may not be modified without authorization. If platform fails to protect these resources,\r
the authentication service provided in this driver will be broken, and the behavior is undefined.\r
\r
-Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution. The full text of the license may be found at\r
#include <Guid/AuthenticatedVariableFormat.h>\r
#include <Guid/ImageAuthentication.h>\r
\r
+#define TWO_BYTE_ENCODE 0x82\r
+\r
///\r
/// Struct to record signature requirement defined by UEFI spec.\r
/// For SigHeaderSize and SigDataSize, ((UINT32) ~0) means NO exact length requirement for this field.\r
#pragma pack()\r
\r
///\r
-/// "certdb" variable stores the signer's certificates for non PK/KEK/DB/DBX\r
-/// variables with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.\r
+/// "certdb" variable stores the signer's certificates for non PK/KEK/DB/DBX\r
+/// variables with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS|EFI_VARIABLE_NON_VOLATILE set.\r
+/// "certdbv" variable stores the signer's certificates for non PK/KEK/DB/DBX\r
+/// variables with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set\r
///\r
/// GUID: gEfiCertDbGuid\r
///\r
/// | AUTH_CERT_DB_DATA | <-- Last CERT\r
/// +----------------------------+\r
///\r
-#define EFI_CERT_DB_NAME L"certdb"\r
+#define EFI_CERT_DB_NAME L"certdb"\r
+#define EFI_CERT_DB_VOLATILE_NAME L"certdbv"\r
\r
#pragma pack(1)\r
typedef struct {\r
} AUTH_CERT_DB_DATA;\r
#pragma pack()\r
\r
-///\r
-/// "SecureBootMode" variable stores current secure boot mode.\r
-/// The value type is SECURE_BOOT_MODE_TYPE.\r
-///\r
-#define EDKII_SECURE_BOOT_MODE_NAME L"SecureBootMode"\r
-\r
-typedef enum { \r
- SecureBootModeTypeUserMode,\r
- SecureBootModeTypeSetupMode,\r
- SecureBootModeTypeAuditMode,\r
- SecureBootModeTypeDeployedMode,\r
- SecureBootModeTypeMax\r
-} SECURE_BOOT_MODE_TYPE;\r
-\r
-//\r
-// Record status info of Customized Secure Boot Mode.\r
-//\r
-typedef struct {\r
- ///\r
- /// AuditMode variable value\r
- ///\r
- UINT8 AuditMode;\r
- ///\r
- /// AuditMode variable RW\r
- ///\r
- BOOLEAN IsAuditModeRO;\r
- ///\r
- /// DeployedMode variable value\r
- ///\r
- UINT8 DeployedMode;\r
- ///\r
- /// AuditMode variable RW\r
- ///\r
- BOOLEAN IsDeployedModeRO;\r
- ///\r
- /// SetupMode variable value\r
- ///\r
- UINT8 SetupMode;\r
- /// \r
- /// SetupMode is always RO. Skip IsSetupModeRO; \r
- ///\r
-\r
- ///\r
- /// SecureBoot variable value\r
- ///\r
- UINT8 SecureBoot;\r
-} SECURE_BOOT_MODE;\r
-\r
extern UINT8 *mPubKeyStore;\r
extern UINT32 mPubKeyNumber;\r
extern UINT32 mMaxKeyNumber;\r
\r
extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn;\r
\r
-/**\r
- Initialize Secure Boot variables.\r
-\r
- @retval EFI_SUCCESS The initialization operation is successful.\r
- @retval EFI_OUT_OF_RESOURCES There is not enough resource.\r
-\r
-**/\r
-EFI_STATUS \r
-InitSecureBootVariables (\r
- VOID\r
- );\r
\r
/**\r
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set\r
\r
/**\r
Delete matching signer's certificates when deleting common authenticated\r
- variable by corresponding VariableName and VendorGuid from "certdb".\r
+ variable by corresponding VariableName and VendorGuid from "certdb" or \r
+ "certdbv" according to authenticated variable attributes.\r
\r
@param[in] VariableName Name of authenticated Variable.\r
@param[in] VendorGuid Vendor GUID of authenticated Variable.\r
+ @param[in] Attributes Attributes of authenticated variable.\r
\r
@retval EFI_INVALID_PARAMETER Any input parameter is invalid.\r
- @retval EFI_NOT_FOUND Fail to find "certdb" or matching certs.\r
+ @retval EFI_NOT_FOUND Fail to find "certdb"/"certdbv" or matching certs.\r
@retval EFI_OUT_OF_RESOURCES The operation is failed due to lack of resources.\r
@retval EFI_SUCCESS The operation is completed successfully.\r
\r
EFI_STATUS\r
DeleteCertsFromDb (\r
IN CHAR16 *VariableName,\r
- IN EFI_GUID *VendorGuid\r
+ IN EFI_GUID *VendorGuid,\r
+ IN UINT32 Attributes\r
);\r
\r
/**\r
IN OUT UINTN *NewDataSize\r
);\r
\r
-/**\r
- Process Secure Boot Mode variable.\r
-\r
- Caution: This function may receive untrusted input.\r
- This function may be invoked in SMM mode, and datasize and data are external input.\r
- This function will do basic validation, before parse the data.\r
- This function will parse the authentication carefully to avoid security issues, like\r
- buffer overflow, integer overflow.\r
- This function will check attribute carefully to avoid authentication bypass.\r
-\r
- @param[in] VariableName Name of Variable to be found.\r
- @param[in] VendorGuid Variable vendor GUID.\r
- @param[in] Data Data pointer.\r
- @param[in] DataSize Size of Data found. If size is less than the\r
- data, this value contains the required size.\r
- @param[in] Attributes Attribute value of the variable\r
-\r
- @return EFI_INVALID_PARAMETER Invalid parameter\r
- @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation\r
- check carried out by the firmware.\r
- @return EFI_WRITE_PROTECTED Variable is Read-Only.\r
- @return EFI_SUCCESS Variable passed validation successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-ProcessSecureBootModeVar (\r
- IN CHAR16 *VariableName,\r
- IN EFI_GUID *VendorGuid,\r
- IN VOID *Data,\r
- IN UINTN DataSize,\r
- IN UINT32 Attributes OPTIONAL\r
- );\r
-\r
/**\r
Process variable with platform key for verification.\r
\r
IN EFI_GUID *VendorGuid,\r
IN VOID *Data,\r
IN UINTN DataSize,\r
- IN UINT32 Attributes OPTIONAL\r
+ IN UINT32 Attributes\r
);\r
\r
/**\r