SecurityPkg: AuthVariableLib: Customized SecureBoot Mode transition.

[mirror_edk2.git] / SecurityPkg / Library / AuthVariableLib / AuthServiceInternal.h

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
index add05c21cce4fe424d9765fb2dc7ffc7fe471a94..ec4b3d97f59f0141e2ef1d04d53fb8f27741386d 100644 (file)
--- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
+++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
@@ -117,6 +117,54 @@ typedef struct {
 } AUTH_CERT_DB_DATA;\r
 #pragma pack()\r
 \r
 } AUTH_CERT_DB_DATA;\r
 #pragma pack()\r
 \r

+///\r
+/// "SecureBootMode" variable stores current secure boot mode.\r
+/// The value type is SECURE_BOOT_MODE_TYPE.\r
+///\r
+#define EDKII_SECURE_BOOT_MODE_NAME    L"SecureBootMode"\r
+\r
+typedef enum { \r
+  SecureBootModeTypeUserMode,\r
+  SecureBootModeTypeSetupMode,\r
+  SecureBootModeTypeAuditMode,\r
+  SecureBootModeTypeDeployedMode,\r
+  SecureBootModeTypeMax\r
+} SECURE_BOOT_MODE_TYPE;\r
+\r
+//\r
+// Record status info of Customized Secure Boot Mode.\r
+//\r
+typedef struct {\r
+  ///\r
+  /// AuditMode variable value\r
+  ///\r
+  UINT8   AuditMode;\r
+  ///\r
+  /// AuditMode variable RW\r
+  ///\r
+  BOOLEAN IsAuditModeRO;\r
+  ///\r
+  /// DeployedMode variable value\r
+  ///\r
+  UINT8   DeployedMode;\r
+  ///\r
+  /// AuditMode variable RW\r
+  ///\r
+  BOOLEAN IsDeployedModeRO;\r
+  ///\r
+  /// SetupMode variable value\r
+  ///\r
+  UINT8   SetupMode;\r
+  /// \r
+  /// SetupMode is always RO. Skip IsSetupModeRO;              \r
+  ///\r
+\r
+  ///\r
+  /// SecureBoot variable value\r
+  ///\r
+  UINT8   SecureBoot;\r
+} SECURE_BOOT_MODE;\r
+\r

 extern UINT8    *mPubKeyStore;\r
 extern UINT32   mPubKeyNumber;\r
 extern UINT32   mMaxKeyNumber;\r
 extern UINT8    *mPubKeyStore;\r
 extern UINT32   mPubKeyNumber;\r
 extern UINT32   mMaxKeyNumber;\r


@@ -130,6 +178,18 @@ extern VOID     *mHashCtx;
 \r
 extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn;\r
 \r
 \r
 extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn;\r
 \r

+/**\r
+  Initialize Secure Boot variables.\r
+\r
+  @retval EFI_SUCCESS               The initialization operation is successful.\r
+  @retval EFI_OUT_OF_RESOURCES      There is not enough resource.\r
+\r
+**/\r
+EFI_STATUS \r
+InitSecureBootVariables (\r
+  VOID\r
+  );\r
+\r

 /**\r
   Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set\r
 \r
 /**\r
   Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set\r
 \r


@@ -219,6 +279,39 @@ FilterSignatureList (
   IN OUT UINTN      *NewDataSize\r
   );\r
 \r
   IN OUT UINTN      *NewDataSize\r
   );\r
 \r

+/**\r
+  Process Secure Boot Mode variable.\r
+\r
+  Caution: This function may receive untrusted input.\r
+  This function may be invoked in SMM mode, and datasize and data are external input.\r
+  This function will do basic validation, before parse the data.\r
+  This function will parse the authentication carefully to avoid security issues, like\r
+  buffer overflow, integer overflow.\r
+  This function will check attribute carefully to avoid authentication bypass.\r
+\r
+  @param[in]  VariableName                Name of Variable to be found.\r
+  @param[in]  VendorGuid                  Variable vendor GUID.\r
+  @param[in]  Data                        Data pointer.\r
+  @param[in]  DataSize                    Size of Data found. If size is less than the\r
+                                          data, this value contains the required size.\r
+  @param[in]  Attributes                  Attribute value of the variable\r
+\r
+  @return EFI_INVALID_PARAMETER           Invalid parameter\r
+  @return EFI_SECURITY_VIOLATION          The variable does NOT pass the validation\r
+                                          check carried out by the firmware.\r
+  @return EFI_WRITE_PROTECTED             Variable is Read-Only.\r
+  @return EFI_SUCCESS                     Variable passed validation successfully.\r
+\r
+**/\r
+EFI_STATUS\r
+ProcessSecureBootModeVar (\r
+  IN  CHAR16         *VariableName,\r
+  IN  EFI_GUID       *VendorGuid,\r
+  IN  VOID           *Data,\r
+  IN  UINTN          DataSize,\r
+  IN  UINT32         Attributes OPTIONAL\r
+  );\r
+\r

 /**\r
   Process variable with platform key for verification.\r
 \r
 /**\r
   Process variable with platform key for verification.\r
 \r