X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=blobdiff_plain;f=SecurityPkg%2FVariableAuthenticated%2FSecureBootConfigDxe%2FSecureBootConfigImpl.c;h=c8f4d977d92a5506d7a4cdd2c556276d9a5087ae;hp=e2340e63023d9ebf1a32110bb4acec2eb698cdcc;hb=126f3b1de02c71fde8e28abc35a46ac5f135b527;hpb=e8cd9b804126aabe15cd53ec44b7ff4c7e95763b diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c index e2340e6302..c8f4d977d9 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c @@ -97,6 +97,8 @@ CHAR16* mDerEncodedSuffix[] = { }; CHAR16* mSupportX509Suffix = L"*.cer/der/crt"; +SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData = NULL; + /** This code checks if the FileSuffix is one of the possible DER-encoded certificate suffix. @@ -657,7 +659,11 @@ ON_EXIT: CloseFile (Private->FileContext->FHandle); Private->FileContext->FHandle = NULL; - Private->FileContext->FileName = NULL; + + if (Private->FileContext->FileName != NULL){ + FreePool(Private->FileContext->FileName); + Private->FileContext->FileName = NULL; + } if (Private->SignatureGUID != NULL) { FreePool (Private->SignatureGUID); @@ -779,7 +785,11 @@ EnrollX509ToKek ( ON_EXIT: CloseFile (Private->FileContext->FHandle); - Private->FileContext->FileName = NULL; + if (Private->FileContext->FileName != NULL){ + FreePool(Private->FileContext->FileName); + Private->FileContext->FileName = NULL; + } + Private->FileContext->FHandle = NULL; if (Private->SignatureGUID != NULL) { @@ -949,7 +959,11 @@ EnrollX509toSigDB ( ON_EXIT: CloseFile (Private->FileContext->FHandle); - Private->FileContext->FileName = NULL; + if (Private->FileContext->FileName != NULL){ + FreePool(Private->FileContext->FileName); + Private->FileContext->FileName = NULL; + } + Private->FileContext->FHandle = NULL; if (Private->SignatureGUID != NULL) { @@ -1509,7 +1523,11 @@ EnrollX509HashtoSigDB ( ON_EXIT: CloseFile (Private->FileContext->FHandle); - Private->FileContext->FileName = NULL; + if (Private->FileContext->FileName != NULL){ + FreePool(Private->FileContext->FileName); + Private->FileContext->FileName = NULL; + } + Private->FileContext->FHandle = NULL; if (Private->SignatureGUID != NULL) { @@ -2157,7 +2175,11 @@ ON_EXIT: CloseFile (Private->FileContext->FHandle); Private->FileContext->FHandle = NULL; - Private->FileContext->FileName = NULL; + + if (Private->FileContext->FileName != NULL){ + FreePool(Private->FileContext->FileName); + Private->FileContext->FileName = NULL; + } if (Private->SignatureGUID != NULL) { FreePool (Private->SignatureGUID); @@ -3074,7 +3096,8 @@ ExtractSecureBootModeFromVariable( EFI_STATUS UpdateSecureBootString( IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private - ) { + ) +{ UINT8 CurSecureBootMode; UINT8 *SecureBoot; @@ -3144,20 +3167,6 @@ SecureBootExtractConfigFromVariable ( ConfigData->RevocationTime.Minute = CurrTime.Minute; ConfigData->RevocationTime.Second = 0; - // - // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable - // Checkbox. - // - ConfigData->AttemptSecureBoot = FALSE; - GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL); - if (SecureBootEnable == NULL) { - ConfigData->HideSecureBoot = TRUE; - } else { - ConfigData->HideSecureBoot = FALSE; - if ((*SecureBootEnable) == SECURE_BOOT_ENABLE) { - ConfigData->AttemptSecureBoot = TRUE; - } - } // // If it is Physical Presence User, set the PhysicalPresent to true. @@ -3192,6 +3201,26 @@ SecureBootExtractConfigFromVariable ( ConfigData->HasPk = TRUE; } + // + // Check SecureBootEnable & Pk status, fix the inconsistence. + // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable + // Checkbox. + // + ConfigData->AttemptSecureBoot = FALSE; + GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL); + + // + // Fix Pk, SecureBootEnable inconsistence + // + if (ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_USER_MODE || ConfigData->CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE) { + ConfigData->HideSecureBoot = FALSE; + if ((SecureBootEnable != NULL) && (*SecureBootEnable == SECURE_BOOT_ENABLE)) { + ConfigData->AttemptSecureBoot = TRUE; + } + } else { + ConfigData->HideSecureBoot = TRUE; + } + if (SecureBootEnable != NULL) { FreePool (SecureBootEnable); } @@ -3340,7 +3369,6 @@ SecureBootRouteConfig ( OUT EFI_STRING *Progress ) { - UINT8 *SecureBootEnable; SECUREBOOT_CONFIGURATION IfrNvData; UINTN BufferSize; EFI_STATUS Status; @@ -3377,10 +3405,7 @@ SecureBootRouteConfig ( // // Store Buffer Storage back to EFI variable if needed // - SecureBootEnable = NULL; - GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL); - if (NULL != SecureBootEnable) { - FreePool (SecureBootEnable); + if (!IfrNvData.HideSecureBoot) { Status = SaveSecureBootVariable (IfrNvData.AttemptSecureBoot); if (EFI_ERROR (Status)) { return Status; @@ -3431,19 +3456,24 @@ SecureBootCallback ( SECUREBOOT_CONFIGURATION *IfrNvData; UINT16 LabelId; UINT8 *SecureBootEnable; + UINT8 *Pk; UINT8 *SecureBootMode; CHAR16 PromptString[100]; UINT8 CurSecureBootMode; + EFI_DEVICE_PATH_PROTOCOL *File; Status = EFI_SUCCESS; SecureBootEnable = NULL; SecureBootMode = NULL; + File = NULL; if ((This == NULL) || (Value == NULL) || (ActionRequest == NULL)) { return EFI_INVALID_PARAMETER; } Private = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This); + gSecureBootPrivateData = Private; + // // Retrieve uncommitted data from Browser // @@ -3461,6 +3491,7 @@ SecureBootCallback ( // Update secure boot strings when opening this form // Status = UpdateSecureBootString(Private); + SecureBootExtractConfigFromVariable (IfrNvData); mIsEnterSecureBootForm = TRUE; } else if (QuestionId == KEY_TRANS_SECURE_BOOT_MODE){ // @@ -3523,11 +3554,6 @@ SecureBootCallback ( } break; - case KEY_SECURE_BOOT_OPTION: - FreeMenu (&DirectoryMenu); - FreeMenu (&FsOptionMenu); - break; - case KEY_SECURE_BOOT_KEK_OPTION: case KEY_SECURE_BOOT_DB_OPTION: case KEY_SECURE_BOOT_DBX_OPTION: @@ -3558,28 +3584,32 @@ SecureBootCallback ( // CleanUpPage (LabelId, Private); break; + case KEY_SECURE_BOOT_PK_OPTION: + LabelId = FORMID_ENROLL_PK_FORM; + // + // Refresh selected file. + // + CleanUpPage (LabelId, Private); + break; + + case FORMID_ENROLL_PK_FORM: + ChooseFile (NULL, NULL, UpdatePKFromFile, &File); + break; - case SECUREBOOT_ADD_PK_FILE_FORM_ID: case FORMID_ENROLL_KEK_FORM: + ChooseFile (NULL, NULL, UpdateKEKFromFile, &File); + break; + case SECUREBOOT_ENROLL_SIGNATURE_TO_DB: + ChooseFile (NULL, NULL, UpdateDBFromFile, &File); + break; + case SECUREBOOT_ENROLL_SIGNATURE_TO_DBX: - case SECUREBOOT_ENROLL_SIGNATURE_TO_DBT: - if (QuestionId == SECUREBOOT_ADD_PK_FILE_FORM_ID) { - Private->FeCurrentState = FileExplorerStateEnrollPkFile; - } else if (QuestionId == FORMID_ENROLL_KEK_FORM) { - Private->FeCurrentState = FileExplorerStateEnrollKekFile; - } else if (QuestionId == SECUREBOOT_ENROLL_SIGNATURE_TO_DB) { - Private->FeCurrentState = FileExplorerStateEnrollSignatureFileToDb; - } else if (QuestionId == SECUREBOOT_ENROLL_SIGNATURE_TO_DBX) { - Private->FeCurrentState = FileExplorerStateEnrollSignatureFileToDbx; - IfrNvData->CertificateFormat = HASHALG_SHA256; - } else { - Private->FeCurrentState = FileExplorerStateEnrollSignatureFileToDbt; - } + ChooseFile (NULL, NULL, UpdateDBXFromFile, &File); + break; - Private->FeDisplayContext = FileExplorerDisplayUnknown; - CleanUpPage (FORM_FILE_EXPLORER_ID, Private); - UpdateFileExplorer (Private, 0); + case SECUREBOOT_ENROLL_SIGNATURE_TO_DBT: + ChooseFile (NULL, NULL, UpdateDBTFromFile, &File); break; case KEY_SECURE_BOOT_DELETE_PK: @@ -3722,6 +3752,24 @@ SecureBootCallback ( ); } break; + case KEY_VALUE_SAVE_AND_EXIT_PK: + Status = EnrollPlatformKey (Private); + if (EFI_ERROR (Status)) { + UnicodeSPrint ( + PromptString, + sizeof (PromptString), + L"Only DER encoded certificate file (%s) is supported.", + mSupportX509Suffix + ); + CreatePopUp ( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"ERROR: Unsupported file type!", + PromptString, + NULL + ); + } + break; case KEY_TRANS_SECURE_BOOT_MODE: // // Pop up to alert user want to change secure boot mode @@ -3774,9 +3822,7 @@ SecureBootCallback ( break; default: - if (QuestionId >= FILE_OPTION_GOTO_OFFSET) { - UpdateFileExplorer (Private, QuestionId); - } else if ((QuestionId >= OPTION_DEL_KEK_QUESTION_ID) && + if ((QuestionId >= OPTION_DEL_KEK_QUESTION_ID) && (QuestionId < (OPTION_DEL_KEK_QUESTION_ID + OPTION_CONFIG_RANGE))) { DeleteKeyExchangeKey (Private, QuestionId); } else if ((QuestionId >= OPTION_DEL_DB_QUESTION_ID) && @@ -3814,32 +3860,6 @@ SecureBootCallback ( ); } break; - } - } else if (Action == EFI_BROWSER_ACTION_CHANGED) { - switch (QuestionId) { - case KEY_SECURE_BOOT_ENABLE: - *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; - break; - case KEY_VALUE_SAVE_AND_EXIT_PK: - Status = EnrollPlatformKey (Private); - if (EFI_ERROR (Status)) { - UnicodeSPrint ( - PromptString, - sizeof (PromptString), - L"Only DER encoded certificate file (%s) is supported.", - mSupportX509Suffix - ); - CreatePopUp ( - EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, - &Key, - L"ERROR: Unsupported file type!", - PromptString, - NULL - ); - } else { - *ActionRequest = EFI_BROWSER_ACTION_REQUEST_RESET; - } - break; case KEY_VALUE_NO_SAVE_AND_EXIT_PK: case KEY_VALUE_NO_SAVE_AND_EXIT_KEK: @@ -3849,16 +3869,23 @@ SecureBootCallback ( if (Private->FileContext->FHandle != NULL) { CloseFile (Private->FileContext->FHandle); Private->FileContext->FHandle = NULL; - Private->FileContext->FileName = NULL; + if (Private->FileContext->FileName!= NULL){ + FreePool(Private->FileContext->FileName); + Private->FileContext->FileName = NULL; + } } if (Private->SignatureGUID != NULL) { FreePool (Private->SignatureGUID); Private->SignatureGUID = NULL; } - *ActionRequest = EFI_BROWSER_ACTION_REQUEST_EXIT; break; - + } + } else if (Action == EFI_BROWSER_ACTION_CHANGED) { + switch (QuestionId) { + case KEY_SECURE_BOOT_ENABLE: + *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; + break; case KEY_SECURE_BOOT_MODE: mIsEnterSecureBootForm = FALSE; break; @@ -3898,20 +3925,15 @@ SecureBootCallback ( } break; default: - if (QuestionId >= FILE_OPTION_OFFSET && QuestionId < FILE_OPTION_GOTO_OFFSET) { - if (UpdateFileExplorer (Private, QuestionId)) { - *ActionRequest = EFI_BROWSER_ACTION_REQUEST_EXIT; - } - } break; } } else if (Action == EFI_BROWSER_ACTION_DEFAULT_STANDARD) { if (QuestionId == KEY_HIDE_SECURE_BOOT) { - GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL); - if (SecureBootEnable == NULL) { + GetVariable2 (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid, (VOID**)&Pk, NULL); + if (Pk == NULL) { IfrNvData->HideSecureBoot = TRUE; } else { - FreePool (SecureBootEnable); + FreePool (Pk); IfrNvData->HideSecureBoot = FALSE; } Value->b = IfrNvData->HideSecureBoot; @@ -3939,6 +3961,11 @@ EXIT: FreePool (IfrNvData); + if (File != NULL){ + FreePool(File); + File = NULL; + } + return EFI_SUCCESS; } @@ -4003,19 +4030,12 @@ InstallSecureBootConfigForm ( PrivateData->HiiHandle = HiiHandle; PrivateData->FileContext = AllocateZeroPool (sizeof (SECUREBOOT_FILE_CONTEXT)); - PrivateData->MenuEntry = AllocateZeroPool (sizeof (SECUREBOOT_MENU_ENTRY)); - if (PrivateData->FileContext == NULL || PrivateData->MenuEntry == NULL) { + if (PrivateData->FileContext == NULL) { UninstallSecureBootConfigForm (PrivateData); return EFI_OUT_OF_RESOURCES; } - PrivateData->FeCurrentState = FileExplorerStateInActive; - PrivateData->FeDisplayContext = FileExplorerDisplayUnknown; - - InitializeListHead (&FsOptionMenu.Head); - InitializeListHead (&DirectoryMenu.Head); - // // Init OpCode Handle and Allocate space for creation of Buffer // @@ -4095,19 +4115,12 @@ UninstallSecureBootConfigForm ( FreePool (PrivateData->SignatureGUID); } - if (PrivateData->MenuEntry != NULL) { - FreePool (PrivateData->MenuEntry); - } - if (PrivateData->FileContext != NULL) { FreePool (PrivateData->FileContext); } FreePool (PrivateData); - FreeMenu (&DirectoryMenu); - FreeMenu (&FsOptionMenu); - if (mStartOpCodeHandle != NULL) { HiiFreeOpCodeHandle (mStartOpCodeHandle); }