/** @file\r
- Platform Key, Key Exchange Key, and Image signature database are defined \r
- for the signed image validation.\r
+ Image signature database are defined for the signed image validation.\r
\r
- Copyright (c) 2009, Intel Corporation\r
- All rights reserved. This program and the accompanying materials \r
+ Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>\r
+ This program and the accompanying materials \r
are licensed and made available under the terms and conditions of the BSD License \r
which accompanies this distribution. The full text of the license may be found at \r
http://opensource.org/licenses/bsd-license.php \r
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. \r
\r
@par Revision Reference:\r
- GUIDs defined in UEFI 2.2 spec.\r
+ GUIDs defined in UEFI 2.3.1 spec.\r
**/\r
\r
#ifndef __IMAGE_AUTHTICATION_H__\r
///\r
#define EFI_IMAGE_SECURITY_DATABASE1 L"dbx"\r
\r
+#define SECURE_BOOT_MODE_ENABLE 1\r
+#define SECURE_BOOT_MODE_DISABLE 0\r
#define SETUP_MODE 1\r
#define USER_MODE 0\r
-///\r
-/// Globally "SetupMode" variable to specify whether the system is currently operating \r
-/// in setup mode (1) or not (0). All other values are reserved.\r
-///\r
-#define EFI_SETUP_MODE_NAME L"SetupMode"\r
-///\r
-/// Globally "PK" variable for the Platform Key Signature Database.\r
-///\r
-#define EFI_PLATFORM_KEY_NAME L"PK"\r
-///\r
-/// Globally "KEK" variable for the Key Exchange Key Signature Database.\r
-///\r
-#define EFI_KEY_EXCHANGE_KEY_NAME L"KEK"\r
-///\r
-/// Globally "SignatureSupport" variable returns an array of GUIDs, \r
-/// with each GUID representing a type of signature which the platform \r
-/// firmware supports for images and other data.\r
-///\r
-#define EFI_SIGNATURE_SUPPORT_NAME L"SignatureSupport"\r
+\r
\r
//***********************************************************************\r
// Signature Database\r
///\r
/// An identifier which identifies the agent which added the signature to the list.\r
///\r
- EFI_GUID SignatureOwner;\r
+ EFI_GUID SignatureOwner;\r
///\r
/// The format of the signature is defined by the SignatureType.\r
///\r
- UINT8 SignatureData[1];\r
+ UINT8 SignatureData[1];\r
} EFI_SIGNATURE_DATA;\r
\r
typedef struct {\r
///\r
/// Type of the signature. GUID signature types are defined in below.\r
///\r
- EFI_GUID SignatureType;\r
+ EFI_GUID SignatureType;\r
///\r
/// Total size of the signature list, including this header.\r
///\r
- UINT32 SignatureListSize;\r
+ UINT32 SignatureListSize;\r
///\r
/// Size of the signature header which precedes the array of signatures.\r
///\r
- UINT32 SignatureHeaderSize;\r
+ UINT32 SignatureHeaderSize;\r
///\r
/// Size of each signature.\r
///\r
#pragma pack()\r
\r
///\r
-/// This identifies a signature containing a SHA-256 hash. The SignatureHeader size should \r
-/// always be 0. The SignatureSize should always be 32 bytes.\r
+/// This identifies a signature containing a SHA-256 hash. The SignatureHeader size shall\r
+/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
+/// 32 bytes.\r
///\r
#define EFI_CERT_SHA256_GUID \\r
{ \\r
}\r
\r
///\r
-/// This identifies a signature containing an RSA-2048 key. The SignatureHeader size should \r
-/// always be 0. The SignatureSize should always be 256 bytes.\r
+/// This identifies a signature containing an RSA-2048 key. The key (only the modulus\r
+/// since the public key exponent is known to be 0x10001) shall be stored in big-endian\r
+/// order.\r
+/// The SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size \r
+/// of SignatureOwner component) + 256 bytes.\r
///\r
#define EFI_CERT_RSA2048_GUID \\r
{ \\r
}\r
\r
///\r
-/// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash. The \r
-/// SignatureHeader size should always be 0. The SignatureSize should always be 256 bytes.\r
+/// This identifies a signature containing a RSA-2048 signature of a SHA-256 hash. The \r
+/// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of \r
+/// SignatureOwner component) + 256 bytes.\r
///\r
#define EFI_CERT_RSA2048_SHA256_GUID \\r
{ \\r
}\r
\r
///\r
-/// This identifies a signature containing a SHA-1 hash. The SignatureHeader size should always\r
-/// be 0. The SignatureSize should always be 20 bytes\r
+/// This identifies a signature containing a SHA-1 hash. The SignatureSize shall always\r
+/// be 16 (size of SignatureOwner component) + 20 bytes.\r
///\r
#define EFI_CERT_SHA1_GUID \\r
{ \\r
}\r
\r
///\r
-/// This identifies a signature containing a RSA-2048 signature of a SHA-1 hash. The \r
-/// SignatureHeader size should always be 0. The SignatureSize should always be 256 bytes.\r
+/// TThis identifies a signature containing a RSA-2048 signature of a SHA-1 hash. The \r
+/// SignatureHeader size shall always be 0. The SignatureSize shall always be 16 (size of \r
+/// SignatureOwner component) + 256 bytes.\r
///\r
#define EFI_CERT_RSA2048_SHA1_GUID \\r
{ \\r
}\r
\r
///\r
-/// This identifies a signature based on an X.509 certificate. If the signature is an X.509 certificate then \r
-/// verification of the signature of an image should validate the public key certificate in the image using \r
-/// certificate path verification, up to this X.509 certificate as a trusted root.\r
+/// This identifies a signature based on an X.509 certificate. If the signature is an X.509\r
+/// certificate then verification of the signature of an image should validate the public \r
+/// key certificate in the image using certificate path verification, up to this X.509 \r
+/// certificate as a trusted root. The SignatureHeader size shall always be 0. The\r
+/// SignatureSize may vary but shall always be 16 (size of the SignatureOwner component) + \r
+/// the size of the certificate itself. \r
+/// Note: This means that each certificate will normally be in a separate EFI_SIGNATURE_LIST.\r
///\r
-#define EFI_CERT_X509 \\r
+#define EFI_CERT_X509_GUID \\r
{ \\r
0xa5c059a1, 0x94e4, 0x4aa7, {0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} \\r
}\r
\r
+///\r
+/// This identifies a signature containing a SHA-224 hash. The SignatureHeader size shall\r
+/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
+/// 28 bytes.\r
+///\r
+#define EFI_CERT_SHA224_GUID \\r
+ { \\r
+ 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} \\r
+ }\r
+\r
+///\r
+/// This identifies a signature containing a SHA-384 hash. The SignatureHeader size shall\r
+/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
+/// 48 bytes.\r
+///\r
+#define EFI_CERT_SHA384_GUID \\r
+ { \\r
+ 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} \\r
+ } \r
+\r
+///\r
+/// This identifies a signature containing a SHA-512 hash. The SignatureHeader size shall\r
+/// always be 0. The SignatureSize shall always be 16 (size of SignatureOwner component) +\r
+/// 64 bytes.\r
+///\r
+#define EFI_CERT_SHA512_GUID \\r
+ { \\r
+ 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} \\r
+ }\r
+\r
+///\r
+/// This identifies a signature containing a DER-encoded PKCS #7 version 1.5 [RFC2315]\r
+/// SignedData value.\r
+///\r
+#define EFI_CERT_TYPE_PKCS7_GUID \\r
+ { \\r
+ 0x4aafd29d, 0x68df, 0x49ee, {0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7} \\r
+ }\r
+ \r
//***********************************************************************\r
// Image Execution Information Table Definition\r
//***********************************************************************\r
typedef UINT32 EFI_IMAGE_EXECUTION_ACTION;\r
\r
-#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007 \r
+#define EFI_IMAGE_EXECUTION_AUTHENTICATION 0x00000007 \r
+#define EFI_IMAGE_EXECUTION_AUTH_UNTESTED 0x00000000\r
+#define EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED 0x00000001\r
+#define EFI_IMAGE_EXECUTION_AUTH_SIG_PASSED 0x00000002\r
+#define EFI_IMAGE_EXECUTION_AUTH_SIG_NOT_FOUND 0x00000003\r
+#define EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND 0x00000004\r
+#define EFI_IMAGE_EXECUTION_POLICY_FAILED 0x00000005\r
+#define EFI_IMAGE_EXECUTION_INITIALIZED 0x00000008\r
\r
//\r
// EFI_IMAGE_EXECUTION_INFO is added to EFI System Configuration Table \r
///\r
/// Describes the action taken by the firmware regarding this image.\r
///\r
- EFI_IMAGE_EXECUTION_ACTION Action;\r
+ EFI_IMAGE_EXECUTION_ACTION Action;\r
///\r
/// Size of all of the entire structure.\r
///\r
///\r
\r
///\r
- /// The image digest of the image. The certificate type must be one of the hash types. \r
- /// The hash type must match the type used in the Signature field.\r
- ///\r
- WIN_CERTIFICATE ImageHash;\r
- ///\r
- /// Zero or more image signatures. If the image contained no signtures, \r
+ /// Zero or more image signatures. If the image contained no signatures, \r
/// then this field is empty.\r
///\r
- WIN_CERTIFICATE Signature;\r
+ EFI_SIGNATURE_LIST Signature;\r
} EFI_IMAGE_EXECUTION_INFO;\r
\r
+\r
+typedef struct {\r
+ ///\r
+ /// Number of EFI_IMAGE_EXECUTION_INFO structures.\r
+ ///\r
+ UINTN NumberOfImages; \r
+ ///\r
+ /// Number of image instances of EFI_IMAGE_EXECUTION_INFO structures.\r
+ ///\r
+ // EFI_IMAGE_EXECUTION_INFO InformationInfo[] \r
+} EFI_IMAGE_EXECUTION_INFO_TABLE;\r
+\r
extern EFI_GUID gEfiImageSecurityDatabaseGuid;\r
extern EFI_GUID gEfiCertSha256Guid;\r
extern EFI_GUID gEfiCertRsa2048Guid; \r
extern EFI_GUID gEfiCertSha1Guid;\r
extern EFI_GUID gEfiCertRsa2048Sha1Guid;\r
extern EFI_GUID gEfiCertX509Guid;\r
+extern EFI_GUID gEfiCertSha224Guid;\r
+extern EFI_GUID gEfiCertSha384Guid;\r
+extern EFI_GUID gEfiCertSha512Guid;\r
+extern EFI_GUID gEfiCertPkcs7Guid;\r
\r
#endif\r
projects / mirror_edk2.git / blobdiff