Functions | |
BOOLEAN | IsDerEncodeCertificate (IN CONST CHAR16 *FileSuffix) |
EFI_STATUS | SaveSecureBootVariable (IN UINT8 VarValue) |
EFI_STATUS | CreateTimeBasedPayload (IN OUT UINTN *DataSize, IN OUT UINT8 **Data) |
EFI_STATUS | DeleteVariable (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid) |
EFI_STATUS | SetSecureBootMode (IN UINT8 SecureBootMode) |
EFI_STATUS | CreatePkX509SignatureList (IN EFI_FILE_HANDLE X509File, OUT EFI_SIGNATURE_LIST **PkCert) |
EFI_STATUS | EnrollPlatformKey (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private) |
EFI_STATUS | DeletePlatformKey (VOID) |
EFI_STATUS | EnrollRsa2048ToKek (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private) |
EFI_STATUS | EnrollX509ToKek (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private) |
EFI_STATUS | EnrollKeyExchangeKey (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private) |
EFI_STATUS | EnrollX509toSigDB (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName) |
BOOLEAN | IsSignatureFoundInDatabase (IN CHAR16 *VariableName, IN UINT8 *Signature, IN UINTN SignatureSize) |
BOOLEAN | CalculateCertHash (IN UINT8 *CertData, IN UINTN CertSize, IN UINT32 HashAlg, OUT UINT8 *CertHash) |
BOOLEAN | IsCertHashFoundInDbx (IN UINT8 *Certificate, IN UINTN CertSize) |
BOOLEAN | GetSignaturelistOffset (IN EFI_SIGNATURE_LIST *Database, IN UINTN DatabaseSize, IN EFI_GUID *SignatureType, OUT UINTN *Offset) |
EFI_STATUS | EnrollX509HashtoSigDB (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN UINT32 HashAlg, IN EFI_HII_DATE *RevocationDate, IN EFI_HII_TIME *RevocationTime, IN BOOLEAN AlwaysRevocation) |
BOOLEAN | IsX509CertInDbx (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName) |
EFI_STATUS | LoadPeImage (VOID) |
BOOLEAN | HashPeImage (IN UINT32 HashAlg) |
EFI_STATUS | HashPeImageByType (VOID) |
EFI_STATUS | EnrollImageSignatureToSigDB (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName) |
EFI_STATUS | EnrollSignatureDatabase (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName) |
EFI_STATUS | UpdateDeletePage (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT16 LabelNumber, IN EFI_FORM_ID FormId, IN EFI_QUESTION_ID QuestionIdBase) |
EFI_STATUS | DeleteKeyExchangeKey (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN EFI_QUESTION_ID QuestionId) |
EFI_STATUS | DeleteSignature (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT16 LabelNumber, IN EFI_FORM_ID FormId, IN EFI_QUESTION_ID QuestionIdBase, IN UINTN DeleteIndex) |
VOID | SecureBootExtractConfigFromVariable (IN OUT SECUREBOOT_CONFIGURATION *ConfigData) |
EFI_STATUS EFIAPI | SecureBootExtractConfig (IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, IN CONST EFI_STRING Request, OUT EFI_STRING *Progress, OUT EFI_STRING *Results) |
EFI_STATUS EFIAPI | SecureBootRouteConfig (IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, IN CONST EFI_STRING Configuration, OUT EFI_STRING *Progress) |
EFI_STATUS EFIAPI | SecureBootCallback (IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, IN EFI_BROWSER_ACTION Action, IN EFI_QUESTION_ID QuestionId, IN UINT8 Type, IN EFI_IFR_TYPE_VALUE *Value, OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest) |
EFI_STATUS | InstallSecureBootConfigForm (IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData) |
VOID | UninstallSecureBootConfigForm (IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData) |
Variables | |
CHAR16 | mSecureBootStorageName [] = L"SECUREBOOT_CONFIGURATION" |
SECUREBOOT_CONFIG_PRIVATE_DATA | mSecureBootConfigPrivateDateTemplate |
HII_VENDOR_DEVICE_PATH | mSecureBootHiiVendorDevicePath |
BOOLEAN | mIsEnterSecureBootForm = FALSE |
UINT8 | mHashOidValue [] |
HASH_TABLE | mHash [] |
UINT32 | mPeCoffHeaderOffset = 0 |
WIN_CERTIFICATE * | mCertificate = NULL |
IMAGE_TYPE | mImageType |
UINT8 * | mImageBase = NULL |
UINTN | mImageSize = 0 |
UINT8 | mImageDigest [MAX_DIGEST_SIZE] |
UINTN | mImageDigestSize |
EFI_GUID | mCertType |
EFI_IMAGE_SECURITY_DATA_DIRECTORY * | mSecDataDir = NULL |
EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION | mNtHeader |
CHAR16 * | mDerEncodedSuffix [] |
CHAR16 * | mSupportX509Suffix = L"*.cer/der/crt" |
Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
BOOLEAN CalculateCertHash | ( | IN UINT8 * | CertData, | |
IN UINTN | CertSize, | |||
IN UINT32 | HashAlg, | |||
OUT UINT8 * | CertHash | |||
) |
Calculate the hash of a certificate data with the specified hash algorithm.
[in] | CertData | The certificate data to be hashed. |
[in] | CertSize | The certificate size in bytes. |
[in] | HashAlg | The specified hash algorithm. |
[out] | CertHash | The output digest of the certificate |
TRUE | Successfully got the hash of the CertData. | |
FALSE | Failed to get the hash of CertData. |
References BOOLEAN(), HASH_TABLE::GetContextSize, HASHALG_MAX, HASH_TABLE::HashFinal, HASH_TABLE::HashInit, HASH_TABLE::HashUpdate, and UINTN().
Referenced by EnrollX509HashtoSigDB(), and IsCertHashFoundInDbx().
EFI_STATUS CreatePkX509SignatureList | ( | IN EFI_FILE_HANDLE | X509File, | |
OUT EFI_SIGNATURE_LIST ** | PkCert | |||
) |
Generate the PK signature list from the X509 Certificate storing file (.cer)
[in] | X509File | FileHandle of X509 Certificate storing file. |
[out] | PkCert | Point to the data buffer to store the signature list. |
EFI_OUT_OF_RESOURCES There are not enough memory resourses to form the signature list.
References EFI_STATUS(), ReadFileContent(), and UINTN().
Referenced by EnrollPlatformKey().
EFI_STATUS CreateTimeBasedPayload | ( | IN OUT UINTN * | DataSize, | |
IN OUT UINT8 ** | Data | |||
) |
Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2 descriptor with the input data. NO authentication is required in this function.
[in,out] | DataSize | On input, the size of Data buffer in bytes. On output, the size of data returned in Data buffer in bytes. |
[in,out] | Data | On input, Pointer to data buffer to be wrapped or pointer to NULL to wrap an empty payload. On output, Pointer to the new payload date buffer allocated from pool, it's caller's responsibility to free the memory when finish using it. |
EFI_SUCCESS | Create time based payload successfully. | |
EFI_OUT_OF_RESOURCES | There are not enough memory resourses to create time based payload. | |
EFI_INVALID_PARAMETER | The parameter is invalid. | |
Others | Unexpected error happens. |
References EFI_STATUS(), and UINTN().
Referenced by DeleteKeyExchangeKey(), DeleteSignature(), DeleteVariable(), EnrollImageSignatureToSigDB(), EnrollPlatformKey(), EnrollRsa2048ToKek(), EnrollX509HashtoSigDB(), EnrollX509ToKek(), and EnrollX509toSigDB().
EFI_STATUS DeleteKeyExchangeKey | ( | IN SECUREBOOT_CONFIG_PRIVATE_DATA * | PrivateData, | |
IN EFI_QUESTION_ID | QuestionId | |||
) |
Delete a KEK entry from KEK database.
[in] | PrivateData | Module's private data. |
[in] | QuestionId | Question id of the KEK item to delete. |
EFI_SUCCESS | Delete kek item successfully. | |
EFI_OUT_OF_RESOURCES | Could not allocate needed resources. |
References BOOLEAN(), CreateTimeBasedPayload(), CUSTOM_SECURE_BOOT_MODE, EFI_STATUS(), FORMID_DELETE_KEK_FORM, LABEL_KEK_DELETE, OPTION_DEL_KEK_QUESTION_ID, SetSecureBootMode(), TRUE, UINTN(), and UpdateDeletePage().
Referenced by SecureBootCallback().
EFI_STATUS DeletePlatformKey | ( | VOID | ) |
Remove the PK variable.
EFI_SUCCESS | Delete PK successfully. | |
Others | Could not allow to delete PK. |
References CUSTOM_SECURE_BOOT_MODE, DeleteVariable(), EFI_STATUS(), and SetSecureBootMode().
Referenced by SecureBootCallback().
EFI_STATUS DeleteSignature | ( | IN SECUREBOOT_CONFIG_PRIVATE_DATA * | PrivateData, | |
IN CHAR16 * | VariableName, | |||
IN EFI_GUID * | VendorGuid, | |||
IN UINT16 | LabelNumber, | |||
IN EFI_FORM_ID | FormId, | |||
IN EFI_QUESTION_ID | QuestionIdBase, | |||
IN UINTN | DeleteIndex | |||
) |
Delete a signature entry from siganture database.
[in] | PrivateData | Module's private data. |
[in] | VariableName | The variable name of the vendor's signature database. |
[in] | VendorGuid | A unique identifier for the vendor. |
[in] | LabelNumber | Label number to insert opcodes. |
[in] | FormId | Form ID of current page. |
[in] | QuestionIdBase | Base question id of the signature list. |
[in] | DeleteIndex | Signature index to delete. |
EFI_SUCCESS | Delete siganture successfully. | |
EFI_NOT_FOUND | Can't find the signature item, | |
EFI_OUT_OF_RESOURCES | Could not allocate needed resources. |
References BOOLEAN(), CreateTimeBasedPayload(), CUSTOM_SECURE_BOOT_MODE, EFI_STATUS(), SetSecureBootMode(), TRUE, UINTN(), and UpdateDeletePage().
Referenced by SecureBootCallback().
EFI_STATUS DeleteVariable | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid | |||
) |
Internal helper function to delete a Variable given its name and GUID, NO authentication required.
[in] | VariableName | Name of the Variable. |
[in] | VendorGuid | GUID of the Variable. |
EFI_SUCCESS | Variable deleted successfully. | |
Others | The driver failed to start the device. |
References CreateTimeBasedPayload(), EFI_STATUS(), and UINTN().
Referenced by DeletePlatformKey().
EFI_STATUS EnrollImageSignatureToSigDB | ( | IN SECUREBOOT_CONFIG_PRIVATE_DATA * | Private, | |
IN CHAR16 * | VariableName | |||
) |
Enroll a new executable's signature into Signature Database.
[in] | PrivateData | The module's private data. |
[in] | VariableName | Variable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURITY_DATABASE1 or EFI_IMAGE_SECURITY_DATABASE2. |
EFI_SUCCESS | New signature is enrolled successfully. | |
EFI_INVALID_PARAMETER | The parameter is invalid. | |
EFI_UNSUPPORTED | Unsupported command. | |
EFI_OUT_OF_RESOURCES | Could not allocate needed resources. |
References CloseFile(), CreateTimeBasedPayload(), EFI_STATUS(), HASHALG_SHA256, HashPeImage(), HashPeImageByType(), LoadPeImage(), EFI_IMAGE_SECURITY_DATA_DIRECTORY::Offset, ReadFileContent(), EFI_IMAGE_SECURITY_DATA_DIRECTORY::SizeOfCert, and UINTN().
Referenced by EnrollSignatureDatabase().
EFI_STATUS EnrollKeyExchangeKey | ( | IN SECUREBOOT_CONFIG_PRIVATE_DATA * | Private | ) |
Enroll new KEK into the System without PK's authentication. The SignatureOwner GUID will be Private->SignatureGUID.
[in] | PrivateData | The module's private data. |
EFI_SUCCESS | New KEK enrolled successful. | |
EFI_INVALID_PARAMETER | The parameter is invalid. | |
others | Fail to enroll KEK data. |
References CUSTOM_SECURE_BOOT_MODE, EFI_STATUS(), EnrollRsa2048ToKek(), EnrollX509ToKek(), IsDerEncodeCertificate(), SetSecureBootMode(), and UINTN().
Referenced by SecureBootCallback().
EFI_STATUS EnrollPlatformKey | ( | IN SECUREBOOT_CONFIG_PRIVATE_DATA * | Private | ) |
Enroll new PK into the System without original PK's authentication.
The SignatureOwner GUID will be the same with PK's vendorguid.
[in] | PrivateData | The module's private data. |
EFI_SUCCESS | New PK enrolled successfully. | |
EFI_INVALID_PARAMETER | The parameter is invalid. | |
EFI_OUT_OF_RESOURCES | Could not allocate needed resources. |
References CloseFile(), CreatePkX509SignatureList(), CreateTimeBasedPayload(), CUSTOM_SECURE_BOOT_MODE, EFI_STATUS(), IsDerEncodeCertificate(), SetSecureBootMode(), and UINTN().
Referenced by SecureBootCallback().
EFI_STATUS EnrollRsa2048ToKek | ( | IN SECUREBOOT_CONFIG_PRIVATE_DATA * | Private | ) |
Enroll a new KEK item from public key storing file (*.pbk).
[in] | PrivateData | The module's private data. |
EFI_SUCCESS | New KEK enrolled successfully. | |
EFI_INVALID_PARAMETER | The parameter is invalid. | |
EFI_UNSUPPORTED | Unsupported command. | |
EFI_OUT_OF_RESOURCES | Could not allocate needed resources. |
References CloseFile(), CreateTimeBasedPayload(), EFI_STATUS(), Int2OctStr(), _CPL_KEY_INFO::KeyLengthInBits, ReadFileContent(), UINTN(), and WIN_CERT_UEFI_RSA2048_SIZE.
Referenced by EnrollKeyExchangeKey().
EFI_STATUS EnrollSignatureDatabase | ( | IN SECUREBOOT_CONFIG_PRIVATE_DATA * | Private, | |
IN CHAR16 * | VariableName | |||
) |
Enroll signature into DB/DBX/DBT without KEK's authentication. The SignatureOwner GUID will be Private->SignatureGUID.
[in] | PrivateData | The module's private data. |
[in] | VariableName | Variable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1. |
EFI_SUCCESS | New signature enrolled successfully. | |
EFI_INVALID_PARAMETER | The parameter is invalid. | |
others | Fail to enroll signature data. |
References CUSTOM_SECURE_BOOT_MODE, EFI_STATUS(), EnrollImageSignatureToSigDB(), EnrollX509toSigDB(), IsDerEncodeCertificate(), SetSecureBootMode(), and UINTN().
Referenced by SecureBootCallback().
EFI_STATUS EnrollX509HashtoSigDB | ( | IN SECUREBOOT_CONFIG_PRIVATE_DATA * | Private, | |
IN UINT32 | HashAlg, | |||
IN EFI_HII_DATE * | RevocationDate, | |||
IN EFI_HII_TIME * | RevocationTime, | |||
IN BOOLEAN | AlwaysRevocation | |||
) |
Enroll a new X509 certificate hash into Signature Database (dbx) without KEK's authentication.
[in] | PrivateData | The module's private data. |
[in] | HashAlg | The hash algorithm to enroll the certificate. |
[in] | RevocationDate | The revocation date of the certificate. |
[in] | RevocationTime | The revocation time of the certificate. |
[in] | AlwaysRevocation | Indicate whether the certificate is always revoked. |
EFI_SUCCESS | New X509 is enrolled successfully. | |
EFI_INVALID_PARAMETER | The parameter is invalid. | |
EFI_OUT_OF_RESOURCES | Could not allocate needed resources. |
References CalculateCertHash(), CloseFile(), CreateTimeBasedPayload(), CUSTOM_SECURE_BOOT_MODE, HASH_TABLE::DigestLength, EFI_STATUS(), GetSignaturelistOffset(), HASHALG_SHA256, HASHALG_SHA384, HASHALG_SHA512, IsDerEncodeCertificate(), MAX_DIGEST_SIZE, ReadFileContent(), SetSecureBootMode(), and UINTN().
Referenced by SecureBootCallback().
EFI_STATUS EnrollX509ToKek | ( | IN SECUREBOOT_CONFIG_PRIVATE_DATA * | Private | ) |
Enroll a new KEK item from X509 certificate file.
[in] | PrivateData | The module's private data. |
EFI_SUCCESS | New X509 is enrolled successfully. | |
EFI_INVALID_PARAMETER | The parameter is invalid. | |
EFI_UNSUPPORTED | Unsupported command. | |
EFI_OUT_OF_RESOURCES | Could not allocate needed resources. |
References CloseFile(), CreateTimeBasedPayload(), EFI_STATUS(), ReadFileContent(), and UINTN().
Referenced by EnrollKeyExchangeKey().
EFI_STATUS EnrollX509toSigDB | ( | IN SECUREBOOT_CONFIG_PRIVATE_DATA * | Private, | |
IN CHAR16 * | VariableName | |||
) |
Enroll a new X509 certificate into Signature Database (DB or DBX or DBT) without KEK's authentication.
[in] | PrivateData | The module's private data. |
[in] | VariableName | Variable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1. |
EFI_SUCCESS | New X509 is enrolled successfully. | |
EFI_OUT_OF_RESOURCES | Could not allocate needed resources. |
References CloseFile(), CreateTimeBasedPayload(), EFI_STATUS(), ReadFileContent(), and UINTN().
Referenced by EnrollSignatureDatabase().
BOOLEAN GetSignaturelistOffset | ( | IN EFI_SIGNATURE_LIST * | Database, | |
IN UINTN | DatabaseSize, | |||
IN EFI_GUID * | SignatureType, | |||
OUT UINTN * | Offset | |||
) |
Check whether the signature list exists in given variable data.
It searches the signature list for the ceritificate hash by CertType. If the signature list is found, get the offset of Database for the next hash of a certificate.
[in] | Database | Variable data to save signature list. |
[in] | DatabaseSize | Variable size. |
[in] | SignatureType | The type of the signature. |
[out] | Offset | The offset to save a new hash of certificate. |
FALSE The signature list is not found in the forbidden database.
Referenced by EnrollX509HashtoSigDB().
BOOLEAN HashPeImage | ( | IN UINT32 | HashAlg | ) |
Calculate hash of Pe/Coff image based on the authenticode image hashing in PE/COFF Specification 8.0 Appendix A
[in] | HashAlg | Hash algorithm type. |
TRUE | Successfully hash image. | |
FALSE | Fail in hash image. |
References BOOLEAN(), HASH_TABLE::GetContextSize, HASHALG_SHA1, HASHALG_SHA256, HASH_TABLE::HashFinal, HASH_TABLE::HashInit, HASH_TABLE::HashUpdate, MAX_DIGEST_SIZE, SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, and UINTN().
EFI_STATUS HashPeImageByType | ( | VOID | ) |
Recognize the Hash algorithm in PE/COFF Authenticode and calculate hash of Pe/Coff image based on the authenticated image hashing in PE/COFF Specification 8.0 Appendix A
EFI_UNSUPPORTED | Hash algorithm is not supported. | |
EFI_SUCCESS | Hash successfully. |
References WIN_CERTIFICATE_EFI_PKCS::CertData, HASHALG_MAX, HashPeImage(), EFI_IMAGE_SECURITY_DATA_DIRECTORY::Offset, HASH_TABLE::OidLength, HASH_TABLE::OidValue, and TWO_BYTE_ENCODE.
EFI_STATUS InstallSecureBootConfigForm | ( | IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA * | PrivateData | ) |
This function publish the SecureBoot configuration Form.
[in,out] | PrivateData | Points to SecureBoot configuration private data. |
EFI_SUCCESS | HII Form is installed successfully. | |
EFI_OUT_OF_RESOURCES | Not enough resource for HII Form installation. | |
Others | Other errors as indicated. |
References DirectoryMenu, EFI_STATUS(), FileExplorerDisplayUnknown, FileExplorerStateInActive, FsOptionMenu, gSecureBootConfigFormSetGuid, SECUREBOOT_MENU_OPTION::Head, LABEL_END, mEndLabel, mEndOpCodeHandle, mStartLabel, mStartOpCodeHandle, SecureBootConfigBin, SecureBootConfigDxeStrings, and UninstallSecureBootConfigForm().
Referenced by SecureBootConfigDriverEntryPoint().
BOOLEAN IsCertHashFoundInDbx | ( | IN UINT8 * | Certificate, | |
IN UINTN | CertSize | |||
) |
Check whether the hash of an X.509 certificate is in forbidden database (DBX).
[in] | Certificate | Pointer to X.509 Certificate that is searched for. |
[in] | CertSize | Size of X.509 Certificate. |
FALSE Certificate hash is Not found in the forbidden database.
References BOOLEAN(), CalculateCertHash(), EFI_STATUS(), HASHALG_MAX, HASHALG_SHA256, HASHALG_SHA384, HASHALG_SHA512, MAX_DIGEST_SIZE, TRUE, and UINTN().
Referenced by IsX509CertInDbx().
BOOLEAN IsDerEncodeCertificate | ( | IN CONST CHAR16 * | FileSuffix | ) |
This code checks if the FileSuffix is one of the possible DER-encoded certificate suffix.
[in] | FileSuffix | The suffix of the input certificate file |
TRUE | It's a DER-encoded certificate. | |
FALSE | It's NOT a DER-encoded certificate. |
Referenced by EnrollKeyExchangeKey(), EnrollPlatformKey(), EnrollSignatureDatabase(), and EnrollX509HashtoSigDB().
BOOLEAN IsSignatureFoundInDatabase | ( | IN CHAR16 * | VariableName, | |
IN UINT8 * | Signature, | |||
IN UINTN | SignatureSize | |||
) |
Check whether signature is in specified database.
[in] | VariableName | Name of database variable that is searched in. |
[in] | Signature | Pointer to signature that is searched for. |
[in] | SignatureSize | Size of Signature. |
FALSE Not found the signature in the variable database.
References BOOLEAN(), EFI_STATUS(), TRUE, and UINTN().
BOOLEAN IsX509CertInDbx | ( | IN SECUREBOOT_CONFIG_PRIVATE_DATA * | Private, | |
IN CHAR16 * | VariableName | |||
) |
Check whether a certificate from a file exists in dbx.
[in] | PrivateData | The module's private data. |
[in] | VariableName | Variable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE1. |
TRUE | The X509 certificate is found in dbx successfully. | |
FALSE | The X509 certificate is not found in dbx. |
References BOOLEAN(), EFI_STATUS(), IsCertHashFoundInDbx(), IsSignatureFoundInDatabase(), ReadFileContent(), TRUE, and UINTN().
Referenced by SecureBootCallback().
EFI_STATUS LoadPeImage | ( | VOID | ) |
Load PE/COFF image information into internal buffer and check its validity.
EFI_SUCCESS | Successful | |
EFI_UNSUPPORTED | Invalid PE/COFF file | |
EFI_ABORTED | Serious error occurs, like file I/O error etc. |
References ImageType_IA32, and ImageType_X64.
Referenced by EnrollImageSignatureToSigDB().
EFI_STATUS SaveSecureBootVariable | ( | IN UINT8 | VarValue | ) |
Set Secure Boot option into variable space.
[in] | VarValue | The option of Secure Boot. |
EFI_SUCCESS | The operation is finished successfully. | |
Others | Other errors as indicated. |
References EFI_SECURE_BOOT_ENABLE_NAME, EFI_STATUS(), and gEfiSecureBootEnableDisableGuid.
Referenced by SecureBootCallback(), and SecureBootRouteConfig().
EFI_STATUS EFIAPI SecureBootCallback | ( | IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL * | This, | |
IN EFI_BROWSER_ACTION | Action, | |||
IN EFI_QUESTION_ID | QuestionId, | |||
IN UINT8 | Type, | |||
IN EFI_IFR_TYPE_VALUE * | Value, | |||
OUT EFI_BROWSER_ACTION_REQUEST * | ActionRequest | |||
) |
This function is called to provide results data to the driver.
[in] | This | Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL. |
[in] | Action | Specifies the type of action taken by the browser. |
[in] | QuestionId | A unique value which is sent to the original exporting driver so that it can identify the type of data to expect. |
[in] | Type | The type of value for the question. |
[in] | Value | A pointer to the data being sent to the original exporting driver. |
[out] | ActionRequest | On return, points to the action requested by the callback function. |
EFI_SUCCESS | The callback successfully handled the action. | |
EFI_OUT_OF_RESOURCES | Not enough storage is available to hold the variable and its data. | |
EFI_DEVICE_ERROR | The variable could not be saved. | |
EFI_UNSUPPORTED | The specified Action is not supported by the callback. |
References CleanUpPage(), CloseFile(), CUSTOM_SECURE_BOOT_MODE, DeleteKeyExchangeKey(), DeletePlatformKey(), DeleteSignature(), DirectoryMenu, EFI_CUSTOM_MODE_NAME, EFI_SECURE_BOOT_ENABLE_NAME, EFI_STATUS(), EnrollKeyExchangeKey(), EnrollPlatformKey(), EnrollSignatureDatabase(), EnrollX509HashtoSigDB(), SECUREBOOT_CONFIG_PRIVATE_DATA::FeCurrentState, SECUREBOOT_CONFIG_PRIVATE_DATA::FeDisplayContext, SECUREBOOT_FILE_CONTEXT::FHandle, FILE_OPTION_GOTO_OFFSET, FILE_OPTION_OFFSET, SECUREBOOT_CONFIG_PRIVATE_DATA::FileContext, FileExplorerDisplayUnknown, FileExplorerStateEnrollKekFile, FileExplorerStateEnrollPkFile, FileExplorerStateEnrollSignatureFileToDb, FileExplorerStateEnrollSignatureFileToDbt, FileExplorerStateEnrollSignatureFileToDbx, SECUREBOOT_FILE_CONTEXT::FileName, FORM_FILE_EXPLORER_ID, FORMID_DELETE_KEK_FORM, FORMID_ENROLL_KEK_FORM, FreeMenu(), FsOptionMenu, gEfiCustomModeEnableGuid, gEfiSecureBootEnableDisableGuid, gSecureBootConfigFormSetGuid, HASHALG_MAX, HASHALG_SHA256, IsX509CertInDbx(), KEY_DELETE_KEK, KEY_HIDE_SECURE_BOOT, KEY_SECURE_BOOT_DB_OPTION, KEY_SECURE_BOOT_DBT_OPTION, KEY_SECURE_BOOT_DBX_OPTION, KEY_SECURE_BOOT_DELETE_PK, KEY_SECURE_BOOT_ENABLE, KEY_SECURE_BOOT_KEK_GUID, KEY_SECURE_BOOT_KEK_OPTION, KEY_SECURE_BOOT_MODE, KEY_SECURE_BOOT_OPTION, KEY_SECURE_BOOT_SIGNATURE_GUID_DB, KEY_SECURE_BOOT_SIGNATURE_GUID_DBT, KEY_SECURE_BOOT_SIGNATURE_GUID_DBX, KEY_VALUE_NO_SAVE_AND_EXIT_DB, KEY_VALUE_NO_SAVE_AND_EXIT_DBT, KEY_VALUE_NO_SAVE_AND_EXIT_DBX, KEY_VALUE_NO_SAVE_AND_EXIT_KEK, KEY_VALUE_NO_SAVE_AND_EXIT_PK, KEY_VALUE_SAVE_AND_EXIT_DB, KEY_VALUE_SAVE_AND_EXIT_DBT, KEY_VALUE_SAVE_AND_EXIT_DBX, KEY_VALUE_SAVE_AND_EXIT_KEK, KEY_VALUE_SAVE_AND_EXIT_PK, LABEL_DB_DELETE, LABEL_DBT_DELETE, LABEL_DBX_DELETE, LABEL_KEK_DELETE, mSecureBootStorageName, OPTION_CONFIG_RANGE, OPTION_DEL_DB_QUESTION_ID, OPTION_DEL_DBT_QUESTION_ID, OPTION_DEL_DBX_QUESTION_ID, OPTION_DEL_KEK_QUESTION_ID, SaveSecureBootVariable(), SECURE_BOOT_MODE_STANDARD, SECUREBOOT_ADD_PK_FILE_FORM_ID, SECUREBOOT_CONFIG_PRIVATE_FROM_THIS, SECUREBOOT_DELETE_SIGNATURE_FROM_DB, SECUREBOOT_DELETE_SIGNATURE_FROM_DBT, SECUREBOOT_DELETE_SIGNATURE_FROM_DBX, SECUREBOOT_ENROLL_SIGNATURE_TO_DB, SECUREBOOT_ENROLL_SIGNATURE_TO_DBT, SECUREBOOT_ENROLL_SIGNATURE_TO_DBX, SetSecureBootMode(), SECUREBOOT_CONFIG_PRIVATE_DATA::SignatureGUID, STANDARD_SECURE_BOOT_MODE, StringToGuid(), TRUE, UINTN(), UpdateDeletePage(), and UpdateFileExplorer().
EFI_STATUS EFIAPI SecureBootExtractConfig | ( | IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL * | This, | |
IN CONST EFI_STRING | Request, | |||
OUT EFI_STRING * | Progress, | |||
OUT EFI_STRING * | Results | |||
) |
This function allows a caller to extract the current configuration for one or more named elements from the target driver.
[in] | This | Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL. |
[in] | Request | A null-terminated Unicode string in <ConfigRequest> format. |
[out] | Progress | On return, points to a character in the Request string. Points to the string's null terminator if request was successful. Points to the most recent '&' before the first failing name/value pair (or the beginning of the string if the failure is in the first name/value pair) if the request was not successful. |
[out] | Results | A null-terminated Unicode string in <ConfigAltResp> format which has all values filled in for the names in the Request string. String to be allocated by the called function. |
EFI_SUCCESS | The Results is filled with the requested values. | |
EFI_OUT_OF_RESOURCES | Not enough memory to store the results. | |
EFI_INVALID_PARAMETER | Request is illegal syntax, or unknown name. | |
EFI_NOT_FOUND | Routing data doesn't match any storage in this driver. |
References BOOLEAN(), SECUREBOOT_CONFIG_PRIVATE_DATA::DriverHandle, EFI_STATUS(), gSecureBootConfigFormSetGuid, SECUREBOOT_CONFIG_PRIVATE_DATA::HiiHandle, mSecureBootStorageName, SECUREBOOT_CONFIG_PRIVATE_FROM_THIS, SecureBootExtractConfigFromVariable(), TRUE, and UINTN().
VOID SecureBootExtractConfigFromVariable | ( | IN OUT SECUREBOOT_CONFIGURATION * | ConfigData | ) |
This function extracts configuration from variable.
[in,out] | ConfigData | Point to SecureBoot configuration private data. |
References EFI_CUSTOM_MODE_NAME, EFI_SECURE_BOOT_ENABLE_NAME, gEfiCustomModeEnableGuid, gEfiSecureBootEnableDisableGuid, HASHALG_RAW, SECURE_BOOT_ENABLE, STANDARD_SECURE_BOOT_MODE, TRUE, and UserPhysicalPresent().
Referenced by SecureBootExtractConfig(), and SecureBootRouteConfig().
EFI_STATUS EFIAPI SecureBootRouteConfig | ( | IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL * | This, | |
IN CONST EFI_STRING | Configuration, | |||
OUT EFI_STRING * | Progress | |||
) |
This function processes the results of changes in configuration.
[in] | This | Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL. |
[in] | Configuration | A null-terminated Unicode string in <ConfigResp> format. |
[out] | Progress | A pointer to a string filled in with the offset of the most recent '&' before the first failing name/value pair (or the beginning of the string if the failure is in the first name/value pair) or the terminating NULL if all was successful. |
EFI_SUCCESS | The Results is processed successfully. | |
EFI_INVALID_PARAMETER | Configuration is NULL. | |
EFI_NOT_FOUND | Routing data doesn't match any storage in this driver. |
References EFI_SECURE_BOOT_ENABLE_NAME, EFI_STATUS(), gEfiSecureBootEnableDisableGuid, gSecureBootConfigFormSetGuid, mSecureBootStorageName, SaveSecureBootVariable(), SecureBootExtractConfigFromVariable(), and UINTN().
EFI_STATUS SetSecureBootMode | ( | IN UINT8 | SecureBootMode | ) |
Set the platform secure boot mode into "Custom" or "Standard" mode.
[in] | SecureBootMode | New secure boot mode: STANDARD_SECURE_BOOT_MODE or CUSTOM_SECURE_BOOT_MODE. |
other Fail to operate the secure boot mode.
References EFI_CUSTOM_MODE_NAME, and gEfiCustomModeEnableGuid.
Referenced by DeleteKeyExchangeKey(), DeletePlatformKey(), DeleteSignature(), EnrollKeyExchangeKey(), EnrollPlatformKey(), EnrollSignatureDatabase(), EnrollX509HashtoSigDB(), and SecureBootCallback().
VOID UninstallSecureBootConfigForm | ( | IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA * | PrivateData | ) |
This function removes SecureBoot configuration Form.
[in,out] | PrivateData | Points to SecureBoot configuration private data. |
References DirectoryMenu, FreeMenu(), FsOptionMenu, mEndOpCodeHandle, and mStartOpCodeHandle.
Referenced by InstallSecureBootConfigForm(), SecureBootConfigDriverEntryPoint(), and SecureBootConfigDriverUnload().
EFI_STATUS UpdateDeletePage | ( | IN SECUREBOOT_CONFIG_PRIVATE_DATA * | PrivateData, | |
IN CHAR16 * | VariableName, | |||
IN EFI_GUID * | VendorGuid, | |||
IN UINT16 | LabelNumber, | |||
IN EFI_FORM_ID | FormId, | |||
IN EFI_QUESTION_ID | QuestionIdBase | |||
) |
List all signatures in specified signature database (e.g. KEK/DB/DBX/DBT) by GUID in the page for user to select and delete as needed.
[in] | PrivateData | Module's private data. |
[in] | VariableName | The variable name of the vendor's signature database. |
[in] | VendorGuid | A unique identifier for the vendor. |
[in] | LabelNumber | Label number to insert opcodes. |
[in] | FormId | Form ID of current page. |
[in] | QuestionIdBase | Base question id of the signature list. |
EFI_SUCCESS | Success to update the signature list page | |
EFI_OUT_OF_RESOURCES | Unable to allocate required resources. |
References EFI_STATUS(), gSecureBootConfigFormSetGuid, GuidToString(), LABEL_END, and UINTN().
Referenced by DeleteKeyExchangeKey(), DeleteSignature(), and SecureBootCallback().
WIN_CERTIFICATE* mCertificate = NULL |
EFI_GUID mCertType |
CHAR16* mDerEncodedSuffix[] |
Initial value:
{ L".cer", L".der", L".crt", NULL }
Initial value:
{ { L"SHA1", 20, &mHashOidValue[8], 5, Sha1GetContextSize, Sha1Init, Sha1Update, Sha1Final }, { L"SHA224", 28, &mHashOidValue[13], 9, NULL, NULL, NULL, NULL }, { L"SHA256", 32, &mHashOidValue[22], 9, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final}, { L"SHA384", 48, &mHashOidValue[31], 9, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final}, { L"SHA512", 64, &mHashOidValue[40], 9, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final} }
UINT8 mHashOidValue[] |
Initial value:
{ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, }
UINT8* mImageBase = NULL |
UINT8 mImageDigest[MAX_DIGEST_SIZE] |
UINTN mImageDigestSize |
UINTN mImageSize = 0 |
BOOLEAN mIsEnterSecureBootForm = FALSE |
EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION mNtHeader |
UINT32 mPeCoffHeaderOffset = 0 |
Initial value:
{ SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE, { SecureBootExtractConfig, SecureBootRouteConfig, SecureBootCallback } }
Referenced by SecureBootConfigDriverEntryPoint().
Initial value:
{ { { HARDWARE_DEVICE_PATH, HW_VENDOR_DP, { (UINT8) (sizeof (VENDOR_DEVICE_PATH)), (UINT8) ((sizeof (VENDOR_DEVICE_PATH)) >> 8) } }, SECUREBOOT_CONFIG_FORM_SET_GUID }, { END_DEVICE_PATH_TYPE, END_ENTIRE_DEVICE_PATH_SUBTYPE, { (UINT8) (END_DEVICE_PATH_LENGTH), (UINT8) ((END_DEVICE_PATH_LENGTH) >> 8) } } }
CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION" |
Referenced by SecureBootCallback(), SecureBootExtractConfig(), and SecureBootRouteConfig().
CHAR16* mSupportX509Suffix = L"*.cer/der/crt" |