The internal header file includes the common header files, defines\r
internal structure and functions used by AuthService module.\r
\r
-Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution. The full text of the license may be found at\r
/// "AuthVarKeyDatabase" variable for the Public Key store.\r
///\r
#define AUTHVAR_KEYDB_NAME L"AuthVarKeyDatabase"\r
-#define AUTHVAR_KEYDB_NAME_SIZE 38\r
\r
///\r
/// Max size of public key database, restricted by max individal EFI varible size, exclude variable header and name size.\r
///\r
-#define MAX_KEYDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - AUTHVAR_KEYDB_NAME_SIZE)\r
+#define MAX_KEYDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - sizeof (AUTHVAR_KEYDB_NAME))\r
#define MAX_KEY_NUM (MAX_KEYDB_SIZE / EFI_CERT_TYPE_RSA2048_SIZE)\r
\r
+///\r
+/// "certdb" variable stores the signer's certificates for non PK/KEK/DB/DBX\r
+/// variables with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.\r
+/// \r
+///\r
+#define EFI_CERT_DB_NAME L"certdb"\r
+#define MAX_CERTDB_SIZE (FixedPcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - sizeof (EFI_CERT_DB_NAME))\r
+\r
///\r
/// Struct to record signature requirement defined by UEFI spec.\r
/// For SigHeaderSize and SigDataSize, ((UINT32) ~0) means NO exact length requirement for this field.\r
UINT32 SigDataSize;\r
} EFI_SIGNATURE_ITEM;\r
\r
+typedef enum {\r
+ AuthVarTypePk,\r
+ AuthVarTypeKek,\r
+ AuthVarTypePriv,\r
+ AuthVarTypePayload\r
+} AUTHVAR_TYPE;\r
+\r
+#pragma pack(1)\r
+typedef struct {\r
+ EFI_GUID VendorGuid;\r
+ UINT32 CertNodeSize;\r
+ UINT32 NameSize;\r
+ UINT32 CertDataSize;\r
+ /// CHAR16 VariableName[NameSize];\r
+ /// UINT8 CertData[CertDataSize];\r
+} AUTH_CERT_DB_DATA;\r
+#pragma pack()\r
+\r
/**\r
Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set.\r
\r
+ Caution: This function may receive untrusted input.\r
+ This function may be invoked in SMM mode, and datasize and data are external input.\r
+ This function will do basic validation, before parse the data.\r
+ This function will parse the authentication carefully to avoid security issues, like\r
+ buffer overflow, integer overflow.\r
+ This function will check attribute carefully to avoid authentication bypass.\r
+\r
@param[in] VariableName Name of Variable to be found.\r
@param[in] VendorGuid Variable vendor GUID.\r
\r
/**\r
Process variable with platform key for verification.\r
\r
+ Caution: This function may receive untrusted input.\r
+ This function may be invoked in SMM mode, and datasize and data are external input.\r
+ This function will do basic validation, before parse the data.\r
+ This function will parse the authentication carefully to avoid security issues, like\r
+ buffer overflow, integer overflow.\r
+ This function will check attribute carefully to avoid authentication bypass.\r
+\r
@param[in] VariableName Name of Variable to be found.\r
@param[in] VendorGuid Variable vendor GUID.\r
@param[in] Data Data pointer.\r
/**\r
Process variable with key exchange key for verification.\r
\r
+ Caution: This function may receive untrusted input.\r
+ This function may be invoked in SMM mode, and datasize and data are external input.\r
+ This function will do basic validation, before parse the data.\r
+ This function will parse the authentication carefully to avoid security issues, like\r
+ buffer overflow, integer overflow.\r
+ This function will check attribute carefully to avoid authentication bypass.\r
+\r
@param[in] VariableName Name of Variable to be found.\r
@param[in] VendorGuid Variable vendor GUID.\r
@param[in] Data Data pointer.\r
/**\r
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set\r
\r
+ Caution: This function may receive untrusted input.\r
+ This function may be invoked in SMM mode, and datasize and data are external input.\r
+ This function will do basic validation, before parse the data.\r
+ This function will parse the authentication carefully to avoid security issues, like\r
+ buffer overflow, integer overflow.\r
+\r
@param[in] VariableName Name of Variable to be found.\r
@param[in] VendorGuid Variable vendor GUID.\r
@param[in] Data Data pointer.\r
data, this value contains the required size.\r
@param[in] Variable The variable information which is used to keep track of variable usage.\r
@param[in] Attributes Attribute value of the variable.\r
- @param[in] Pk Verify against PK or KEK database.\r
+ @param[in] AuthVarType Verify against PK or KEK database or private database.\r
@param[out] VarDel Delete the variable or not.\r
\r
@retval EFI_INVALID_PARAMETER Invalid parameter.\r
IN UINTN DataSize,\r
IN VARIABLE_POINTER_TRACK *Variable,\r
IN UINT32 Attributes,\r
- IN BOOLEAN Pk,\r
+ IN AUTHVAR_TYPE AuthVarType,\r
OUT BOOLEAN *VarDel\r
);\r
\r