UINT32 mPubKeyNumber;\r
UINT8 mCertDbStore[MAX_CERTDB_SIZE];\r
UINT32 mPlatformMode;\r
+UINT8 mVendorKeyState;\r
+\r
EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};\r
//\r
// Public Exponent of RSA Key.\r
}\r
\r
//\r
- // Create "SetupMode" varable with BS+RT attribute set.\r
+ // Create "SetupMode" variable with BS+RT attribute set.\r
//\r
FindVariable (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
if (PkVariable.CurrPtr == NULL) {\r
}\r
\r
//\r
- // Create "SignatureSupport" varable with BS+RT attribute set.\r
+ // Create "SignatureSupport" variable with BS+RT attribute set.\r
//\r
FindVariable (EFI_SIGNATURE_SUPPORT_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
Status = UpdateVariable (\r
}\r
\r
//\r
- // Create "SecureBoot" varable with BS+RT attribute set.\r
+ // Create "SecureBoot" variable with BS+RT attribute set.\r
//\r
if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {\r
SecureBootMode = SECURE_BOOT_MODE_ENABLE;\r
}\r
} \r
\r
+ //\r
+ // Check "VendorKeysNv" variable's existence and create "VendorKeys" variable accordingly.\r
+ //\r
+ FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
+ if (Variable.CurrPtr != NULL) {\r
+ mVendorKeyState = *(GetVariableDataPtr (Variable.CurrPtr));\r
+ } else {\r
+ //\r
+ // "VendorKeysNv" not exist, initialize it in VENDOR_KEYS_VALID state.\r
+ //\r
+ mVendorKeyState = VENDOR_KEYS_VALID;\r
+ Status = UpdateVariable (\r
+ EFI_VENDOR_KEYS_NV_VARIABLE_NAME,\r
+ &gEfiVendorKeysNvGuid,\r
+ &mVendorKeyState,\r
+ sizeof (UINT8),\r
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,\r
+ 0,\r
+ 0,\r
+ &Variable,\r
+ NULL\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+ }\r
+\r
+ //\r
+ // Create "VendorKeys" variable with BS+RT attribute set.\r
+ //\r
+ FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
+ Status = UpdateVariable (\r
+ EFI_VENDOR_KEYS_VARIABLE_NAME,\r
+ &gEfiGlobalVariableGuid,\r
+ &mVendorKeyState,\r
+ sizeof (UINT8),\r
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
+ 0,\r
+ 0,\r
+ &Variable,\r
+ NULL\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
+ DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_VENDOR_KEYS_VARIABLE_NAME, mVendorKeyState));\r
+\r
return Status;\r
}\r
\r
return EFI_SUCCESS;\r
}\r
\r
+/**\r
+ Update "VendorKeys" variable to record the out of band secure boot key modification.\r
+\r
+ @return EFI_SUCCESS Variable is updated successfully.\r
+ @return Others Failed to update variable.\r
+ \r
+**/\r
+EFI_STATUS\r
+VendorKeyIsModified (\r
+ VOID\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ VARIABLE_POINTER_TRACK Variable;\r
+\r
+ if (mVendorKeyState == VENDOR_KEYS_MODIFIED) {\r
+ return EFI_SUCCESS;\r
+ }\r
+ mVendorKeyState = VENDOR_KEYS_MODIFIED;\r
+ \r
+ FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
+ Status = UpdateVariable (\r
+ EFI_VENDOR_KEYS_NV_VARIABLE_NAME,\r
+ &gEfiVendorKeysNvGuid,\r
+ &mVendorKeyState,\r
+ sizeof (UINT8),\r
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,\r
+ 0,\r
+ 0,\r
+ &Variable,\r
+ NULL\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
+ FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
+ return UpdateVariable (\r
+ EFI_VENDOR_KEYS_VARIABLE_NAME,\r
+ &gEfiGlobalVariableGuid,\r
+ &mVendorKeyState,\r
+ sizeof (UINT8),\r
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
+ 0,\r
+ 0,\r
+ &Variable,\r
+ NULL\r
+ );\r
+}\r
+\r
/**\r
Process variable with platform key for verification.\r
\r
Variable,\r
&((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp\r
);\r
+ if (EFI_ERROR(Status)) {\r
+ return Status;\r
+ }\r
+\r
+ if (mPlatformMode != SETUP_MODE) {\r
+ Status = VendorKeyIsModified ();\r
+ }\r
} else if (mPlatformMode == USER_MODE) {\r
//\r
// Verify against X509 Cert in PK database.\r
Variable,\r
&((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp\r
);\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
+ if (mPlatformMode != SETUP_MODE) {\r
+ Status = VendorKeyIsModified ();\r
+ }\r
}\r
\r
return Status;\r