+\r
+ CloseFile (Private->FileContext->FHandle);\r
+ Private->FileContext->FileName = NULL;\r
+ Private->FileContext->FHandle = NULL;\r
+\r
+ if (Private->SignatureGUID != NULL) {\r
+ FreePool (Private->SignatureGUID);\r
+ Private->SignatureGUID = NULL;\r
+ }\r
+\r
+ if (KekSigList != NULL) {\r
+ FreePool (KekSigList);\r
+ }\r
+\r
+ return Status;\r
+}\r
+\r
+/**\r
+ Enroll new KEK into the System without PK's authentication.\r
+ The SignatureOwner GUID will be Private->SignatureGUID.\r
+\r
+ @param[in] PrivateData The module's private data.\r
+\r
+ @retval EFI_SUCCESS New KEK enrolled successful.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval others Fail to enroll KEK data.\r
+\r
+**/\r
+EFI_STATUS\r
+EnrollKeyExchangeKey (\r
+ IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private\r
+ )\r
+{\r
+ UINT16* FilePostFix;\r
+ EFI_STATUS Status;\r
+ UINTN NameLength;\r
+\r
+ if ((Private->FileContext->FileName == NULL) || (Private->SignatureGUID == NULL)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
+ //\r
+ // Parse the file's postfix. Supports DER-encoded X509 certificate,\r
+ // and .pbk as RSA public key file.\r
+ //\r
+ NameLength = StrLen (Private->FileContext->FileName);\r
+ if (NameLength <= 4) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+ FilePostFix = Private->FileContext->FileName + NameLength - 4;\r
+ if (IsDerEncodeCertificate(FilePostFix)) {\r
+ return EnrollX509ToKek (Private);\r
+ } else if (CompareMem (FilePostFix, L".pbk",4) == 0) {\r
+ return EnrollRsa2048ToKek (Private);\r
+ } else {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+}\r
+\r
+/**\r
+ Enroll a new X509 certificate into Signature Database (DB or DBX or DBT) without\r
+ KEK's authentication.\r
+\r
+ @param[in] PrivateData The module's private data.\r
+ @param[in] VariableName Variable name of signature database, must be\r
+ EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.\r
+\r
+ @retval EFI_SUCCESS New X509 is enrolled successfully.\r
+ @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.\r
+\r
+**/\r
+EFI_STATUS\r
+EnrollX509toSigDB (\r
+ IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,\r
+ IN CHAR16 *VariableName\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ UINTN X509DataSize;\r
+ VOID *X509Data;\r
+ EFI_SIGNATURE_LIST *SigDBCert;\r
+ EFI_SIGNATURE_DATA *SigDBCertData;\r
+ VOID *Data;\r
+ UINTN DataSize;\r
+ UINTN SigDBSize;\r
+ UINT32 Attr;\r
+\r
+ X509DataSize = 0;\r
+ SigDBSize = 0;\r
+ DataSize = 0;\r
+ X509Data = NULL;\r
+ SigDBCert = NULL;\r
+ SigDBCertData = NULL;\r
+ Data = NULL;\r
+\r
+ Status = ReadFileContent (\r
+ Private->FileContext->FHandle,\r
+ &X509Data,\r
+ &X509DataSize,\r
+ 0\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ goto ON_EXIT;\r
+ }\r
+ ASSERT (X509Data != NULL);\r
+\r
+ SigDBSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize;\r
+\r
+ Data = AllocateZeroPool (SigDBSize);\r
+ if (Data == NULL) {\r
+ Status = EFI_OUT_OF_RESOURCES;\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ //\r
+ // Fill Certificate Database parameters.\r
+ //\r
+ SigDBCert = (EFI_SIGNATURE_LIST*) Data;\r
+ SigDBCert->SignatureListSize = (UINT32) SigDBSize;\r
+ SigDBCert->SignatureHeaderSize = 0;\r
+ SigDBCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize);\r
+ CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid);\r
+\r
+ SigDBCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigDBCert + sizeof (EFI_SIGNATURE_LIST));\r
+ CopyGuid (&SigDBCertData->SignatureOwner, Private->SignatureGUID);\r
+ CopyMem ((UINT8* ) (SigDBCertData->SignatureData), X509Data, X509DataSize);\r
+\r
+ //\r
+ // Check if signature database entry has been already existed.\r
+ // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the\r
+ // new signature data to original variable\r
+ //\r
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS\r
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;\r
+ Status = CreateTimeBasedPayload (&SigDBSize, (UINT8**) &Data);\r
+ if (EFI_ERROR (Status)) {\r
+ DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ Status = gRT->GetVariable(\r
+ VariableName,\r
+ &gEfiImageSecurityDatabaseGuid,\r
+ NULL,\r
+ &DataSize,\r
+ NULL\r
+ );\r
+ if (Status == EFI_BUFFER_TOO_SMALL) {\r
+ Attr |= EFI_VARIABLE_APPEND_WRITE;\r
+ } else if (Status != EFI_NOT_FOUND) {\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ Status = gRT->SetVariable(\r
+ VariableName,\r
+ &gEfiImageSecurityDatabaseGuid,\r
+ Attr,\r
+ SigDBSize,\r
+ Data\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ON_EXIT:\r
+\r
+ CloseFile (Private->FileContext->FHandle);\r
+ Private->FileContext->FileName = NULL;\r
+ Private->FileContext->FHandle = NULL;\r
+\r
+ if (Private->SignatureGUID != NULL) {\r
+ FreePool (Private->SignatureGUID);\r
+ Private->SignatureGUID = NULL;\r
+ }\r
+\r
+ if (Data != NULL) {\r
+ FreePool (Data);\r
+ }\r
+\r
+ if (X509Data != NULL) {\r
+ FreePool (X509Data);\r
+ }\r
+\r
+ return Status;\r
+}\r
+\r
+/**\r
+ Check whether signature is in specified database.\r
+\r
+ @param[in] VariableName Name of database variable that is searched in.\r
+ @param[in] Signature Pointer to signature that is searched for.\r
+ @param[in] SignatureSize Size of Signature.\r
+\r
+ @return TRUE Found the signature in the variable database.\r
+ @return FALSE Not found the signature in the variable database.\r
+\r
+**/\r
+BOOLEAN\r
+IsSignatureFoundInDatabase (\r
+ IN CHAR16 *VariableName,\r
+ IN UINT8 *Signature,\r
+ IN UINTN SignatureSize\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ EFI_SIGNATURE_LIST *CertList;\r
+ EFI_SIGNATURE_DATA *Cert;\r
+ UINTN DataSize;\r
+ UINT8 *Data;\r
+ UINTN Index;\r
+ UINTN CertCount;\r
+ BOOLEAN IsFound;\r
+\r
+ //\r
+ // Read signature database variable.\r
+ //\r
+ IsFound = FALSE;\r
+ Data = NULL;\r
+ DataSize = 0;\r
+ Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);\r
+ if (Status != EFI_BUFFER_TOO_SMALL) {\r
+ return FALSE;\r
+ }\r
+\r
+ Data = (UINT8 *) AllocateZeroPool (DataSize);\r
+ if (Data == NULL) {\r
+ return FALSE;\r
+ }\r
+\r
+ Status = gRT->GetVariable (VariableName, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data);\r
+ if (EFI_ERROR (Status)) {\r
+ goto Done;\r
+ }\r
+\r
+ //\r
+ // Enumerate all signature data in SigDB to check if executable's signature exists.\r
+ //\r
+ CertList = (EFI_SIGNATURE_LIST *) Data;\r
+ while ((DataSize > 0) && (DataSize >= CertList->SignatureListSize)) {\r
+ CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;\r
+ Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);\r
+ if ((CertList->SignatureSize == sizeof(EFI_SIGNATURE_DATA) - 1 + SignatureSize) && (CompareGuid(&CertList->SignatureType, &gEfiCertX509Guid))) {\r
+ for (Index = 0; Index < CertCount; Index++) {\r
+ if (CompareMem (Cert->SignatureData, Signature, SignatureSize) == 0) {\r
+ //\r
+ // Find the signature in database.\r
+ //\r
+ IsFound = TRUE;\r
+ break;\r
+ }\r
+ Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);\r
+ }\r
+\r
+ if (IsFound) {\r
+ break;\r
+ }\r
+ }\r
+\r
+ DataSize -= CertList->SignatureListSize;\r
+ CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);\r
+ }\r
+\r
+Done:\r
+ if (Data != NULL) {\r
+ FreePool (Data);\r
+ }\r
+\r
+ return IsFound;\r
+}\r
+\r
+/**\r
+ Calculate the hash of a certificate data with the specified hash algorithm.\r
+\r
+ @param[in] CertData The certificate data to be hashed.\r
+ @param[in] CertSize The certificate size in bytes.\r
+ @param[in] HashAlg The specified hash algorithm.\r
+ @param[out] CertHash The output digest of the certificate\r
+\r
+ @retval TRUE Successfully got the hash of the CertData.\r
+ @retval FALSE Failed to get the hash of CertData.\r
+\r
+**/\r
+BOOLEAN\r
+CalculateCertHash (\r
+ IN UINT8 *CertData,\r
+ IN UINTN CertSize,\r
+ IN UINT32 HashAlg,\r
+ OUT UINT8 *CertHash\r
+ )\r
+{\r
+ BOOLEAN Status;\r
+ VOID *HashCtx;\r
+ UINTN CtxSize;\r
+\r
+ HashCtx = NULL;\r
+ Status = FALSE;\r
+\r
+ if (HashAlg >= HASHALG_MAX) {\r
+ return FALSE;\r
+ }\r
+\r
+ //\r
+ // 1. Initialize context of hash.\r
+ //\r
+ CtxSize = mHash[HashAlg].GetContextSize ();\r
+ HashCtx = AllocatePool (CtxSize);\r
+ ASSERT (HashCtx != NULL);\r
+\r
+ //\r
+ // 2. Initialize a hash context.\r
+ //\r
+ Status = mHash[HashAlg].HashInit (HashCtx);\r
+ if (!Status) {\r
+ goto Done;\r
+ }\r
+\r
+ //\r
+ // 3. Calculate the hash.\r
+ //\r
+ Status = mHash[HashAlg].HashUpdate (HashCtx, CertData, CertSize);\r
+ if (!Status) {\r
+ goto Done;\r
+ }\r
+\r
+ //\r
+ // 4. Get the hash result.\r
+ //\r
+ ZeroMem (CertHash, mHash[HashAlg].DigestLength);\r
+ Status = mHash[HashAlg].HashFinal (HashCtx, CertHash);\r
+\r
+Done:\r
+ if (HashCtx != NULL) {\r
+ FreePool (HashCtx);\r
+ }\r
+\r
+ return Status;\r
+}\r
+\r
+/**\r
+ Check whether the hash of an X.509 certificate is in forbidden database (DBX).\r
+\r
+ @param[in] Certificate Pointer to X.509 Certificate that is searched for.\r
+ @param[in] CertSize Size of X.509 Certificate.\r
+\r
+ @return TRUE Found the certificate hash in the forbidden database.\r
+ @return FALSE Certificate hash is Not found in the forbidden database.\r
+\r
+**/\r
+BOOLEAN\r
+IsCertHashFoundInDbx (\r
+ IN UINT8 *Certificate,\r
+ IN UINTN CertSize\r
+ )\r
+{\r
+ BOOLEAN IsFound;\r
+ EFI_STATUS Status;\r
+ EFI_SIGNATURE_LIST *DbxList;\r
+ EFI_SIGNATURE_DATA *CertHash;\r
+ UINTN CertHashCount;\r
+ UINTN Index;\r
+ UINT32 HashAlg;\r
+ UINT8 CertDigest[MAX_DIGEST_SIZE];\r
+ UINT8 *DbxCertHash;\r
+ UINTN SiglistHeaderSize;\r
+ UINT8 *Data;\r
+ UINTN DataSize;\r
+\r
+ IsFound = FALSE;\r
+ HashAlg = HASHALG_MAX;\r
+ Data = NULL;\r
+\r
+ //\r
+ // Read signature database variable.\r
+ //\r
+ DataSize = 0;\r
+ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);\r
+ if (Status != EFI_BUFFER_TOO_SMALL) {\r
+ return FALSE;\r
+ }\r
+\r
+ Data = (UINT8 *) AllocateZeroPool (DataSize);\r
+ if (Data == NULL) {\r
+ return FALSE;\r
+ }\r
+\r
+ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data);\r
+ if (EFI_ERROR (Status)) {\r
+ goto Done;\r
+ }\r
+\r
+ //\r
+ // Check whether the certificate hash exists in the forbidden database.\r
+ //\r
+ DbxList = (EFI_SIGNATURE_LIST *) Data;\r
+ while ((DataSize > 0) && (DataSize >= DbxList->SignatureListSize)) {\r
+ //\r
+ // Determine Hash Algorithm of Certificate in the forbidden database.\r
+ //\r
+ if (CompareGuid (&DbxList->SignatureType, &gEfiCertX509Sha256Guid)) {\r
+ HashAlg = HASHALG_SHA256;\r
+ } else if (CompareGuid (&DbxList->SignatureType, &gEfiCertX509Sha384Guid)) {\r
+ HashAlg = HASHALG_SHA384;\r
+ } else if (CompareGuid (&DbxList->SignatureType, &gEfiCertX509Sha512Guid)) {\r
+ HashAlg = HASHALG_SHA512;\r
+ } else {\r
+ DataSize -= DbxList->SignatureListSize;\r
+ DbxList = (EFI_SIGNATURE_LIST *) ((UINT8 *) DbxList + DbxList->SignatureListSize);\r
+ continue;\r
+ }\r
+\r
+ //\r
+ // Calculate the hash value of current db certificate for comparision.\r
+ //\r
+ if (!CalculateCertHash (Certificate, CertSize, HashAlg, CertDigest)) {\r
+ goto Done;\r
+ }\r
+\r
+ SiglistHeaderSize = sizeof (EFI_SIGNATURE_LIST) + DbxList->SignatureHeaderSize;\r
+ CertHash = (EFI_SIGNATURE_DATA *) ((UINT8 *) DbxList + SiglistHeaderSize);\r
+ CertHashCount = (DbxList->SignatureListSize - SiglistHeaderSize) / DbxList->SignatureSize;\r
+ for (Index = 0; Index < CertHashCount; Index++) {\r
+ //\r
+ // Iterate each Signature Data Node within this CertList for verify.\r
+ //\r
+ DbxCertHash = CertHash->SignatureData;\r
+ if (CompareMem (DbxCertHash, CertDigest, mHash[HashAlg].DigestLength) == 0) {\r
+ //\r
+ // Hash of Certificate is found in forbidden database.\r
+ //\r
+ IsFound = TRUE;\r
+ goto Done;\r
+ }\r
+ CertHash = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertHash + DbxList->SignatureSize);\r
+ }\r
+\r
+ DataSize -= DbxList->SignatureListSize;\r
+ DbxList = (EFI_SIGNATURE_LIST *) ((UINT8 *) DbxList + DbxList->SignatureListSize);\r
+ }\r
+\r
+Done:\r
+ if (Data != NULL) {\r
+ FreePool (Data);\r
+ }\r
+\r
+ return IsFound;\r
+}\r
+\r
+/**\r
+ Check whether the signature list exists in given variable data.\r
+\r
+ It searches the signature list for the ceritificate hash by CertType.\r
+ If the signature list is found, get the offset of Database for the\r
+ next hash of a certificate.\r
+\r
+ @param[in] Database Variable data to save signature list.\r
+ @param[in] DatabaseSize Variable size.\r
+ @param[in] SignatureType The type of the signature.\r
+ @param[out] Offset The offset to save a new hash of certificate.\r
+\r
+ @return TRUE The signature list is found in the forbidden database.\r
+ @return FALSE The signature list is not found in the forbidden database.\r
+**/\r
+BOOLEAN\r
+GetSignaturelistOffset (\r
+ IN EFI_SIGNATURE_LIST *Database,\r
+ IN UINTN DatabaseSize,\r
+ IN EFI_GUID *SignatureType,\r
+ OUT UINTN *Offset\r
+ )\r
+{\r
+ EFI_SIGNATURE_LIST *SigList;\r
+ UINTN SiglistSize;\r
+\r
+ if ((Database == NULL) || (DatabaseSize == 0)) {\r
+ *Offset = 0;\r
+ return FALSE;\r
+ }\r
+\r
+ SigList = Database;\r
+ SiglistSize = DatabaseSize;\r
+ while ((SiglistSize > 0) && (SiglistSize >= SigList->SignatureListSize)) {\r
+ if (CompareGuid (&SigList->SignatureType, SignatureType)) {\r
+ *Offset = DatabaseSize - SiglistSize;\r
+ return TRUE;\r
+ }\r
+ SiglistSize -= SigList->SignatureListSize;\r
+ SigList = (EFI_SIGNATURE_LIST *) ((UINT8 *) SigList + SigList->SignatureListSize);\r
+ }\r
+ *Offset = 0;\r
+ return FALSE;\r
+}\r
+\r
+/**\r
+ Enroll a new X509 certificate hash into Signature Database (dbx) without\r
+ KEK's authentication.\r
+\r
+ @param[in] PrivateData The module's private data.\r
+ @param[in] HashAlg The hash algorithm to enroll the certificate.\r
+ @param[in] RevocationDate The revocation date of the certificate.\r
+ @param[in] RevocationTime The revocation time of the certificate.\r
+ @param[in] AlwaysRevocation Indicate whether the certificate is always revoked.\r
+\r
+ @retval EFI_SUCCESS New X509 is enrolled successfully.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.\r
+\r
+**/\r
+EFI_STATUS\r
+EnrollX509HashtoSigDB (\r
+ IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,\r
+ IN UINT32 HashAlg,\r
+ IN EFI_HII_DATE *RevocationDate,\r
+ IN EFI_HII_TIME *RevocationTime,\r
+ IN BOOLEAN AlwaysRevocation\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ UINTN X509DataSize;\r
+ VOID *X509Data;\r
+ EFI_SIGNATURE_LIST *SignatureList;\r
+ UINTN SignatureListSize;\r
+ UINT8 *Data;\r
+ UINT8 *NewData;\r
+ UINTN DataSize;\r
+ UINTN DbSize;\r
+ UINT32 Attr;\r
+ EFI_SIGNATURE_DATA *SignatureData;\r
+ UINTN SignatureSize;\r
+ EFI_GUID SignatureType;\r
+ UINTN Offset;\r
+ UINT8 CertHash[MAX_DIGEST_SIZE];\r
+ UINT16* FilePostFix;\r
+ UINTN NameLength;\r
+ EFI_TIME *Time;\r
+\r
+ X509DataSize = 0;\r
+ DbSize = 0;\r
+ X509Data = NULL;\r
+ SignatureData = NULL;\r
+ SignatureList = NULL;\r
+ Data = NULL;\r
+ NewData = NULL;\r
+\r
+ if ((Private->FileContext->FileName == NULL) || (Private->FileContext->FHandle == NULL) || (Private->SignatureGUID == NULL)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);\r
+ if (EFI_ERROR (Status)) {\r
+ return Status;\r
+ }\r
+\r
+ //\r
+ // Parse the file's postfix.\r
+ //\r
+ NameLength = StrLen (Private->FileContext->FileName);\r
+ if (NameLength <= 4) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+ FilePostFix = Private->FileContext->FileName + NameLength - 4;\r
+ if (!IsDerEncodeCertificate(FilePostFix)) {\r
+ //\r
+ // Only supports DER-encoded X509 certificate.\r
+ //\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // Get the certificate from file and calculate its hash.\r
+ //\r
+ Status = ReadFileContent (\r
+ Private->FileContext->FHandle,\r
+ &X509Data,\r
+ &X509DataSize,\r
+ 0\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ goto ON_EXIT;\r
+ }\r
+ ASSERT (X509Data != NULL);\r
+\r
+ if (!CalculateCertHash (X509Data, X509DataSize, HashAlg, CertHash)) {\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ //\r
+ // Get the variable for enrollment.\r
+ //\r
+ DataSize = 0;\r
+ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, NULL);\r
+ if (Status == EFI_BUFFER_TOO_SMALL) {\r
+ Data = (UINT8 *) AllocateZeroPool (DataSize);\r
+ if (Data == NULL) {\r
+ return EFI_OUT_OF_RESOURCES;\r
+ }\r
+\r
+ Status = gRT->GetVariable (EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid, NULL, &DataSize, Data);\r
+ if (EFI_ERROR (Status)) {\r
+ goto ON_EXIT;\r
+ }\r
+ }\r
+\r
+ //\r
+ // Allocate memory for Signature and fill the Signature\r
+ //\r
+ SignatureSize = sizeof(EFI_SIGNATURE_DATA) - 1 + sizeof (EFI_TIME) + mHash[HashAlg].DigestLength;\r
+ SignatureData = (EFI_SIGNATURE_DATA *) AllocateZeroPool (SignatureSize);\r
+ if (SignatureData == NULL) {\r
+ return EFI_OUT_OF_RESOURCES;\r
+ }\r
+ CopyGuid (&SignatureData->SignatureOwner, Private->SignatureGUID);\r
+ CopyMem (SignatureData->SignatureData, CertHash, mHash[HashAlg].DigestLength);\r
+\r
+ //\r
+ // Fill the time.\r
+ //\r
+ if (!AlwaysRevocation) {\r
+ Time = (EFI_TIME *)(&SignatureData->SignatureData + mHash[HashAlg].DigestLength);\r
+ Time->Year = RevocationDate->Year;\r
+ Time->Month = RevocationDate->Month;\r
+ Time->Day = RevocationDate->Day;\r
+ Time->Hour = RevocationTime->Hour;\r
+ Time->Minute = RevocationTime->Minute;\r
+ Time->Second = RevocationTime->Second;\r
+ }\r
+\r
+ //\r
+ // Determine the GUID for certificate hash.\r
+ //\r
+ switch (HashAlg) {\r
+ case HASHALG_SHA256:\r
+ SignatureType = gEfiCertX509Sha256Guid;\r
+ break;\r
+ case HASHALG_SHA384:\r
+ SignatureType = gEfiCertX509Sha384Guid;\r
+ break;\r
+ case HASHALG_SHA512:\r
+ SignatureType = gEfiCertX509Sha512Guid;\r
+ break;\r
+ default:\r
+ return FALSE;\r
+ }\r
+\r
+ //\r
+ // Add signature into the new variable data buffer\r
+ //\r
+ if (GetSignaturelistOffset((EFI_SIGNATURE_LIST *)Data, DataSize, &SignatureType, &Offset)) {\r
+ //\r
+ // Add the signature to the found signaturelist.\r
+ //\r
+ DbSize = DataSize + SignatureSize;\r
+ NewData = AllocateZeroPool (DbSize);\r
+ if (NewData == NULL) {\r
+ Status = EFI_OUT_OF_RESOURCES;\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ SignatureList = (EFI_SIGNATURE_LIST *)(Data + Offset);\r
+ SignatureListSize = (UINTN) ReadUnaligned32 ((UINT32 *)&SignatureList->SignatureListSize);\r
+ CopyMem (NewData, Data, Offset + SignatureListSize);\r
+\r
+ SignatureList = (EFI_SIGNATURE_LIST *)(NewData + Offset);\r
+ WriteUnaligned32 ((UINT32 *) &SignatureList->SignatureListSize, (UINT32)(SignatureListSize + SignatureSize));\r
+\r
+ Offset += SignatureListSize;\r
+ CopyMem (NewData + Offset, SignatureData, SignatureSize);\r
+ CopyMem (NewData + Offset + SignatureSize, Data + Offset, DataSize - Offset);\r
+\r
+ FreePool (Data);\r
+ Data = NewData;\r
+ DataSize = DbSize;\r
+ } else {\r
+ //\r
+ // Create a new signaturelist, and add the signature into the signaturelist.\r
+ //\r
+ DbSize = DataSize + sizeof(EFI_SIGNATURE_LIST) + SignatureSize;\r
+ NewData = AllocateZeroPool (DbSize);\r
+ if (NewData == NULL) {\r
+ Status = EFI_OUT_OF_RESOURCES;\r
+ goto ON_EXIT;\r
+ }\r
+ //\r
+ // Fill Certificate Database parameters.\r
+ //\r
+ SignatureList = (EFI_SIGNATURE_LIST*) (NewData + DataSize);\r
+ SignatureListSize = sizeof(EFI_SIGNATURE_LIST) + SignatureSize;\r
+ WriteUnaligned32 ((UINT32 *) &SignatureList->SignatureListSize, (UINT32) SignatureListSize);\r
+ WriteUnaligned32 ((UINT32 *) &SignatureList->SignatureSize, (UINT32) SignatureSize);\r
+ CopyGuid (&SignatureList->SignatureType, &SignatureType);\r
+ CopyMem ((UINT8* ) SignatureList + sizeof (EFI_SIGNATURE_LIST), SignatureData, SignatureSize);\r
+ if ((DataSize != 0) && (Data != NULL)) {\r
+ CopyMem (NewData, Data, DataSize);\r
+ FreePool (Data);\r
+ }\r
+ Data = NewData;\r
+ DataSize = DbSize;\r
+ }\r
+\r
+ Status = CreateTimeBasedPayload (&DataSize, (UINT8**) &Data);\r
+ if (EFI_ERROR (Status)) {\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS\r
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;\r
+ Status = gRT->SetVariable(\r
+ EFI_IMAGE_SECURITY_DATABASE1,\r
+ &gEfiImageSecurityDatabaseGuid,\r
+ Attr,\r
+ DataSize,\r
+ Data\r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ goto ON_EXIT;\r
+ }\r
+\r
+ON_EXIT:\r