #define HASHALG_MAX 0x00000004
101
102
103 typedef struct {
104 UINTN Signature;
105 LIST_ENTRY Head;
106 UINTN MenuNumber;
107 } SECUREBOOT_MENU_OPTION;
108
109 typedef struct {
110 EFI_FILE_HANDLE FHandle;
111 UINT16 *FileName;
112 UINT8 FileType;
113 } SECUREBOOT_FILE_CONTEXT;
114
115 #define SECUREBOOT_FREE_NON_NULL(Pointer) \
116 do { \
117 if ((Pointer) != NULL) { \
118 FreePool((Pointer)); \
119 (Pointer) = NULL; \
120 } \
121 } while (FALSE)
122
123 #define SECUREBOOT_FREE_NON_OPCODE(Handle) \
124 do{ \
125 if ((Handle) != NULL) { \
126 HiiFreeOpCodeHandle((Handle)); \
127 } \
128 } while (FALSE)
129
130 #define SIGNATURE_DATA_COUNTS(List) \
131 (((List)->SignatureListSize - sizeof(EFI_SIGNATURE_LIST) - (List)->SignatureHeaderSize) / (List)->SignatureSize)
132
133 //
134 // We define another format of 5th directory entry: security directory
135 //
136 typedef struct {
137 UINT32 Offset; // Offset of certificate
138 UINT32 SizeOfCert; // size of certificate appended
139 } EFI_IMAGE_SECURITY_DATA_DIRECTORY;
140
141 typedef enum{
142 ImageType_IA32,
143 ImageType_X64
144 } IMAGE_TYPE;
145
146 ///
147 /// HII specific Vendor Device Path definition.
148 ///
149 typedef struct {
150 VENDOR_DEVICE_PATH VendorDevicePath;
151 EFI_DEVICE_PATH_PROTOCOL End;
152 } HII_VENDOR_DEVICE_PATH;
153
154 typedef enum {
155 VARIABLE_DB,
156 VARIABLE_DBX,
157 VARIABLE_DBT,
158 VARIABLE_MAX
159 } CURRENT_VARIABLE_NAME;
160
161 typedef enum {
162 DELETE_SIGNATURE_LIST_ALL,
163 DELETE_SIGNATURE_LIST_ONE,
164 DELETE_SIGNATURE_DATA
165 }SIGNATURE_DELETE_TYPE;
166
167 typedef struct {
168 UINTN Signature;
169
170 EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess;
171 EFI_HII_HANDLE HiiHandle;
172 EFI_HANDLE DriverHandle;
173
174 SECUREBOOT_FILE_CONTEXT *FileContext;
175
176 EFI_GUID *SignatureGUID;
177
178 CURRENT_VARIABLE_NAME VariableName; // The variable name we are processing.
179 UINT32 ListCount; // Record current variable has how many signature list.
180 UINTN ListIndex; // Record which signature list is processing.
181 BOOLEAN *CheckArray; // Record whcih siganture data checked.
182 } SECUREBOOT_CONFIG_PRIVATE_DATA;
183
184 extern SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate;
185 extern SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData;
186
187 #define SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('S', 'E', 'C', 'B')
188 #define SECUREBOOT_CONFIG_PRIVATE_FROM_THIS(a) CR (a, SECUREBOOT_CONFIG_PRIVATE_DATA, ConfigAccess, SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE)
189
190 //
191 // Cryptograhpic Key Information
192 //
193 #pragma pack(1)
194 typedef struct _CPL_KEY_INFO {
195 UINT32 KeyLengthInBits; // Key Length In Bits
196 UINT32 BlockSize; // Operation Block Size in Bytes
197 UINT32 CipherBlockSize; // Output Cipher Block Size in Bytes
198 UINT32 KeyType; // Key Type
199 UINT32 CipherMode; // Cipher Mode for Symmetric Algorithm
200 UINT32 Flags; // Additional Key Property Flags
201 } CPL_KEY_INFO;
202 #pragma pack()
203
204
205 /**
206 Retrieves the size, in bytes, of the context buffer required for hash operations.
207
208 @return The size, in bytes, of the context buffer required for hash operations.
209
210 **/
211 typedef
212 EFI_STATUS
213 (EFIAPI *HASH_GET_CONTEXT_SIZE)(
214 VOID
215 );
216
217 /**
218 Initializes user-supplied memory pointed by HashContext as hash context for
219 subsequent use.
220
221 If HashContext is NULL, then ASSERT().
222
223 @param[in, out] HashContext Pointer to Context being initialized.
224
225 @retval TRUE HASH context initialization succeeded.
226 @retval FALSE HASH context initialization failed.
227
228 **/
229 typedef
230 BOOLEAN
231 (EFIAPI *HASH_INIT)(
232 IN OUT VOID *HashContext
233 );
234
235
236 /**
237 Performs digest on a data buffer of the specified length. This function can
238 be called multiple times to compute the digest of long or discontinuous data streams.
239
240 If HashContext is NULL, then ASSERT().
241
242 @param[in, out] HashContext Pointer to the MD5 context.
243 @param[in] Data Pointer to the buffer containing the data to be hashed.
244 @param[in] DataLength Length of Data buffer in bytes.
245
246 @retval TRUE HASH data digest succeeded.
247 @retval FALSE Invalid HASH context. After HashFinal function has been called, the
248 HASH context cannot be reused.
249
250 **/
251 typedef
252 BOOLEAN
253 (EFIAPI *HASH_UPDATE)(
254 IN OUT VOID *HashContext,
255 IN CONST VOID *Data,
256 IN UINTN DataLength
257 );
258
259 /**
260 Completes hash computation and retrieves the digest value into the specified
261 memory. After this function has been called, the context cannot be used again.
262
263 If HashContext is NULL, then ASSERT().
264 If HashValue is NULL, then ASSERT().
265
266 @param[in, out] HashContext Pointer to the MD5 context
267 @param[out] HashValue Pointer to a buffer that receives the HASH digest
268 value (16 bytes).
269
270 @retval TRUE HASH digest computation succeeded.
271 @retval FALSE HASH digest computation failed.
272
273 **/
274 typedef
275 BOOLEAN
276 (EFIAPI *HASH_FINAL)(
277 IN OUT VOID *HashContext,
278 OUT UINT8 *HashValue
279 );
280
281 //
282 // Hash Algorithm Table
283 //
284 typedef struct {
285 CHAR16 *Name; ///< Name for Hash Algorithm
286 UINTN DigestLength; ///< Digest Length
287 UINT8 *OidValue; ///< Hash Algorithm OID ASN.1 Value
288 UINTN OidLength; ///< Length of Hash OID Value
289 HASH_GET_CONTEXT_SIZE GetContextSize; ///< Pointer to Hash GetContentSize function
290 HASH_INIT HashInit; ///< Pointer to Hash Init function
291 HASH_UPDATE HashUpdate; ///< Pointer to Hash Update function
292 HASH_FINAL HashFinal; ///< Pointer to Hash Final function
293 } HASH_TABLE;
294
295 typedef struct {
296 WIN_CERTIFICATE Hdr;
297 UINT8 CertData[1];
298 } WIN_CERTIFICATE_EFI_PKCS;
299
300
301 /**
302 This function publish the SecureBoot configuration Form.
303
304 @param[in, out] PrivateData Points to SecureBoot configuration private data.
305
306 @retval EFI_SUCCESS HII Form is installed successfully.
307 @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
308 @retval Others Other errors as indicated.
309
310 **/
311 EFI_STATUS
312 InstallSecureBootConfigForm (
313 IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
314 );
315
316
317 /**
318 This function removes SecureBoot configuration Form.
319
320 @param[in, out] PrivateData Points to SecureBoot configuration private data.
321
322 **/
323 VOID
324 UninstallSecureBootConfigForm (
325 IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
326 );
327
328
329 /**
330 This function allows a caller to extract the current configuration for one
331 or more named elements from the target driver.
332
333 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
334 @param[in] Request A null-terminated Unicode string in
335 <ConfigRequest> format.
336 @param[out] Progress On return, points to a character in the Request
337 string. Points to the string's null terminator if
338 request was successful. Points to the most recent
339 '&' before the first failing name/value pair (or
340 the beginning of the string if the failure is in
341 the first name/value pair) if the request was not
342 successful.
343 @param[out] Results A null-terminated Unicode string in
344 <ConfigAltResp> format which has all values filled
345 in for the names in the Request string. String to
346 be allocated by the called function.
347
348 @retval EFI_SUCCESS The Results is filled with the requested values.
349 @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
350 @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
351 @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
352 driver.
353
354 **/
355 EFI_STATUS
356 EFIAPI
357 SecureBootExtractConfig (
358 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
359 IN CONST EFI_STRING Request,
360 OUT EFI_STRING *Progress,
361 OUT EFI_STRING *Results
362 );
363
364
365 /**
366 This function processes the results of changes in configuration.
367
368 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
369 @param[in] Configuration A null-terminated Unicode string in <ConfigResp>
370 format.
371 @param[out] Progress A pointer to a string filled in with the offset of
372 the most recent '&' before the first failing
373 name/value pair (or the beginning of the string if
374 the failure is in the first name/value pair) or
375 the terminating NULL if all was successful.
376
377 @retval EFI_SUCCESS The Results is processed successfully.
378 @retval EFI_INVALID_PARAMETER Configuration is NULL.
379 @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
380 driver.
381
382 **/
383 EFI_STATUS
384 EFIAPI
385 SecureBootRouteConfig (
386 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
387 IN CONST EFI_STRING Configuration,
388 OUT EFI_STRING *Progress
389 );
390
391
392 /**
393 This function processes the results of changes in configuration.
394
395 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
396 @param[in] Action Specifies the type of action taken by the browser.
397 @param[in] QuestionId A unique value which is sent to the original
398 exporting driver so that it can identify the type
399 of data to expect.
400 @param[in] Type The type of value for the question.
401 @param[in] Value A pointer to the data being sent to the original
402 exporting driver.
403 @param[out] ActionRequest On return, points to the action requested by the
404 callback function.
405
406 @retval EFI_SUCCESS The callback successfully handled the action.
407 @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
408 variable and its data.
409 @retval EFI_DEVICE_ERROR The variable could not be saved.
410 @retval EFI_UNSUPPORTED The specified Action is not supported by the
411 callback.
412
413 **/
414 EFI_STATUS
415 EFIAPI
416 SecureBootCallback (
417 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
418 IN EFI_BROWSER_ACTION Action,
419 IN EFI_QUESTION_ID QuestionId,
420 IN UINT8 Type,
421 IN EFI_IFR_TYPE_VALUE *Value,
422 OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
423 );
424
425
426 /**
427 This function converts an input device structure to a Unicode string.
428
429 @param[in] DevPath A pointer to the device path structure.
430
431 @return A new allocated Unicode string that represents the device path.
432
433 **/
434 CHAR16 *
435 EFIAPI
436 DevicePathToStr (
437 IN EFI_DEVICE_PATH_PROTOCOL *DevPath
438 );
439
440
441 /**
442 Clean up the dynamic opcode at label and form specified by both LabelId.
443
444 @param[in] LabelId It is both the Form ID and Label ID for opcode deletion.
445 @param[in] PrivateData Module private data.
446
447 **/
448 VOID
449 CleanUpPage (
450 IN UINT16 LabelId,
451 IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
452 );
453
454
455 /**
456 Read file content into BufferPtr, the size of the allocate buffer
457 is *FileSize plus AddtionAllocateSize.
458
459 @param[in] FileHandle The file to be read.
460 @param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
461 @param[out] FileSize Size of input file
462 @param[in] AddtionAllocateSize Addtion size the buffer need to be allocated.
463 In case the buffer need to contain others besides the file content.
464
465 @retval EFI_SUCCESS The file was read into the buffer.
466 @retval EFI_INVALID_PARAMETER A parameter was invalid.
467 @retval EFI_OUT_OF_RESOURCES A memory allocation failed.
468 @retval others Unexpected error.
469
470 **/
471 EFI_STATUS
472 ReadFileContent (
473 IN EFI_FILE_HANDLE FileHandle,
474 IN OUT VOID **BufferPtr,
475 OUT UINTN *FileSize,
476 IN UINTN AddtionAllocateSize
477 );
478
479
480 /**
481 Close an open file handle.
482
483 @param[in] FileHandle The file handle to close.
484
485 **/
486 VOID
487 CloseFile (
488 IN EFI_FILE_HANDLE FileHandle
489 );
490
491
492 /**
493 Converts a nonnegative integer to an octet string of a specified length.
494
495 @param[in] Integer Pointer to the nonnegative integer to be converted
496 @param[in] IntSizeInWords Length of integer buffer in words
497 @param[out] OctetString Converted octet string of the specified length
498 @param[in] OSSizeInBytes Intended length of resulting octet string in bytes
499
500 Returns:
501
502 @retval EFI_SUCCESS Data conversion successfully
503 @retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
504
505 **/
506 EFI_STATUS
507 EFIAPI
508 Int2OctStr (
509 IN CONST UINTN *Integer,
510 IN UINTN IntSizeInWords,
511 OUT UINT8 *OctetString,
512 IN UINTN OSSizeInBytes
513 );
514
515 /**
516 Worker function that prints an EFI_GUID into specified Buffer.
517
518 @param[in] Guid Pointer to GUID to print.
519 @param[in] Buffer Buffer to print Guid into.
520 @param[in] BufferSize Size of Buffer.
521
522 @retval Number of characters printed.
523
524 **/
525 UINTN
526 GuidToString (
527 IN EFI_GUID *Guid,
528 IN CHAR16 *Buffer,
529 IN UINTN BufferSize
530 );
531
532 /**
533 Update the PK form base on the input file path info.
534
535 @param FilePath Point to the file path.
536
537 @retval TRUE Exit caller function.
538 @retval FALSE Not exit caller function.
539 **/
540 BOOLEAN
541 EFIAPI
542 UpdatePKFromFile (
543 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
544 );
545
546 /**
547 Update the KEK form base on the input file path info.
548
549 @param FilePath Point to the file path.
550
551 @retval TRUE Exit caller function.
552 @retval FALSE Not exit caller function.
553 **/
554 BOOLEAN
555 EFIAPI
556 UpdateKEKFromFile (
557 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
558 );
559
560 /**
561 Update the DB form base on the input file path info.
562
563 @param FilePath Point to the file path.
564
565 @retval TRUE Exit caller function.
566 @retval FALSE Not exit caller function.
567 **/
568 BOOLEAN
569 EFIAPI
570 UpdateDBFromFile (
571 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
572 );
573
574 /**
575 Update the DBX form base on the input file path info.
576
577 @param FilePath Point to the file path.
578
579 @retval TRUE Exit caller function.
580 @retval FALSE Not exit caller function.
581 **/
582 BOOLEAN
583 EFIAPI
584 UpdateDBXFromFile (
585 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
586 );
587
588 /**
589 Update the DBT form base on the input file path info.
590
591 @param FilePath Point to the file path.
592
593 @retval TRUE Exit caller function.
594 @retval FALSE Not exit caller function.
595 **/
596 BOOLEAN
597 EFIAPI
598 UpdateDBTFromFile (
599 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
600 );
601
602 #endif
EFI Development Kit II mirror for PVE