\r
#include "SecureBootConfigImpl.h"\r
#include <Library/BaseCryptLib.h>\r
+#include <Library/SecureBootVariableLib.h>\r
+#include <Library/SecureBootVariableProvisionLib.h>\r
\r
CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION";\r
\r
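Review bot: These two includes are the only visible replacement for the four non-static helpers deleted later in the file (`CreateTimeBasedPayload`, `DeleteVariable`, `SetSecureBootMode`, `DeletePlatformKey`), so any remaining caller in this driver now relies on the library versions keeping the same contract; neither the libraries nor the driver's INF are shown on this page. The removed `DeletePlatformKey` set `CUSTOM_SECURE_BOOT_MODE` before deleting PK, and the removed comments say the unsigned time-based payload only works in Setup or Custom mode, so it is worth confirming that the library code keeps that order and that both library classes are listed under `[LibraryClasses]`. The "NO authentication is required" doc comments leave this file together with the code, so, assuming the library versions match what was removed, I would add a short comment above the new includes, e.g. `// Secure Boot variable helpers now come from these libraries; they build unsigned EFI_VARIABLE_AUTHENTICATION_2 payloads, valid only in Setup/Custom mode.`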
return Status;\r
}\r
\r
-/**\r
- Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2\r
- descriptor with the input data. NO authentication is required in this function.\r
-\r
- @param[in, out] DataSize On input, the size of Data buffer in bytes.\r
- On output, the size of data returned in Data\r
- buffer in bytes.\r
- @param[in, out] Data On input, Pointer to data buffer to be wrapped or\r
- pointer to NULL to wrap an empty payload.\r
- On output, Pointer to the new payload date buffer allocated from pool,\r
- it's caller's responsibility to free the memory when finish using it.\r
-\r
- @retval EFI_SUCCESS Create time based payload successfully.\r
- @retval EFI_OUT_OF_RESOURCES There are not enough memory resources to create time based payload.\r
- @retval EFI_INVALID_PARAMETER The parameter is invalid.\r
- @retval Others Unexpected error happens.\r
-\r
-**/\r
-EFI_STATUS\r
-CreateTimeBasedPayload (\r
- IN OUT UINTN *DataSize,\r
- IN OUT UINT8 **Data\r
- )\r
-{\r
- EFI_STATUS Status;\r
- UINT8 *NewData;\r
- UINT8 *Payload;\r
- UINTN PayloadSize;\r
- EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;\r
- UINTN DescriptorSize;\r
- EFI_TIME Time;\r
-\r
- if (Data == NULL || DataSize == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // In Setup mode or Custom mode, the variable does not need to be signed but the\r
- // parameters to the SetVariable() call still need to be prepared as authenticated\r
- // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate\r
- // data in it.\r
- //\r
- Payload = *Data;\r
- PayloadSize = *DataSize;\r
-\r
- DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);\r
- NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);\r
- if (NewData == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- if ((Payload != NULL) && (PayloadSize != 0)) {\r
- CopyMem (NewData + DescriptorSize, Payload, PayloadSize);\r
- }\r
-\r
- DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);\r
-\r
- ZeroMem (&Time, sizeof (EFI_TIME));\r
- Status = gRT->GetTime (&Time, NULL);\r
- if (EFI_ERROR (Status)) {\r
- FreePool(NewData);\r
- return Status;\r
- }\r
- Time.Pad1 = 0;\r
- Time.Nanosecond = 0;\r
- Time.TimeZone = 0;\r
- Time.Daylight = 0;\r
- Time.Pad2 = 0;\r
- CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));\r
-\r
- DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);\r
- DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;\r
- DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;\r
- CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);\r
-\r
- if (Payload != NULL) {\r
- FreePool(Payload);\r
- }\r
-\r
- *DataSize = DescriptorSize + PayloadSize;\r
- *Data = NewData;\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Internal helper function to delete a Variable given its name and GUID, NO authentication\r
- required.\r
-\r
- @param[in] VariableName Name of the Variable.\r
- @param[in] VendorGuid GUID of the Variable.\r
-\r
- @retval EFI_SUCCESS Variable deleted successfully.\r
- @retval Others The driver failed to start the device.\r
-\r
-**/\r
-EFI_STATUS\r
-DeleteVariable (\r
- IN CHAR16 *VariableName,\r
- IN EFI_GUID *VendorGuid\r
- )\r
-{\r
- EFI_STATUS Status;\r
- VOID* Variable;\r
- UINT8 *Data;\r
- UINTN DataSize;\r
- UINT32 Attr;\r
-\r
- GetVariable2 (VariableName, VendorGuid, &Variable, NULL);\r
- if (Variable == NULL) {\r
- return EFI_SUCCESS;\r
- }\r
- FreePool (Variable);\r
-\r
- Data = NULL;\r
- DataSize = 0;\r
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS\r
- | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;\r
-\r
- Status = CreateTimeBasedPayload (&DataSize, &Data);\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));\r
- return Status;\r
- }\r
-\r
- Status = gRT->SetVariable (\r
- VariableName,\r
- VendorGuid,\r
- Attr,\r
- DataSize,\r
- Data\r
- );\r
- if (Data != NULL) {\r
- FreePool (Data);\r
- }\r
- return Status;\r
-}\r
-\r
-/**\r
-\r
- Set the platform secure boot mode into "Custom" or "Standard" mode.\r
-\r
- @param[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or\r
- CUSTOM_SECURE_BOOT_MODE.\r
-\r
- @return EFI_SUCCESS The platform has switched to the special mode successfully.\r
- @return other Fail to operate the secure boot mode.\r
-\r
-**/\r
-EFI_STATUS\r
-SetSecureBootMode (\r
- IN UINT8 SecureBootMode\r
- )\r
-{\r
- return gRT->SetVariable (\r
- EFI_CUSTOM_MODE_NAME,\r
- &gEfiCustomModeEnableGuid,\r
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,\r
- sizeof (UINT8),\r
- &SecureBootMode\r
- );\r
-}\r
-\r
/**\r
This code checks if the encode type and key strength of X.509\r
certificate is qualified.\r
return Status;\r
}\r
\r
-/**\r
- Remove the PK variable.\r
-\r
- @retval EFI_SUCCESS Delete PK successfully.\r
- @retval Others Could not allow to delete PK.\r
-\r
-**/\r
-EFI_STATUS\r
-DeletePlatformKey (\r
- VOID\r
-)\r
-{\r
- EFI_STATUS Status;\r
-\r
- Status = SetSecureBootMode(CUSTOM_SECURE_BOOT_MODE);\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- Status = DeleteVariable (\r
- EFI_PLATFORM_KEY_NAME,\r
- &gEfiGlobalVariableGuid\r
- );\r
- return Status;\r
-}\r
-\r
/**\r
Enroll a new KEK item from public key storing file (*.pbk).\r
\r