\r
SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData = NULL;\r
\r
+/**\r
+ This code cleans up enrolled file by closing file & free related resources attached to\r
+ enrolled file\r
+\r
+ @param[in] FileSuffix The suffix of the input certificate file\r
+\r
+ @retval TRUE It's a DER-encoded certificate.\r
+ @retval FALSE It's NOT a DER-encoded certificate.\r
+\r
+**/\r
+\r
+VOID\r
+CloseEnrolledFile(\r
+ IN SECUREBOOT_FILE_CONTEXT *FileContext\r
+)\r
+{\r
+ if (FileContext->FHandle != NULL) {\r
+ CloseFile (FileContext->FHandle);\r
+ FileContext->FHandle = NULL;\r
+ }\r
+\r
+ if (FileContext->FileName != NULL){\r
+ FreePool(FileContext->FileName);\r
+ FileContext->FileName = NULL;\r
+ }\r
+ FileContext->FileType = UNKNOWN_FILE_TYPE;\r
+\r
+}\r
+\r
/**\r
This code checks if the FileSuffix is one of the possible DER-encoded certificate suffix.\r
\r
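Review bot: The header comment added above `CloseEnrolledFile` was copied from the DER-suffix check and does not describe this function. It documents a `FileSuffix` parameter and TRUE/FALSE return values, while the function is `VOID` and takes `FileContext`. I would replace the parameter line with `@param[in] FileContext  Enrolled file context whose handle and file name are released` and drop both `@retval` lines. The comment should also say that `FileType` is reset to `UNKNOWN_FILE_TYPE`, and that `FileContext` itself must be non-NULL because it is dereferenced without a check.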
return FALSE;\r
}\r
\r
+/**\r
+ This code checks if the file content complies with EFI_VARIABLE_AUTHENTICATION_2 format\r
+The function reads file content but won't open/close given FileHandle.\r
+\r
+ @param[in] FileHandle The FileHandle to be checked\r
+\r
+ @retval TRUE The content is EFI_VARIABLE_AUTHENTICATION_2 format.\r
+ @retval FALSE The content is NOT a EFI_VARIABLE_AUTHENTICATION_2 format.\r
+\r
+**/\r
+BOOLEAN\r
+IsAuthentication2Format (\r
+ IN EFI_FILE_HANDLE FileHandle\r
+)\r
+{\r
+ EFI_STATUS Status;\r
+ EFI_VARIABLE_AUTHENTICATION_2 *Auth2;\r
+ BOOLEAN IsAuth2Format;\r
+\r
+ IsAuth2Format = FALSE;\r
+\r
+ //\r
+ // Read the whole file content\r
+ //\r
+ Status = ReadFileContent(\r
+ FileHandle,\r
+ (VOID **) &mImageBase,\r
+ &mImageSize,\r
+ 0\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)mImageBase;\r
+ if (Auth2->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ if (CompareGuid(&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType)) {\r
+ IsAuth2Format = TRUE;\r
+ }\r
+\r
+ON_EXIT:\r
+ //\r
+ // Do not close File. simply check file content\r
+ //\r
+ if (mImageBase != NULL) {\r
+ FreePool (mImageBase);\r
+ mImageBase = NULL;\r
+ }\r
+\r
+ return IsAuth2Format;\r
+}\r
+\r
/**\r
Set Secure Boot option into variable space.\r
\r
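Review bot: `IsAuthentication2Format` casts `mImageBase` to `EFI_VARIABLE_AUTHENTICATION_2 *` and reads `AuthInfo.Hdr.wCertificateType` and `AuthInfo.CertType` without checking `mImageSize`. The file is whatever the user picked in the file browser, so a file shorter than the descriptor header makes these reads run past the allocated buffer. A guard right after the `ReadFileContent` error check would cover it: `if (mImageBase == NULL || mImageSize < sizeof (EFI_VARIABLE_AUTHENTICATION_2)) { goto ON_EXIT; }`. The same function frees `mImageBase` but leaves `mImageSize` holding the old length; since both are module globals, resetting `mImageSize = 0;` alongside `mImageBase = NULL;` would keep them consistent.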
FreePool(PkCert);\r
}\r
\r
- if (Private->FileContext->FHandle != NULL) {\r
- CloseFile (Private->FileContext->FHandle);\r
- Private->FileContext->FHandle = NULL;\r
- }\r
+ CloseEnrolledFile(Private->FileContext);\r
\r
return Status;\r
}\r
\r
ON_EXIT:\r
\r
- CloseFile (Private->FileContext->FHandle);\r
- Private->FileContext->FHandle = NULL;\r
-\r
- if (Private->FileContext->FileName != NULL){\r
- FreePool(Private->FileContext->FileName);\r
- Private->FileContext->FileName = NULL;\r
- }\r
+ CloseEnrolledFile(Private->FileContext);\r
\r
if (Private->SignatureGUID != NULL) {\r
FreePool (Private->SignatureGUID);\r
\r
ON_EXIT:\r
\r
- CloseFile (Private->FileContext->FHandle);\r
- if (Private->FileContext->FileName != NULL){\r
- FreePool(Private->FileContext->FileName);\r
- Private->FileContext->FileName = NULL;\r
- }\r
-\r
- Private->FileContext->FHandle = NULL;\r
+ CloseEnrolledFile(Private->FileContext);\r
\r
if (Private->SignatureGUID != NULL) {\r
FreePool (Private->SignatureGUID);\r
EFI_STATUS Status;\r
UINTN NameLength;\r
\r
- if ((Private->FileContext->FileName == NULL) || (Private->SignatureGUID == NULL)) {\r
+ if ((Private->FileContext->FHandle == NULL) || (Private->FileContext->FileName == NULL) || (Private->SignatureGUID == NULL)) {\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
} else if (CompareMem (FilePostFix, L".pbk",4) == 0) {\r
return EnrollRsa2048ToKek (Private);\r
} else {\r
+ //\r
+ // File type is wrong, simply close it\r
+ //\r
+ CloseEnrolledFile(Private->FileContext);\r
+\r
return EFI_INVALID_PARAMETER;\r
}\r
}\r
\r
ON_EXIT:\r
\r
- CloseFile (Private->FileContext->FHandle);\r
- if (Private->FileContext->FileName != NULL){\r
- FreePool(Private->FileContext->FileName);\r
- Private->FileContext->FileName = NULL;\r
- }\r
-\r
- Private->FileContext->FHandle = NULL;\r
+ CloseEnrolledFile(Private->FileContext);\r
\r
if (Private->SignatureGUID != NULL) {\r
FreePool (Private->SignatureGUID);\r
}\r
\r
ON_EXIT:\r
- CloseFile (Private->FileContext->FHandle);\r
- if (Private->FileContext->FileName != NULL){\r
- FreePool(Private->FileContext->FileName);\r
- Private->FileContext->FileName = NULL;\r
- }\r
\r
- Private->FileContext->FHandle = NULL;\r
+ CloseEnrolledFile(Private->FileContext);\r
\r
if (Private->SignatureGUID != NULL) {\r
FreePool (Private->SignatureGUID);\r
return EFI_SUCCESS;\r
}\r
\r
+/**\r
+ Enroll a new executable's signature into Signature Database.\r
+\r
+ @param[in] PrivateData The module's private data.\r
+ @param[in] VariableName Variable name of signature database, must be\r
+ EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURITY_DATABASE1\r
+ or EFI_IMAGE_SECURITY_DATABASE2.\r
+\r
+ @retval EFI_SUCCESS New signature is enrolled successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_UNSUPPORTED Unsupported command.\r
+ @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.\r
+\r
+**/\r
+EFI_STATUS\r
+EnrollAuthentication2Descriptor (\r
+ IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,\r
+ IN CHAR16 *VariableName\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ VOID *Data;\r
+ UINTN DataSize;\r
+ UINT32 Attr;\r
+\r
+ Data = NULL;\r
+\r
+ //\r
+ // DBT only support DER-X509 Cert Enrollment\r
+ //\r
+ if (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0) {\r
+ return EFI_UNSUPPORTED;\r
+ }\r
+\r
+ //\r
+ // Read the whole file content\r
+ //\r
+ Status = ReadFileContent(\r
+ Private->FileContext->FHandle,\r
+ (VOID **) &mImageBase,\r
+ &mImageSize,\r
+ 0\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ goto ON_EXIT;\r
+ }\r
+ ASSERT (mImageBase != NULL);\r
+\r
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS\r
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;\r
+\r
+ //\r
+ // Check if SigDB variable has been already existed.\r
+ // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the\r
+ // new signature data to original variable\r
+ //\r
+ DataSize = 0;\r
+ Status = gRT->GetVariable(\r
+ VariableName,\r
+ &gEfiImageSecurityDatabaseGuid,\r
+ NULL,\r
+ &DataSize,\r
+ NULL\r
+ );\r
+ if (Status == EFI_BUFFER_TOO_SMALL) {\r
+ Attr |= EFI_VARIABLE_APPEND_WRITE;\r
+ } else if (Status != EFI_NOT_FOUND) {\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ //\r
+ // Diretly set AUTHENTICATION_2 data to SetVariable\r
+ //\r
+ Status = gRT->SetVariable(\r
+ VariableName,\r
+ &gEfiImageSecurityDatabaseGuid,\r
+ Attr,\r
+ mImageSize,\r
+ mImageBase\r
+ );\r
+\r
+ DEBUG((DEBUG_INFO, "Enroll AUTH_2 data to Var:%s Status: %x\n", VariableName, Status));\r
+\r
+ON_EXIT:\r
+\r
+ CloseEnrolledFile(Private->FileContext);\r
+\r
+ if (Data != NULL) {\r
+ FreePool (Data);\r
+ }\r
+\r
+ if (mImageBase != NULL) {\r
+ FreePool (mImageBase);\r
+ mImageBase = NULL;\r
+ }\r
+\r
+ return Status;\r
+\r
+}\r
+\r
+\r
/**\r
Enroll a new executable's signature into Signature Database.\r
\r
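Review bot: The `return EFI_UNSUPPORTED;` for `EFI_IMAGE_SECURITY_DATABASE2` in `EnrollAuthentication2Descriptor` skips `ON_EXIT`, so it is the only exit from this function that does not call `CloseEnrolledFile`. That leaves the handle and file name in `Private->FileContext` live after a rejected enrollment. Routing it through the common exit keeps the paths uniform: `Status = EFI_UNSUPPORTED;` followed by `goto ON_EXIT;`. `Data` is only ever set to NULL, so its declaration and the `FreePool (Data)` block are dead code and can go. The header comment still describes enrolling an executable's signature and lists `EFI_IMAGE_SECURITY_DATABASE2` as an accepted name, which the code rejects.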
\r
ON_EXIT:\r
\r
- CloseFile (Private->FileContext->FHandle);\r
- Private->FileContext->FHandle = NULL;\r
-\r
- if (Private->FileContext->FileName != NULL){\r
- FreePool(Private->FileContext->FileName);\r
- Private->FileContext->FileName = NULL;\r
- }\r
+ CloseEnrolledFile(Private->FileContext);\r
\r
if (Private->SignatureGUID != NULL) {\r
FreePool (Private->SignatureGUID);\r
// Supports DER-encoded X509 certificate.\r
//\r
return EnrollX509toSigDB (Private, VariableName);\r
+ } else if (IsAuthentication2Format(Private->FileContext->FHandle)){\r
+ return EnrollAuthentication2Descriptor(Private, VariableName);\r
+ } else {\r
+ return EnrollImageSignatureToSigDB (Private, VariableName);\r
}\r
-\r
- return EnrollImageSignatureToSigDB (Private, VariableName);\r
}\r
\r
/**\r
/**\r
This function extracts configuration from variable.\r
\r
+ @param[in] Private Point to SecureBoot configuration driver private data.\r
@param[in, out] ConfigData Point to SecureBoot configuration private data.\r
\r
**/\r
VOID\r
SecureBootExtractConfigFromVariable (\r
+ IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,\r
IN OUT SECUREBOOT_CONFIGURATION *ConfigData\r
)\r
{\r
ConfigData->RevocationTime.Hour = CurrTime.Hour;\r
ConfigData->RevocationTime.Minute = CurrTime.Minute;\r
ConfigData->RevocationTime.Second = 0;\r
-\r
+ if (Private->FileContext->FHandle != NULL) {\r
+ ConfigData->FileEnrollType = Private->FileContext->FileType;\r
+ } else {\r
+ ConfigData->FileEnrollType = UNKNOWN_FILE_TYPE;\r
+ }\r
\r
//\r
// If it is Physical Presence User, set the PhysicalPresent to true.\r
return EFI_NOT_FOUND;\r
}\r
\r
+ ZeroMem(&Configuration, sizeof(SECUREBOOT_CONFIGURATION));\r
+\r
//\r
// Get Configuration from Variable.\r
//\r
- SecureBootExtractConfigFromVariable (&Configuration);\r
+ SecureBootExtractConfigFromVariable (PrivateData, &Configuration);\r
\r
BufferSize = sizeof (SECUREBOOT_CONFIGURATION);\r
ConfigRequest = Request;\r
OUT EFI_STRING *Progress\r
)\r
{\r
- SECUREBOOT_CONFIGURATION IfrNvData;\r
- UINTN BufferSize;\r
- EFI_STATUS Status;\r
+ SECUREBOOT_CONFIGURATION IfrNvData;\r
+ UINTN BufferSize;\r
+ SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;\r
+ EFI_STATUS Status;\r
\r
if (Configuration == NULL || Progress == NULL) {\r
return EFI_INVALID_PARAMETER;\r
return EFI_NOT_FOUND;\r
}\r
\r
+ PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);\r
+\r
//\r
// Get Configuration from Variable.\r
//\r
- SecureBootExtractConfigFromVariable (&IfrNvData);\r
+ SecureBootExtractConfigFromVariable (PrivateData, &IfrNvData);\r
\r
//\r
// Map the Configuration to the configuration block.\r
UINT8 *SetupMode;\r
CHAR16 PromptString[100];\r
EFI_DEVICE_PATH_PROTOCOL *File;\r
+ UINTN NameLength;\r
+ UINT16 *FilePostFix;\r
+ SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;\r
\r
Status = EFI_SUCCESS;\r
SecureBootEnable = NULL;\r
// Update secure boot strings when opening this form\r
//\r
Status = UpdateSecureBootString(Private);\r
- SecureBootExtractConfigFromVariable (IfrNvData);\r
+ SecureBootExtractConfigFromVariable (Private, IfrNvData);\r
mIsEnterSecureBootForm = TRUE;\r
+ } else {\r
+ //\r
+ // When entering SecureBoot OPTION Form\r
+ // always close opened file & free resource\r
+ //\r
+ if ((QuestionId == KEY_SECURE_BOOT_PK_OPTION) ||\r
+ (QuestionId == KEY_SECURE_BOOT_KEK_OPTION) ||\r
+ (QuestionId == KEY_SECURE_BOOT_DB_OPTION) ||\r
+ (QuestionId == KEY_SECURE_BOOT_DBX_OPTION) ||\r
+ (QuestionId == KEY_SECURE_BOOT_DBT_OPTION)) {\r
+ CloseEnrolledFile(Private->FileContext);\r
+ }\r
}\r
goto EXIT;\r
}\r
case KEY_SECURE_BOOT_DB_OPTION:\r
case KEY_SECURE_BOOT_DBX_OPTION:\r
case KEY_SECURE_BOOT_DBT_OPTION:\r
+ PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);\r
//\r
// Clear Signature GUID.\r
//\r
}\r
}\r
\r
+ //\r
+ // Cleanup VFRData once leaving PK/KEK/DB/DBX/DBT enroll/delete page\r
+ //\r
+ SecureBootExtractConfigFromVariable (PrivateData, IfrNvData);\r
+\r
if (QuestionId == KEY_SECURE_BOOT_DB_OPTION) {\r
LabelId = SECUREBOOT_ENROLL_SIGNATURE_TO_DB;\r
} else if (QuestionId == KEY_SECURE_BOOT_DBX_OPTION) {\r
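Review bot: `PrivateData` looks redundant in this callback as a matter of style. Other added lines in the same function already use `Private` for the same purpose, for example `SecureBootExtractConfigFromVariable (Private, IfrNvData);` and `CloseEnrolledFile(Private->FileContext);`. Assuming `Private` is derived from `This` at the top of the function (outside the visible hunks), this call can be written `SecureBootExtractConfigFromVariable (Private, IfrNvData);`. The `PrivateData` local and its assignment under the `KEY_SECURE_BOOT_DB_OPTION` case labels can then be dropped, which also avoids a variable that is only initialised on some switch paths.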
\r
case SECUREBOOT_ENROLL_SIGNATURE_TO_DBX:\r
ChooseFile (NULL, NULL, UpdateDBXFromFile, &File);\r
+\r
+ if (Private->FileContext->FHandle != NULL) {\r
+ //\r
+ // Parse the file's postfix.\r
+ //\r
+ NameLength = StrLen (Private->FileContext->FileName);\r
+ if (NameLength <= 4) {\r
+ return FALSE;\r
+ }\r
+ FilePostFix = Private->FileContext->FileName + NameLength - 4;\r
+\r
+ if (IsDerEncodeCertificate (FilePostFix)) {\r
+ //\r
+ // Supports DER-encoded X509 certificate.\r
+ //\r
+ IfrNvData->FileEnrollType = X509_CERT_FILE_TYPE;\r
+ } else if (IsAuthentication2Format(Private->FileContext->FHandle)){\r
+ IfrNvData->FileEnrollType = AUTHENTICATION_2_FILE_TYPE;\r
+ } else {\r
+ IfrNvData->FileEnrollType = PE_IMAGE_FILE_TYPE;\r
+ }\r
+ Private->FileContext->FileType = IfrNvData->FileEnrollType;\r
+\r
+ //\r
+ // Clean up Certificate Format if File type is not X509 DER\r
+ //\r
+ if (IfrNvData->FileEnrollType != X509_CERT_FILE_TYPE) {\r
+ IfrNvData->CertificateFormat = HASHALG_RAW;\r
+ }\r
+ DEBUG((DEBUG_ERROR, "IfrNvData->FileEnrollType %d\n", Private->FileContext->FileType));\r
+ }\r
+\r
break;\r
\r
case SECUREBOOT_ENROLL_SIGNATURE_TO_DBT:\r
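Review bot: The `return FALSE;` in the `NameLength <= 4` branch leaves the callback directly with a BOOLEAN value. The enclosing function's signature is outside this hunk, but it tracks an `EFI_STATUS Status` and exits through `goto EXIT` elsewhere, so `FALSE` would be reported as success and any cleanup done at `EXIT` is skipped. The file opened by `ChooseFile` also stays open with `FileType` unset. I would replace it with `Status = EFI_INVALID_PARAMETER;` and `goto EXIT;`, preceded by `CloseEnrolledFile (Private->FileContext);` if a short name is meant to reject the file. Separately, the `DEBUG` line that prints the file type is informational and would fit `DEBUG_INFO` better than `DEBUG_ERROR`.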
L"Enrollment failed! Same certificate had already been in the dbx!",\r
NULL\r
);\r
- break;\r
+\r
+ //\r
+ // Cert already exists in DBX. Close opened file before exit.\r
+ //\r
+ CloseEnrolledFile(Private->FileContext);\r
+ break;\r
}\r
\r
if ((IfrNvData != NULL) && (IfrNvData->CertificateFormat < HASHALG_MAX)) {\r
&IfrNvData->RevocationTime,\r
IfrNvData->AlwaysRevocation\r
);\r
+ IfrNvData->CertificateFormat = HASHALG_RAW;\r
} else {\r
Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE1);\r
}\r
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,\r
&Key,\r
L"ERROR: Unsupported file type!",\r
- L"Only supports DER-encoded X509 certificate and executable EFI image",\r
+ L"Only supports DER-encoded X509 certificate, AUTH_2 format data & executable EFI image",\r
NULL\r
);\r
}\r
case KEY_VALUE_NO_SAVE_AND_EXIT_DB:\r
case KEY_VALUE_NO_SAVE_AND_EXIT_DBX:\r
case KEY_VALUE_NO_SAVE_AND_EXIT_DBT:\r
- if (Private->FileContext->FHandle != NULL) {\r
- CloseFile (Private->FileContext->FHandle);\r
- Private->FileContext->FHandle = NULL;\r
- if (Private->FileContext->FileName!= NULL){\r
- FreePool(Private->FileContext->FileName);\r
- Private->FileContext->FileName = NULL;\r
- }\r
- }\r
+ CloseEnrolledFile(Private->FileContext);\r
\r
if (Private->SignatureGUID != NULL) {\r
FreePool (Private->SignatureGUID);\r
\r
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;\r
break;\r
-\r
case KEY_SECURE_BOOT_DELETE_PK:\r
GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);\r
if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {\r