Add “VendorKeys” variable for indicating out of band key modification.
authorFu Siyuan <siyuan.fu@intel.com>
Thu, 12 Sep 2013 05:23:28 +0000 (05:23 +0000)
committersfu5 <sfu5@6f19259b-4bc3-4df7-8a09-765794883524>
Thu, 12 Sep 2013 05:23:28 +0000 (05:23 +0000)
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14660 6f19259b-4bc3-4df7-8a09-765794883524

SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
SecurityPkg/SecurityPkg.dec
SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf

index 6ffd9f17e389d68c8556e504c02ff52b5c0665dc..66947e176536f75836594282975facfc95e5b275 100644 (file)
@@ -4,7 +4,7 @@
   AuthenticatedVariableFormat.h defines variable data headers \r
   and variable storage region headers.\r
 \r
-Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>\r
 This program and the accompanying materials \r
 are licensed and made available under the terms and conditions of the BSD License \r
 which accompanies this distribution.  The full text of the license may be found at \r
@@ -29,6 +29,7 @@ extern EFI_GUID gEfiAuthenticatedVariableGuid;
 extern EFI_GUID gEfiSecureBootEnableDisableGuid;\r
 extern EFI_GUID gEfiCertDbGuid;\r
 extern EFI_GUID gEfiCustomModeEnableGuid;\r
+extern EFI_GUID gEfiVendorKeysNvGuid;\r
 \r
 ///\r
 /// "SecureBootEnable" variable for the Secure Boot feature enable/disable.\r
@@ -51,6 +52,16 @@ extern EFI_GUID gEfiCustomModeEnableGuid;
 #define CUSTOM_SECURE_BOOT_MODE       1\r
 #define STANDARD_SECURE_BOOT_MODE     0\r
 \r
+///\r
+///  "VendorKeysNv" variable to record the out of band secure boot keys modification.\r
+///  This variable is a read-only NV varaible that indicates whether someone other than\r
+///  the platform vendor has used a mechanism not defined by the UEFI Specification to\r
+///  transition the system to setup mode or to update secure boot keys.\r
+///\r
+#define EFI_VENDOR_KEYS_NV_VARIABLE_NAME       L"VendorKeysNv"\r
+#define VENDOR_KEYS_VALID             1\r
+#define VENDOR_KEYS_MODIFIED          0\r
+\r
 ///\r
 /// Alignment of variable name and data, according to the architecture:\r
 /// * For IA-32 and Intel(R) 64 architectures: 1.\r
index 610682717e1901e2fdfe7d6ec72cec8846ec17eb..444332c88cf1e8b057e177685bf46df13e6d32b4 100644 (file)
@@ -41,6 +41,9 @@
   #  Include/Guid/AuthenticatedVariableFormat.h\r
   gEfiCustomModeEnableGuid           = { 0xc076ec0c, 0x7028, 0x4399, { 0xa0, 0x72, 0x71, 0xee, 0x5c, 0x44, 0x8b, 0x9f } }\r
 \r
+  #  Include/Guid/AuthenticatedVariableFormat.h\r
+  gEfiVendorKeysNvGuid               = { 0x9073e4e0, 0x60ec, 0x4b6e, { 0x99, 0x3, 0x4c, 0x22, 0x3c, 0x26, 0xf, 0x3c } }\r
+\r
   #  Include/Guid/AuthenticatedVariableFormat.h\r
   gEfiCertDbGuid                     = { 0xd9bee56e, 0x75dc, 0x49d9, { 0xb4, 0xd7, 0xb5, 0x34, 0x21, 0xf, 0x63, 0x7a } }\r
   \r
index 7da0d63aba90dc86448cd9b46b4e8512afd386af..909de960b723ddf9f9cfe71526cf9d6525f05a74 100644 (file)
@@ -36,6 +36,8 @@ UINT8    mPubKeyStore[MAX_KEYDB_SIZE];
 UINT32   mPubKeyNumber;\r
 UINT8    mCertDbStore[MAX_CERTDB_SIZE];\r
 UINT32   mPlatformMode;\r
+UINT8    mVendorKeyState;\r
+\r
 EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};\r
 //\r
 // Public Exponent of RSA Key.\r
@@ -255,7 +257,7 @@ AutenticatedVariableServiceInitialize (
   }\r
   \r
   //\r
-  // Create "SetupMode" varable with BS+RT attribute set.\r
+  // Create "SetupMode" variable with BS+RT attribute set.\r
   //\r
   FindVariable (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
   if (PkVariable.CurrPtr == NULL) {\r
@@ -279,7 +281,7 @@ AutenticatedVariableServiceInitialize (
   }\r
   \r
   //\r
-  // Create "SignatureSupport" varable with BS+RT attribute set.\r
+  // Create "SignatureSupport" variable with BS+RT attribute set.\r
   //\r
   FindVariable (EFI_SIGNATURE_SUPPORT_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
   Status  = UpdateVariable (\r
@@ -328,7 +330,7 @@ AutenticatedVariableServiceInitialize (
   }\r
 \r
   //\r
-  // Create "SecureBoot" varable with BS+RT attribute set.\r
+  // Create "SecureBoot" variable with BS+RT attribute set.\r
   //\r
   if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {\r
     SecureBootMode = SECURE_BOOT_MODE_ENABLE;\r
@@ -409,6 +411,54 @@ AutenticatedVariableServiceInitialize (
     }\r
   }  \r
 \r
+  //\r
+  // Check "VendorKeysNv" variable's existence and create "VendorKeys" variable accordingly.\r
+  //\r
+  FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
+  if (Variable.CurrPtr != NULL) {\r
+    mVendorKeyState = *(GetVariableDataPtr (Variable.CurrPtr));\r
+  } else {\r
+    //\r
+    // "VendorKeysNv" not exist, initialize it in VENDOR_KEYS_VALID state.\r
+    //\r
+    mVendorKeyState = VENDOR_KEYS_VALID;\r
+    Status = UpdateVariable (\r
+               EFI_VENDOR_KEYS_NV_VARIABLE_NAME,\r
+               &gEfiVendorKeysNvGuid,\r
+               &mVendorKeyState,\r
+               sizeof (UINT8),\r
+               EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,\r
+               0,\r
+               0,\r
+               &Variable,\r
+               NULL\r
+               );\r
+    if (EFI_ERROR (Status)) {\r
+      return Status;\r
+    }\r
+  }\r
+\r
+  //\r
+  // Create "VendorKeys" variable with BS+RT attribute set.\r
+  //\r
+  FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
+  Status = UpdateVariable (\r
+             EFI_VENDOR_KEYS_VARIABLE_NAME,\r
+             &gEfiGlobalVariableGuid,\r
+             &mVendorKeyState,\r
+             sizeof (UINT8),\r
+             EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
+             0,\r
+             0,\r
+             &Variable,\r
+             NULL\r
+             );\r
+  if (EFI_ERROR (Status)) {\r
+    return Status;\r
+  }\r
+\r
+  DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_VENDOR_KEYS_VARIABLE_NAME, mVendorKeyState));\r
+\r
   return Status;\r
 }\r
 \r
@@ -911,6 +961,56 @@ CheckSignatureListFormat(
   return EFI_SUCCESS;\r
 }\r
 \r
+/**\r
+  Update "VendorKeys" variable to record the out of band secure boot key modification.\r
+\r
+  @return EFI_SUCCESS           Variable is updated successfully.\r
+  @return Others                Failed to update variable.\r
+  \r
+**/\r
+EFI_STATUS\r
+VendorKeyIsModified (\r
+  VOID\r
+  )\r
+{\r
+  EFI_STATUS              Status;\r
+  VARIABLE_POINTER_TRACK  Variable;\r
+\r
+  if (mVendorKeyState == VENDOR_KEYS_MODIFIED) {\r
+    return EFI_SUCCESS;\r
+  }\r
+  mVendorKeyState = VENDOR_KEYS_MODIFIED;\r
+  \r
+  FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
+  Status = UpdateVariable (\r
+             EFI_VENDOR_KEYS_NV_VARIABLE_NAME,\r
+             &gEfiVendorKeysNvGuid,\r
+             &mVendorKeyState,\r
+             sizeof (UINT8),\r
+             EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,\r
+             0,\r
+             0,\r
+             &Variable,\r
+             NULL\r
+             );\r
+  if (EFI_ERROR (Status)) {\r
+    return Status;\r
+  }\r
+\r
+  FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);\r
+  return UpdateVariable (\r
+           EFI_VENDOR_KEYS_VARIABLE_NAME,\r
+           &gEfiGlobalVariableGuid,\r
+           &mVendorKeyState,\r
+           sizeof (UINT8),\r
+           EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
+           0,\r
+           0,\r
+           &Variable,\r
+           NULL\r
+           );\r
+}\r
+\r
 /**\r
   Process variable with platform key for verification.\r
 \r
@@ -985,6 +1085,13 @@ ProcessVarWithPk (
                Variable,\r
                &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp\r
                );\r
+    if (EFI_ERROR(Status)) {\r
+      return Status;\r
+    }\r
+\r
+    if (mPlatformMode != SETUP_MODE) {\r
+      Status = VendorKeyIsModified ();\r
+    }\r
   } else if (mPlatformMode == USER_MODE) {\r
     //\r
     // Verify against X509 Cert in PK database.\r
@@ -1117,6 +1224,13 @@ ProcessVarWithKek (
                Variable,\r
                &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp\r
                );\r
+    if (EFI_ERROR (Status)) {\r
+      return Status;\r
+    }\r
+\r
+    if (mPlatformMode != SETUP_MODE) {\r
+      Status = VendorKeyIsModified ();\r
+    }\r
   }\r
 \r
   return Status;\r
index 5261157ff24883439ac60e79d6b2cb1ab0ffc077..5ff48cff2ff073525f4ba48b6b70e7e68fe38c9e 100644 (file)
@@ -2500,7 +2500,8 @@ IsReadOnlyVariable (
   if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)) {\r
     if ((StrCmp (VariableName, EFI_SETUP_MODE_NAME) == 0) ||\r
         (StrCmp (VariableName, EFI_SIGNATURE_SUPPORT_NAME) == 0) ||\r
-        (StrCmp (VariableName, EFI_SECURE_BOOT_MODE_NAME) == 0)) {\r
+        (StrCmp (VariableName, EFI_SECURE_BOOT_MODE_NAME) == 0) ||\r
+        (StrCmp (VariableName, EFI_VENDOR_KEYS_VARIABLE_NAME) == 0)) {\r
       return TRUE;\r
     }\r
   }\r
index 4904adae2e794c8251d30dc423ebc9d7ead02414..7f8c28ec72341864f48ee4a1ed482aaf34db1a04 100644 (file)
@@ -80,6 +80,7 @@
   gEfiCertRsa2048Guid\r
   gEfiSecureBootEnableDisableGuid\r
   gEfiCustomModeEnableGuid\r
+  gEfiVendorKeysNvGuid\r
   gEfiSystemNvDataFvGuid                        ## CONSUMES\r
   gEfiCertDbGuid\r
   gEfiHardwareErrorVariableGuid                 ## SOMETIMES_CONSUMES\r
index 4180309c7f828204739bf9ee5fb1b970420a167d..5a4082309775db0a356817ab968a168926a86fe6 100644 (file)
@@ -86,6 +86,7 @@
   gEfiCertRsa2048Guid\r
   gEfiSecureBootEnableDisableGuid\r
   gEfiCustomModeEnableGuid\r
+  gEfiVendorKeysNvGuid\r
   gEfiSystemNvDataFvGuid                        ## CONSUMES\r
   gEfiCertDbGuid\r
   gEfiHardwareErrorVariableGuid                 ## SOMETIMES_CONSUMES\r