]> git.proxmox.com Git - mirror_edk2.git/blob - SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
projects / mirror_edk2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
UefiCpuPkg: Move AsmRelocateApLoopStart from Mpfuncs.nasm to AmdSev.nasm
[mirror_edk2.git] / SecurityPkg / VariableAuthenticated / SecureBootConfigDxe / SecureBootConfigImpl.h
1 /** @file
2 The header file of HII Config Access protocol implementation of SecureBoot
3 configuration module.
4
5 Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
6 SPDX-License-Identifier: BSD-2-Clause-Patent
7
8 **/
9
10 #ifndef __SECUREBOOT_CONFIG_IMPL_H__
11 #define __SECUREBOOT_CONFIG_IMPL_H__
12
13 #include <Uefi.h>
14
15 #include <Protocol/HiiConfigAccess.h>
16 #include <Protocol/HiiConfigRouting.h>
17 #include <Protocol/SimpleFileSystem.h>
18 #include <Protocol/BlockIo.h>
19 #include <Protocol/DevicePath.h>
20 #include <Protocol/DebugPort.h>
21 #include <Protocol/LoadFile.h>
22
23 #include <Library/BaseLib.h>
24 #include <Library/BaseMemoryLib.h>
25 #include <Library/DebugLib.h>
26 #include <Library/MemoryAllocationLib.h>
27 #include <Library/UefiBootServicesTableLib.h>
28 #include <Library/UefiRuntimeServicesTableLib.h>
29 #include <Library/UefiHiiServicesLib.h>
30 #include <Library/UefiLib.h>
31 #include <Library/HiiLib.h>
32 #include <Library/DevicePathLib.h>
33 #include <Library/PrintLib.h>
34 #include <Library/PlatformSecureLib.h>
35 #include <Library/BaseCryptLib.h>
36 #include <Library/FileExplorerLib.h>
37 #include <Library/PeCoffLib.h>
38
39 #include <Guid/MdeModuleHii.h>
40 #include <Guid/AuthenticatedVariableFormat.h>
41 #include <Guid/FileSystemVolumeLabelInfo.h>
42 #include <Guid/ImageAuthentication.h>
43 #include <Guid/FileInfo.h>
44 #include <Guid/WinCertificate.h>
45
46 #include "SecureBootConfigNvData.h"
47
48 //
49 // Tool generated IFR binary data and String package data
50 //
51 extern UINT8 SecureBootConfigBin[];
52 extern UINT8 SecureBootConfigDxeStrings[];
53
54 //
55 // Shared IFR form update data
56 //
57 extern VOID *mStartOpCodeHandle;
58 extern VOID *mEndOpCodeHandle;
59 extern EFI_IFR_GUID_LABEL *mStartLabel;
60 extern EFI_IFR_GUID_LABEL *mEndLabel;
61
62 #define MAX_CHAR 480
63 #define TWO_BYTE_ENCODE 0x82
64 #define BUFFER_MAX_SIZE 100
65
66 //
67 // SHA-256 digest size in bytes
68 //
69 #define SHA256_DIGEST_SIZE 32
70 //
71 // SHA-384 digest size in bytes
72 //
73 #define SHA384_DIGEST_SIZE 48
74 //
75 // SHA-512 digest size in bytes
76 //
77 #define SHA512_DIGEST_SIZE 64
78
79 //
80 // Set max digest size as SHA512 Output (64 bytes) by far
81 //
82 #define MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
83
84 #define WIN_CERT_UEFI_RSA2048_SIZE 256
85
86 //
87 // Support hash types
88 //
89 #define HASHALG_SHA224 0x00000000
90 #define HASHALG_SHA256 0x00000001
91 #define HASHALG_SHA384 0x00000002
92 #define HASHALG_SHA512 0x00000003
93 #define HASHALG_RAW 0x00000004
94 #define HASHALG_MAX 0x00000004
95
96 //
97 // Certificate public key minimum size (bytes)
98 //
99 #define CER_PUBKEY_MIN_SIZE 256
100
101 //
102 // Types of errors may occur during certificate enrollment.
103 //
104 typedef enum {
105 None_Error = 0,
106 //
107 // Unsupported_type indicates the certificate type is not supported.
108 //
109 Unsupported_Type,
110 //
111 // Unqualified_key indicates the key strength of certificate is not
112 // strong enough.
113 //
114 Unqualified_Key,
115 Enroll_Error_Max
116 } ENROLL_KEY_ERROR;
117
118 typedef struct {
119 UINTN Signature;
120 LIST_ENTRY Head;
121 UINTN MenuNumber;
122 } SECUREBOOT_MENU_OPTION;
123
124 typedef struct {
125 EFI_FILE_HANDLE FHandle;
126 UINT16 *FileName;
127 UINT8 FileType;
128 } SECUREBOOT_FILE_CONTEXT;
129
130 #define SECUREBOOT_FREE_NON_NULL(Pointer) \
131 do { \
132 if ((Pointer) != NULL) { \
133 FreePool((Pointer)); \
134 (Pointer) = NULL; \
135 } \
136 } while (FALSE)
137
138 #define SECUREBOOT_FREE_NON_OPCODE(Handle) \
139 do{ \
140 if ((Handle) != NULL) { \
141 HiiFreeOpCodeHandle((Handle)); \
142 } \
143 } while (FALSE)
144
145 #define SIGNATURE_DATA_COUNTS(List) \
146 (((List)->SignatureListSize - sizeof(EFI_SIGNATURE_LIST) - (List)->SignatureHeaderSize) / (List)->SignatureSize)
147
148 //
149 // We define another format of 5th directory entry: security directory
150 //
151 typedef struct {
152 UINT32 Offset; // Offset of certificate
153 UINT32 SizeOfCert; // size of certificate appended
154 } EFI_IMAGE_SECURITY_DATA_DIRECTORY;
155
156 typedef enum {
157 ImageType_IA32,
158 ImageType_X64
159 } IMAGE_TYPE;
160
161 ///
162 /// HII specific Vendor Device Path definition.
163 ///
164 typedef struct {
165 VENDOR_DEVICE_PATH VendorDevicePath;
166 EFI_DEVICE_PATH_PROTOCOL End;
167 } HII_VENDOR_DEVICE_PATH;
168
169 typedef enum {
170 Variable_DB,
171 Variable_DBX,
172 Variable_DBT,
173 Variable_MAX
174 } CURRENT_VARIABLE_NAME;
175
176 typedef enum {
177 Delete_Signature_List_All,
178 Delete_Signature_List_One,
179 Delete_Signature_Data
180 } SIGNATURE_DELETE_TYPE;
181
182 typedef struct {
183 UINTN Signature;
184
185 EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess;
186 EFI_HII_HANDLE HiiHandle;
187 EFI_HANDLE DriverHandle;
188
189 SECUREBOOT_FILE_CONTEXT *FileContext;
190
191 EFI_GUID *SignatureGUID;
192
193 CURRENT_VARIABLE_NAME VariableName; // The variable name we are processing.
194 UINT32 ListCount; // Record current variable has how many signature list.
195 UINTN ListIndex; // Record which signature list is processing.
196 BOOLEAN *CheckArray; // Record which signature data checked.
197 } SECUREBOOT_CONFIG_PRIVATE_DATA;
198
199 extern SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate;
200 extern SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData;
201
202 #define SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('S', 'E', 'C', 'B')
203 #define SECUREBOOT_CONFIG_PRIVATE_FROM_THIS(a) CR (a, SECUREBOOT_CONFIG_PRIVATE_DATA, ConfigAccess, SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE)
204
205 //
206 // Cryptographic Key Information
207 //
208 #pragma pack(1)
209 typedef struct _CPL_KEY_INFO {
210 UINT32 KeyLengthInBits; // Key Length In Bits
211 UINT32 BlockSize; // Operation Block Size in Bytes
212 UINT32 CipherBlockSize; // Output Cipher Block Size in Bytes
213 UINT32 KeyType; // Key Type
214 UINT32 CipherMode; // Cipher Mode for Symmetric Algorithm
215 UINT32 Flags; // Additional Key Property Flags
216 } CPL_KEY_INFO;
217 #pragma pack()
218
219 /**
220 Retrieves the size, in bytes, of the context buffer required for hash operations.
221
222 @return The size, in bytes, of the context buffer required for hash operations.
223
224 **/
225 typedef
226 EFI_STATUS
227 (EFIAPI *HASH_GET_CONTEXT_SIZE)(
228 VOID
229 );
230
231 /**
232 Initializes user-supplied memory pointed by HashContext as hash context for
233 subsequent use.
234
235 If HashContext is NULL, then ASSERT().
236
237 @param[in, out] HashContext Pointer to Context being initialized.
238
239 @retval TRUE HASH context initialization succeeded.
240 @retval FALSE HASH context initialization failed.
241
242 **/
243 typedef
244 BOOLEAN
245 (EFIAPI *HASH_INIT)(
246 IN OUT VOID *HashContext
247 );
248
249 /**
250 Performs digest on a data buffer of the specified length. This function can
251 be called multiple times to compute the digest of long or discontinuous data streams.
252
253 If HashContext is NULL, then ASSERT().
254
255 @param[in, out] HashContext Pointer to the MD5 context.
256 @param[in] Data Pointer to the buffer containing the data to be hashed.
257 @param[in] DataLength Length of Data buffer in bytes.
258
259 @retval TRUE HASH data digest succeeded.
260 @retval FALSE Invalid HASH context. After HashFinal function has been called, the
261 HASH context cannot be reused.
262
263 **/
264 typedef
265 BOOLEAN
266 (EFIAPI *HASH_UPDATE)(
267 IN OUT VOID *HashContext,
268 IN CONST VOID *Data,
269 IN UINTN DataLength
270 );
271
272 /**
273 Completes hash computation and retrieves the digest value into the specified
274 memory. After this function has been called, the context cannot be used again.
275
276 If HashContext is NULL, then ASSERT().
277 If HashValue is NULL, then ASSERT().
278
279 @param[in, out] HashContext Pointer to the MD5 context
280 @param[out] HashValue Pointer to a buffer that receives the HASH digest
281 value (16 bytes).
282
283 @retval TRUE HASH digest computation succeeded.
284 @retval FALSE HASH digest computation failed.
285
286 **/
287 typedef
288 BOOLEAN
289 (EFIAPI *HASH_FINAL)(
290 IN OUT VOID *HashContext,
291 OUT UINT8 *HashValue
292 );
293
294 //
295 // Hash Algorithm Table
296 //
297 typedef struct {
298 CHAR16 *Name; ///< Name for Hash Algorithm
299 UINTN DigestLength; ///< Digest Length
300 UINT8 *OidValue; ///< Hash Algorithm OID ASN.1 Value
301 UINTN OidLength; ///< Length of Hash OID Value
302 HASH_GET_CONTEXT_SIZE GetContextSize; ///< Pointer to Hash GetContentSize function
303 HASH_INIT HashInit; ///< Pointer to Hash Init function
304 HASH_UPDATE HashUpdate; ///< Pointer to Hash Update function
305 HASH_FINAL HashFinal; ///< Pointer to Hash Final function
306 } HASH_TABLE;
307
308 typedef struct {
309 WIN_CERTIFICATE Hdr;
310 UINT8 CertData[1];
311 } WIN_CERTIFICATE_EFI_PKCS;
312
313 /**
314 This function publish the SecureBoot configuration Form.
315
316 @param[in, out] PrivateData Points to SecureBoot configuration private data.
317
318 @retval EFI_SUCCESS HII Form is installed successfully.
319 @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
320 @retval Others Other errors as indicated.
321
322 **/
323 EFI_STATUS
324 InstallSecureBootConfigForm (
325 IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
326 );
327
328 /**
329 This function removes SecureBoot configuration Form.
330
331 @param[in, out] PrivateData Points to SecureBoot configuration private data.
332
333 **/
334 VOID
335 UninstallSecureBootConfigForm (
336 IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
337 );
338
339 /**
340 This function allows a caller to extract the current configuration for one
341 or more named elements from the target driver.
342
343 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
344 @param[in] Request A null-terminated Unicode string in
345 <ConfigRequest> format.
346 @param[out] Progress On return, points to a character in the Request
347 string. Points to the string's null terminator if
348 request was successful. Points to the most recent
349 '&' before the first failing name/value pair (or
350 the beginning of the string if the failure is in
351 the first name/value pair) if the request was not
352 successful.
353 @param[out] Results A null-terminated Unicode string in
354 <ConfigAltResp> format which has all values filled
355 in for the names in the Request string. String to
356 be allocated by the called function.
357
358 @retval EFI_SUCCESS The Results is filled with the requested values.
359 @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
360 @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
361 @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
362 driver.
363
364 **/
365 EFI_STATUS
366 EFIAPI
367 SecureBootExtractConfig (
368 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
369 IN CONST EFI_STRING Request,
370 OUT EFI_STRING *Progress,
371 OUT EFI_STRING *Results
372 );
373
374 /**
375 This function processes the results of changes in configuration.
376
377 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
378 @param[in] Configuration A null-terminated Unicode string in <ConfigResp>
379 format.
380 @param[out] Progress A pointer to a string filled in with the offset of
381 the most recent '&' before the first failing
382 name/value pair (or the beginning of the string if
383 the failure is in the first name/value pair) or
384 the terminating NULL if all was successful.
385
386 @retval EFI_SUCCESS The Results is processed successfully.
387 @retval EFI_INVALID_PARAMETER Configuration is NULL.
388 @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
389 driver.
390
391 **/
392 EFI_STATUS
393 EFIAPI
394 SecureBootRouteConfig (
395 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
396 IN CONST EFI_STRING Configuration,
397 OUT EFI_STRING *Progress
398 );
399
400 /**
401 This function processes the results of changes in configuration.
402
403 @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
404 @param[in] Action Specifies the type of action taken by the browser.
405 @param[in] QuestionId A unique value which is sent to the original
406 exporting driver so that it can identify the type
407 of data to expect.
408 @param[in] Type The type of value for the question.
409 @param[in] Value A pointer to the data being sent to the original
410 exporting driver.
411 @param[out] ActionRequest On return, points to the action requested by the
412 callback function.
413
414 @retval EFI_SUCCESS The callback successfully handled the action.
415 @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
416 variable and its data.
417 @retval EFI_DEVICE_ERROR The variable could not be saved.
418 @retval EFI_UNSUPPORTED The specified Action is not supported by the
419 callback.
420
421 **/
422 EFI_STATUS
423 EFIAPI
424 SecureBootCallback (
425 IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
426 IN EFI_BROWSER_ACTION Action,
427 IN EFI_QUESTION_ID QuestionId,
428 IN UINT8 Type,
429 IN EFI_IFR_TYPE_VALUE *Value,
430 OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
431 );
432
433 /**
434 This function converts an input device structure to a Unicode string.
435
436 @param[in] DevPath A pointer to the device path structure.
437
438 @return A new allocated Unicode string that represents the device path.
439
440 **/
441 CHAR16 *
442 EFIAPI
443 DevicePathToStr (
444 IN EFI_DEVICE_PATH_PROTOCOL *DevPath
445 );
446
447 /**
448 Clean up the dynamic opcode at label and form specified by both LabelId.
449
450 @param[in] LabelId It is both the Form ID and Label ID for opcode deletion.
451 @param[in] PrivateData Module private data.
452
453 **/
454 VOID
455 CleanUpPage (
456 IN UINT16 LabelId,
457 IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
458 );
459
460 /**
461 Read file content into BufferPtr, the size of the allocate buffer
462 is *FileSize plus AdditionAllocateSize.
463
464 @param[in] FileHandle The file to be read.
465 @param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
466 @param[out] FileSize Size of input file
467 @param[in] AdditionAllocateSize Addition size the buffer need to be allocated.
468 In case the buffer need to contain others besides the file content.
469
470 @retval EFI_SUCCESS The file was read into the buffer.
471 @retval EFI_INVALID_PARAMETER A parameter was invalid.
472 @retval EFI_OUT_OF_RESOURCES A memory allocation failed.
473 @retval others Unexpected error.
474
475 **/
476 EFI_STATUS
477 ReadFileContent (
478 IN EFI_FILE_HANDLE FileHandle,
479 IN OUT VOID **BufferPtr,
480 OUT UINTN *FileSize,
481 IN UINTN AdditionAllocateSize
482 );
483
484 /**
485 Close an open file handle.
486
487 @param[in] FileHandle The file handle to close.
488
489 **/
490 VOID
491 CloseFile (
492 IN EFI_FILE_HANDLE FileHandle
493 );
494
495 /**
496 Converts a nonnegative integer to an octet string of a specified length.
497
498 @param[in] Integer Pointer to the nonnegative integer to be converted
499 @param[in] IntSizeInWords Length of integer buffer in words
500 @param[out] OctetString Converted octet string of the specified length
501 @param[in] OSSizeInBytes Intended length of resulting octet string in bytes
502
503 Returns:
504
505 @retval EFI_SUCCESS Data conversion successfully
506 @retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
507
508 **/
509 EFI_STATUS
510 EFIAPI
511 Int2OctStr (
512 IN CONST UINTN *Integer,
513 IN UINTN IntSizeInWords,
514 OUT UINT8 *OctetString,
515 IN UINTN OSSizeInBytes
516 );
517
518 /**
519 Worker function that prints an EFI_GUID into specified Buffer.
520
521 @param[in] Guid Pointer to GUID to print.
522 @param[in] Buffer Buffer to print Guid into.
523 @param[in] BufferSize Size of Buffer.
524
525 @retval Number of characters printed.
526
527 **/
528 UINTN
529 GuidToString (
530 IN EFI_GUID *Guid,
531 IN CHAR16 *Buffer,
532 IN UINTN BufferSize
533 );
534
535 /**
536 Update the PK form base on the input file path info.
537
538 @param FilePath Point to the file path.
539
540 @retval TRUE Exit caller function.
541 @retval FALSE Not exit caller function.
542 **/
543 BOOLEAN
544 EFIAPI
545 UpdatePKFromFile (
546 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
547 );
548
549 /**
550 Update the KEK form base on the input file path info.
551
552 @param FilePath Point to the file path.
553
554 @retval TRUE Exit caller function.
555 @retval FALSE Not exit caller function.
556 **/
557 BOOLEAN
558 EFIAPI
559 UpdateKEKFromFile (
560 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
561 );
562
563 /**
564 Update the DB form base on the input file path info.
565
566 @param FilePath Point to the file path.
567
568 @retval TRUE Exit caller function.
569 @retval FALSE Not exit caller function.
570 **/
571 BOOLEAN
572 EFIAPI
573 UpdateDBFromFile (
574 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
575 );
576
577 /**
578 Update the DBX form base on the input file path info.
579
580 @param FilePath Point to the file path.
581
582 @retval TRUE Exit caller function.
583 @retval FALSE Not exit caller function.
584 **/
585 BOOLEAN
586 EFIAPI
587 UpdateDBXFromFile (
588 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
589 );
590
591 /**
592 Update the DBT form base on the input file path info.
593
594 @param FilePath Point to the file path.
595
596 @retval TRUE Exit caller function.
597 @retval FALSE Not exit caller function.
598 **/
599 BOOLEAN
600 EFIAPI
601 UpdateDBTFromFile (
602 IN EFI_DEVICE_PATH_PROTOCOL *FilePath
603 );
604
605 #endif
EFI Development Kit II mirror for PVE