Hi Patrick,

The current implementation does not allow using data in EFI_VARIABLE_AUTHENTICATION_2 format as a source of default data. I will add the possibility to use that kind of data to initialize the Secure Boot default data.

thanks,
greg
Tue, 24 Aug 2021 at 14:26 Grzegorz Bernacki <g...@semihalf.com> wrote:
>
> Hi Patrick,
>
> Yes, I tested the dbx enrollment, but with my own data. Please let me
> try that dbx.
>
> thanks,
> greg
>
> Tue, 24 Aug 2021 at 14:22 Patrick Rudolph
> <patrick.rudo...@9elements.com> wrote:
> >
> > Hi Grzegorz,
> > I tried this patch, but I cannot enroll the DBX downloaded from here:
> > https://uefi.org/revocationlistfile
> >
> > Is it even possible with current code? Did you test DBX enrollment as well
> > using the revocation list file?
> >
> > Regards,
> > Patrick
> >
> > On Mon, Aug 2, 2021 at 12:47 PM Grzegorz Bernacki <g...@semihalf.com> wrote:
> >>
> >> This commit adds a library which consists of functions to
> >> enroll Secure Boot keys and initialize Secure Boot
> >> default variables. Some of the functions were moved
> >> from the SecureBootConfigImpl.c file.
> >> > >> Signed-off-by: Grzegorz Bernacki <g...@semihalf.com> > >> Reviewed-by: Sunny Wang <sunny.w...@arm.com> > >> Reviewed-by: Jiewen Yao <jiewen....@intel.com> > >> --- > >> SecurityPkg/SecurityPkg.dec > >> | 4 + > >> SecurityPkg/SecurityPkg.dsc > >> | 1 + > >> > >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf > >> | 80 ++++ > >> SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > >> | 134 ++++++ > >> > >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c > >> | 482 ++++++++++++++++++++ > >> > >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni > >> | 16 + > >> 6 files changed, 717 insertions(+) > >> create mode 100644 > >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf > >> create mode 100644 > >> SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > >> create mode 100644 > >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c > >> create mode 100644 > >> SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni > >> > >> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec > >> index 8f3710e59f..e30c39f321 100644 > >> --- a/SecurityPkg/SecurityPkg.dec > >> +++ b/SecurityPkg/SecurityPkg.dec > >> @@ -91,6 +91,10 @@ > >> ## @libraryclass Provides helper functions related to creation/removal > >> Secure Boot variables. > >> # > >> SecureBootVariableLib|Include/Library/SecureBootVariableLib.h > >> + > >> + ## @libraryclass Provides support to enroll Secure Boot keys. > >> + # > >> + > >> SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h > >> [Guids] > >> ## Security package token space guid. > >> # Include/Guid/SecurityPkgTokenSpace.h > >> diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc > >> index 854f250625..99c227dad2 100644 > >> --- a/SecurityPkg/SecurityPkg.dsc 
> >> +++ b/SecurityPkg/SecurityPkg.dsc > >> @@ -71,6 +71,7 @@ > >> > >> TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf > >> > >> MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf > >> > >> SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > >> + > >> SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf > >> > >> [LibraryClasses.ARM] > >> # > >> diff --git > >> a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf > >> > >> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf > >> new file mode 100644 > >> index 0000000000..a09abd29ce > >> --- /dev/null > >> +++ > >> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf 
> >> @@ -0,0 +1,80 @@ > >> +## @file > >> +# Provides initialization of Secure Boot keys and databases. > >> +# > >> +# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> > >> +# Copyright (c) 2021, Semihalf All rights reserved.<BR> > >> +# > >> +# SPDX-License-Identifier: BSD-2-Clause-Patent > >> +# > >> +## > >> + > >> +[Defines] > >> + INF_VERSION = 0x00010005 > >> + BASE_NAME = SecureBootVariableLib > >> + MODULE_UNI_FILE = SecureBootVariableLib.uni > >> + FILE_GUID = 18192DD0-9430-45F1-80C7-5C52061CD183 > >> + MODULE_TYPE = DXE_DRIVER > >> + VERSION_STRING = 1.0 > >> + LIBRARY_CLASS = > >> SecureBootVariableProvisionLib|DXE_DRIVER DXE_RUNTIME_DRIVER > >> UEFI_APPLICATION > >> + > >> +# > >> +# The following information is for reference only and not required by the > >> build tools. > >> +# > >> +# VALID_ARCHITECTURES = IA32 X64 AARCH64 > >> +# > >> + > >> +[Sources] > >> + SecureBootVariableProvisionLib.c > >> + > >> +[Packages] > >> + MdePkg/MdePkg.dec > >> + MdeModulePkg/MdeModulePkg.dec > >> + SecurityPkg/SecurityPkg.dec > >> + CryptoPkg/CryptoPkg.dec > >> + > >> +[LibraryClasses] > >> + BaseLib > >> + BaseMemoryLib > >> + DebugLib > >> + MemoryAllocationLib > >> + BaseCryptLib > >> + DxeServicesLib > >> + SecureBootVariableLib > >> + > >> +[Guids] > >> + ## CONSUMES ## Variable:L"SetupMode" > >> + ## PRODUCES ## Variable:L"SetupMode" > >> + ## CONSUMES ## Variable:L"SecureBoot" > >> + ## PRODUCES ## Variable:L"SecureBoot" > >> + ## PRODUCES ## Variable:L"PK" > >> + ## PRODUCES ## Variable:L"KEK" > >> + ## CONSUMES ## Variable:L"PKDefault" > >> + ## CONSUMES ## Variable:L"KEKDefault" > >> + ## CONSUMES ## Variable:L"dbDefault" > >> + ## CONSUMES ## Variable:L"dbxDefault" > >> + ## CONSUMES ## Variable:L"dbtDefault" > >> + gEfiGlobalVariableGuid > >> + > >> + ## SOMETIMES_CONSUMES ## Variable:L"DB" > >> + ## SOMETIMES_CONSUMES ## Variable:L"DBX" > >> + ## SOMETIMES_CONSUMES ## Variable:L"DBT" > >> + gEfiImageSecurityDatabaseGuid > >> + > >> + ## CONSUMES 
## Variable:L"SecureBootEnable" > >> + ## PRODUCES ## Variable:L"SecureBootEnable" > >> + gEfiSecureBootEnableDisableGuid > >> + > >> + ## CONSUMES ## Variable:L"CustomMode" > >> + ## PRODUCES ## Variable:L"CustomMode" > >> + gEfiCustomModeEnableGuid > >> + > >> + gEfiCertTypeRsa2048Sha256Guid ## CONSUMES > >> + gEfiCertX509Guid ## CONSUMES > >> + gEfiCertPkcs7Guid ## CONSUMES > >> + > >> + gDefaultPKFileGuid > >> + gDefaultKEKFileGuid > >> + gDefaultdbFileGuid > >> + gDefaultdbxFileGuid > >> + gDefaultdbtFileGuid > >> + > >> diff --git a/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > >> b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h > >> new file mode 100644 > >> index 0000000000..ba8009b5cd > >> --- /dev/null > >> +++ b/SecurityPkg/Include/Library/SecureBootVariableProvisionLib.h 
> >> @@ -0,0 +1,134 @@ > >> +/** @file > >> + Provides a functions to enroll keys based on default values. > >> + > >> +Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR> > >> +(C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR> > >> +Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> > >> +Copyright (c) 2021, Semihalf All rights reserved.<BR> > >> +SPDX-License-Identifier: BSD-2-Clause-Patent > >> + > >> +**/ > >> + > >> +#ifndef SECURE_BOOT_VARIABLE_PROVISION_LIB_H_ > >> +#define SECURE_BOOT_VARIABLE_PROVISION_LIB_H_ > >> + > >> +/** > >> + Sets the content of the 'db' variable based on 'dbDefault' variable > >> content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for > >> EFI_VARIABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2(), GetTime() > >> and SetVariable() > >> +--*/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollDbFromDefault ( > >> + VOID > >> +); > >> + > >> +/** > >> + Sets the content of the 'dbx' variable based on 'dbxDefault' variable > >> content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for > >> EFI_VARIABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2(), GetTime() > >> and SetVariable() > >> +--*/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollDbxFromDefault ( > >> + VOID > >> +); > >> + > >> +/** > >> + Sets the content of the 'dbt' variable based on 'dbtDefault' variable > >> content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for > >> EFI_VARIABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2(), GetTime() > >> and SetVariable() > >> +--*/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollDbtFromDefault ( > >> + VOID > >> +); > >> + > >> +/** > >> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable > >> content. 
> >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for > >> EFI_VARIABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2(), GetTime() > >> and SetVariable() > >> +--*/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollKEKFromDefault ( > >> + VOID > >> +); > >> + > >> +/** > >> + Sets the content of the 'PK' variable based on 'PKDefault' variable > >> content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for > >> EFI_VARIABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2(), GetTime() > >> and SetVariable() > >> +--*/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollPKFromDefault ( > >> + VOID > >> +); > >> + > >> +/** > >> + Initializes PKDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfully. > >> + @retval EFI_UNSUPPORTED Variable already exists. > >> +--*/ > >> +EFI_STATUS > >> +SecureBootInitPKDefault ( > >> + IN VOID > >> + ); > >> + > >> +/** > >> + Initializes KEKDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfully. > >> + @retval EFI_UNSUPPORTED Variable already exists. > >> +--*/ > >> +EFI_STATUS > >> +SecureBootInitKEKDefault ( > >> + IN VOID > >> + ); > >> + > >> +/** > >> + Initializes dbDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfully. > >> + @retval EFI_UNSUPPORTED Variable already exists. > >> +--*/ > >> +EFI_STATUS > >> +SecureBootInitDbDefault ( > >> + IN VOID > >> + ); > >> + > >> +/** > >> + Initializes dbtDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfully. > >> + @retval EFI_UNSUPPORTED Variable already exists. 
> >> +--*/ > >> +EFI_STATUS > >> +SecureBootInitDbtDefault ( > >> + IN VOID > >> + ); > >> + > >> +/** > >> + Initializes dbxDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfully. > >> + @retval EFI_UNSUPPORTED Variable already exists. > >> +--*/ > >> +EFI_STATUS > >> +SecureBootInitDbxDefault ( > >> + IN VOID > >> + ); > >> +#endif > >> diff --git > >> a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c > >> > >> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c > >> new file mode 100644 > >> index 0000000000..848f7ce929 > >> --- /dev/null > >> +++ > >> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c 
> >> @@ -0,0 +1,482 @@ > >> +/** @file > >> + This library provides functions to set/clear Secure Boot > >> + keys and databases. > >> + > >> + Copyright (c) 2011 - 2018, Intel Corporation. All rights reserved.<BR> > >> + (C) Copyright 2018 Hewlett Packard Enterprise Development LP<BR> > >> + Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> > >> + Copyright (c) 2021, Semihalf All rights reserved.<BR> > >> + SPDX-License-Identifier: BSD-2-Clause-Patent > >> +**/ > >> +#include <Guid/GlobalVariable.h> > >> +#include <Guid/AuthenticatedVariableFormat.h> > >> +#include <Guid/ImageAuthentication.h> > >> +#include <Library/BaseLib.h> > >> +#include <Library/BaseMemoryLib.h> > >> +#include <Library/DebugLib.h> > >> +#include <Library/UefiLib.h> > >> +#include <Library/MemoryAllocationLib.h> > >> +#include <Library/UefiRuntimeServicesTableLib.h> > >> +#include <Library/SecureBootVariableLib.h> > >> +#include <Library/SecureBootVariableProvisionLib.h> > >> + > >> +/** > >> + Enroll a key/certificate based on a default variable. > >> + > >> + @param[in] VariableName The name of the key/database. > >> + @param[in] DefaultName The name of the default variable. > >> + @param[in] VendorGuid The namespace (ie. vendor GUID) of the > >> variable > >> + > >> + @retval EFI_OUT_OF_RESOURCES Out of memory while allocating > >> AuthHeader. > >> + @retval EFI_SUCCESS Successful enrollment. > >> + @return Error codes from GetTime () and > >> SetVariable (). 
> >> +**/ > >> +STATIC > >> +EFI_STATUS > >> +EnrollFromDefault ( > >> + IN CHAR16 *VariableName, > >> + IN CHAR16 *DefaultName, > >> + IN EFI_GUID *VendorGuid > >> + ) > >> +{ > >> + VOID *Data; > >> + UINTN DataSize; > >> + EFI_STATUS Status; > >> + > >> + Status = EFI_SUCCESS; > >> + > >> + DataSize = 0; > >> + Status = GetVariable2 (DefaultName, &gEfiGlobalVariableGuid, &Data, > >> &DataSize); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_ERROR, "error: GetVariable (\"%s): %r\n", > >> DefaultName, Status)); > >> + return Status; > >> + } > >> + > >> + CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", > >> Status)); > >> + return Status; > >> + } > >> + > >> + // > >> + // Allocate memory for auth variable > >> + // > >> + Status = gRT->SetVariable ( > >> + VariableName, > >> + VendorGuid, > >> + (EFI_VARIABLE_NON_VOLATILE | > >> + EFI_VARIABLE_BOOTSERVICE_ACCESS | > >> + EFI_VARIABLE_RUNTIME_ACCESS | > >> + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), > >> + DataSize, > >> + Data > >> + ); > >> + > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_ERROR, "error: %a (\"%s\", %g): %r\n", __FUNCTION__, > >> VariableName, > >> + VendorGuid, Status)); > >> + } > >> + > >> + if (Data != NULL) { > >> + FreePool (Data); > >> + } > >> + > >> + return Status; > >> +} > >> + > >> +/** Initializes PKDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfully. > >> + @retval EFI_UNSUPPORTED Variable already exists. 
> >> +**/ > >> +EFI_STATUS > >> +SecureBootInitPKDefault ( > >> + IN VOID > >> + ) > >> +{ > >> + EFI_SIGNATURE_LIST *EfiSig; > >> + UINTN SigListsSize; > >> + EFI_STATUS Status; > >> + UINT8 *Data; > >> + UINTN DataSize; > >> + > >> + // > >> + // Check if variable exists, if so do not change it > >> + // > >> + Status = GetVariable2 (EFI_PK_DEFAULT_VARIABLE_NAME, > >> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > >> + if (Status == EFI_SUCCESS) { > >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > >> EFI_PK_DEFAULT_VARIABLE_NAME)); > >> + FreePool (Data); > >> + return EFI_UNSUPPORTED; > >> + } > >> + > >> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { > >> + return Status; > >> + } > >> + > >> + // > >> + // Variable does not exist, can be initialized > >> + // > >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > >> EFI_PK_DEFAULT_VARIABLE_NAME)); > >> + > >> + Status = SecureBootFetchData (&gDefaultPKFileGuid, &SigListsSize, > >> &EfiSig); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > >> EFI_PK_DEFAULT_VARIABLE_NAME)); > >> + return Status; > >> + } > >> + > >> + Status = gRT->SetVariable ( > >> + EFI_PK_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid, > >> + EFI_VARIABLE_RUNTIME_ACCESS | > >> EFI_VARIABLE_BOOTSERVICE_ACCESS, > >> + SigListsSize, > >> + (VOID *)EfiSig > >> + ); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > >> EFI_PK_DEFAULT_VARIABLE_NAME)); > >> + } > >> + > >> + FreePool (EfiSig); > >> + > >> + return Status; > >> +} > >> + > >> +/** Initializes KEKDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfully. > >> + @retval EFI_UNSUPPORTED Variable already exists. 
> >> +**/ > >> +EFI_STATUS > >> +SecureBootInitKEKDefault ( > >> + IN VOID > >> + ) > >> +{ > >> + EFI_SIGNATURE_LIST *EfiSig; > >> + UINTN SigListsSize; > >> + EFI_STATUS Status; > >> + UINT8 *Data; > >> + UINTN DataSize; > >> + > >> + // > >> + // Check if variable exists, if so do not change it > >> + // > >> + Status = GetVariable2 (EFI_KEK_DEFAULT_VARIABLE_NAME, > >> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > >> + if (Status == EFI_SUCCESS) { > >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > >> EFI_KEK_DEFAULT_VARIABLE_NAME)); > >> + FreePool (Data); > >> + return EFI_UNSUPPORTED; > >> + } > >> + > >> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { > >> + return Status; > >> + } > >> + > >> + // > >> + // Variable does not exist, can be initialized > >> + // > >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > >> EFI_KEK_DEFAULT_VARIABLE_NAME)); > >> + > >> + Status = SecureBootFetchData (&gDefaultKEKFileGuid, &SigListsSize, > >> &EfiSig); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > >> EFI_KEK_DEFAULT_VARIABLE_NAME)); > >> + return Status; > >> + } > >> + > >> + > >> + Status = gRT->SetVariable ( > >> + EFI_KEK_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid, > >> + EFI_VARIABLE_RUNTIME_ACCESS | > >> EFI_VARIABLE_BOOTSERVICE_ACCESS, > >> + SigListsSize, > >> + (VOID *)EfiSig > >> + ); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > >> EFI_KEK_DEFAULT_VARIABLE_NAME)); > >> + } > >> + > >> + FreePool (EfiSig); > >> + > >> + return Status; > >> +} > >> + > >> +/** Initializes dbDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfully. > >> + @retval EFI_UNSUPPORTED Variable already exists. 
> >> +**/ > >> +EFI_STATUS > >> +SecureBootInitDbDefault ( > >> + IN VOID > >> + ) > >> +{ > >> + EFI_SIGNATURE_LIST *EfiSig; > >> + UINTN SigListsSize; > >> + EFI_STATUS Status; > >> + UINT8 *Data; > >> + UINTN DataSize; > >> + > >> + Status = GetVariable2 (EFI_DB_DEFAULT_VARIABLE_NAME, > >> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > >> + if (Status == EFI_SUCCESS) { > >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > >> EFI_DB_DEFAULT_VARIABLE_NAME)); > >> + FreePool (Data); > >> + return EFI_UNSUPPORTED; > >> + } > >> + > >> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { > >> + return Status; > >> + } > >> + > >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > >> EFI_DB_DEFAULT_VARIABLE_NAME)); > >> + > >> + Status = SecureBootFetchData (&gDefaultdbFileGuid, &SigListsSize, > >> &EfiSig); > >> + if (EFI_ERROR (Status)) { > >> + return Status; > >> + } > >> + > >> + Status = gRT->SetVariable ( > >> + EFI_DB_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid, > >> + EFI_VARIABLE_RUNTIME_ACCESS | > >> EFI_VARIABLE_BOOTSERVICE_ACCESS, > >> + SigListsSize, > >> + (VOID *)EfiSig > >> + ); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > >> EFI_DB_DEFAULT_VARIABLE_NAME)); > >> + } > >> + > >> + FreePool (EfiSig); > >> + > >> + return Status; > >> +} > >> + > >> +/** Initializes dbxDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfully. > >> + @retval EFI_UNSUPPORTED Variable already exists. 
> >> +**/ > >> +EFI_STATUS > >> +SecureBootInitDbxDefault ( > >> + IN VOID > >> + ) > >> +{ > >> + EFI_SIGNATURE_LIST *EfiSig; > >> + UINTN SigListsSize; > >> + EFI_STATUS Status; > >> + UINT8 *Data; > >> + UINTN DataSize; > >> + > >> + // > >> + // Check if variable exists, if so do not change it > >> + // > >> + Status = GetVariable2 (EFI_DBX_DEFAULT_VARIABLE_NAME, > >> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > >> + if (Status == EFI_SUCCESS) { > >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > >> EFI_DBX_DEFAULT_VARIABLE_NAME)); > >> + FreePool (Data); > >> + return EFI_UNSUPPORTED; > >> + } > >> + > >> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { > >> + return Status; > >> + } > >> + > >> + // > >> + // Variable does not exist, can be initialized > >> + // > >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > >> EFI_DBX_DEFAULT_VARIABLE_NAME)); > >> + > >> + Status = SecureBootFetchData (&gDefaultdbxFileGuid, &SigListsSize, > >> &EfiSig); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Content for %s not found\n", > >> EFI_DBX_DEFAULT_VARIABLE_NAME)); > >> + return Status; > >> + } > >> + > >> + Status = gRT->SetVariable ( > >> + EFI_DBX_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid, > >> + EFI_VARIABLE_RUNTIME_ACCESS | > >> EFI_VARIABLE_BOOTSERVICE_ACCESS, > >> + SigListsSize, > >> + (VOID *)EfiSig > >> + ); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > >> EFI_DBX_DEFAULT_VARIABLE_NAME)); > >> + } > >> + > >> + FreePool (EfiSig); > >> + > >> + return Status; > >> +} > >> + > >> +/** Initializes dbtDefault variable with data from FFS section. > >> + > >> + @retval EFI_SUCCESS Variable was initialized successfully. > >> + @retval EFI_UNSUPPORTED Variable already exists. 
> >> +**/ > >> +EFI_STATUS > >> +SecureBootInitDbtDefault ( > >> + IN VOID > >> + ) > >> +{ > >> + EFI_SIGNATURE_LIST *EfiSig; > >> + UINTN SigListsSize; > >> + EFI_STATUS Status; > >> + UINT8 *Data; > >> + UINTN DataSize; > >> + > >> + // > >> + // Check if variable exists, if so do not change it > >> + // > >> + Status = GetVariable2 (EFI_DBT_DEFAULT_VARIABLE_NAME, > >> &gEfiGlobalVariableGuid, (VOID **) &Data, &DataSize); > >> + if (Status == EFI_SUCCESS) { > >> + DEBUG ((DEBUG_INFO, "Variable %s exists. Old value is preserved\n", > >> EFI_DBT_DEFAULT_VARIABLE_NAME)); > >> + FreePool (Data); > >> + return EFI_UNSUPPORTED; > >> + } > >> + > >> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { > >> + return Status; > >> + } > >> + > >> + // > >> + // Variable does not exist, can be initialized > >> + // > >> + DEBUG ((DEBUG_INFO, "Variable %s does not exist.\n", > >> EFI_DBT_DEFAULT_VARIABLE_NAME)); > >> + > >> + Status = SecureBootFetchData (&gDefaultdbtFileGuid, &SigListsSize, > >> &EfiSig); > >> + if (EFI_ERROR (Status)) { > >> + return Status; > >> + } > >> + > >> + Status = gRT->SetVariable ( > >> + EFI_DBT_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid, > >> + EFI_VARIABLE_RUNTIME_ACCESS | > >> EFI_VARIABLE_BOOTSERVICE_ACCESS, > >> + SigListsSize, > >> + (VOID *)EfiSig > >> + ); > >> + if (EFI_ERROR (Status)) { > >> + DEBUG ((DEBUG_INFO, "Failed to set %s\n", > >> EFI_DBT_DEFAULT_VARIABLE_NAME)); > >> + } > >> + > >> + FreePool (EfiSig); > >> + > >> + return EFI_SUCCESS; > >> +} > >> + > >> +/** > >> + Sets the content of the 'db' variable based on 'dbDefault' variable > >> content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for > >> EFI_VARIABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. 
> >> + @retval other Errors from GetVariable2 (), GetTime > >> () and SetVariable () > >> +**/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollDbFromDefault ( > >> + VOID > >> +) > >> +{ > >> + EFI_STATUS Status; > >> + > >> + Status = EnrollFromDefault ( > >> + EFI_IMAGE_SECURITY_DATABASE, > >> + EFI_DB_DEFAULT_VARIABLE_NAME, > >> + &gEfiImageSecurityDatabaseGuid > >> + ); > >> + > >> + return Status; > >> +} > >> + > >> +/** > >> + Sets the content of the 'dbx' variable based on 'dbxDefault' variable > >> content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for > >> EFI_VARIABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2 (), GetTime > >> () and SetVariable () > >> +**/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollDbxFromDefault ( > >> + VOID > >> +) > >> +{ > >> + EFI_STATUS Status; > >> + > >> + Status = EnrollFromDefault ( > >> + EFI_IMAGE_SECURITY_DATABASE1, > >> + EFI_DBX_DEFAULT_VARIABLE_NAME, > >> + &gEfiImageSecurityDatabaseGuid > >> + ); > >> + > >> + return Status; > >> +} > >> + > >> +/** > >> + Sets the content of the 'dbt' variable based on 'dbtDefault' variable > >> content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for > >> EFI_VARIABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2 (), GetTime > >> () and SetVariable () > >> +**/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollDbtFromDefault ( > >> + VOID > >> +) > >> +{ > >> + EFI_STATUS Status; > >> + > >> + Status = EnrollFromDefault ( > >> + EFI_IMAGE_SECURITY_DATABASE2, > >> + EFI_DBT_DEFAULT_VARIABLE_NAME, > >> + &gEfiImageSecurityDatabaseGuid); > >> + > >> + return Status; > >> +} > >> + > >> +/** > >> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable > >> content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for > >> EFI_VARIABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. 
> >> + @retval other Errors from GetVariable2 (), GetTime > >> () and SetVariable () > >> +**/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollKEKFromDefault ( > >> + VOID > >> +) > >> +{ > >> + EFI_STATUS Status; > >> + > >> + Status = EnrollFromDefault ( > >> + EFI_KEY_EXCHANGE_KEY_NAME, > >> + EFI_KEK_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid > >> + ); > >> + > >> + return Status; > >> +} > >> + > >> +/** > >> + Sets the content of the 'KEK' variable based on 'KEKDefault' variable > >> content. > >> + > >> + @retval EFI_OUT_OF_RESOURCES If memory allocation for > >> EFI_VARIABLE_AUTHENTICATION_2 fails > >> + while VendorGuid is NULL. > >> + @retval other Errors from GetVariable2 (), GetTime > >> () and SetVariable () > >> +**/ > >> +EFI_STATUS > >> +EFIAPI > >> +EnrollPKFromDefault ( > >> + VOID > >> +) > >> +{ > >> + EFI_STATUS Status; > >> + > >> + Status = EnrollFromDefault ( > >> + EFI_PLATFORM_KEY_NAME, > >> + EFI_PK_DEFAULT_VARIABLE_NAME, > >> + &gEfiGlobalVariableGuid > >> + ); > >> + > >> + return Status; > >> +} > >> diff --git > >> a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni > >> > >> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni > >> new file mode 100644 > >> index 0000000000..68d928ef30 > >> --- /dev/null > >> +++ > >> b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.uni 
> >> @@ -0,0 +1,16 @@ > >> +// /** @file > >> +// > >> +// Provides initialization of Secure Boot keys and databases. > >> +// > >> +// Copyright (c) 2021, ARM Ltd. All rights reserved.<BR> > >> +// Copyright (c) 2021, Semihalf All rights reserved.<BR> > >> +// > >> +// SPDX-License-Identifier: BSD-2-Clause-Patent > >> +// > >> +// **/ > >> + > >> + > >> +#string STR_MODULE_ABSTRACT #language en-US "Provides > >> functions to initialize PK, KEK and databases based on default variables." > >> + > >> +#string STR_MODULE_DESCRIPTION #language en-US "Provides > >> functions to initialize PK, KEK and databases based on default variables." > >> + > >> -- > >> 2.25.1
View/Reply Online (#79952): https://edk2.groups.io/g/devel/message/79952
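Review bot: In the new SecureBootVariableProvisionLib.inf hunk, `BASE_NAME = SecureBootVariableLib` and `MODULE_UNI_FILE = SecureBootVariableLib.uni` still carry the name of the library this code was split from, while the .uni file added by this patch is SecureBootVariableProvisionLib.uni, so the UNI reference points at a file that does not live in this directory; they should read `BASE_NAME = SecureBootVariableProvisionLib` and `MODULE_UNI_FILE = SecureBootVariableProvisionLib.uni`. The [LibraryClasses] section also does not match the .c file: SecureBootVariableProvisionLib.c includes <Library/UefiLib.h> (GetVariable2) and <Library/UefiRuntimeServicesTableLib.h> (gRT), neither of which is listed, whereas BaseCryptLib is listed but unused, and the [Guids] entries gEfiCertTypeRsa2048Sha256Guid, gEfiCertX509Guid, gEfiCertPkcs7Guid, gEfiSecureBootEnableDisableGuid and gEfiCustomModeEnableGuid are not referenced anywhere in the library source.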
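Review bot: In the SecureBootVariableProvisionLib.h hunk, every doc-comment block is closed with `--*/` instead of `**/`, which is inconsistent with the `/** ... **/` style used in the .c file of the same patch; please use the same closer throughout. The `@retval EFI_OUT_OF_RESOURCES ... while VendorGuid is NULL` text on the five Enroll*FromDefault prototypes describes a parameter these VOID-argument functions do not take (it belongs to the internal EnrollFromDefault helper), and the file comment reads "Provides a functions" (drop "a"). The five SecureBootInit*Default prototypes are declared without EFIAPI while the Enroll*FromDefault ones have it; a public library API should be consistent here.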
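Review bot: In EnrollFromDefault in the SecureBootVariableProvisionLib.c hunk, the return value of `CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);` is discarded, so the `if (EFI_ERROR (Status))` that follows only re-tests the successful GetVariable2 status and a payload-creation failure is never detected (and on that path Data is not freed); it should be `Status = CreateTimeBasedPayload (...)`. The DEBUG format string `"error: GetVariable (\"%s): %r\n"` is missing the closing `\"`, the `Status = EFI_SUCCESS;` assignment is dead, and the comment "Allocate memory for auth variable" sits above the gRT->SetVariable call, not an allocation. Note also that this helper unconditionally wraps whatever the *Default variable holds in a fresh time-based payload; a blob that is already in EFI_VARIABLE_AUTHENTICATION_2 form, such as the revocation list Patrick tried, gets a second header and is rejected, which matches what greg describes at the top of the thread, so either the expected raw EFI_SIGNATURE_LIST format should be documented on the *Default variables or the header should be detected. Elsewhere in the hunk: SecureBootInitDbtDefault ends with `return EFI_SUCCESS;` even when SetVariable failed, unlike the other four Init functions which `return Status;`; and the doc comment on EnrollPKFromDefault still says 'KEK' / 'KEKDefault'.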
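As an added illustration of the format mismatch greg describes (example code, not from the thread or from edk2): the *Default variables this patch provisions hold bare EFI_SIGNATURE_LIST data that EnrollFromDefault wraps in a fresh time-based payload, whereas a pre-signed dbx update already begins with an EFI_VARIABLE_AUTHENTICATION_2 header. The script below tells the two apart and validates the signature-list chain before anything is handed to SetVariable; the structure layouts and GUIDs are from the UEFI specification, and the sample blobs are constructed placeholders rather than real revocation-list content.

```python
import struct
import uuid

# Constants from the UEFI specification (WIN_CERTIFICATE / EFI_SIGNATURE_LIST).
WIN_CERT_REVISION = 0x0200
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
KNOWN_SIG_TYPES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

EFI_TIME = struct.Struct("<HBBBBBBIhBB")  # 16-byte EFI_TIME
WIN_CERT_HDR = struct.Struct("<IHH")       # dwLength, wRevision, wCertificateType
SIG_LIST_HDR = struct.Struct("<16sIII")    # SignatureType, ListSize, HeaderSize, SignatureSize
AUTH2_MIN = EFI_TIME.size + WIN_CERT_HDR.size + 16  # timestamp + WIN_CERTIFICATE + CertType


def auth2_payload_offset(blob):
    """If blob starts with an EFI_VARIABLE_AUTHENTICATION_2 header, return the
    offset where the variable data begins; otherwise return None."""
    if len(blob) < AUTH2_MIN:
        return None
    dw_length, revision, cert_type = WIN_CERT_HDR.unpack_from(blob, EFI_TIME.size)
    if revision != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        return None
    guid_off = EFI_TIME.size + WIN_CERT_HDR.size
    if uuid.UUID(bytes_le=blob[guid_off:guid_off + 16]) != EFI_CERT_TYPE_PKCS7_GUID:
        return None
    # dwLength covers WIN_CERTIFICATE + CertType + the PKCS#7 CertData; data follows it.
    if dw_length < WIN_CERT_HDR.size + 16 or EFI_TIME.size + dw_length > len(blob):
        return None
    return EFI_TIME.size + dw_length


def parse_signature_lists(blob):
    """Walk a chain of EFI_SIGNATURE_LIST structures (the format the *Default
    variables hold) and return [(type_name, entry_count), ...]; raise
    ValueError if the chain is malformed."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        raw_type, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        if sig_type not in KNOWN_SIG_TYPES:
            raise ValueError(f"unknown SignatureType {sig_type} at {off}")
        if list_size < SIG_LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at {off}")
        body = list_size - SIG_LIST_HDR.size - hdr_size
        # Each entry is EFI_SIGNATURE_DATA: 16-byte SignatureOwner + SignatureData.
        if sig_size <= 16 or body % sig_size != 0:
            raise ValueError(f"bad SignatureSize {sig_size} at {off}")
        lists.append((KNOWN_SIG_TYPES[sig_type], body // sig_size))
        off += list_size
    return lists


def classify(blob):
    """Return ("auth2", lists) for a pre-authenticated blob such as a downloaded
    dbx update, or ("raw", lists) for bare signature lists."""
    start = auth2_payload_offset(blob)
    if start is None:
        return "raw", parse_signature_lists(blob)
    return "auth2", parse_signature_lists(blob[start:])


# --- constructed sample data (placeholder hashes, not real dbx content) ---
def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    body = b"".join(owner.bytes_le + h for h in hashes)
    return SIG_LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le,
                             SIG_LIST_HDR.size + len(body), 0, 16 + 32) + body


def build_auth2_wrapper(payload, pkcs7=b"\x30\x00"):
    """Prepend an EFI_VARIABLE_AUTHENTICATION_2 header with a placeholder PKCS#7
    blob (layout only; there is no real signature here)."""
    timestamp = EFI_TIME.pack(2021, 8, 24, 0, 0, 0, 0, 0, 0, 0, 0)
    dw_length = WIN_CERT_HDR.size + 16 + len(pkcs7)
    return (timestamp
            + WIN_CERT_HDR.pack(dw_length, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
            + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + payload)


RAW_DBX = build_sha256_list([bytes([i]) * 32 for i in range(3)])
WRAPPED_DBX = build_auth2_wrapper(RAW_DBX)

if __name__ == "__main__":
    print(classify(RAW_DBX))      # ('raw', [('sha256', 3)])
    print(classify(WRAPPED_DBX))  # ('auth2', [('sha256', 3)])
```

Feeding WRAPPED_DBX to parse_signature_lists directly raises ValueError, because the EFI_TIME bytes are not a known SignatureType; that is the failure a provisioning path sees when an already authenticated blob is treated as raw default data.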