SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c File Reference


Functions

BOOLEAN IsDerEncodeCertificate (IN CONST CHAR16 *FileSuffix)
EFI_STATUS SaveSecureBootVariable (IN UINT8 VarValue)
EFI_STATUS CreateTimeBasedPayload (IN OUT UINTN *DataSize, IN OUT UINT8 **Data)
EFI_STATUS DeleteVariable (IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid)
EFI_STATUS SetSecureBootMode (IN UINT8 SecureBootMode)
EFI_STATUS CreatePkX509SignatureList (IN EFI_FILE_HANDLE X509File, OUT EFI_SIGNATURE_LIST **PkCert)
EFI_STATUS EnrollPlatformKey (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private)
EFI_STATUS DeletePlatformKey (VOID)
EFI_STATUS EnrollRsa2048ToKek (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private)
EFI_STATUS EnrollX509ToKek (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private)
EFI_STATUS EnrollKeyExchangeKey (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private)
EFI_STATUS EnrollX509toSigDB (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName)
BOOLEAN IsSignatureFoundInDatabase (IN CHAR16 *VariableName, IN UINT8 *Signature, IN UINTN SignatureSize)
BOOLEAN CalculateCertHash (IN UINT8 *CertData, IN UINTN CertSize, IN UINT32 HashAlg, OUT UINT8 *CertHash)
BOOLEAN IsCertHashFoundInDbx (IN UINT8 *Certificate, IN UINTN CertSize)
BOOLEAN GetSignaturelistOffset (IN EFI_SIGNATURE_LIST *Database, IN UINTN DatabaseSize, IN EFI_GUID *SignatureType, OUT UINTN *Offset)
EFI_STATUS EnrollX509HashtoSigDB (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN UINT32 HashAlg, IN EFI_HII_DATE *RevocationDate, IN EFI_HII_TIME *RevocationTime, IN BOOLEAN AlwaysRevocation)
BOOLEAN IsX509CertInDbx (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName)
EFI_STATUS LoadPeImage (VOID)
BOOLEAN HashPeImage (IN UINT32 HashAlg)
EFI_STATUS HashPeImageByType (VOID)
EFI_STATUS EnrollImageSignatureToSigDB (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName)
EFI_STATUS EnrollSignatureDatabase (IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName)
EFI_STATUS UpdateDeletePage (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT16 LabelNumber, IN EFI_FORM_ID FormId, IN EFI_QUESTION_ID QuestionIdBase)
EFI_STATUS DeleteKeyExchangeKey (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN EFI_QUESTION_ID QuestionId)
EFI_STATUS DeleteSignature (IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData, IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT16 LabelNumber, IN EFI_FORM_ID FormId, IN EFI_QUESTION_ID QuestionIdBase, IN UINTN DeleteIndex)
VOID SecureBootExtractConfigFromVariable (IN OUT SECUREBOOT_CONFIGURATION *ConfigData)
EFI_STATUS EFIAPI SecureBootExtractConfig (IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, IN CONST EFI_STRING Request, OUT EFI_STRING *Progress, OUT EFI_STRING *Results)
EFI_STATUS EFIAPI SecureBootRouteConfig (IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, IN CONST EFI_STRING Configuration, OUT EFI_STRING *Progress)
EFI_STATUS EFIAPI SecureBootCallback (IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, IN EFI_BROWSER_ACTION Action, IN EFI_QUESTION_ID QuestionId, IN UINT8 Type, IN EFI_IFR_TYPE_VALUE *Value, OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest)
EFI_STATUS InstallSecureBootConfigForm (IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData)
VOID UninstallSecureBootConfigForm (IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData)

Variables

CHAR16 mSecureBootStorageName [] = L"SECUREBOOT_CONFIGURATION"
SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate
HII_VENDOR_DEVICE_PATH mSecureBootHiiVendorDevicePath
BOOLEAN mIsEnterSecureBootForm = FALSE
UINT8 mHashOidValue []
HASH_TABLE mHash []
UINT32 mPeCoffHeaderOffset = 0
WIN_CERTIFICATE * mCertificate = NULL
IMAGE_TYPE mImageType
UINT8 * mImageBase = NULL
UINTN mImageSize = 0
UINT8 mImageDigest [MAX_DIGEST_SIZE]
UINTN mImageDigestSize
EFI_GUID mCertType
EFI_IMAGE_SECURITY_DATA_DIRECTORYmSecDataDir = NULL
EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION mNtHeader
CHAR16 * mDerEncodedSuffix []
CHAR16 * mSupportX509Suffix = L"*.cer/der/crt"

Detailed Description

HII Config Access protocol implementation of SecureBoot configuration module.

Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php

THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.


Function Documentation

BOOLEAN CalculateCertHash ( IN UINT8 *  CertData,
IN UINTN  CertSize,
IN UINT32  HashAlg,
OUT UINT8 *  CertHash 
)

Calculate the hash of a certificate data with the specified hash algorithm.

Parameters:
[in] CertData The certificate data to be hashed.
[in] CertSize The certificate size in bytes.
[in] HashAlg The specified hash algorithm.
[out] CertHash The output digest of the certificate
Return values:
TRUE Successfully got the hash of the CertData.
FALSE Failed to get the hash of CertData.

References BOOLEAN(), HASH_TABLE::GetContextSize, HASHALG_MAX, HASH_TABLE::HashFinal, HASH_TABLE::HashInit, HASH_TABLE::HashUpdate, and UINTN().

Referenced by EnrollX509HashtoSigDB(), and IsCertHashFoundInDbx().

EFI_STATUS CreatePkX509SignatureList ( IN EFI_FILE_HANDLE  X509File,
OUT EFI_SIGNATURE_LIST **  PkCert 
)

Generate the PK signature list from the X509 Certificate storing file (.cer)

Parameters:
[in] X509File FileHandle of X509 Certificate storing file.
[out] PkCert Point to the data buffer to store the signature list.
Returns:
EFI_UNSUPPORTED Unsupported Key Length.

EFI_OUT_OF_RESOURCES There are not enough memory resourses to form the signature list.

References EFI_STATUS(), ReadFileContent(), and UINTN().

Referenced by EnrollPlatformKey().

EFI_STATUS CreateTimeBasedPayload ( IN OUT UINTN *  DataSize,
IN OUT UINT8 **  Data 
)

Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2 descriptor with the input data. NO authentication is required in this function.

Parameters:
[in,out] DataSize On input, the size of Data buffer in bytes. On output, the size of data returned in Data buffer in bytes.
[in,out] Data On input, Pointer to data buffer to be wrapped or pointer to NULL to wrap an empty payload. On output, Pointer to the new payload date buffer allocated from pool, it's caller's responsibility to free the memory when finish using it.
Return values:
EFI_SUCCESS Create time based payload successfully.
EFI_OUT_OF_RESOURCES There are not enough memory resourses to create time based payload.
EFI_INVALID_PARAMETER The parameter is invalid.
Others Unexpected error happens.

References EFI_STATUS(), and UINTN().

Referenced by DeleteKeyExchangeKey(), DeleteSignature(), DeleteVariable(), EnrollImageSignatureToSigDB(), EnrollPlatformKey(), EnrollRsa2048ToKek(), EnrollX509HashtoSigDB(), EnrollX509ToKek(), and EnrollX509toSigDB().

EFI_STATUS DeleteKeyExchangeKey ( IN SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData,
IN EFI_QUESTION_ID  QuestionId 
)

Delete a KEK entry from KEK database.

Parameters:
[in] PrivateData Module's private data.
[in] QuestionId Question id of the KEK item to delete.
Return values:
EFI_SUCCESS Delete kek item successfully.
EFI_OUT_OF_RESOURCES Could not allocate needed resources.

References BOOLEAN(), CreateTimeBasedPayload(), CUSTOM_SECURE_BOOT_MODE, EFI_STATUS(), FORMID_DELETE_KEK_FORM, LABEL_KEK_DELETE, OPTION_DEL_KEK_QUESTION_ID, SetSecureBootMode(), TRUE, UINTN(), and UpdateDeletePage().

Referenced by SecureBootCallback().

EFI_STATUS DeletePlatformKey ( VOID   ) 

Remove the PK variable.

Return values:
EFI_SUCCESS Delete PK successfully.
Others Could not allow to delete PK.

References CUSTOM_SECURE_BOOT_MODE, DeleteVariable(), EFI_STATUS(), and SetSecureBootMode().

Referenced by SecureBootCallback().

EFI_STATUS DeleteSignature ( IN SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData,
IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN UINT16  LabelNumber,
IN EFI_FORM_ID  FormId,
IN EFI_QUESTION_ID  QuestionIdBase,
IN UINTN  DeleteIndex 
)

Delete a signature entry from siganture database.

Parameters:
[in] PrivateData Module's private data.
[in] VariableName The variable name of the vendor's signature database.
[in] VendorGuid A unique identifier for the vendor.
[in] LabelNumber Label number to insert opcodes.
[in] FormId Form ID of current page.
[in] QuestionIdBase Base question id of the signature list.
[in] DeleteIndex Signature index to delete.
Return values:
EFI_SUCCESS Delete siganture successfully.
EFI_NOT_FOUND Can't find the signature item,
EFI_OUT_OF_RESOURCES Could not allocate needed resources.

References BOOLEAN(), CreateTimeBasedPayload(), CUSTOM_SECURE_BOOT_MODE, EFI_STATUS(), SetSecureBootMode(), TRUE, UINTN(), and UpdateDeletePage().

Referenced by SecureBootCallback().

EFI_STATUS DeleteVariable ( IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid 
)

Internal helper function to delete a Variable given its name and GUID, NO authentication required.

Parameters:
[in] VariableName Name of the Variable.
[in] VendorGuid GUID of the Variable.
Return values:
EFI_SUCCESS Variable deleted successfully.
Others The driver failed to start the device.

References CreateTimeBasedPayload(), EFI_STATUS(), and UINTN().

Referenced by DeletePlatformKey().

EFI_STATUS EnrollImageSignatureToSigDB ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private,
IN CHAR16 *  VariableName 
)

Enroll a new executable's signature into Signature Database.

Parameters:
[in] PrivateData The module's private data.
[in] VariableName Variable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURITY_DATABASE1 or EFI_IMAGE_SECURITY_DATABASE2.
Return values:
EFI_SUCCESS New signature is enrolled successfully.
EFI_INVALID_PARAMETER The parameter is invalid.
EFI_UNSUPPORTED Unsupported command.
EFI_OUT_OF_RESOURCES Could not allocate needed resources.

References CloseFile(), CreateTimeBasedPayload(), EFI_STATUS(), HASHALG_SHA256, HashPeImage(), HashPeImageByType(), LoadPeImage(), EFI_IMAGE_SECURITY_DATA_DIRECTORY::Offset, ReadFileContent(), EFI_IMAGE_SECURITY_DATA_DIRECTORY::SizeOfCert, and UINTN().

Referenced by EnrollSignatureDatabase().

EFI_STATUS EnrollKeyExchangeKey ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private  ) 

Enroll new KEK into the System without PK's authentication. The SignatureOwner GUID will be Private->SignatureGUID.

Parameters:
[in] PrivateData The module's private data.
Return values:
EFI_SUCCESS New KEK enrolled successful.
EFI_INVALID_PARAMETER The parameter is invalid.
others Fail to enroll KEK data.

References CUSTOM_SECURE_BOOT_MODE, EFI_STATUS(), EnrollRsa2048ToKek(), EnrollX509ToKek(), IsDerEncodeCertificate(), SetSecureBootMode(), and UINTN().

Referenced by SecureBootCallback().

EFI_STATUS EnrollPlatformKey ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private  ) 

Enroll new PK into the System without original PK's authentication.

The SignatureOwner GUID will be the same with PK's vendorguid.

Parameters:
[in] PrivateData The module's private data.
Return values:
EFI_SUCCESS New PK enrolled successfully.
EFI_INVALID_PARAMETER The parameter is invalid.
EFI_OUT_OF_RESOURCES Could not allocate needed resources.

References CloseFile(), CreatePkX509SignatureList(), CreateTimeBasedPayload(), CUSTOM_SECURE_BOOT_MODE, EFI_STATUS(), IsDerEncodeCertificate(), SetSecureBootMode(), and UINTN().

Referenced by SecureBootCallback().

EFI_STATUS EnrollRsa2048ToKek ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private  ) 

Enroll a new KEK item from public key storing file (*.pbk).

Parameters:
[in] PrivateData The module's private data.
Return values:
EFI_SUCCESS New KEK enrolled successfully.
EFI_INVALID_PARAMETER The parameter is invalid.
EFI_UNSUPPORTED Unsupported command.
EFI_OUT_OF_RESOURCES Could not allocate needed resources.

References CloseFile(), CreateTimeBasedPayload(), EFI_STATUS(), Int2OctStr(), _CPL_KEY_INFO::KeyLengthInBits, ReadFileContent(), UINTN(), and WIN_CERT_UEFI_RSA2048_SIZE.

Referenced by EnrollKeyExchangeKey().

EFI_STATUS EnrollSignatureDatabase ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private,
IN CHAR16 *  VariableName 
)

Enroll signature into DB/DBX/DBT without KEK's authentication. The SignatureOwner GUID will be Private->SignatureGUID.

Parameters:
[in] PrivateData The module's private data.
[in] VariableName Variable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.
Return values:
EFI_SUCCESS New signature enrolled successfully.
EFI_INVALID_PARAMETER The parameter is invalid.
others Fail to enroll signature data.

References CUSTOM_SECURE_BOOT_MODE, EFI_STATUS(), EnrollImageSignatureToSigDB(), EnrollX509toSigDB(), IsDerEncodeCertificate(), SetSecureBootMode(), and UINTN().

Referenced by SecureBootCallback().

EFI_STATUS EnrollX509HashtoSigDB ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private,
IN UINT32  HashAlg,
IN EFI_HII_DATE *  RevocationDate,
IN EFI_HII_TIME *  RevocationTime,
IN BOOLEAN  AlwaysRevocation 
)

Enroll a new X509 certificate hash into Signature Database (dbx) without KEK's authentication.

Parameters:
[in] PrivateData The module's private data.
[in] HashAlg The hash algorithm to enroll the certificate.
[in] RevocationDate The revocation date of the certificate.
[in] RevocationTime The revocation time of the certificate.
[in] AlwaysRevocation Indicate whether the certificate is always revoked.
Return values:
EFI_SUCCESS New X509 is enrolled successfully.
EFI_INVALID_PARAMETER The parameter is invalid.
EFI_OUT_OF_RESOURCES Could not allocate needed resources.

References CalculateCertHash(), CloseFile(), CreateTimeBasedPayload(), CUSTOM_SECURE_BOOT_MODE, HASH_TABLE::DigestLength, EFI_STATUS(), GetSignaturelistOffset(), HASHALG_SHA256, HASHALG_SHA384, HASHALG_SHA512, IsDerEncodeCertificate(), MAX_DIGEST_SIZE, ReadFileContent(), SetSecureBootMode(), and UINTN().

Referenced by SecureBootCallback().

EFI_STATUS EnrollX509ToKek ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private  ) 

Enroll a new KEK item from X509 certificate file.

Parameters:
[in] PrivateData The module's private data.
Return values:
EFI_SUCCESS New X509 is enrolled successfully.
EFI_INVALID_PARAMETER The parameter is invalid.
EFI_UNSUPPORTED Unsupported command.
EFI_OUT_OF_RESOURCES Could not allocate needed resources.

References CloseFile(), CreateTimeBasedPayload(), EFI_STATUS(), ReadFileContent(), and UINTN().

Referenced by EnrollKeyExchangeKey().

EFI_STATUS EnrollX509toSigDB ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private,
IN CHAR16 *  VariableName 
)

Enroll a new X509 certificate into Signature Database (DB or DBX or DBT) without KEK's authentication.

Parameters:
[in] PrivateData The module's private data.
[in] VariableName Variable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.
Return values:
EFI_SUCCESS New X509 is enrolled successfully.
EFI_OUT_OF_RESOURCES Could not allocate needed resources.

References CloseFile(), CreateTimeBasedPayload(), EFI_STATUS(), ReadFileContent(), and UINTN().

Referenced by EnrollSignatureDatabase().

BOOLEAN GetSignaturelistOffset ( IN EFI_SIGNATURE_LIST *  Database,
IN UINTN  DatabaseSize,
IN EFI_GUID *  SignatureType,
OUT UINTN *  Offset 
)

Check whether the signature list exists in given variable data.

It searches the signature list for the ceritificate hash by CertType. If the signature list is found, get the offset of Database for the next hash of a certificate.

Parameters:
[in] Database Variable data to save signature list.
[in] DatabaseSize Variable size.
[in] SignatureType The type of the signature.
[out] Offset The offset to save a new hash of certificate.
Returns:
TRUE The signature list is found in the forbidden database.

FALSE The signature list is not found in the forbidden database.

References TRUE, and UINTN().

Referenced by EnrollX509HashtoSigDB().

BOOLEAN HashPeImage ( IN UINT32  HashAlg  ) 

Calculate hash of Pe/Coff image based on the authenticode image hashing in PE/COFF Specification 8.0 Appendix A

Parameters:
[in] HashAlg Hash algorithm type.
Return values:
TRUE Successfully hash image.
FALSE Fail in hash image.

References BOOLEAN(), HASH_TABLE::GetContextSize, HASHALG_SHA1, HASHALG_SHA256, HASH_TABLE::HashFinal, HASH_TABLE::HashInit, HASH_TABLE::HashUpdate, MAX_DIGEST_SIZE, SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, and UINTN().

EFI_STATUS HashPeImageByType ( VOID   ) 

Recognize the Hash algorithm in PE/COFF Authenticode and calculate hash of Pe/Coff image based on the authenticated image hashing in PE/COFF Specification 8.0 Appendix A

Return values:
EFI_UNSUPPORTED Hash algorithm is not supported.
EFI_SUCCESS Hash successfully.

References WIN_CERTIFICATE_EFI_PKCS::CertData, HASHALG_MAX, HashPeImage(), EFI_IMAGE_SECURITY_DATA_DIRECTORY::Offset, HASH_TABLE::OidLength, HASH_TABLE::OidValue, and TWO_BYTE_ENCODE.

EFI_STATUS InstallSecureBootConfigForm ( IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData  ) 

This function publish the SecureBoot configuration Form.

Parameters:
[in,out] PrivateData Points to SecureBoot configuration private data.
Return values:
EFI_SUCCESS HII Form is installed successfully.
EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
Others Other errors as indicated.

References DirectoryMenu, EFI_STATUS(), FileExplorerDisplayUnknown, FileExplorerStateInActive, FsOptionMenu, gSecureBootConfigFormSetGuid, SECUREBOOT_MENU_OPTION::Head, LABEL_END, mEndLabel, mEndOpCodeHandle, mStartLabel, mStartOpCodeHandle, SecureBootConfigBin, SecureBootConfigDxeStrings, and UninstallSecureBootConfigForm().

Referenced by SecureBootConfigDriverEntryPoint().

BOOLEAN IsCertHashFoundInDbx ( IN UINT8 *  Certificate,
IN UINTN  CertSize 
)

Check whether the hash of an X.509 certificate is in forbidden database (DBX).

Parameters:
[in] Certificate Pointer to X.509 Certificate that is searched for.
[in] CertSize Size of X.509 Certificate.
Returns:
TRUE Found the certificate hash in the forbidden database.

FALSE Certificate hash is Not found in the forbidden database.

References BOOLEAN(), CalculateCertHash(), EFI_STATUS(), HASHALG_MAX, HASHALG_SHA256, HASHALG_SHA384, HASHALG_SHA512, MAX_DIGEST_SIZE, TRUE, and UINTN().

Referenced by IsX509CertInDbx().

BOOLEAN IsDerEncodeCertificate ( IN CONST CHAR16 *  FileSuffix  ) 

This code checks if the FileSuffix is one of the possible DER-encoded certificate suffix.

Parameters:
[in] FileSuffix The suffix of the input certificate file
Return values:
TRUE It's a DER-encoded certificate.
FALSE It's NOT a DER-encoded certificate.

References TRUE, and UINTN().

Referenced by EnrollKeyExchangeKey(), EnrollPlatformKey(), EnrollSignatureDatabase(), and EnrollX509HashtoSigDB().

BOOLEAN IsSignatureFoundInDatabase ( IN CHAR16 *  VariableName,
IN UINT8 *  Signature,
IN UINTN  SignatureSize 
)

Check whether signature is in specified database.

Parameters:
[in] VariableName Name of database variable that is searched in.
[in] Signature Pointer to signature that is searched for.
[in] SignatureSize Size of Signature.
Returns:
TRUE Found the signature in the variable database.

FALSE Not found the signature in the variable database.

References BOOLEAN(), EFI_STATUS(), TRUE, and UINTN().

BOOLEAN IsX509CertInDbx ( IN SECUREBOOT_CONFIG_PRIVATE_DATA Private,
IN CHAR16 *  VariableName 
)

Check whether a certificate from a file exists in dbx.

Parameters:
[in] PrivateData The module's private data.
[in] VariableName Variable name of signature database, must be EFI_IMAGE_SECURITY_DATABASE1.
Return values:
TRUE The X509 certificate is found in dbx successfully.
FALSE The X509 certificate is not found in dbx.

References BOOLEAN(), EFI_STATUS(), IsCertHashFoundInDbx(), IsSignatureFoundInDatabase(), ReadFileContent(), TRUE, and UINTN().

Referenced by SecureBootCallback().

EFI_STATUS LoadPeImage ( VOID   ) 

Load PE/COFF image information into internal buffer and check its validity.

Return values:
EFI_SUCCESS Successful
EFI_UNSUPPORTED Invalid PE/COFF file
EFI_ABORTED Serious error occurs, like file I/O error etc.

References ImageType_IA32, and ImageType_X64.

Referenced by EnrollImageSignatureToSigDB().

EFI_STATUS SaveSecureBootVariable ( IN UINT8  VarValue  ) 

Set Secure Boot option into variable space.

Parameters:
[in] VarValue The option of Secure Boot.
Return values:
EFI_SUCCESS The operation is finished successfully.
Others Other errors as indicated.

References EFI_SECURE_BOOT_ENABLE_NAME, EFI_STATUS(), and gEfiSecureBootEnableDisableGuid.

Referenced by SecureBootCallback(), and SecureBootRouteConfig().

EFI_STATUS EFIAPI SecureBootCallback ( IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *  This,
IN EFI_BROWSER_ACTION  Action,
IN EFI_QUESTION_ID  QuestionId,
IN UINT8  Type,
IN EFI_IFR_TYPE_VALUE *  Value,
OUT EFI_BROWSER_ACTION_REQUEST *  ActionRequest 
)

This function is called to provide results data to the driver.

Parameters:
[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
[in] Action Specifies the type of action taken by the browser.
[in] QuestionId A unique value which is sent to the original exporting driver so that it can identify the type of data to expect.
[in] Type The type of value for the question.
[in] Value A pointer to the data being sent to the original exporting driver.
[out] ActionRequest On return, points to the action requested by the callback function.
Return values:
EFI_SUCCESS The callback successfully handled the action.
EFI_OUT_OF_RESOURCES Not enough storage is available to hold the variable and its data.
EFI_DEVICE_ERROR The variable could not be saved.
EFI_UNSUPPORTED The specified Action is not supported by the callback.

References CleanUpPage(), CloseFile(), CUSTOM_SECURE_BOOT_MODE, DeleteKeyExchangeKey(), DeletePlatformKey(), DeleteSignature(), DirectoryMenu, EFI_CUSTOM_MODE_NAME, EFI_SECURE_BOOT_ENABLE_NAME, EFI_STATUS(), EnrollKeyExchangeKey(), EnrollPlatformKey(), EnrollSignatureDatabase(), EnrollX509HashtoSigDB(), SECUREBOOT_CONFIG_PRIVATE_DATA::FeCurrentState, SECUREBOOT_CONFIG_PRIVATE_DATA::FeDisplayContext, SECUREBOOT_FILE_CONTEXT::FHandle, FILE_OPTION_GOTO_OFFSET, FILE_OPTION_OFFSET, SECUREBOOT_CONFIG_PRIVATE_DATA::FileContext, FileExplorerDisplayUnknown, FileExplorerStateEnrollKekFile, FileExplorerStateEnrollPkFile, FileExplorerStateEnrollSignatureFileToDb, FileExplorerStateEnrollSignatureFileToDbt, FileExplorerStateEnrollSignatureFileToDbx, SECUREBOOT_FILE_CONTEXT::FileName, FORM_FILE_EXPLORER_ID, FORMID_DELETE_KEK_FORM, FORMID_ENROLL_KEK_FORM, FreeMenu(), FsOptionMenu, gEfiCustomModeEnableGuid, gEfiSecureBootEnableDisableGuid, gSecureBootConfigFormSetGuid, HASHALG_MAX, HASHALG_SHA256, IsX509CertInDbx(), KEY_DELETE_KEK, KEY_HIDE_SECURE_BOOT, KEY_SECURE_BOOT_DB_OPTION, KEY_SECURE_BOOT_DBT_OPTION, KEY_SECURE_BOOT_DBX_OPTION, KEY_SECURE_BOOT_DELETE_PK, KEY_SECURE_BOOT_ENABLE, KEY_SECURE_BOOT_KEK_GUID, KEY_SECURE_BOOT_KEK_OPTION, KEY_SECURE_BOOT_MODE, KEY_SECURE_BOOT_OPTION, KEY_SECURE_BOOT_SIGNATURE_GUID_DB, KEY_SECURE_BOOT_SIGNATURE_GUID_DBT, KEY_SECURE_BOOT_SIGNATURE_GUID_DBX, KEY_VALUE_NO_SAVE_AND_EXIT_DB, KEY_VALUE_NO_SAVE_AND_EXIT_DBT, KEY_VALUE_NO_SAVE_AND_EXIT_DBX, KEY_VALUE_NO_SAVE_AND_EXIT_KEK, KEY_VALUE_NO_SAVE_AND_EXIT_PK, KEY_VALUE_SAVE_AND_EXIT_DB, KEY_VALUE_SAVE_AND_EXIT_DBT, KEY_VALUE_SAVE_AND_EXIT_DBX, KEY_VALUE_SAVE_AND_EXIT_KEK, KEY_VALUE_SAVE_AND_EXIT_PK, LABEL_DB_DELETE, LABEL_DBT_DELETE, LABEL_DBX_DELETE, LABEL_KEK_DELETE, mSecureBootStorageName, OPTION_CONFIG_RANGE, OPTION_DEL_DB_QUESTION_ID, OPTION_DEL_DBT_QUESTION_ID, OPTION_DEL_DBX_QUESTION_ID, OPTION_DEL_KEK_QUESTION_ID, SaveSecureBootVariable(), SECURE_BOOT_MODE_STANDARD, SECUREBOOT_ADD_PK_FILE_FORM_ID, SECUREBOOT_CONFIG_PRIVATE_FROM_THIS, SECUREBOOT_DELETE_SIGNATURE_FROM_DB, SECUREBOOT_DELETE_SIGNATURE_FROM_DBT, SECUREBOOT_DELETE_SIGNATURE_FROM_DBX, SECUREBOOT_ENROLL_SIGNATURE_TO_DB, SECUREBOOT_ENROLL_SIGNATURE_TO_DBT, SECUREBOOT_ENROLL_SIGNATURE_TO_DBX, SetSecureBootMode(), SECUREBOOT_CONFIG_PRIVATE_DATA::SignatureGUID, STANDARD_SECURE_BOOT_MODE, StringToGuid(), TRUE, UINTN(), UpdateDeletePage(), and UpdateFileExplorer().

EFI_STATUS EFIAPI SecureBootExtractConfig ( IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *  This,
IN CONST EFI_STRING  Request,
OUT EFI_STRING *  Progress,
OUT EFI_STRING *  Results 
)

This function allows a caller to extract the current configuration for one or more named elements from the target driver.

Parameters:
[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
[in] Request A null-terminated Unicode string in <ConfigRequest> format.
[out] Progress On return, points to a character in the Request string. Points to the string's null terminator if request was successful. Points to the most recent '&' before the first failing name/value pair (or the beginning of the string if the failure is in the first name/value pair) if the request was not successful.
[out] Results A null-terminated Unicode string in <ConfigAltResp> format which has all values filled in for the names in the Request string. String to be allocated by the called function.
Return values:
EFI_SUCCESS The Results is filled with the requested values.
EFI_OUT_OF_RESOURCES Not enough memory to store the results.
EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
EFI_NOT_FOUND Routing data doesn't match any storage in this driver.

References BOOLEAN(), SECUREBOOT_CONFIG_PRIVATE_DATA::DriverHandle, EFI_STATUS(), gSecureBootConfigFormSetGuid, SECUREBOOT_CONFIG_PRIVATE_DATA::HiiHandle, mSecureBootStorageName, SECUREBOOT_CONFIG_PRIVATE_FROM_THIS, SecureBootExtractConfigFromVariable(), TRUE, and UINTN().

VOID SecureBootExtractConfigFromVariable ( IN OUT SECUREBOOT_CONFIGURATION ConfigData  ) 

This function extracts configuration from variable.

Parameters:
[in,out] ConfigData Point to SecureBoot configuration private data.

References EFI_CUSTOM_MODE_NAME, EFI_SECURE_BOOT_ENABLE_NAME, gEfiCustomModeEnableGuid, gEfiSecureBootEnableDisableGuid, HASHALG_RAW, SECURE_BOOT_ENABLE, STANDARD_SECURE_BOOT_MODE, TRUE, and UserPhysicalPresent().

Referenced by SecureBootExtractConfig(), and SecureBootRouteConfig().

EFI_STATUS EFIAPI SecureBootRouteConfig ( IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *  This,
IN CONST EFI_STRING  Configuration,
OUT EFI_STRING *  Progress 
)

This function processes the results of changes in configuration.

Parameters:
[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
[in] Configuration A null-terminated Unicode string in <ConfigResp> format.
[out] Progress A pointer to a string filled in with the offset of the most recent '&' before the first failing name/value pair (or the beginning of the string if the failure is in the first name/value pair) or the terminating NULL if all was successful.
Return values:
EFI_SUCCESS The Results is processed successfully.
EFI_INVALID_PARAMETER Configuration is NULL.
EFI_NOT_FOUND Routing data doesn't match any storage in this driver.

References EFI_SECURE_BOOT_ENABLE_NAME, EFI_STATUS(), gEfiSecureBootEnableDisableGuid, gSecureBootConfigFormSetGuid, mSecureBootStorageName, SaveSecureBootVariable(), SecureBootExtractConfigFromVariable(), and UINTN().

EFI_STATUS SetSecureBootMode ( IN UINT8  SecureBootMode  ) 

Set the platform secure boot mode into "Custom" or "Standard" mode.

Parameters:
[in] SecureBootMode New secure boot mode: STANDARD_SECURE_BOOT_MODE or CUSTOM_SECURE_BOOT_MODE.
Returns:
EFI_SUCCESS The platform has switched to the special mode successfully.

other Fail to operate the secure boot mode.

References EFI_CUSTOM_MODE_NAME, and gEfiCustomModeEnableGuid.

Referenced by DeleteKeyExchangeKey(), DeletePlatformKey(), DeleteSignature(), EnrollKeyExchangeKey(), EnrollPlatformKey(), EnrollSignatureDatabase(), EnrollX509HashtoSigDB(), and SecureBootCallback().

VOID UninstallSecureBootConfigForm ( IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData  ) 

This function removes SecureBoot configuration Form.

Parameters:
[in,out] PrivateData Points to SecureBoot configuration private data.

References DirectoryMenu, FreeMenu(), FsOptionMenu, mEndOpCodeHandle, and mStartOpCodeHandle.

Referenced by InstallSecureBootConfigForm(), SecureBootConfigDriverEntryPoint(), and SecureBootConfigDriverUnload().

EFI_STATUS UpdateDeletePage ( IN SECUREBOOT_CONFIG_PRIVATE_DATA PrivateData,
IN CHAR16 *  VariableName,
IN EFI_GUID *  VendorGuid,
IN UINT16  LabelNumber,
IN EFI_FORM_ID  FormId,
IN EFI_QUESTION_ID  QuestionIdBase 
)

List all signatures in specified signature database (e.g. KEK/DB/DBX/DBT) by GUID in the page for user to select and delete as needed.

Parameters:
[in] PrivateData Module's private data.
[in] VariableName The variable name of the vendor's signature database.
[in] VendorGuid A unique identifier for the vendor.
[in] LabelNumber Label number to insert opcodes.
[in] FormId Form ID of current page.
[in] QuestionIdBase Base question id of the signature list.
Return values:
EFI_SUCCESS Success to update the signature list page
EFI_OUT_OF_RESOURCES Unable to allocate required resources.

References EFI_STATUS(), gSecureBootConfigFormSetGuid, GuidToString(), LABEL_END, and UINTN().

Referenced by DeleteKeyExchangeKey(), DeleteSignature(), and SecureBootCallback().


Variable Documentation

WIN_CERTIFICATE* mCertificate = NULL

EFI_GUID mCertType

CHAR16* mDerEncodedSuffix[]

Initial value:

 {
  L".cer",
  L".der",
  L".crt",
  NULL
}

Initial value:

 {
  { L"SHA1",   20, &mHashOidValue[8],  5, Sha1GetContextSize,   Sha1Init,   Sha1Update,   Sha1Final  },
  { L"SHA224", 28, &mHashOidValue[13], 9, NULL,                 NULL,       NULL,         NULL       },
  { L"SHA256", 32, &mHashOidValue[22], 9, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final},
  { L"SHA384", 48, &mHashOidValue[31], 9, Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final},
  { L"SHA512", 64, &mHashOidValue[40], 9, Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final}
}

UINT8 mHashOidValue[]

Initial value:

 {
  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05,         
  0x2B, 0x0E, 0x03, 0x02, 0x1A,                           
  0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,   
  0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,   
  0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,   
  0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,   
  }

UINT8* mImageBase = NULL

UINT8 mImageDigest[MAX_DIGEST_SIZE]

UINTN mImageSize = 0

BOOLEAN mIsEnterSecureBootForm = FALSE

EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION mNtHeader

UINT32 mPeCoffHeaderOffset = 0

Initial value:

 {
  {
    {
      HARDWARE_DEVICE_PATH,
      HW_VENDOR_DP,
      {
        (UINT8) (sizeof (VENDOR_DEVICE_PATH)),
        (UINT8) ((sizeof (VENDOR_DEVICE_PATH)) >> 8)
      }
    },
    SECUREBOOT_CONFIG_FORM_SET_GUID
  },
  {
    END_DEVICE_PATH_TYPE,
    END_ENTIRE_DEVICE_PATH_SUBTYPE,
    {
      (UINT8) (END_DEVICE_PATH_LENGTH),
      (UINT8) ((END_DEVICE_PATH_LENGTH) >> 8)
    }
  }
}

CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION"

CHAR16* mSupportX509Suffix = L"*.cer/der/crt"


Generated on Thu Sep 24 23:44:25 2015 for SecurityPkg[ALL] by  doxygen 1.5.7.1