)\r
{\r
EFI_STATUS Status;\r
- VARIABLE_POINTER_TRACK PkVariable;\r
- EFI_SIGNATURE_LIST *OldPkList;\r
- EFI_SIGNATURE_DATA *OldPkData;\r
- EFI_VARIABLE_AUTHENTICATION *CertData;\r
- BOOLEAN TimeBase;\r
BOOLEAN Del;\r
UINT8 *Payload;\r
UINTN PayloadSize;\r
- UINT64 MonotonicCount;\r
- EFI_TIME *TimeStamp;\r
\r
- if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0) {\r
+ if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0 || \r
+ (Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {\r
//\r
- // PK and KEK should set EFI_VARIABLE_NON_VOLATILE attribute.\r
+ // PK and KEK should set EFI_VARIABLE_NON_VOLATILE attribute and should be a time-based\r
+ // authenticated variable.\r
//\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {\r
-\r
- if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
- //\r
- // EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute means time-based X509 Cert PK.\r
- //\r
- TimeBase = TRUE;\r
- } else if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
- //\r
- // EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS attribute means counter-based RSA-2048 Cert PK.\r
- //\r
- TimeBase = FALSE;\r
- } else {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (TimeBase) {\r
- //\r
- // Verify against X509 Cert PK.\r
- //\r
- Del = FALSE;\r
- Status = VerifyTimeBasedPayload (\r
- VariableName,\r
- VendorGuid,\r
- Data,\r
- DataSize,\r
- Variable,\r
- Attributes,\r
- AuthVarTypePk,\r
- &Del\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- //\r
- // If delete PK in user mode, need change to setup mode.\r
- //\r
- if (Del && IsPk) {\r
- Status = UpdatePlatformMode (SETUP_MODE);\r
- }\r
- }\r
- return Status;\r
- } else {\r
- //\r
- // Verify against RSA2048 Cert PK.\r
- //\r
- CertData = (EFI_VARIABLE_AUTHENTICATION *) Data;\r
- if ((Variable->CurrPtr != NULL) && (CertData->MonotonicCount <= Variable->CurrPtr->MonotonicCount)) {\r
- //\r
- // Monotonic count check fail, suspicious replay attack, return EFI_SECURITY_VIOLATION.\r
- //\r
- return EFI_SECURITY_VIOLATION;\r
- }\r
+ //\r
+ // Verify against X509 Cert PK.\r
+ //\r
+ Del = FALSE;\r
+ Status = VerifyTimeBasedPayload (\r
+ VariableName,\r
+ VendorGuid,\r
+ Data,\r
+ DataSize,\r
+ Variable,\r
+ Attributes,\r
+ AuthVarTypePk,\r
+ &Del\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
//\r
- // Get platform key from variable.\r
+ // If delete PK in user mode, need change to setup mode.\r
//\r
- Status = FindVariable (\r
- EFI_PLATFORM_KEY_NAME,\r
- &gEfiGlobalVariableGuid,\r
- &PkVariable,\r
- &mVariableModuleGlobal->VariableGlobal,\r
- FALSE\r
- );\r
- ASSERT_EFI_ERROR (Status);\r
-\r
- OldPkList = (EFI_SIGNATURE_LIST *) GetVariableDataPtr (PkVariable.CurrPtr);\r
- OldPkData = (EFI_SIGNATURE_DATA *) ((UINT8 *) OldPkList + sizeof (EFI_SIGNATURE_LIST) + OldPkList->SignatureHeaderSize);\r
- Status = VerifyCounterBasedPayload (Data, DataSize, OldPkData->SignatureData);\r
- if (!EFI_ERROR (Status)) {\r
- Status = CheckSignatureListFormat(\r
- VariableName,\r
- VendorGuid,\r
- (UINT8*)Data + AUTHINFO_SIZE,\r
- DataSize - AUTHINFO_SIZE);\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
- \r
- Status = UpdateVariable (\r
- VariableName,\r
- VendorGuid,\r
- (UINT8*)Data + AUTHINFO_SIZE,\r
- DataSize - AUTHINFO_SIZE,\r
- Attributes,\r
- 0,\r
- CertData->MonotonicCount,\r
- Variable,\r
- NULL\r
- );\r
-\r
- if (!EFI_ERROR (Status)) {\r
- //\r
- // If delete PK in user mode, need change to setup mode.\r
- //\r
- if ((DataSize == AUTHINFO_SIZE) && IsPk) {\r
- Status = UpdatePlatformMode (SETUP_MODE);\r
- }\r
- }\r
+ if (Del && IsPk) {\r
+ Status = UpdatePlatformMode (SETUP_MODE);\r
}\r
}\r
+ return Status;\r
} else {\r
//\r
// Process PK or KEK in Setup mode or Custom Secure Boot mode.\r
//\r
- if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
- //\r
- // Time-based Authentication descriptor.\r
- //\r
- MonotonicCount = 0;\r
- TimeStamp = &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp;\r
- Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);\r
- PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
- } else if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
- //\r
- // Counter-based Authentication descriptor.\r
- //\r
- MonotonicCount = ((EFI_VARIABLE_AUTHENTICATION *) Data)->MonotonicCount;\r
- TimeStamp = NULL;\r
- Payload = (UINT8*) Data + AUTHINFO_SIZE;\r
- PayloadSize = DataSize - AUTHINFO_SIZE;\r
- } else {\r
- //\r
- // No Authentication descriptor.\r
- //\r
- MonotonicCount = 0;\r
- TimeStamp = NULL;\r
- Payload = Data;\r
- PayloadSize = DataSize;\r
- }\r
+ Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);\r
+ PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
\r
Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload, PayloadSize);\r
if (EFI_ERROR (Status)) {\r
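Review bot: In the setup/custom-mode branch, `PayloadSize = DataSize - AUTHINFO2_SIZE (Data)` is computed without first checking that `DataSize` covers the descriptor, and `AUTHINFO2_SIZE` is derived from the caller-supplied buffer. This branch does not pass through `VerifyTimeBasedPayload`, so unless the SetVariable entry point (outside this hunk) already bounds the descriptor, a short or malformed buffer makes `PayloadSize` wrap and `Payload` point past `Data` before `CheckSignatureListFormat` sees them. I would add a guard ahead of the two assignments, for example `if (DataSize < OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData) || DataSize < AUTHINFO2_SIZE (Data)) { return EFI_SECURITY_VIOLATION; }`. The same unchecked subtraction is added in the DB/DBX handler further down, just before its `UpdateVariable` call. This function's body continues outside the hunk.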
PayloadSize,\r
Attributes,\r
0,\r
- MonotonicCount,\r
+ 0,\r
Variable,\r
- TimeStamp\r
+ &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp\r
);\r
\r
if (IsPk) {\r
)\r
{\r
EFI_STATUS Status;\r
- VARIABLE_POINTER_TRACK KekVariable;\r
- EFI_SIGNATURE_LIST *KekList;\r
- EFI_SIGNATURE_DATA *KekItem;\r
- UINT32 KekCount;\r
- EFI_VARIABLE_AUTHENTICATION *CertData;\r
- EFI_CERT_BLOCK_RSA_2048_SHA256 *CertBlock;\r
- BOOLEAN IsFound;\r
- UINT32 Index;\r
- UINT32 KekDataSize;\r
UINT8 *Payload;\r
UINTN PayloadSize;\r
- UINT64 MonotonicCount;\r
- EFI_TIME *TimeStamp;\r
\r
- if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0) {\r
+ if ((Attributes & EFI_VARIABLE_NON_VOLATILE) == 0 ||\r
+ (Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0) {\r
//\r
- // DB and DBX should set EFI_VARIABLE_NON_VOLATILE attribute.\r
+ // DB and DBX should set EFI_VARIABLE_NON_VOLATILE attribute and should be a time-based\r
+ // authenticated variable.\r
//\r
return EFI_INVALID_PARAMETER;\r
}\r
\r
Status = EFI_SUCCESS;\r
if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {\r
- if (((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) == 0) &&\r
- ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0)){\r
- //\r
- // In user mode, should set EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS or\r
- // EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute.\r
- //\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
- //\r
- // Time-based, verify against X509 Cert KEK.\r
- //\r
- return VerifyTimeBasedPayload (\r
- VariableName,\r
- VendorGuid,\r
- Data,\r
- DataSize,\r
- Variable,\r
- Attributes,\r
- AuthVarTypeKek,\r
- NULL\r
- );\r
- } else if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
- //\r
- // Counter-based, verify against RSA2048 Cert KEK.\r
- //\r
- CertData = (EFI_VARIABLE_AUTHENTICATION *) Data;\r
- CertBlock = (EFI_CERT_BLOCK_RSA_2048_SHA256 *) (CertData->AuthInfo.CertData);\r
- if ((Variable->CurrPtr != NULL) && (CertData->MonotonicCount <= Variable->CurrPtr->MonotonicCount)) {\r
- //\r
- // Monotonic count check fail, suspicious replay attack, return EFI_SECURITY_VIOLATION.\r
- //\r
- return EFI_SECURITY_VIOLATION;\r
- }\r
- //\r
- // Get KEK database from variable.\r
- //\r
- Status = FindVariable (\r
- EFI_KEY_EXCHANGE_KEY_NAME,\r
- &gEfiGlobalVariableGuid,\r
- &KekVariable,\r
- &mVariableModuleGlobal->VariableGlobal,\r
- FALSE\r
- );\r
- ASSERT_EFI_ERROR (Status);\r
-\r
- KekDataSize = KekVariable.CurrPtr->DataSize;\r
- KekList = (EFI_SIGNATURE_LIST *) GetVariableDataPtr (KekVariable.CurrPtr);\r
-\r
- //\r
- // Enumerate all Kek items in this list to verify the variable certificate data.\r
- // If anyone is authenticated successfully, it means the variable is correct!\r
- //\r
- IsFound = FALSE;\r
- while ((KekDataSize > 0) && (KekDataSize >= KekList->SignatureListSize)) {\r
- if (CompareGuid (&KekList->SignatureType, &gEfiCertRsa2048Guid)) {\r
- KekItem = (EFI_SIGNATURE_DATA *) ((UINT8 *) KekList + sizeof (EFI_SIGNATURE_LIST) + KekList->SignatureHeaderSize);\r
- KekCount = (KekList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - KekList->SignatureHeaderSize) / KekList->SignatureSize;\r
- for (Index = 0; Index < KekCount; Index++) {\r
- if (CompareMem (KekItem->SignatureData, CertBlock->PublicKey, EFI_CERT_TYPE_RSA2048_SIZE) == 0) {\r
- IsFound = TRUE;\r
- break;\r
- }\r
- KekItem = (EFI_SIGNATURE_DATA *) ((UINT8 *) KekItem + KekList->SignatureSize);\r
- }\r
- }\r
- KekDataSize -= KekList->SignatureListSize;\r
- KekList = (EFI_SIGNATURE_LIST *) ((UINT8 *) KekList + KekList->SignatureListSize);\r
- }\r
-\r
- if (!IsFound) {\r
- return EFI_SECURITY_VIOLATION;\r
- }\r
-\r
- Status = VerifyCounterBasedPayload (Data, DataSize, CertBlock->PublicKey);\r
- if (!EFI_ERROR (Status)) {\r
- Status = UpdateVariable (\r
- VariableName,\r
- VendorGuid,\r
- (UINT8*)Data + AUTHINFO_SIZE,\r
- DataSize - AUTHINFO_SIZE,\r
- Attributes,\r
- 0,\r
- CertData->MonotonicCount,\r
- Variable,\r
- NULL\r
- );\r
- }\r
- }\r
+ //\r
+ // Time-based, verify against X509 Cert KEK.\r
+ //\r
+ return VerifyTimeBasedPayload (\r
+ VariableName,\r
+ VendorGuid,\r
+ Data,\r
+ DataSize,\r
+ Variable,\r
+ Attributes,\r
+ AuthVarTypeKek,\r
+ NULL\r
+ );\r
} else {\r
//\r
// If in setup mode or custom secure boot mode, no authentication needed.\r
//\r
- if ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
- //\r
- // Time-based Authentication descriptor.\r
- //\r
- MonotonicCount = 0;\r
- TimeStamp = &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp;\r
- Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);\r
- PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
- } else if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
- //\r
- // Counter-based Authentication descriptor.\r
- //\r
- MonotonicCount = ((EFI_VARIABLE_AUTHENTICATION *) Data)->MonotonicCount;\r
- TimeStamp = NULL;\r
- Payload = (UINT8*) Data + AUTHINFO_SIZE;\r
- PayloadSize = DataSize - AUTHINFO_SIZE;\r
- } else {\r
- //\r
- // No Authentication descriptor.\r
- //\r
- MonotonicCount = 0;\r
- TimeStamp = NULL;\r
- Payload = Data;\r
- PayloadSize = DataSize;\r
- }\r
+ Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);\r
+ PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
\r
Status = UpdateVariable (\r
VariableName,\r
PayloadSize,\r
Attributes,\r
0,\r
- MonotonicCount,\r
+ 0,\r
Variable,\r
- TimeStamp\r
+ &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp\r
);\r
}\r
\r
return Status;\r
}\r
\r
+/**\r
+ Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2\r
+ descriptor with the input data. NO authentication is required in this function.\r
+ \r
+ @param[in, out] DataSize On input, the size of Data buffer in bytes.\r
+ On output, the size of data returned in Data\r
+ buffer in bytes.\r
+ @param[in, out] Data On input, Pointer to data buffer to be wrapped or \r
+ pointer to NULL to wrap an empty payload.\r
+ On output, Pointer to the new payload date buffer allocated from pool,\r
+ it's caller's responsibility to free the memory when finish using it. \r
+\r
+ @retval EFI_SUCCESS Create time based payload successfully.\r
+ @retval EFI_OUT_OF_RESOURCES There are not enough memory resourses to create time based payload.\r
+ @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
+ @retval Others Unexpected error happens.\r
+\r
+**/\r
+EFI_STATUS\r
+CreateTimeBasedPayload (\r
+ IN OUT UINTN *DataSize,\r
+ IN OUT UINT8 **Data\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ UINT8 *NewData;\r
+ UINT8 *Payload;\r
+ UINTN PayloadSize;\r
+ EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;\r
+ UINTN DescriptorSize;\r
+ EFI_TIME Time;\r
+ \r
+ if (Data == NULL || DataSize == NULL) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+ \r
+ //\r
+ // In Setup mode or Custom mode, the variable does not need to be signed but the \r
+ // parameters to the SetVariable() call still need to be prepared as authenticated\r
+ // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate\r
+ // data in it.\r
+ //\r
+ Payload = *Data;\r
+ PayloadSize = *DataSize;\r
+ \r
+ DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);\r
+ NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);\r
+ if (NewData == NULL) {\r
+ return EFI_OUT_OF_RESOURCES;\r
+ }\r
+\r
+ if ((Payload != NULL) && (PayloadSize != 0)) {\r
+ CopyMem (NewData + DescriptorSize, Payload, PayloadSize);\r
+ }\r
+\r
+ DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);\r
+\r
+ ZeroMem (&Time, sizeof (EFI_TIME));\r
+ Status = gRT->GetTime (&Time, NULL);\r
+ if (EFI_ERROR (Status)) {\r
+ FreePool(NewData);\r
+ return Status;\r
+ }\r
+ Time.Pad1 = 0;\r
+ Time.Nanosecond = 0;\r
+ Time.TimeZone = 0;\r
+ Time.Daylight = 0;\r
+ Time.Pad2 = 0;\r
+ CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));\r
+ \r
+ DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);\r
+ DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;\r
+ DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;\r
+ CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);\r
+ \r
+ if (Payload != NULL) {\r
+ FreePool(Payload);\r
+ }\r
+ \r
+ *DataSize = DescriptorSize + PayloadSize;\r
+ *Data = NewData;\r
+ return EFI_SUCCESS;\r
+}\r
+\r
/**\r
Internal helper function to delete a Variable given its name and GUID, NO authentication\r
required.\r
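Review bot: `CreateTimeBasedPayload` accepts `*Data == NULL` together with a non-zero `*DataSize`: the copy is skipped, but the buffer is still sized `DescriptorSize + PayloadSize` and that size is returned, so the caller would write a zero-filled payload of the stale length. Rejecting the combination up front with `if ((*Data == NULL) && (*DataSize != 0)) { return EFI_INVALID_PARAMETER; }` keeps the empty-payload case well defined; the sum `DescriptorSize + PayloadSize` is also not checked for wrap-around before `AllocateZeroPool`. The header comment should state that the input buffer must be pool-allocated and is released with `FreePool` on success but left untouched on failure, since callers pass their own list pointers (`&PkCert`, `&KekSigList`) through a cast. It is also worth saying there that the descriptor carries no certificate data, so the result is only accepted in setup or custom mode.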
{\r
EFI_STATUS Status;\r
VOID* Variable;\r
+ UINT8 *Data;\r
+ UINTN DataSize;\r
+ UINT32 Attr;\r
\r
Variable = GetVariable (VariableName, VendorGuid);\r
if (Variable == NULL) {\r
return EFI_SUCCESS;\r
}\r
\r
- Status = gRT->SetVariable (\r
- VariableName,\r
- VendorGuid,\r
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
- 0,\r
- NULL\r
- );\r
- return Status;\r
-}\r
-\r
-/**\r
- Generate a PK signature list from the public key storing file (*.pbk).\r
-\r
- @param[in] PkKeyFile FileHandle of the public key storing file.\r
- @param[out] PkCert Point to the data buffer to store the signature list.\r
- \r
- @return EFI_UNSUPPORTED Unsupported Key Length.\r
- @return EFI_OUT_OF_RESOURCES There are not enough memory resourses to form the signature list.\r
- \r
-**/\r
-EFI_STATUS\r
-CreatePkRsaSignatureList (\r
- IN EFI_FILE_HANDLE PkKeyFile, \r
- OUT EFI_SIGNATURE_LIST **PkCert \r
- )\r
-{\r
- EFI_STATUS Status; \r
- UINTN KeyBlobSize;\r
- VOID *KeyBlob;\r
- CPL_KEY_INFO *KeyInfo;\r
- EFI_SIGNATURE_DATA *PkCertData;\r
- VOID *KeyBuffer; \r
- UINTN KeyLenInBytes;\r
-\r
- PkCertData = NULL;\r
- KeyBlob = NULL;\r
- KeyBuffer = NULL;\r
- Status = EFI_SUCCESS;\r
-\r
- //\r
- // Get key from PK key file\r
- // \r
- Status = ReadFileContent (PkKeyFile, &KeyBlob, &KeyBlobSize, 0);\r
- if (EFI_ERROR(Status)) {\r
- DEBUG ((EFI_D_ERROR, "Can't Open the file for PK enrolling.\n"));\r
- goto ON_EXIT;\r
- }\r
- ASSERT (KeyBlob != NULL);\r
-\r
- KeyInfo = (CPL_KEY_INFO *)KeyBlob;\r
- if (KeyInfo->KeyLengthInBits/8 != WIN_CERT_UEFI_RSA2048_SIZE) {\r
- Status = EFI_UNSUPPORTED;\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Convert the Public key to fix octet string format represented in RSA PKCS#1.\r
- // \r
- KeyLenInBytes = KeyInfo->KeyLengthInBits / 8;\r
- KeyBuffer = AllocateZeroPool(KeyLenInBytes);\r
- if (KeyBuffer == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
- Status = Int2OctStr (\r
- (UINTN*) ((UINTN)KeyBlob + sizeof(CPL_KEY_INFO)), \r
- KeyLenInBytes / sizeof (UINTN), \r
- (UINT8*)KeyBuffer, \r
- KeyLenInBytes\r
- );\r
- if (EFI_ERROR(Status)) {\r
- goto ON_EXIT;\r
- }\r
+ Data = NULL;\r
+ DataSize = 0;\r
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS\r
+ | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;\r
\r
- // Allocate space for PK certificate list and initialize the list.\r
- // Create PK database entry with SignatureHeaderSize equals 0.\r
- //\r
- *PkCert = (EFI_SIGNATURE_LIST*)AllocateZeroPool(\r
- sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1\r
- + WIN_CERT_UEFI_RSA2048_SIZE\r
- );\r
- \r
- if (*PkCert == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
+ Status = CreateTimeBasedPayload (&DataSize, &Data);\r
+ if (EFI_ERROR (Status)) {\r
+ DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));\r
+ return Status;\r
}\r
\r
- (*PkCert)->SignatureListSize = sizeof(EFI_SIGNATURE_LIST) \r
- + sizeof(EFI_SIGNATURE_DATA) - 1\r
- + WIN_CERT_UEFI_RSA2048_SIZE;\r
- (*PkCert)->SignatureSize = sizeof(EFI_SIGNATURE_DATA) - 1 + WIN_CERT_UEFI_RSA2048_SIZE;\r
- (*PkCert)->SignatureHeaderSize = 0;\r
- CopyGuid (&(*PkCert)->SignatureType, &gEfiCertRsa2048Guid);\r
-\r
- PkCertData = (EFI_SIGNATURE_DATA*)((UINTN)(*PkCert) \r
- + sizeof(EFI_SIGNATURE_LIST)\r
- + (*PkCert)->SignatureHeaderSize);\r
- CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid);\r
- //\r
- // Fill the PK database with PKpub data from PKKeyFile.\r
- // \r
- CopyMem (&(PkCertData->SignatureData[0]), KeyBuffer, WIN_CERT_UEFI_RSA2048_SIZE);\r
-\r
-ON_EXIT:\r
- \r
- if (KeyBlob != NULL) {\r
- FreePool (KeyBlob);\r
- }\r
- \r
- if (EFI_ERROR(Status) && *PkCert != NULL) {\r
- FreePool (*PkCert);\r
- *PkCert = NULL;\r
- }\r
- \r
- if (KeyBuffer != NULL) {\r
- FreePool (KeyBuffer);\r
+ Status = gRT->SetVariable (\r
+ VariableName,\r
+ VendorGuid,\r
+ Attr,\r
+ DataSize,\r
+ Data\r
+ );\r
+ if (Data != NULL) {\r
+ FreePool (Data);\r
}\r
- \r
return Status;\r
}\r
\r
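Review bot: The buffer returned by `GetVariable` is only compared with NULL and never released, and the added `return Status;` after a failed `CreateTimeBasedPayload` is one more exit that leaves it allocated. If that helper returns pool memory (its definition is not visible here), only existence is needed, so `FreePool (Variable);` can follow the NULL check directly. The new `DEBUG` format string `"Fail to create time-based data payload: %r"` also lacks a trailing `\n`, here and at the other added call sites. The function's signature is outside the hunk.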
PkCert = NULL;\r
\r
//\r
- // Parse the file's postfix. Only support *.pbk(RSA2048) and *.cer(X509) files.\r
+ // Parse the file's postfix. Only support *.cer(X509) files.\r
//\r
FilePostFix = Private->FileContext->FileName + StrLen (Private->FileContext->FileName) - 4;\r
- if (CompareMem (FilePostFix, L".pbk",4) && CompareMem (FilePostFix, L".cer",4)) {\r
- DEBUG ((EFI_D_ERROR, "Don't support the file, only *.pbk or *.cer.\n is supported."));\r
+ if (CompareMem (FilePostFix, L".cer",4)) {\r
+ DEBUG ((EFI_D_ERROR, "Don't support the file, only *.cer is supported."));\r
return EFI_INVALID_PARAMETER;\r
}\r
DEBUG ((EFI_D_INFO, "FileName= %s\n", Private->FileContext->FileName));\r
//\r
// Prase the selected PK file and generature PK certificate list.\r
//\r
- if (!CompareMem (FilePostFix, L".pbk",4)) {\r
- Status = CreatePkRsaSignatureList (\r
- Private->FileContext->FHandle, \r
- &PkCert \r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
- } else if (!CompareMem (FilePostFix, L".cer",4)) {\r
- Status = CreatePkX509SignatureList (\r
- Private->FileContext->FHandle, \r
- &PkCert \r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
+ Status = CreatePkX509SignatureList (\r
+ Private->FileContext->FHandle, \r
+ &PkCert \r
+ );\r
+ if (EFI_ERROR (Status)) {\r
+ goto ON_EXIT;\r
}\r
ASSERT (PkCert != NULL);\r
\r
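Review bot: `CompareMem (FilePostFix, L".cer",4)` compares four bytes, which is only the first two `CHAR16` characters of the suffix, so the check does not actually require the name to end in `.cer`. `FilePostFix` is also formed as `FileName + StrLen (...) - 4` with no length check, so a name shorter than four characters puts the pointer before the start of the string. Suggested condition: `if (StrLen (Private->FileContext->FileName) < 4 || CompareMem (FilePostFix, L".cer", 4 * sizeof (CHAR16)) != 0) {`. The enclosing function starts and ends outside the hunk.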
// Set Platform Key variable.\r
// \r
Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS \r
- | EFI_VARIABLE_BOOTSERVICE_ACCESS;\r
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;\r
DataSize = PkCert->SignatureListSize;\r
+ Status = CreateTimeBasedPayload (&DataSize, (UINT8**) &PkCert);\r
+ if (EFI_ERROR (Status)) {\r
+ DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));\r
+ goto ON_EXIT;\r
+ }\r
+ \r
Status = gRT->SetVariable(\r
EFI_PLATFORM_KEY_NAME, \r
&gEfiGlobalVariableGuid, \r
{\r
EFI_STATUS Status;\r
\r
- Status = DeleteVariable (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGuid);\r
- \r
+ Status = DeleteVariable (\r
+ EFI_PLATFORM_KEY_NAME,\r
+ &gEfiGlobalVariableGuid\r
+ );\r
return Status;\r
}\r
\r
// If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the \r
// new KEK to original variable.\r
// \r
- Attr |= EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS;\r
- DataSize = 0;\r
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS \r
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;\r
+ Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8**) &KekSigList);\r
+ if (EFI_ERROR (Status)) {\r
+ DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));\r
+ goto ON_EXIT;\r
+ }\r
+\r
Status = gRT->GetVariable(\r
EFI_KEY_EXCHANGE_KEY_NAME, \r
&gEfiGlobalVariableGuid, \r
// new kek to original variable\r
// \r
Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS \r
- | EFI_VARIABLE_BOOTSERVICE_ACCESS;\r
-\r
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;\r
+ Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8**) &KekSigList);\r
+ if (EFI_ERROR (Status)) {\r
+ DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));\r
+ goto ON_EXIT;\r
+ }\r
+ \r
Status = gRT->GetVariable(\r
EFI_KEY_EXCHANGE_KEY_NAME, \r
&gEfiGlobalVariableGuid, \r
// new signature data to original variable\r
// \r
Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS \r
- | EFI_VARIABLE_BOOTSERVICE_ACCESS;\r
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;\r
+ Status = CreateTimeBasedPayload (&SigDBSize, (UINT8**) &Data);\r
+ if (EFI_ERROR (Status)) {\r
+ DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));\r
+ goto ON_EXIT;\r
+ }\r
\r
Status = gRT->GetVariable(\r
VariableName, \r
\r
Data = NULL;\r
GuidCertData = NULL;\r
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS \r
- | EFI_VARIABLE_BOOTSERVICE_ACCESS;\r
\r
//\r
// Form the SigDB certificate list.\r
CopyGuid (&SigDBCertData->SignatureOwner, Private->SignatureGUID);\r
CopyMem (SigDBCertData->SignatureData, mImageDigest, mImageDigestSize);\r
\r
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS \r
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;\r
+ Status = CreateTimeBasedPayload (&SigDBSize, (UINT8**) &Data);\r
+ if (EFI_ERROR (Status)) {\r
+ DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));\r
+ goto ON_EXIT;\r
+ }\r
+ \r
//\r
// Check if SigDB variable has been already existed. \r
// If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the \r
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);\r
}\r
\r
- CertList = (EFI_SIGNATURE_LIST*) OldData;\r
DataSize = Offset;\r
+ if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
+ Status = CreateTimeBasedPayload (&DataSize, &OldData);\r
+ if (EFI_ERROR (Status)) {\r
+ DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));\r
+ goto ON_EXIT;\r
+ }\r
+ }\r
\r
Status = gRT->SetVariable(\r
EFI_KEY_EXCHANGE_KEY_NAME, \r
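Review bot: The `if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0)` guard has no else, so when the flag is clear the unwrapped list goes to `SetVariable` with attributes that the driver-side checks added in this commit reject with `EFI_INVALID_PARAMETER`. Where `Attr` is read is outside the hunk; if it comes from the stored variable, entries created before this change could no longer be removed from this form and the user would only see a generic failure. Handling the case explicitly, e.g. `} else { Status = EFI_INVALID_PARAMETER; goto ON_EXIT; }` with a comment explaining that key databases must now be time-based authenticated, would make that visible. The second delete routine repeats the same guard before its `SetVariable` call on `VariableName`.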
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);\r
}\r
\r
- CertList = (EFI_SIGNATURE_LIST*) OldData;\r
DataSize = Offset;\r
+ if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {\r
+ Status = CreateTimeBasedPayload (&DataSize, &OldData);\r
+ if (EFI_ERROR (Status)) {\r
+ DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));\r
+ goto ON_EXIT;\r
+ }\r
+ }\r
\r
Status = gRT->SetVariable(\r
VariableName, \r
CreatePopUp (\r
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,\r
&Key,\r
- L"ERROR: The File Type is neither *.cer nor *.pbk!",\r
+ L"ERROR: Unsupported file type, only *.cer is supported!",\r
NULL\r
);\r
} else {\r