From: Fu Siyuan Date: Thu, 12 Sep 2013 05:23:28 +0000 (+0000) Subject: Add “VendorKeys” variable for indicating out of band key modification. X-Git-Tag: edk2-stable201903~12266 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=a555940b2d4cb525d8c2bfcf16fbaab89157556f Add “VendorKeys” variable for indicating out of band key modification. Signed-off-by: Fu Siyuan Reviewed-by: Ye Ting Reviewed-by: Dong Guo git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14660 6f19259b-4bc3-4df7-8a09-765794883524
---
diff --git a/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h b/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
index 6ffd9f17e3..66947e1765 100644
--- a/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
+++ b/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
@@ -4,7 +4,7 @@ AuthenticatedVariableFormat.h defines variable data headers and variable storage region headers.
-Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
+Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at
@@ -29,6 +29,7 @@ extern EFI_GUID gEfiAuthenticatedVariableGuid;
 extern EFI_GUID gEfiSecureBootEnableDisableGuid;
 extern EFI_GUID gEfiCertDbGuid;
 extern EFI_GUID gEfiCustomModeEnableGuid;
+extern EFI_GUID gEfiVendorKeysNvGuid;
 ///
 /// "SecureBootEnable" variable for the Secure Boot feature enable/disable.
@@ -51,6 +52,16 @@ extern EFI_GUID gEfiCustomModeEnableGuid;
 #define CUSTOM_SECURE_BOOT_MODE 1
 #define STANDARD_SECURE_BOOT_MODE 0
+///
+/// "VendorKeysNv" variable to record the out of band secure boot keys modification.
+/// This variable is a read-only NV varaible that indicates whether someone other than
+/// the platform vendor has used a mechanism not defined by the UEFI Specification to
+/// transition the system to setup mode or to update secure boot keys.
+///
+#define EFI_VENDOR_KEYS_NV_VARIABLE_NAME L"VendorKeysNv"
+#define VENDOR_KEYS_VALID 1
+#define VENDOR_KEYS_MODIFIED 0
+
 ///
 /// Alignment of variable name and data, according to the architecture:
 /// * For IA-32 and Intel(R) 64 architectures: 1.
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 610682717e..444332c88c 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -41,6 +41,9 @@
 # Include/Guid/AuthenticatedVariableFormat.h
 gEfiCustomModeEnableGuid = { 0xc076ec0c, 0x7028, 0x4399, { 0xa0, 0x72, 0x71, 0xee, 0x5c, 0x44, 0x8b, 0x9f } }
+ # Include/Guid/AuthenticatedVariableFormat.h
+ gEfiVendorKeysNvGuid = { 0x9073e4e0, 0x60ec, 0x4b6e, { 0x99, 0x3, 0x4c, 0x22, 0x3c, 0x26, 0xf, 0x3c } }
+
 # Include/Guid/AuthenticatedVariableFormat.h
 gEfiCertDbGuid = { 0xd9bee56e, 0x75dc, 0x49d9, { 0xb4, 0xd7, 0xb5, 0x34, 0x21, 0xf, 0x63, 0x7a } }
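Review bot: The documentation block added for "VendorKeysNv" misspells `varaible` in `+/// This variable is a read-only NV varaible that indicates whether someone other than`; it should read `variable`. The comment would also be more useful if it said how the value is consumed, since the variable driver copies this byte into the UEFI-defined "VendorKeys" variable at initialization, e.g. `/// The variable driver mirrors this value into the read-only "VendorKeys" variable.` Stating that VENDOR_KEYS_VALID and VENDOR_KEYS_MODIFIED are the only values a reader of the NV record should accept would help anyone validating it.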
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 7da0d63aba..909de960b7 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -36,6 +36,8 @@ UINT8 mPubKeyStore[MAX_KEYDB_SIZE];
 UINT32 mPubKeyNumber;
 UINT8 mCertDbStore[MAX_CERTDB_SIZE];
 UINT32 mPlatformMode;
+UINT8 mVendorKeyState;
+
 EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
 //
 // Public Exponent of RSA Key.
@@ -255,7 +257,7 @@ AutenticatedVariableServiceInitialize (
 }
 //
- // Create "SetupMode" varable with BS+RT attribute set.
+ // Create "SetupMode" variable with BS+RT attribute set.
 //
 FindVariable (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
 if (PkVariable.CurrPtr == NULL) {
@@ -279,7 +281,7 @@ AutenticatedVariableServiceInitialize (
 }
 //
- // Create "SignatureSupport" varable with BS+RT attribute set.
+ // Create "SignatureSupport" variable with BS+RT attribute set.
 //
 FindVariable (EFI_SIGNATURE_SUPPORT_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
 Status = UpdateVariable (
@@ -328,7 +330,7 @@ AutenticatedVariableServiceInitialize (
 }
 //
- // Create "SecureBoot" varable with BS+RT attribute set.
+ // Create "SecureBoot" variable with BS+RT attribute set.
 //
 if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
 SecureBootMode = SECURE_BOOT_MODE_ENABLE;
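Review bot: `+UINT8 mVendorKeyState;` joins the module globals with no comment saying what it caches or which values it can take, and the later hunks copy this byte into a runtime-visible variable, so its meaning matters beyond this file. A one-line note would help, e.g. `// Cached "VendorKeysNv" state (VENDOR_KEYS_VALID or VENDOR_KEYS_MODIFIED), mirrored into "VendorKeys".` It is assigned in AutenticatedVariableServiceInitialize; saying that here tells readers not to rely on it before initialization.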
@@ -409,6 +411,54 @@ AutenticatedVariableServiceInitialize (
 }
 }
+ //
+ // Check "VendorKeysNv" variable's existence and create "VendorKeys" variable accordingly.
+ //
+ FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+ if (Variable.CurrPtr != NULL) {
+ mVendorKeyState = *(GetVariableDataPtr (Variable.CurrPtr));
+ } else {
+ //
+ // "VendorKeysNv" not exist, initialize it in VENDOR_KEYS_VALID state.
+ //
+ mVendorKeyState = VENDOR_KEYS_VALID;
+ Status = UpdateVariable (
+ EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
+ &gEfiVendorKeysNvGuid,
+ &mVendorKeyState,
+ sizeof (UINT8),
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ //
+ // Create "VendorKeys" variable with BS+RT attribute set.
+ //
+ FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+ Status = UpdateVariable (
+ EFI_VENDOR_KEYS_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ &mVendorKeyState,
+ sizeof (UINT8),
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_VENDOR_KEYS_VARIABLE_NAME, mVendorKeyState));
+
 return Status;
 }
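Review bot: `+ mVendorKeyState = *(GetVariableDataPtr (Variable.CurrPtr));` trusts whatever is stored under "VendorKeysNv" without checking its size or value, and that byte is then written into the runtime-visible "VendorKeys" variable a few lines below. A truncated or corrupted NV record (zero-length data, or a value other than VENDOR_KEYS_VALID/VENDOR_KEYS_MODIFIED) would be reported to the OS unchanged; since this is an audit indicator, a record that cannot be trusted is better reported as VENDOR_KEYS_MODIFIED than as valid, which the rewrite below does with a data-size check. Separately, a missing "VendorKeysNv" is re-created as VENDOR_KEYS_VALID, so losing the NV record resets the indicator — if that is intended only for first boot, a comment saying so would help. AutenticatedVariableServiceInitialize begins outside the hunk.
```c
  FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
  if (Variable.CurrPtr != NULL) {
    //
    // Accept only a record of the expected size holding one of the two defined
    // values; anything else is reported as MODIFIED rather than mirrored into
    // the read-only "VendorKeys" variable.
    //
    if ((DataSizeOfVariable (Variable.CurrPtr) == sizeof (UINT8)) &&
        ((*(GetVariableDataPtr (Variable.CurrPtr)) == VENDOR_KEYS_VALID) ||
         (*(GetVariableDataPtr (Variable.CurrPtr)) == VENDOR_KEYS_MODIFIED))) {
      mVendorKeyState = *(GetVariableDataPtr (Variable.CurrPtr));
    } else {
      mVendorKeyState = VENDOR_KEYS_MODIFIED;
    }
  } else {
    // ... unchanged: create "VendorKeysNv" in VENDOR_KEYS_VALID state ...
  }
  // ... unchanged: create the BS+RT "VendorKeys" mirror and DEBUG output ...
```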
@@ -911,6 +961,56 @@ CheckSignatureListFormat(
 return EFI_SUCCESS;
 }
+/**
+ Update "VendorKeys" variable to record the out of band secure boot key modification.
+
+ @return EFI_SUCCESS Variable is updated successfully.
+ @return Others Failed to update variable.
+
+**/
+EFI_STATUS
+VendorKeyIsModified (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ VARIABLE_POINTER_TRACK Variable;
+
+ if (mVendorKeyState == VENDOR_KEYS_MODIFIED) {
+ return EFI_SUCCESS;
+ }
+ mVendorKeyState = VENDOR_KEYS_MODIFIED;
+
+ FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+ Status = UpdateVariable (
+ EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
+ &gEfiVendorKeysNvGuid,
+ &mVendorKeyState,
+ sizeof (UINT8),
+ EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+ return UpdateVariable (
+ EFI_VENDOR_KEYS_VARIABLE_NAME,
+ &gEfiGlobalVariableGuid,
+ &mVendorKeyState,
+ sizeof (UINT8),
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+}
+
 /**
 Process variable with platform key for verification.
@@ -985,6 +1085,13 @@ ProcessVarWithPk (
 Variable,
 &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
 );
+ if (EFI_ERROR(Status)) {
+ return Status;
+ }
+
+ if (mPlatformMode != SETUP_MODE) {
+ Status = VendorKeyIsModified ();
+ }
 } else if (mPlatformMode == USER_MODE) {
 //
 // Verify against X509 Cert in PK database.
@@ -1117,6 +1224,13 @@ ProcessVarWithKek (
 Variable,
 &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
 );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ if (mPlatformMode != SETUP_MODE) {
+ Status = VendorKeyIsModified ();
+ }
 }
 return Status;
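Review bot: `+ mVendorKeyState = VENDOR_KEYS_MODIFIED;` is committed before the NV write, so if the following UpdateVariable of "VendorKeysNv" fails, the guard `if (mVendorKeyState == VENDOR_KEYS_MODIFIED)` makes every later call in this boot return EFI_SUCCESS without retrying, while the NV record still says VENDOR_KEYS_VALID and the next boot reports the keys as unmodified. Commit the cached state only after the NV record is written: replace the assignment with a local `UINT8 NewState = VENDOR_KEYS_MODIFIED;`, pass `&NewState` to the first UpdateVariable, and add `mVendorKeyState = NewState;` after its `EFI_ERROR (Status)` check. The "VendorKeys" mirror below can keep passing `&mVendorKeyState`, since it runs after that assignment. A short comment on why the in-memory state lags the NV write would keep a future reader from "simplifying" it back.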
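Review bot: `+ if (EFI_ERROR(Status)) {` in the ProcessVarWithPk hunk omits the space before the parenthesis that the other new code in this commit uses, including the parallel ProcessVarWithKek hunk (`if (EFI_ERROR (Status)) {`). In both that hunk and the ProcessVarWithKek one, an error from `VendorKeyIsModified ()` is returned to the SetVariable caller after the PK/KEK update has already been committed by the preceding UpdateVariable, so the caller sees a failure for a write that took effect; if failing loudly when the audit record cannot be written is the intended trade-off, a comment such as `// Key update is already committed; report failure to record it as out-of-band.` above the call would make that explicit. ProcessVarWithPk's and ProcessVarWithKek's bodies begin outside their hunks, so I cannot see the call whose tail `Variable, &(...)->TimeStamp );` is shown.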
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
index 5261157ff2..5ff48cff2f 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
@@ -2500,7 +2500,8 @@ IsReadOnlyVariable (
 if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)) {
 if ((StrCmp (VariableName, EFI_SETUP_MODE_NAME) == 0) ||
 (StrCmp (VariableName, EFI_SIGNATURE_SUPPORT_NAME) == 0) ||
- (StrCmp (VariableName, EFI_SECURE_BOOT_MODE_NAME) == 0)) {
+ (StrCmp (VariableName, EFI_SECURE_BOOT_MODE_NAME) == 0) ||
+ (StrCmp (VariableName, EFI_VENDOR_KEYS_VARIABLE_NAME) == 0)) {
 return TRUE;
 }
 }
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
index 4904adae2e..7f8c28ec72 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
@@ -80,6 +80,7 @@
 gEfiCertRsa2048Guid
 gEfiSecureBootEnableDisableGuid
 gEfiCustomModeEnableGuid
+ gEfiVendorKeysNvGuid
 gEfiSystemNvDataFvGuid ## CONSUMES
 gEfiCertDbGuid
 gEfiHardwareErrorVariableGuid ## SOMETIMES_CONSUMES
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
index 4180309c7f..5a40823097 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
@@ -86,6 +86,7 @@
 gEfiCertRsa2048Guid
 gEfiSecureBootEnableDisableGuid
 gEfiCustomModeEnableGuid
+ gEfiVendorKeysNvGuid
 gEfiSystemNvDataFvGuid ## CONSUMES
 gEfiCertDbGuid
 gEfiHardwareErrorVariableGuid ## SOMETIMES_CONSUMES
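Review bot: The new IsReadOnlyVariable entry covers only the gEfiGlobalVariableGuid "VendorKeys" mirror; "VendorKeysNv", which the header comment in this commit describes as a read-only NV variable, is not rejected here and relies solely on its EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute to keep external callers out. The firmware itself writes that record through UpdateVariable rather than the SetVariable service, so — if this check sits on the SetVariable path as its name suggests — refusing external writes to it here would close the gap between the comment and the enforcement, e.g. `if (CompareGuid (VendorGuid, &gEfiVendorKeysNvGuid) && (StrCmp (VariableName, EFI_VENDOR_KEYS_NV_VARIABLE_NAME) == 0)) { return TRUE; }` alongside the existing block. This is hedged because IsReadOnlyVariable's callers and its remaining checks are outside the hunk, and gEfiVendorKeysNvGuid would need to be visible to Variable.c (the .inf changes in this commit already declare it for both modules).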