X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=blobdiff_plain;f=SecurityPkg%2FLibrary%2FAuthVariableLib%2FAuthServiceInternal.h;h=ec4b3d97f59f0141e2ef1d04d53fb8f27741386d;hp=add05c21cce4fe424d9765fb2dc7ffc7fe471a94;hb=4fc08e8d683522f255727626197d919a40d4836c;hpb=af9af05bec5b1880f8e4f9142ecc0044fd0acb33
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
index add05c21cc..ec4b3d97f5 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
+++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
@@ -117,6 +117,54 @@ typedef struct {
 } AUTH_CERT_DB_DATA;
 #pragma pack()
+///
+/// "SecureBootMode" variable stores current secure boot mode.
+/// The value type is SECURE_BOOT_MODE_TYPE.
+///
+#define EDKII_SECURE_BOOT_MODE_NAME L"SecureBootMode"
+
+typedef enum {
+ SecureBootModeTypeUserMode,
+ SecureBootModeTypeSetupMode,
+ SecureBootModeTypeAuditMode,
+ SecureBootModeTypeDeployedMode,
+ SecureBootModeTypeMax
+} SECURE_BOOT_MODE_TYPE;
+
+//
+// Record status info of Customized Secure Boot Mode.
+//
+typedef struct {
+ ///
+ /// AuditMode variable value
+ ///
+ UINT8 AuditMode;
+ ///
+ /// AuditMode variable RW
+ ///
+ BOOLEAN IsAuditModeRO;
+ ///
+ /// DeployedMode variable value
+ ///
+ UINT8 DeployedMode;
+ ///
+ /// AuditMode variable RW
+ ///
+ BOOLEAN IsDeployedModeRO;
+ ///
+ /// SetupMode variable value
+ ///
+ UINT8 SetupMode;
+ ///
+ /// SetupMode is always RO. Skip IsSetupModeRO;
+ ///
+
+ ///
+ /// SecureBoot variable value
+ ///
+ UINT8 SecureBoot;
+} SECURE_BOOT_MODE;
+
 extern UINT8 *mPubKeyStore;
 extern UINT32 mPubKeyNumber;
 extern UINT32 mMaxKeyNumber;
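Review bot: The comment on `IsDeployedModeRO` reads "AuditMode variable RW", copied from the field above it, and both flag comments say "RW" while the fields are named `...RO`, so the polarity of the write-protection flags in `SECURE_BOOT_MODE` is left to the reader. These flags presumably decide whether AuditMode and DeployedMode may be written in a given mode, so spell it out, e.g. `/// TRUE if the DeployedMode variable is read-only in this mode`, with the matching line for `IsAuditModeRO`. Separately, the `EDKII_SECURE_BOOT_MODE_NAME` comment says the stored value is a `SECURE_BOOT_MODE_TYPE`. The code that reads it back is not in this hunk, but it should check the stored size and that the value is below `SecureBootModeTypeMax` before using it to select a mode.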
@@ -130,6 +178,18 @@ extern VOID *mHashCtx;
 extern AUTH_VAR_LIB_CONTEXT_IN *mAuthVarLibContextIn;
+/**
+ Initialize Secure Boot variables.
+
+ @retval EFI_SUCCESS The initialization operation is successful.
+ @retval EFI_OUT_OF_RESOURCES There is not enough resource.
+
+**/
+EFI_STATUS
+InitSecureBootVariables (
+ VOID
+ );
+
 /**
 Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
@@ -219,6 +279,39 @@ FilterSignatureList (
 IN OUT UINTN *NewDataSize
 );
+/**
+ Process Secure Boot Mode variable.
+
+ Caution: This function may receive untrusted input.
+ This function may be invoked in SMM mode, and datasize and data are external input.
+ This function will do basic validation, before parse the data.
+ This function will parse the authentication carefully to avoid security issues, like
+ buffer overflow, integer overflow.
+ This function will check attribute carefully to avoid authentication bypass.
+
+ @param[in] VariableName Name of Variable to be found.
+ @param[in] VendorGuid Variable vendor GUID.
+ @param[in] Data Data pointer.
+ @param[in] DataSize Size of Data found. If size is less than the
+ data, this value contains the required size.
+ @param[in] Attributes Attribute value of the variable
+
+ @return EFI_INVALID_PARAMETER Invalid parameter
+ @return EFI_SECURITY_VIOLATION The variable does NOT pass the validation
+ check carried out by the firmware.
+ @return EFI_WRITE_PROTECTED Variable is Read-Only.
+ @return EFI_SUCCESS Variable passed validation successfully.
+
+**/
+EFI_STATUS
+ProcessSecureBootModeVar (
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ IN VOID *Data,
+ IN UINTN DataSize,
+ IN UINT32 Attributes OPTIONAL
+ );
+
 /**
 Process variable with platform key for verification.
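Review bot: The header comment for `InitSecureBootVariables` lists only `EFI_SUCCESS` and `EFI_OUT_OF_RESOURCES`, and does not say which variables are initialized or what state they are left in when the call fails. The implementation is not part of this hunk; if it can propagate other statuses from the variable services, document them, for example `@retval Others  A Secure Boot variable could not be read, created or updated.` A sentence on what the caller is expected to do with a failure would also help, since this routine sets up the Secure Boot mode state that later checks rely on.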
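Review bot: The `DataSize` description in the `ProcessSecureBootModeVar` comment ("If size is less than the data, this value contains the required size") describes the output of a get-variable call, but here `DataSize` is an `IN UINTN` passed by value, and the same comment names Data and DataSize as external input. Document it as the length to be validated, e.g. `@param[in] DataSize  Size in bytes of the buffer pointed to by Data.`, and state which status is returned when the size does not match what the named variable expects. `Attributes` is marked `OPTIONAL` although it is passed by value and the comment relies on it being checked to avoid authentication bypass; either drop `OPTIONAL` or document what an Attributes value of 0 means. The block also uses `@return` where the `InitSecureBootVariables` comment in this patch uses `@retval`.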