///\r
/// Global database array for scratch\r
///\r
-UINT8 *mPubKeyStore;\r
-UINT32 mPubKeyNumber;\r
-UINT32 mMaxKeyNumber;\r
-UINT32 mMaxKeyDbSize;\r
UINT8 *mCertDbStore;\r
UINT32 mMaxCertDbSize;\r
+UINT32 mPlatformMode;\r
UINT8 mVendorKeyState;\r
\r
EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};\r
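Review bot: `mPlatformMode` is declared `UINT32` here, but the initialisation code later in this patch passes `&mPlatformMode` with `sizeof(UINT8)` when it writes the SetupMode variable, so only the first byte in memory of a 32-bit object is stored. That yields the intended value on a little-endian target only, and it hides the fact that SetupMode is a one-byte variable. If no other file depends on the wider type (not visible here), declare it as `UINT8 mPlatformMode;`, or copy the value into a `UINT8` local before the update call.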
sizeof (UINT8)\r
}\r
},\r
- {\r
- &gEfiAuthenticatedVariableGuid,\r
- AUTHVAR_KEYDB_NAME,\r
- {\r
- VAR_CHECK_VARIABLE_PROPERTY_REVISION,\r
- VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,\r
- VARIABLE_ATTRIBUTE_NV_BS_RT_AW,\r
- sizeof (UINT8),\r
- MAX_UINTN\r
- }\r
- },\r
{\r
&gEfiCertDbGuid,\r
EFI_CERT_DB_NAME,\r
MAX_UINTN\r
}\r
},\r
- {\r
- &gEdkiiSecureBootModeGuid,\r
- L"SecureBootMode",\r
- {\r
- VAR_CHECK_VARIABLE_PROPERTY_REVISION,\r
- VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY,\r
- VARIABLE_ATTRIBUTE_NV_BS_RT,\r
- sizeof (UINT8),\r
- sizeof (UINT8)\r
- }\r
- }\r
};\r
\r
-VOID **mAuthVarAddressPointer[10];\r
+VOID **mAuthVarAddressPointer[9];\r
\r
AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn = NULL;\r
\r
)\r
{\r
EFI_STATUS Status;\r
- UINT8 VarValue;\r
UINT32 VarAttr;\r
UINT8 *Data;\r
UINTN DataSize;\r
UINTN CtxSize;\r
+ UINT8 SecureBootMode;\r
+ UINT8 SecureBootEnable;\r
UINT8 CustomMode;\r
UINT32 ListSize;\r
\r
return EFI_OUT_OF_RESOURCES;\r
}\r
\r
- //\r
- // Reserve runtime buffer for public key database. The size excludes variable header and name size.\r
- //\r
- mMaxKeyDbSize = (UINT32) (mAuthVarLibContextIn->MaxAuthVariableSize - sizeof (AUTHVAR_KEYDB_NAME));\r
- mMaxKeyNumber = mMaxKeyDbSize / sizeof (AUTHVAR_KEY_DB_DATA);\r
- mPubKeyStore = AllocateRuntimePool (mMaxKeyDbSize);\r
- if (mPubKeyStore == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
//\r
// Reserve runtime buffer for certificate database. The size excludes variable header and name size.\r
// Use EFI_CERT_DB_VOLATILE_NAME size since it is longer.\r
return EFI_OUT_OF_RESOURCES;\r
}\r
\r
- //\r
- // Check "AuthVarKeyDatabase" variable's existence.\r
- // If it doesn't exist, create a new one with initial value of 0 and EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.\r
- //\r
- Status = AuthServiceInternalFindVariable (\r
- AUTHVAR_KEYDB_NAME,\r
- &gEfiAuthenticatedVariableGuid,\r
- (VOID **) &Data,\r
- &DataSize\r
- );\r
+ Status = AuthServiceInternalFindVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize);\r
if (EFI_ERROR (Status)) {\r
- VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;\r
- VarValue = 0;\r
- mPubKeyNumber = 0;\r
- Status = AuthServiceInternalUpdateVariable (\r
- AUTHVAR_KEYDB_NAME,\r
- &gEfiAuthenticatedVariableGuid,\r
- &VarValue,\r
- sizeof(UINT8),\r
- VarAttr\r
- );\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
+ DEBUG ((EFI_D_INFO, "Variable %s does not exist.\n", EFI_PLATFORM_KEY_NAME));\r
} else {\r
- //\r
- // Load database in global variable for cache.\r
- //\r
- ASSERT ((DataSize != 0) && (Data != NULL));\r
- //\r
- // "AuthVarKeyDatabase" is an internal variable. Its DataSize is always ensured not to exceed mPubKeyStore buffer size(See definition before)\r
- // Therefore, there is no memory overflow in underlying CopyMem.\r
- //\r
- CopyMem (mPubKeyStore, (UINT8 *) Data, DataSize);\r
- mPubKeyNumber = (UINT32) (DataSize / sizeof (AUTHVAR_KEY_DB_DATA));\r
+ DEBUG ((EFI_D_INFO, "Variable %s exists.\n", EFI_PLATFORM_KEY_NAME));\r
}\r
\r
//\r
- // Init Secure Boot variables\r
+ // Create "SetupMode" variable with BS+RT attribute set.\r
//\r
- Status = InitSecureBootVariables ();\r
-\r
+ if (EFI_ERROR (Status)) {\r
+ mPlatformMode = SETUP_MODE;\r
+ } else {\r
+ mPlatformMode = USER_MODE;\r
+ }\r
+ Status = AuthServiceInternalUpdateVariable (\r
+ EFI_SETUP_MODE_NAME,\r
+ &gEfiGlobalVariableGuid,\r
+ &mPlatformMode,\r
+ sizeof(UINT8),\r
+ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
\r
//\r
// Create "SignatureSupport" variable with BS+RT attribute set.\r
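Review bot: Every error from the PK lookup puts the platform into `SETUP_MODE`, because `if (EFI_ERROR (Status))` does not separate "PK absent" from a failed read. In setup mode the later code in this patch reports SecureBoot as disabled, so a storage or lookup fault would drop enforcement without any visible error. Which codes `AuthServiceInternalFindVariable` can return is not visible here; if it can return anything other than `EFI_NOT_FOUND`, select setup mode only for that code, `if (Status == EFI_NOT_FOUND) { mPlatformMode = SETUP_MODE; }`, and return the other errors to the caller. The "Create SetupMode" comment would also sit better directly above the `AuthServiceInternalUpdateVariable` call than above the mode selection. The enclosing function starts and ends outside this hunk.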
return Status;\r
}\r
\r
+ //\r
+ // If "SecureBootEnable" variable exists, then update "SecureBoot" variable.\r
+ // If "SecureBootEnable" variable is SECURE_BOOT_ENABLE and in USER_MODE, Set "SecureBoot" variable to SECURE_BOOT_MODE_ENABLE.\r
+ // If "SecureBootEnable" variable is SECURE_BOOT_DISABLE, Set "SecureBoot" variable to SECURE_BOOT_MODE_DISABLE.\r
+ //\r
+ SecureBootEnable = SECURE_BOOT_DISABLE;\r
+ Status = AuthServiceInternalFindVariable (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID **) &Data, &DataSize);\r
+ if (!EFI_ERROR (Status)) {\r
+ if (mPlatformMode == USER_MODE){\r
+ SecureBootEnable = *(UINT8 *) Data;\r
+ }\r
+ } else if (mPlatformMode == USER_MODE) {\r
+ //\r
+ // "SecureBootEnable" not exist, initialize it in USER_MODE.\r
+ //\r
+ SecureBootEnable = SECURE_BOOT_ENABLE;\r
+ Status = AuthServiceInternalUpdateVariable (\r
+ EFI_SECURE_BOOT_ENABLE_NAME,\r
+ &gEfiSecureBootEnableDisableGuid,\r
+ &SecureBootEnable,\r
+ sizeof (UINT8),\r
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+ }\r
+\r
+ //\r
+ // Create "SecureBoot" variable with BS+RT attribute set.\r
+ //\r
+ if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {\r
+ SecureBootMode = SECURE_BOOT_MODE_ENABLE;\r
+ } else {\r
+ SecureBootMode = SECURE_BOOT_MODE_DISABLE;\r
+ }\r
+ Status = AuthServiceInternalUpdateVariable (\r
+ EFI_SECURE_BOOT_MODE_NAME,\r
+ &gEfiGlobalVariableGuid,\r
+ &SecureBootMode,\r
+ sizeof (UINT8),\r
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
+ DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SETUP_MODE_NAME, mPlatformMode));\r
+ DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_MODE_NAME, SecureBootMode));\r
+ DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_SECURE_BOOT_ENABLE_NAME, SecureBootEnable));\r
+\r
//\r
// Initialize "CustomMode" in STANDARD_SECURE_BOOT_MODE state.\r
//\r
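Review bot: `SecureBootEnable = *(UINT8 *) Data;` dereferences the stored value without checking `DataSize` and accepts any byte. The variable is created below with `EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS` only, so its content is whatever boot-time code last wrote, and in user mode every value other than `SECURE_BOOT_ENABLE` yields `SECURE_BOOT_MODE_DISABLE`. I would add `DataSize == sizeof (UINT8)` to the read condition and handle a malformed or out-of-range value explicitly, preferably by keeping enforcement on in user mode rather than falling back to the `SECURE_BOOT_DISABLE` default. Whether a variable-check entry elsewhere constrains this variable is not visible in the hunk. The enclosing function starts and ends outside this hunk.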
AuthVarLibContextOut->StructVersion = AUTH_VAR_LIB_CONTEXT_OUT_STRUCT_VERSION;\r
AuthVarLibContextOut->StructSize = sizeof (AUTH_VAR_LIB_CONTEXT_OUT);\r
AuthVarLibContextOut->AuthVarEntry = mAuthVarEntry;\r
- AuthVarLibContextOut->AuthVarEntryCount = sizeof (mAuthVarEntry) / sizeof (mAuthVarEntry[0]);\r
- mAuthVarAddressPointer[0] = (VOID **) &mPubKeyStore;\r
- mAuthVarAddressPointer[1] = (VOID **) &mCertDbStore;\r
- mAuthVarAddressPointer[2] = (VOID **) &mHashCtx;\r
- mAuthVarAddressPointer[3] = (VOID **) &mAuthVarLibContextIn;\r
- mAuthVarAddressPointer[4] = (VOID **) &(mAuthVarLibContextIn->FindVariable),\r
- mAuthVarAddressPointer[5] = (VOID **) &(mAuthVarLibContextIn->FindNextVariable),\r
- mAuthVarAddressPointer[6] = (VOID **) &(mAuthVarLibContextIn->UpdateVariable),\r
- mAuthVarAddressPointer[7] = (VOID **) &(mAuthVarLibContextIn->GetScratchBuffer),\r
- mAuthVarAddressPointer[8] = (VOID **) &(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),\r
- mAuthVarAddressPointer[9] = (VOID **) &(mAuthVarLibContextIn->AtRuntime),\r
+ AuthVarLibContextOut->AuthVarEntryCount = ARRAY_SIZE (mAuthVarEntry);\r
+ mAuthVarAddressPointer[0] = (VOID **) &mCertDbStore;\r
+ mAuthVarAddressPointer[1] = (VOID **) &mHashCtx;\r
+ mAuthVarAddressPointer[2] = (VOID **) &mAuthVarLibContextIn;\r
+ mAuthVarAddressPointer[3] = (VOID **) &(mAuthVarLibContextIn->FindVariable),\r
+ mAuthVarAddressPointer[4] = (VOID **) &(mAuthVarLibContextIn->FindNextVariable),\r
+ mAuthVarAddressPointer[5] = (VOID **) &(mAuthVarLibContextIn->UpdateVariable),\r
+ mAuthVarAddressPointer[6] = (VOID **) &(mAuthVarLibContextIn->GetScratchBuffer),\r
+ mAuthVarAddressPointer[7] = (VOID **) &(mAuthVarLibContextIn->CheckRemainingSpaceForConsistency),\r
+ mAuthVarAddressPointer[8] = (VOID **) &(mAuthVarLibContextIn->AtRuntime),\r
AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;\r
- AuthVarLibContextOut->AddressPointerCount = sizeof (mAuthVarAddressPointer) / sizeof (mAuthVarAddressPointer[0]);\r
+ AuthVarLibContextOut->AddressPointerCount = ARRAY_SIZE (mAuthVarAddressPointer);\r
\r
return Status;\r
}\r
\r
/**\r
- Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.\r
+ Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.\r
\r
@param[in] VariableName Name of the variable.\r
@param[in] VendorGuid Variable vendor GUID.\r
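Review bot: The re-indexed assignments `mAuthVarAddressPointer[3]` through `[8]` still end in `,` instead of `;`, so together with the following `AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;` they form one comma expression. It compiles and behaves the same today, but a statement inserted in the middle can change meaning silently; since these lines are being rewritten anyway, terminate each with `;`. The hard-coded bound in `VOID **mAuthVarAddressPointer[9];` also has to be kept equal to the number of assignments here by hand, so a comment at the declaration such as `// Must match the number of entries filled in during initialisation` would help. The initialisation function starts outside this hunk.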
@retval EFI_INVALID_PARAMETER Invalid parameter.\r
@retval EFI_WRITE_PROTECTED Variable is write-protected.\r
@retval EFI_OUT_OF_RESOURCES There is not enough resource.\r
- @retval EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS\r
- or EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACESS\r
+ @retval EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACESS\r
set, but the AuthInfo does NOT pass the validation\r
check carried out by the firmware.\r
@retval EFI_UNSUPPORTED Unsupported to process authenticated variable.\r
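Review bot: The rewritten `@retval EFI_SECURITY_VIOLATION` line still spells the attribute `EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACESS`, so a search for the real attribute name misses this comment. Use `EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS`, the spelling the summary line of the same header comment already has. The comment block starts and ends outside this hunk.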
{\r
EFI_STATUS Status;\r
\r
- //\r
- // Process PK, KEK, Sigdb, AuditMode, DeployedMode separately.\r
- //\r
if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){\r
Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, TRUE);\r
} else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) {\r
Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, Attributes, FALSE);\r
- } else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) \r
- && (StrCmp (VariableName, EFI_AUDIT_MODE_NAME) == 0 || StrCmp (VariableName, EFI_DEPLOYED_MODE_NAME) == 0)) {\r
- Status = ProcessSecureBootModeVar(VariableName, VendorGuid, Data, DataSize, Attributes);\r
} else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&\r
((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) ||\r
(StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||\r