Functions | |
EFI_STATUS | AuthServiceInternalFindVariable (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, OUT VOID **Data, OUT UINTN *DataSize) |
EFI_STATUS | AuthServiceInternalUpdateVariable (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes) |
EFI_STATUS | AuthServiceInternalUpdateVariableWithMonotonicCount (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes, IN UINT32 KeyIndex, IN UINT64 MonotonicCount) |
EFI_STATUS | AuthServiceInternalUpdateVariableWithTimeStamp (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes, IN EFI_TIME *TimeStamp) |
BOOLEAN | NeedPhysicallyPresent (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid) |
BOOLEAN | InCustomMode (VOID) |
UINT32 | GetAvailableKeyIndex (IN UINT8 *PubKey) |
UINT32 | AddPubKeyInStore (IN UINT8 *PubKey, IN VARIABLE_ENTRY_CONSISTENCY *VariableDataEntry) |
EFI_STATUS | VerifyCounterBasedPayload (IN UINT8 *Data, IN UINTN DataSize, IN UINT8 *PubKey) |
EFI_STATUS | UpdatePlatformMode (IN UINT32 Mode) |
EFI_STATUS | CheckSignatureListFormat (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize) |
EFI_STATUS | VendorKeyIsModified (VOID) |
EFI_STATUS | ProcessVarWithPk (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes, IN BOOLEAN IsPk) |
EFI_STATUS | ProcessVarWithKek (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes) |
BOOLEAN | IsDeleteAuthVariable (IN UINT32 OrgAttributes, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes) |
EFI_STATUS | ProcessVariable (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes) |
EFI_STATUS | FilterSignatureList (IN VOID *Data, IN UINTN DataSize, IN OUT VOID *NewData, IN OUT UINTN *NewDataSize) |
BOOLEAN | AuthServiceInternalCompareTimeStamp (IN EFI_TIME *FirstTime, IN EFI_TIME *SecondTime) |
EFI_STATUS | FindCertsFromDb (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT8 *Data, IN UINTN DataSize, OUT UINT32 *CertOffset, OUT UINT32 *CertDataSize, OUT UINT32 *CertNodeOffset, OUT UINT32 *CertNodeSize) |
EFI_STATUS | GetCertsFromDb (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, OUT UINT8 **CertData, OUT UINT32 *CertDataSize) |
EFI_STATUS | DeleteCertsFromDb (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid) |
EFI_STATUS | InsertCertsToDb (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT8 *CertData, IN UINTN CertDataSize) |
EFI_STATUS | CleanCertsFromDb (VOID) |
EFI_STATUS | VerifyTimeBasedPayload (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes, IN AUTHVAR_TYPE AuthVarType, IN EFI_TIME *OrgTimeStamp, OUT UINT8 **VarPayloadPtr, OUT UINTN *VarPayloadSize) |
EFI_STATUS | VerifyTimeBasedPayloadAndUpdate (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN VOID *Data, IN UINTN DataSize, IN UINT32 Attributes, IN AUTHVAR_TYPE AuthVarType, OUT BOOLEAN *VarDel) |
Variables | |
CONST UINT8 | mRsaE [] = { 0x01, 0x00, 0x01 } |
EFI_SIGNATURE_ITEM | mSupportSigItem [] |
Caution: This module requires additional review when modified. This driver will have external input - variable data. It may be input in SMM mode. This external input must be validated carefully to avoid security issue like buffer overflow, integer overflow. Variable attribute should also be checked to avoid authentication bypass. The whole SMM authentication variable design relies on the integrity of flash part and SMM. which is assumed to be protected by platform. All variable code and metadata in flash/SMM Memory may not be modified without authorization. If platform fails to protect these resources, the authentication service provided in this driver will be broken, and the behavior is undefined.
ProcessVarWithPk(), ProcessVarWithKek() and ProcessVariable() are the function to do variable authentication.
VerifyTimeBasedPayloadAndUpdate() and VerifyCounterBasedPayload() are sub function to do verification. They will do basic validation for authentication data structure, then call crypto library to verify the signature.
Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
UINT32 AddPubKeyInStore | ( | IN UINT8 * | PubKey, | |
IN VARIABLE_ENTRY_CONSISTENCY * | VariableDataEntry | |||
) |
Add public key in store and return its index.
[in] | PubKey | Input pointer to Public Key data. |
[in] | VariableDataEntry | The variable data entry. |
References AuthServiceInternalUpdateVariable(), AUTHVAR_KEYDB_NAME, EFI_CERT_TYPE_RSA2048_SIZE, EFI_STATUS(), GetAvailableKeyIndex(), mAuthVarLibContextIn, mPubKeyNumber, and mPubKeyStore.
Referenced by ProcessVariable(), and VerifyVariable().
BOOLEAN AuthServiceInternalCompareTimeStamp | ( | IN EFI_TIME * | FirstTime, | |
IN EFI_TIME * | SecondTime | |||
) |
Compare two EFI_TIME data.
FirstTime | A pointer to the first EFI_TIME data. | |
SecondTime | A pointer to the second EFI_TIME data. |
TRUE | The FirstTime is not later than the SecondTime. | |
FALSE | The FirstTime is later than the SecondTime. |
References BOOLEAN().
Referenced by VerifyTimeBasedPayload().
EFI_STATUS AuthServiceInternalFindVariable | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
OUT VOID ** | Data, | |||
OUT UINTN * | DataSize | |||
) |
Finds variable in storage blocks of volatile and non-volatile storage areas.
This code finds variable in storage blocks of volatile and non-volatile storage areas. If VariableName is an empty string, then we just return the first qualified variable without comparing VariableName and VendorGuid.
[in] | VariableName | Name of the variable to be found. |
[in] | VendorGuid | Variable vendor GUID to be found. |
[out] | Data | Pointer to data address. |
[out] | DataSize | Pointer to data size. |
EFI_INVALID_PARAMETER | If VariableName is not an empty string, while VendorGuid is NULL. | |
EFI_SUCCESS | Variable successfully found. | |
EFI_NOT_FOUND | Variable not found |
References EFI_STATUS(), and mAuthVarLibContextIn.
Referenced by AuthServiceInternalUpdateVariableWithTimeStamp(), AuthVariableLibInitialize(), CleanCertsFromDb(), DeleteCertsFromDb(), GetAvailableKeyIndex(), GetCertsFromDb(), InCustomMode(), InsertCertsToDb(), UpdatePlatformMode(), and VerifyTimeBasedPayload().
EFI_STATUS AuthServiceInternalUpdateVariable | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
IN VOID * | Data, | |||
IN UINTN | DataSize, | |||
IN UINT32 | Attributes | |||
) |
Update the variable region with Variable information.
[in] | VariableName | Name of variable. |
[in] | VendorGuid | Guid of variable. |
[in] | Data | Data pointer. |
[in] | DataSize | Size of Data. |
[in] | Attributes | Attribute value of the variable. |
EFI_SUCCESS | The update operation is success. | |
EFI_INVALID_PARAMETER | Invalid parameter. | |
EFI_WRITE_PROTECTED | Variable is write-protected. | |
EFI_OUT_OF_RESOURCES | There is not enough resource. |
References mAuthVarLibContextIn.
Referenced by AddPubKeyInStore(), AuthVariableLibInitialize(), DeleteCertsFromDb(), InsertCertsToDb(), ProcessVariable(), UpdatePlatformMode(), and VendorKeyIsModified().
EFI_STATUS AuthServiceInternalUpdateVariableWithMonotonicCount | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
IN VOID * | Data, | |||
IN UINTN | DataSize, | |||
IN UINT32 | Attributes, | |||
IN UINT32 | KeyIndex, | |||
IN UINT64 | MonotonicCount | |||
) |
Update the variable region with Variable information.
[in] | VariableName | Name of variable. |
[in] | VendorGuid | Guid of variable. |
[in] | Data | Data pointer. |
[in] | DataSize | Size of Data. |
[in] | Attributes | Attribute value of the variable. |
[in] | KeyIndex | Index of associated public key. |
[in] | MonotonicCount | Value of associated monotonic count. |
EFI_SUCCESS | The update operation is success. | |
EFI_INVALID_PARAMETER | Invalid parameter. | |
EFI_WRITE_PROTECTED | Variable is write-protected. | |
EFI_OUT_OF_RESOURCES | There is not enough resource. |
References mAuthVarLibContextIn.
Referenced by ProcessVariable().
EFI_STATUS AuthServiceInternalUpdateVariableWithTimeStamp | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
IN VOID * | Data, | |||
IN UINTN | DataSize, | |||
IN UINT32 | Attributes, | |||
IN EFI_TIME * | TimeStamp | |||
) |
Update the variable region with Variable information.
[in] | VariableName | Name of variable. |
[in] | VendorGuid | Guid of variable. |
[in] | Data | Data pointer. |
[in] | DataSize | Size of Data. |
[in] | Attributes | Attribute value of the variable. |
[in] | TimeStamp | Value of associated TimeStamp. |
EFI_SUCCESS | The update operation is success. | |
EFI_INVALID_PARAMETER | Invalid parameter. | |
EFI_WRITE_PROTECTED | Variable is write-protected. | |
EFI_OUT_OF_RESOURCES | There is not enough resource. |
References AuthServiceInternalFindVariable(), EFI_STATUS(), FilterSignatureList(), mAuthVarLibContextIn, and UINTN().
Referenced by ProcessVarWithKek(), ProcessVarWithPk(), and VerifyTimeBasedPayloadAndUpdate().
EFI_STATUS CheckSignatureListFormat | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
IN VOID * | Data, | |||
IN UINTN | DataSize | |||
) |
Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK/db/dbx/dbt variable.
[in] | VariableName | Name of Variable to be check. |
[in] | VendorGuid | Variable vendor GUID. |
[in] | Data | Point to the variable data to be checked. |
[in] | DataSize | Size of Data. |
EFI_SUCCESS Passed signature list format check successfully.
References BOOLEAN(), EFI_SIGNATURE_ITEM::SigHeaderSize, EFI_SIGNATURE_ITEM::SigType, TRUE, and UINTN().
Referenced by ProcessVarWithKek(), ProcessVarWithPk(), and VerifyTimeBasedPayload().
EFI_STATUS CleanCertsFromDb | ( | VOID | ) |
Clean up signer's certificates for common authenticated variable by corresponding VariableName and VendorGuid from "certdb". Sytem may break down during Timebased Variable update & certdb update, make them inconsistent, this function is called in AuthVariable Init to ensure consistency
EFI_NOT_FOUND | Fail to find matching certs. | |
EFI_SUCCESS | Find matching certs and output parameters. |
References AuthServiceInternalFindVariable(), BOOLEAN(), AUTH_CERT_DB_DATA::CertNodeSize, DeleteCertsFromDb(), EFI_CERT_DB_NAME, EFI_STATUS(), gEfiCertDbGuid, AUTH_CERT_DB_DATA::NameSize, TRUE, UINTN(), and AUTH_CERT_DB_DATA::VendorGuid.
Referenced by AuthVariableLibInitialize().
EFI_STATUS DeleteCertsFromDb | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid | |||
) |
Delete matching signer's certificates when deleting common authenticated variable by corresponding VariableName and VendorGuid from "certdb".
[in] | VariableName | Name of authenticated Variable. |
[in] | VendorGuid | Vendor GUID of authenticated Variable. |
EFI_INVALID_PARAMETER | Any input parameter is invalid. | |
EFI_NOT_FOUND | Fail to find "certdb" or matching certs. | |
EFI_OUT_OF_RESOURCES | The operation is failed due to lack of resources. | |
EFI_SUCCESS | The operation is completed successfully. |
References AuthServiceInternalFindVariable(), AuthServiceInternalUpdateVariable(), EFI_CERT_DB_NAME, EFI_STATUS(), FindCertsFromDb(), gEfiCertDbGuid, mCertDbStore, and UINTN().
Referenced by CleanCertsFromDb(), ProcessVariable(), and VerifyTimeBasedPayloadAndUpdate().
EFI_STATUS FilterSignatureList | ( | IN VOID * | Data, | |
IN UINTN | DataSize, | |||
IN OUT VOID * | NewData, | |||
IN OUT UINTN * | NewDataSize | |||
) |
Filter out the duplicated EFI_SIGNATURE_DATA from the new data by comparing to the original data.
[in] | Data | Pointer to original EFI_SIGNATURE_LIST. |
[in] | DataSize | Size of Data buffer. |
[in,out] | NewData | Pointer to new EFI_SIGNATURE_LIST. |
[in,out] | NewDataSize | Size of NewData buffer. |
References BOOLEAN(), EFI_STATUS(), mAuthVarLibContextIn, TRUE, and UINTN().
Referenced by AuthServiceInternalUpdateVariableWithTimeStamp().
EFI_STATUS FindCertsFromDb | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
IN UINT8 * | Data, | |||
IN UINTN | DataSize, | |||
OUT UINT32 * | CertOffset, | |||
OUT UINT32 * | CertDataSize, | |||
OUT UINT32 * | CertNodeOffset, | |||
OUT UINT32 * | CertNodeSize | |||
) |
Find matching signer's certificates for common authenticated variable by corresponding VariableName and VendorGuid from "certdb".
The data format of "certdb":
UINT32 CertDbListSize; /// AUTH_CERT_DB_DATA Certs1[]; /// AUTH_CERT_DB_DATA Certs2[]; /// ... /// AUTH_CERT_DB_DATA Certsn[];
[in] | VariableName | Name of authenticated Variable. |
[in] | VendorGuid | Vendor GUID of authenticated Variable. |
[in] | Data | Pointer to variable "certdb". |
[in] | DataSize | Size of variable "certdb". |
[out] | CertOffset | Offset of matching CertData, from starting of Data. |
[out] | CertDataSize | Length of CertData in bytes. |
[out] | CertNodeOffset | Offset of matching AUTH_CERT_DB_DATA , from starting of Data. |
[out] | CertNodeSize | Length of AUTH_CERT_DB_DATA in bytes. |
EFI_INVALID_PARAMETER | Any input parameter is invalid. | |
EFI_NOT_FOUND | Fail to find matching certs. | |
EFI_SUCCESS | Find matching certs and output parameters. |
References AUTH_CERT_DB_DATA::CertDataSize, AUTH_CERT_DB_DATA::CertNodeSize, AUTH_CERT_DB_DATA::NameSize, and AUTH_CERT_DB_DATA::VendorGuid.
Referenced by DeleteCertsFromDb(), GetCertsFromDb(), and InsertCertsToDb().
UINT32 GetAvailableKeyIndex | ( | IN UINT8 * | PubKey | ) |
Get available public key index.
[in] | PubKey | Pointer to Public Key data. |
References AuthServiceInternalFindVariable(), AUTHVAR_KEYDB_NAME, BOOLEAN(), EFI_STATUS(), mAuthVarLibContextIn, mMaxKeyNumber, mPubKeyNumber, mPubKeyStore, TRUE, and UINTN().
Referenced by AddPubKeyInStore().
EFI_STATUS GetCertsFromDb | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
OUT UINT8 ** | CertData, | |||
OUT UINT32 * | CertDataSize | |||
) |
Retrieve signer's certificates for common authenticated variable by corresponding VariableName and VendorGuid from "certdb".
[in] | VariableName | Name of authenticated Variable. |
[in] | VendorGuid | Vendor GUID of authenticated Variable. |
[out] | CertData | Pointer to signer's certificates. |
[out] | CertDataSize | Length of CertData in bytes. |
EFI_INVALID_PARAMETER | Any input parameter is invalid. | |
EFI_NOT_FOUND | Fail to find "certdb" or matching certs. | |
EFI_SUCCESS | Get signer's certificates successfully. |
References AuthServiceInternalFindVariable(), EFI_CERT_DB_NAME, EFI_STATUS(), FindCertsFromDb(), gEfiCertDbGuid, and UINTN().
Referenced by VerifyTimeBasedPayload().
BOOLEAN InCustomMode | ( | VOID | ) |
Determine whether the platform is operating in Custom Secure Boot mode.
TRUE | The platform is operating in Custom mode. | |
FALSE | The platform is operating in Standard mode. |
References AuthServiceInternalFindVariable(), CUSTOM_SECURE_BOOT_MODE, EFI_CUSTOM_MODE_NAME, EFI_STATUS(), gEfiCustomModeEnableGuid, TRUE, and UINTN().
Referenced by ProcessVarWithKek(), and ProcessVarWithPk().
EFI_STATUS InsertCertsToDb | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
IN UINT8 * | CertData, | |||
IN UINTN | CertDataSize | |||
) |
Insert signer's certificates for common authenticated variable with VariableName and VendorGuid in AUTH_CERT_DB_DATA to "certdb".
[in] | VariableName | Name of authenticated Variable. |
[in] | VendorGuid | Vendor GUID of authenticated Variable. |
[in] | CertData | Pointer to signer's certificates. |
[in] | CertDataSize | Length of CertData in bytes. |
EFI_INVALID_PARAMETER | Any input parameter is invalid. | |
EFI_ACCESS_DENIED | An AUTH_CERT_DB_DATA entry with same VariableName and VendorGuid already exists. | |
EFI_OUT_OF_RESOURCES | The operation is failed due to lack of resources. | |
EFI_SUCCESS | Insert an AUTH_CERT_DB_DATA entry to "certdb" |
References AuthServiceInternalFindVariable(), AuthServiceInternalUpdateVariable(), AUTH_CERT_DB_DATA::CertDataSize, AUTH_CERT_DB_DATA::CertNodeSize, EFI_CERT_DB_NAME, EFI_STATUS(), FindCertsFromDb(), gEfiCertDbGuid, mCertDbStore, mMaxCertDbSize, AUTH_CERT_DB_DATA::NameSize, UINTN(), and AUTH_CERT_DB_DATA::VendorGuid.
Referenced by VerifyTimeBasedPayload().
BOOLEAN IsDeleteAuthVariable | ( | IN UINT32 | OrgAttributes, | |
IN VOID * | Data, | |||
IN UINTN | DataSize, | |||
IN UINT32 | Attributes | |||
) |
Check if it is to delete auth variable.
[in] | OrgAttributes | Original attribute value of the variable. |
[in] | Data | Data pointer. |
[in] | DataSize | Size of Data. |
[in] | Attributes | Attribute value of the variable. |
TRUE | It is to delete auth variable. | |
FALSE | It is not to delete auth variable. |
References AUTHINFO_SIZE, BOOLEAN(), TRUE, and UINTN().
Referenced by ProcessVariable().
BOOLEAN NeedPhysicallyPresent | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid | |||
) |
Determine whether this operation needs a physical present user.
[in] | VariableName | Name of the Variable. |
[in] | VendorGuid | GUID of the Variable. |
TRUE | This variable is protected, only a physical present user could set this variable. | |
FALSE | This variable is not protected. |
References EFI_CUSTOM_MODE_NAME, EFI_SECURE_BOOT_ENABLE_NAME, gEfiCustomModeEnableGuid, gEfiSecureBootEnableDisableGuid, and TRUE.
Referenced by ProcessVariable().
EFI_STATUS ProcessVariable | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
IN VOID * | Data, | |||
IN UINTN | DataSize, | |||
IN UINT32 | Attributes | |||
) |
Process variable with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS/EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
Caution: This function may receive untrusted input. This function may be invoked in SMM mode, and datasize and data are external input. This function will do basic validation, before parse the data. This function will parse the authentication carefully to avoid security issues, like buffer overflow, integer overflow. This function will check attribute carefully to avoid authentication bypass.
[in] | VariableName | Name of the variable. |
[in] | VendorGuid | Variable vendor GUID. |
[in] | Data | Data pointer. |
[in] | DataSize | Size of Data. |
[in] | Attributes | Attribute value of the variable. |
EFI_WRITE_PROTECTED Variable is write-protected and needs authentication with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set.
EFI_OUT_OF_RESOURCES The Database to save the public key is full.
EFI_SECURITY_VIOLATION The variable is with EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS set, but the AuthInfo does NOT pass the validation check carried out by the firmware.
EFI_SUCCESS Variable is not write-protected or pass validation successfully.
References AddPubKeyInStore(), AUTHINFO_SIZE, AuthServiceInternalUpdateVariable(), AuthServiceInternalUpdateVariableWithMonotonicCount(), AuthVarTypePriv, BOOLEAN(), DeleteCertsFromDb(), EFI_CERT_TYPE_RSA2048_SIZE, EFI_STATUS(), IsDeleteAuthVariable(), mAuthVarLibContextIn, mPubKeyNumber, mPubKeyStore, NeedPhysicallyPresent(), TRUE, UserPhysicalPresent(), VerifyCounterBasedPayload(), and VerifyTimeBasedPayloadAndUpdate().
Referenced by AuthVariableLibProcessVariable().
EFI_STATUS ProcessVarWithKek | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
IN VOID * | Data, | |||
IN UINTN | DataSize, | |||
IN UINT32 | Attributes | |||
) |
Process variable with key exchange key for verification.
Caution: This function may receive untrusted input. This function may be invoked in SMM mode, and datasize and data are external input. This function will do basic validation, before parse the data. This function will parse the authentication carefully to avoid security issues, like buffer overflow, integer overflow. This function will check attribute carefully to avoid authentication bypass.
[in] | VariableName | Name of Variable to be found. |
[in] | VendorGuid | Variable vendor GUID. |
[in] | Data | Data pointer. |
[in] | DataSize | Size of Data found. If size is less than the data, this value contains the required size. |
[in] | Attributes | Attribute value of the variable. |
EFI_SECURITY_VIOLATION The variable does NOT pass the validation check carried out by the firmware.
EFI_SUCCESS Variable pass validation successfully.
References AuthServiceInternalUpdateVariableWithTimeStamp(), AuthVarTypeKek, CheckSignatureListFormat(), EFI_STATUS(), InCustomMode(), mPlatformMode, UINTN(), UserPhysicalPresent(), VendorKeyIsModified(), and VerifyTimeBasedPayloadAndUpdate().
Referenced by AuthVariableLibProcessVariable(), and EsalSetVariable().
EFI_STATUS ProcessVarWithPk | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
IN VOID * | Data, | |||
IN UINTN | DataSize, | |||
IN UINT32 | Attributes, | |||
IN BOOLEAN | IsPk | |||
) |
Process variable with platform key for verification.
Caution: This function may receive untrusted input. This function may be invoked in SMM mode, and datasize and data are external input. This function will do basic validation, before parse the data. This function will parse the authentication carefully to avoid security issues, like buffer overflow, integer overflow. This function will check attribute carefully to avoid authentication bypass.
[in] | VariableName | Name of Variable to be found. |
[in] | VendorGuid | Variable vendor GUID. |
[in] | Data | Data pointer. |
[in] | DataSize | Size of Data found. If size is less than the data, this value contains the required size. |
[in] | Attributes | Attribute value of the variable |
[in] | IsPk | Indicate whether it is to process pk. |
EFI_SECURITY_VIOLATION The variable does NOT pass the validation. check carried out by the firmware.
EFI_SUCCESS Variable passed validation successfully.
References AuthServiceInternalUpdateVariableWithTimeStamp(), AuthVarTypePayload, AuthVarTypePk, BOOLEAN(), CheckSignatureListFormat(), EFI_STATUS(), InCustomMode(), mPlatformMode, TRUE, UINTN(), UpdatePlatformMode(), UserPhysicalPresent(), VendorKeyIsModified(), and VerifyTimeBasedPayloadAndUpdate().
Referenced by AuthVariableLibProcessVariable(), and EsalSetVariable().
EFI_STATUS UpdatePlatformMode | ( | IN UINT32 | Mode | ) |
Update platform mode.
[in] | Mode | SETUP_MODE or USER_MODE. |
EFI_SUCCESS Update platform mode successfully.
References AuthServiceInternalFindVariable(), AuthServiceInternalUpdateVariable(), EFI_SECURE_BOOT_ENABLE_NAME, EFI_STATUS(), gEfiSecureBootEnableDisableGuid, mAuthVarLibContextIn, mPlatformMode, SECURE_BOOT_DISABLE, SECURE_BOOT_ENABLE, and UINTN().
Referenced by ProcessVarWithPk().
EFI_STATUS VendorKeyIsModified | ( | VOID | ) |
Update "VendorKeys" variable to record the out of band secure boot key modification.
Others Failed to update variable.
References AuthServiceInternalUpdateVariable(), EFI_STATUS(), EFI_VENDOR_KEYS_NV_VARIABLE_NAME, gEfiVendorKeysNvGuid, mVendorKeyState, and VENDOR_KEYS_MODIFIED.
Referenced by ProcessVarWithKek(), and ProcessVarWithPk().
EFI_STATUS VerifyCounterBasedPayload | ( | IN UINT8 * | Data, | |
IN UINTN | DataSize, | |||
IN UINT8 * | PubKey | |||
) |
Verify data payload with AuthInfo in EFI_CERT_TYPE_RSA2048_SHA256_GUID type. Follow the steps in UEFI2.2.
Caution: This function may receive untrusted input. This function may be invoked in SMM mode, and datasize and data are external input. This function will do basic validation, before parse the data. This function will parse the authentication carefully to avoid security issues, like buffer overflow, integer overflow.
[in] | Data | Pointer to data with AuthInfo. |
[in] | DataSize | Size of Data. |
[in] | PubKey | Public key used for verification. |
EFI_INVALID_PARAMETER | Invalid parameter. | |
EFI_SECURITY_VIOLATION | If authentication failed. | |
EFI_SUCCESS | Authentication successful. |
References AUTHINFO_SIZE, BOOLEAN(), EFI_CERT_TYPE_RSA2048_SHA256_SIZE, EFI_CERT_TYPE_RSA2048_SIZE, mHashCtx, mRsaE, SHA256_DIGEST_SIZE, and UINTN().
Referenced by ProcessVariable().
EFI_STATUS VerifyTimeBasedPayload | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
IN VOID * | Data, | |||
IN UINTN | DataSize, | |||
IN UINT32 | Attributes, | |||
IN AUTHVAR_TYPE | AuthVarType, | |||
IN EFI_TIME * | OrgTimeStamp, | |||
OUT UINT8 ** | VarPayloadPtr, | |||
OUT UINTN * | VarPayloadSize | |||
) |
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
Caution: This function may receive untrusted input. This function may be invoked in SMM mode, and datasize and data are external input. This function will do basic validation, before parse the data. This function will parse the authentication carefully to avoid security issues, like buffer overflow, integer overflow.
[in] | VariableName | Name of Variable to be found. |
[in] | VendorGuid | Variable vendor GUID. |
[in] | Data | Data pointer. |
[in] | DataSize | Size of Data found. If size is less than the data, this value contains the required size. |
[in] | Attributes | Attribute value of the variable. |
[in] | AuthVarType | Verify against PK, KEK database, private database or certificate in data payload. |
[in] | OrgTimeStamp | Pointer to original time stamp, original variable is not found if NULL. |
[out] | VarPayloadPtr | Pointer to variable payload address. |
[out] | VarPayloadSize | Pointer to variable payload size. |
EFI_INVALID_PARAMETER | Invalid parameter. | |
EFI_SECURITY_VIOLATION | The variable does NOT pass the validation check carried out by the firmware. | |
EFI_OUT_OF_RESOURCES | Failed to process variable due to lack of resources. | |
EFI_SUCCESS | Variable pass validation successfully. |
References AuthServiceInternalCompareTimeStamp(), AuthServiceInternalFindVariable(), AuthVarTypeKek, AuthVarTypePayload, AuthVarTypePk, AuthVarTypePriv, BOOLEAN(), CheckSignatureListFormat(), EFI_STATUS(), GetCertsFromDb(), InsertCertsToDb(), mAuthVarLibContextIn, and UINTN().
Referenced by VerifyTimeBasedPayloadAndUpdate().
EFI_STATUS VerifyTimeBasedPayloadAndUpdate | ( | IN CHAR16 * | VariableName, | |
IN EFI_GUID * | VendorGuid, | |||
IN VOID * | Data, | |||
IN UINTN | DataSize, | |||
IN UINT32 | Attributes, | |||
IN AUTHVAR_TYPE | AuthVarType, | |||
OUT BOOLEAN * | VarDel | |||
) |
Process variable with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set
Caution: This function may receive untrusted input. This function may be invoked in SMM mode, and datasize and data are external input. This function will do basic validation, before parse the data. This function will parse the authentication carefully to avoid security issues, like buffer overflow, integer overflow.
[in] | VariableName | Name of Variable to be found. |
[in] | VendorGuid | Variable vendor GUID. |
[in] | Data | Data pointer. |
[in] | DataSize | Size of Data found. If size is less than the data, this value contains the required size. |
[in] | Attributes | Attribute value of the variable. |
[in] | AuthVarType | Verify against PK, KEK database, private database or certificate in data payload. |
[out] | VarDel | Delete the variable or not. |
EFI_INVALID_PARAMETER | Invalid parameter. | |
EFI_SECURITY_VIOLATION | The variable does NOT pass the validation check carried out by the firmware. | |
EFI_OUT_OF_RESOURCES | Failed to process variable due to lack of resources. | |
EFI_SUCCESS | Variable pass validation successfully. |
References AuthServiceInternalUpdateVariableWithTimeStamp(), AuthVarTypePriv, BOOLEAN(), DeleteCertsFromDb(), EFI_STATUS(), mAuthVarLibContextIn, TRUE, UINTN(), and VerifyTimeBasedPayload().
Referenced by ProcessVariable(), ProcessVarWithKek(), and ProcessVarWithPk().
CONST UINT8 mRsaE[] = { 0x01, 0x00, 0x01 } |
Referenced by Rsa2048Sha256GuidedSectionHandler(), VerifyCounterBasedPayload(), and VerifyDataPayload().
Initial value:
{ {EFI_CERT_SHA256_GUID, 0, 32 }, {EFI_CERT_RSA2048_GUID, 0, 256 }, {EFI_CERT_RSA2048_SHA256_GUID, 0, 256 }, {EFI_CERT_SHA1_GUID, 0, 20 }, {EFI_CERT_RSA2048_SHA1_GUID, 0, 256 }, {EFI_CERT_X509_GUID, 0, ((UINT32) ~0)}, {EFI_CERT_SHA224_GUID, 0, 28 }, {EFI_CERT_SHA384_GUID, 0, 48 }, {EFI_CERT_SHA512_GUID, 0, 64 }, {EFI_CERT_X509_SHA256_GUID, 0, 48 }, {EFI_CERT_X509_SHA384_GUID, 0, 64 }, {EFI_CERT_X509_SHA512_GUID, 0, 80 } }