SecurityPkg: SecureBootConfigDxe: Support AUTH_2 enrollment to DBX
[mirror_edk2.git] / SecurityPkg / VariableAuthenticated / SecureBootConfigDxe / SecureBootConfigImpl.h
1 /** @file
2 The header file of HII Config Access protocol implementation of SecureBoot
3 configuration module.
4
5 Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php
10
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13
14 **/
15
16 #ifndef __SECUREBOOT_CONFIG_IMPL_H__
17 #define __SECUREBOOT_CONFIG_IMPL_H__
18
19 #include <Uefi.h>
20
21 #include <Protocol/HiiConfigAccess.h>
22 #include <Protocol/HiiConfigRouting.h>
23 #include <Protocol/SimpleFileSystem.h>
24 #include <Protocol/BlockIo.h>
25 #include <Protocol/DevicePath.h>
26 #include <Protocol/DebugPort.h>
27 #include <Protocol/LoadFile.h>
28
29 #include <Library/BaseLib.h>
30 #include <Library/BaseMemoryLib.h>
31 #include <Library/DebugLib.h>
32 #include <Library/MemoryAllocationLib.h>
33 #include <Library/UefiBootServicesTableLib.h>
34 #include <Library/UefiRuntimeServicesTableLib.h>
35 #include <Library/UefiHiiServicesLib.h>
36 #include <Library/UefiLib.h>
37 #include <Library/HiiLib.h>
38 #include <Library/DevicePathLib.h>
39 #include <Library/PrintLib.h>
40 #include <Library/PlatformSecureLib.h>
41 #include <Library/BaseCryptLib.h>
42 #include <Library/FileExplorerLib.h>
43 #include <Library/PeCoffLib.h>
44
45 #include <Guid/MdeModuleHii.h>
46 #include <Guid/AuthenticatedVariableFormat.h>
47 #include <Guid/FileSystemVolumeLabelInfo.h>
48 #include <Guid/ImageAuthentication.h>
49 #include <Guid/FileInfo.h>
50 #include <Guid/WinCertificate.h>
51
52 #include "SecureBootConfigNvData.h"
53
54 //
55 // Tool generated IFR binary data and String package data
56 //
57 extern UINT8 SecureBootConfigBin[];
58 extern UINT8 SecureBootConfigDxeStrings[];
59
60 //
61 // Shared IFR form update data
62 //
63 extern VOID *mStartOpCodeHandle;
64 extern VOID *mEndOpCodeHandle;
65 extern EFI_IFR_GUID_LABEL *mStartLabel;
66 extern EFI_IFR_GUID_LABEL *mEndLabel;
67
68 #define MAX_CHAR 480
69 #define TWO_BYTE_ENCODE 0x82
70
71
72 //
73 // SHA-256 digest size in bytes
74 //
75 #define SHA256_DIGEST_SIZE 32
76 //
77 // SHA-384 digest size in bytes
78 //
79 #define SHA384_DIGEST_SIZE 48
80 //
81 // SHA-512 digest size in bytes
82 //
83 #define SHA512_DIGEST_SIZE 64
84
85 //
86 // Set max digest size as SHA512 Output (64 bytes) by far
87 //
88 #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
89
90 #define WIN_CERT_UEFI_RSA2048_SIZE 256
91
92 //
93 // Support hash types
94 //
95 #define HASHALG_SHA224 0x00000000
96 #define HASHALG_SHA256 0x00000001
97 #define HASHALG_SHA384 0x00000002
98 #define HASHALG_SHA512 0x00000003
99 #define HASHALG_RAW 0x00000004
100 #define HASHALG_MAX 0x00000004
101
102
103 typedef struct {
104 UINTN Signature;
105 LIST_ENTRY Head;
106 UINTN MenuNumber;
107 } SECUREBOOT_MENU_OPTION;
108
109 typedef struct {
110 EFI_FILE_HANDLE FHandle;
111 UINT16 *FileName;
112 UINT8 FileType;
113 } SECUREBOOT_FILE_CONTEXT;
114
115
116 //
117 // We define another format of 5th directory entry: security directory
118 //
119 typedef struct {
120 UINT32 Offset; // Offset of certificate
121 UINT32 SizeOfCert; // size of certificate appended
122 } EFI_IMAGE_SECURITY_DATA_DIRECTORY;
123
124 typedef enum{
125 ImageType_IA32,
126 ImageType_X64
127 } IMAGE_TYPE;
128
129 ///
130 /// HII specific Vendor Device Path definition.
131 ///
132 typedef struct {
133 VENDOR_DEVICE_PATH VendorDevicePath;
134 EFI_DEVICE_PATH_PROTOCOL End;
135 } HII_VENDOR_DEVICE_PATH;
136
137 typedef struct {
138 UINTN Signature;
139
140 EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess;
141 EFI_HII_HANDLE HiiHandle;
142 EFI_HANDLE DriverHandle;
143
144 SECUREBOOT_FILE_CONTEXT *FileContext;
145
146 EFI_GUID *SignatureGUID;
147 } SECUREBOOT_CONFIG_PRIVATE_DATA;
148
149 extern SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate;
150 extern SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData;
151
152 #define SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('S', 'E', 'C', 'B')
153 #define SECUREBOOT_CONFIG_PRIVATE_FROM_THIS(a) CR (a, SECUREBOOT_CONFIG_PRIVATE_DATA, ConfigAccess, SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE)
154
155 //
156 // Cryptograhpic Key Information
157 //
158 #pragma pack(1)
159 typedef struct _CPL_KEY_INFO {
160 UINT32 KeyLengthInBits; // Key Length In Bits
161 UINT32 BlockSize; // Operation Block Size in Bytes
162 UINT32 CipherBlockSize; // Output Cipher Block Size in Bytes
163 UINT32 KeyType; // Key Type
164 UINT32 CipherMode; // Cipher Mode for Symmetric Algorithm
165 UINT32 Flags; // Additional Key Property Flags
166 } CPL_KEY_INFO;
167 #pragma pack()
168
169
170 /**
171 Retrieves the size, in bytes, of the context buffer required for hash operations.
172
173 @return The size, in bytes, of the context buffer required for hash operations.
174
175 **/
176 typedef
177 EFI_STATUS
178 (EFIAPI *HASH_GET_CONTEXT_SIZE)(
179 VOID
180 );
181
182 /**
183 Initializes user-supplied memory pointed by HashContext as hash context for
184 subsequent use.
185
186 If HashContext is NULL, then ASSERT().
187
188 @param[in, out] HashContext Pointer to Context being initialized.
189
190 @retval TRUE HASH context initialization succeeded.
191 @retval FALSE HASH context initialization failed.
192
193 **/
194 typedef
195 BOOLEAN
196 (EFIAPI *HASH_INIT)(
197 IN OUT VOID *HashContext
198 );
199
200
201 /**
202 Performs digest on a data buffer of the specified length. This function can
203 be called multiple times to compute the digest of long or discontinuous data streams.
204
205 If HashContext is NULL, then ASSERT().
206
207 @param[in, out] HashContext Pointer to the MD5 context.
208 @param[in] Data Pointer to the buffer containing the data to be hashed.
209 @param[in] DataLength Length of Data buffer in bytes.
210
211 @retval TRUE HASH data digest succeeded.
212 @retval FALSE Invalid HASH context. After HashFinal function has been called, the
213 HASH context cannot be reused.
214
215 **/
216 typedef
217 BOOLEAN
218 (EFIAPI *HASH_UPDATE)(
219 IN OUT VOID *HashContext,
220 IN CONST VOID *Data,
221 IN UINTN DataLength
222 );
223
224 /**
225 Completes hash computation and retrieves the digest value into the specified
226 memory. After this function has been called, the context cannot be used again.
227
228 If HashContext is NULL, then ASSERT().
229 If HashValue is NULL, then ASSERT().
230
231 @param[in, out] HashContext Pointer to the MD5 context
232 @param[out] HashValue Pointer to a buffer that receives the HASH digest
233 value (16 bytes).
234
235 @retval TRUE HASH digest computation succeeded.
236 @retval FALSE HASH digest computation failed.
237
238 **/
239 typedef
240 BOOLEAN
241 (EFIAPI *HASH_FINAL)(
242 IN OUT VOID *HashContext,
243 OUT UINT8 *HashValue
244 );
245
246 //
247 // Hash Algorithm Table
248 //
249 typedef struct {
250 CHAR16 *Name; ///< Name for Hash Algorithm
251 UINTN DigestLength; ///< Digest Length
252 UINT8 *OidValue; ///< Hash Algorithm OID ASN.1 Value
253 UINTN OidLength; ///< Length of Hash OID Value
254 HASH_GET_CONTEXT_SIZE GetContextSize; ///< Pointer to Hash GetContentSize function
255 HASH_INIT HashInit; ///< Pointer to Hash Init function
256 HASH_UPDATE HashUpdate; ///< Pointer to Hash Update function
257 HASH_FINAL HashFinal; ///< Pointer to Hash Final function
258 } HASH_TABLE;
259
260 typedef struct {
261 WIN_CERTIFICATE Hdr;
262 UINT8 CertData[1];
263 } WIN_CERTIFICATE_EFI_PKCS;
264
265
266 /**
267 This function publish the SecureBoot configuration Form.
268
269 @param[in, out] PrivateData Points to SecureBoot configuration private data.
270
271 @retval EFI_SUCCESS HII Form is installed successfully.
272 @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
273 @retval Others Other errors as indicated.
274
275 **/
276 EFI_STATUS
277 InstallSecureBootConfigForm (
278 IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
279 );
280
281
282 /**
283 This function removes SecureBoot configuration Form.
284
285 @param[in, out] PrivateData Points to SecureBoot configuration private data.
286
287 **/
288 VOID
289 UninstallSecureBootConfigForm (
290 IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
291 );
292
293
294 /**
295 This function allows a caller to extract the current configuration for one
296 or more named elements from the target driver.
297
298 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
299 @param[in] Request A null-terminated Unicode string in
300 <ConfigRequest> format.
301 @param[out] Progress On return, points to a character in the Request
302 string. Points to the string's null terminator if
303 request was successful. Points to the most recent
304 '&' before the first failing name/value pair (or
305 the beginning of the string if the failure is in
306 the first name/value pair) if the request was not
307 successful.
308 @param[out] Results A null-terminated Unicode string in
309 <ConfigAltResp> format which has all values filled
310 in for the names in the Request string. String to
311 be allocated by the called function.
312
313 @retval EFI_SUCCESS The Results is filled with the requested values.
314 @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
315 @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
316 @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
317 driver.
318
319 **/
320 EFI_STATUS
321 EFIAPI
322 SecureBootExtractConfig (
323 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
324 IN CONST EFI_STRING Request,
325 OUT EFI_STRING *Progress,
326 OUT EFI_STRING *Results
327 );
328
329
330 /**
331 This function processes the results of changes in configuration.
332
333 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
334 @param[in] Configuration A null-terminated Unicode string in <ConfigResp>
335 format.
336 @param[out] Progress A pointer to a string filled in with the offset of
337 the most recent '&' before the first failing
338 name/value pair (or the beginning of the string if
339 the failure is in the first name/value pair) or
340 the terminating NULL if all was successful.
341
342 @retval EFI_SUCCESS The Results is processed successfully.
343 @retval EFI_INVALID_PARAMETER Configuration is NULL.
344 @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
345 driver.
346
347 **/
348 EFI_STATUS
349 EFIAPI
350 SecureBootRouteConfig (
351 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
352 IN CONST EFI_STRING Configuration,
353 OUT EFI_STRING *Progress
354 );
355
356
357 /**
358 This function processes the results of changes in configuration.
359
360 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
361 @param[in] Action Specifies the type of action taken by the browser.
362 @param[in] QuestionId A unique value which is sent to the original
363 exporting driver so that it can identify the type
364 of data to expect.
365 @param[in] Type The type of value for the question.
366 @param[in] Value A pointer to the data being sent to the original
367 exporting driver.
368 @param[out] ActionRequest On return, points to the action requested by the
369 callback function.
370
371 @retval EFI_SUCCESS The callback successfully handled the action.
372 @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
373 variable and its data.
374 @retval EFI_DEVICE_ERROR The variable could not be saved.
375 @retval EFI_UNSUPPORTED The specified Action is not supported by the
376 callback.
377
378 **/
379 EFI_STATUS
380 EFIAPI
381 SecureBootCallback (
382 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
383 IN EFI_BROWSER_ACTION Action,
384 IN EFI_QUESTION_ID QuestionId,
385 IN UINT8 Type,
386 IN EFI_IFR_TYPE_VALUE *Value,
387 OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
388 );
389
390
391 /**
392 This function converts an input device structure to a Unicode string.
393
394 @param[in] DevPath A pointer to the device path structure.
395
396 @return A new allocated Unicode string that represents the device path.
397
398 **/
399 CHAR16 *
400 EFIAPI
401 DevicePathToStr (
402 IN EFI_DEVICE_PATH_PROTOCOL *DevPath
403 );
404
405
406 /**
407 Clean up the dynamic opcode at label and form specified by both LabelId.
408
409 @param[in] LabelId It is both the Form ID and Label ID for opcode deletion.
410 @param[in] PrivateData Module private data.
411
412 **/
413 VOID
414 CleanUpPage (
415 IN UINT16 LabelId,
416 IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
417 );
418
419
420 /**
421 Read file content into BufferPtr, the size of the allocate buffer
422 is *FileSize plus AddtionAllocateSize.
423
424 @param[in] FileHandle The file to be read.
425 @param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
426 @param[out] FileSize Size of input file
427 @param[in] AddtionAllocateSize Addtion size the buffer need to be allocated.
428 In case the buffer need to contain others besides the file content.
429
430 @retval EFI_SUCCESS The file was read into the buffer.
431 @retval EFI_INVALID_PARAMETER A parameter was invalid.
432 @retval EFI_OUT_OF_RESOURCES A memory allocation failed.
433 @retval others Unexpected error.
434
435 **/
436 EFI_STATUS
437 ReadFileContent (
438 IN EFI_FILE_HANDLE FileHandle,
439 IN OUT VOID **BufferPtr,
440 OUT UINTN *FileSize,
441 IN UINTN AddtionAllocateSize
442 );
443
444
445 /**
446 Close an open file handle.
447
448 @param[in] FileHandle The file handle to close.
449
450 **/
451 VOID
452 CloseFile (
453 IN EFI_FILE_HANDLE FileHandle
454 );
455
456
457 /**
458 Converts a nonnegative integer to an octet string of a specified length.
459
460 @param[in] Integer Pointer to the nonnegative integer to be converted
461 @param[in] IntSizeInWords Length of integer buffer in words
462 @param[out] OctetString Converted octet string of the specified length
463 @param[in] OSSizeInBytes Intended length of resulting octet string in bytes
464
465 Returns:
466
467 @retval EFI_SUCCESS Data conversion successfully
468 @retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
469
470 **/
471 EFI_STATUS
472 EFIAPI
473 Int2OctStr (
474 IN CONST UINTN *Integer,
475 IN UINTN IntSizeInWords,
476 OUT UINT8 *OctetString,
477 IN UINTN OSSizeInBytes
478 );
479
480 /**
481 Worker function that prints an EFI_GUID into specified Buffer.
482
483 @param[in] Guid Pointer to GUID to print.
484 @param[in] Buffer Buffer to print Guid into.
485 @param[in] BufferSize Size of Buffer.
486
487 @retval Number of characters printed.
488
489 **/
490 UINTN
491 GuidToString (
492 IN EFI_GUID *Guid,
493 IN CHAR16 *Buffer,
494 IN UINTN BufferSize
495 );
496
497 /**
498 Update the PK form base on the input file path info.
499
500 @param FilePath Point to the file path.
501
502 @retval TRUE Exit caller function.
503 @retval FALSE Not exit caller function.
504 **/
505 BOOLEAN
506 EFIAPI
507 UpdatePKFromFile (
508 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
509 );
510
511 /**
512 Update the KEK form base on the input file path info.
513
514 @param FilePath Point to the file path.
515
516 @retval TRUE Exit caller function.
517 @retval FALSE Not exit caller function.
518 **/
519 BOOLEAN
520 EFIAPI
521 UpdateKEKFromFile (
522 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
523 );
524
525 /**
526 Update the DB form base on the input file path info.
527
528 @param FilePath Point to the file path.
529
530 @retval TRUE Exit caller function.
531 @retval FALSE Not exit caller function.
532 **/
533 BOOLEAN
534 EFIAPI
535 UpdateDBFromFile (
536 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
537 );
538
539 /**
540 Update the DBX form base on the input file path info.
541
542 @param FilePath Point to the file path.
543
544 @retval TRUE Exit caller function.
545 @retval FALSE Not exit caller function.
546 **/
547 BOOLEAN
548 EFIAPI
549 UpdateDBXFromFile (
550 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
551 );
552
553 /**
554 Update the DBT form base on the input file path info.
555
556 @param FilePath Point to the file path.
557
558 @retval TRUE Exit caller function.
559 @retval FALSE Not exit caller function.
560 **/
561 BOOLEAN
562 EFIAPI
563 UpdateDBTFromFile (
564 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
565 );
566
567 #endif