X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=blobdiff_plain;f=SecurityPkg%2FVariableAuthenticated%2FSecureBootConfigDxe%2FSecureBootConfigImpl.c;fp=SecurityPkg%2FVariableAuthenticated%2FSecureBootConfigDxe%2FSecureBootConfigImpl.c;h=4299a6b5e56d39b7b68e301435695588c53290a8;hp=a13c349a0f89b1b54817cdcfa9875be7af9bf6fd;hb=5678ebb42b5137556b8d62dd8a3c5779d5a21a48;hpb=d2a0f379d5bde58861345280177a5c809a021e01 diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c index a13c349a0f..4299a6b5e5 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c @@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "SecureBootConfigImpl.h" #include #include +#include #include #include #include @@ -136,6 +137,51 @@ CloseEnrolledFile ( FileContext->FileType = UNKNOWN_FILE_TYPE; } +/** + Helper function to populate an EFI_TIME instance. + + @param[in] Time FileContext cached in SecureBootConfig driver + +**/ +STATIC +EFI_STATUS +GetCurrentTime ( + IN EFI_TIME *Time + ) +{ + EFI_STATUS Status; + VOID *TestPointer; + + if (Time == NULL) { + return EFI_INVALID_PARAMETER; + } + + Status = gBS->LocateProtocol (&gEfiRealTimeClockArchProtocolGuid, NULL, &TestPointer); + if (EFI_ERROR (Status)) { + return Status; + } + + ZeroMem (Time, sizeof (EFI_TIME)); + Status = gRT->GetTime (Time, NULL); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_ERROR, + "%a(), GetTime() failed, status = '%r'\n", + __FUNCTION__, + Status + )); + return Status; + } + + Time->Pad1 = 0; + Time->Nanosecond = 0; + Time->TimeZone = 0; + Time->Daylight = 0; + Time->Pad2 = 0; + + return EFI_SUCCESS; +} + /** This code checks if the FileSuffix is one of the possible DER-encoded certificate suffix. 
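Review bot: The header comment on the new GetCurrentTime helper describes its parameter as `FileContext cached in SecureBootConfig driver` and marks it `[in]` / `IN`, but the body zeroes and then fills `*Time`, so the parameter is an output. `@param[out] Time  Receives the current time with Pad1, Nanosecond, TimeZone, Daylight and Pad2 cleared` together with `OUT EFI_TIME *Time` would match what the code does. The comment also omits the return values: EFI_INVALID_PARAMETER for a NULL pointer, the LocateProtocol or GetTime status on failure, and EFI_SUCCESS otherwise. Two short why-comments would help. One above the LocateProtocol call should say that `TestPointer` is only a probe for the real-time-clock architectural protocol before `gRT->GetTime` is used. One above the field clearing should say that, as I read the UEFI specification, the timestamp in a time-based authentication descriptor must carry zero in those fields, which also means the value is taken as-is with no time-zone conversion.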
@@ -436,6 +482,7 @@ EnrollPlatformKey ( UINT32 Attr; UINTN DataSize; EFI_SIGNATURE_LIST *PkCert; + EFI_TIME Time; PkCert = NULL; @@ -463,7 +510,13 @@ EnrollPlatformKey ( Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; DataSize = PkCert->SignatureListSize; - Status = CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -522,6 +575,7 @@ EnrollRsa2048ToKek ( UINTN KekSigListSize; UINT8 *KeyBuffer; UINTN KeyLenInBytes; + EFI_TIME Time; Attr = 0; DataSize = 0; @@ -608,7 +662,13 @@ EnrollRsa2048ToKek ( // Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigList); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigList, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -689,6 +749,7 @@ EnrollX509ToKek ( UINTN DataSize; UINTN KekSigListSize; UINT32 Attr; + EFI_TIME Time; X509Data = NULL; X509DataSize = 0; 
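Review bot: The new error path in EnrollPlatformKey logs `"Fail to fetch valid time data: %r"` with no function name and no trailing newline. The identical message is added in EnrollRsa2048ToKek, EnrollX509ToKek, EnrollX509toSigDB, EnrollX509HashtoSigDB, EnrollImageSignatureToSigDB, DeleteKeyExchangeKey, DeleteSignature and DeleteSignatureEx, so a debug log cannot show which Secure Boot variable update was abandoned because no timestamp was available. GetCurrentTime's own message already uses the `%a()` / `__FUNCTION__` form, and the call sites could follow it: `DEBUG ((DEBUG_ERROR, "%a: Fail to fetch valid time data: %r\n", __FUNCTION__, Status));`. Each of these functions begins and ends outside its hunk, so whether `ON_EXIT` releases the buffers already allocated at the point of the new `goto` cannot be confirmed from here and is worth checking.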
@@ -735,7 +796,13 @@ EnrollX509ToKek ( // Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigList); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigList, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -861,6 +928,7 @@ EnrollX509toSigDB ( UINTN DataSize; UINTN SigDBSize; UINT32 Attr; + EFI_TIME Time; X509DataSize = 0; SigDBSize = 0; @@ -910,7 +978,13 @@ EnrollX509toSigDB ( // Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -1321,6 +1395,7 @@ EnrollX509HashtoSigDB ( UINT16 *FilePostFix; UINTN NameLength; EFI_TIME *Time; + EFI_TIME NewTime; X509DataSize = 0; DbSize = 0; @@ -1490,7 +1565,13 @@ EnrollX509HashtoSigDB ( DataSize = DbSize; } - Status = CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); + Status = GetCurrentTime (&NewTime); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data, &NewTime); if (EFI_ERROR (Status)) { goto ON_EXIT; } 
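Review bot: In EnrollX509HashtoSigDB the new local `EFI_TIME NewTime;` is declared directly under the existing `EFI_TIME *Time;`, and nothing tells the two apart. `NewTime` is the timestamp handed to CreateTimeBasedPayload, while the role of the `Time` pointer is not visible in these hunks. A more specific name such as `AuthTime`, or a trailing comment like `EFI_TIME NewTime;  // timestamp for the time-based authenticated payload`, would stop a later edit from passing the wrong one. The function body continues outside both hunks.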
@@ -2169,6 +2250,7 @@ EnrollImageSignatureToSigDB ( UINTN SigDBSize; UINT32 Attr; WIN_CERTIFICATE_UEFI_GUID *GuidCertData; + EFI_TIME Time; Data = NULL; GuidCertData = NULL; @@ -2267,7 +2349,13 @@ EnrollImageSignatureToSigDB ( Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - Status = CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -2609,6 +2697,7 @@ DeleteKeyExchangeKey ( UINT32 KekDataSize; UINTN DeleteKekIndex; UINTN GuidIndex; + EFI_TIME Time; Data = NULL; OldData = NULL; @@ -2727,7 +2816,13 @@ DeleteKeyExchangeKey ( DataSize = Offset; if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { - Status = CreateTimeBasedPayload (&DataSize, &OldData); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&DataSize, &OldData, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -2805,6 +2900,7 @@ DeleteSignature ( BOOLEAN IsItemFound; UINT32 ItemDataSize; UINTN GuidIndex; + EFI_TIME Time; Data = NULL; OldData = NULL; 
@@ -2931,7 +3027,13 @@ DeleteSignature ( DataSize = Offset; if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { - Status = CreateTimeBasedPayload (&DataSize, &OldData); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&DataSize, &OldData, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT; @@ -3000,6 +3102,7 @@ DeleteSignatureEx ( UINTN Offset; UINT8 *VariableData; UINT8 *NewVariableData; + EFI_TIME Time; Status = EFI_SUCCESS; VariableAttr = 0; @@ -3120,7 +3223,13 @@ DeleteSignatureEx ( } if ((VariableAttr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) { - Status = CreateTimeBasedPayload (&VariableDataSize, &NewVariableData); + Status = GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status = CreateTimeBasedPayload (&VariableDataSize, &NewVariableData, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Status)); goto ON_EXIT;