From nobody Sat Apr 27 20:13:19 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zoho.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1490839255108223.6805398007832; Wed, 29 Mar 2017 19:00:55 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 3B5C320D2C3B9; Wed, 29 Mar 2017 19:00:53 -0700 (PDT) Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id AE23C21DFA8FE for ; Wed, 29 Mar 2017 19:00:51 -0700 (PDT) Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Mar 2017 19:00:50 -0700 Received: from czhan46-mobl1.ccr.corp.intel.com ([10.239.192.137]) by FMSMGA003.fm.intel.com with ESMTP; 29 Mar 2017 19:00:48 -0700 X-Original-To: edk2-devel@lists.01.org DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=intel.com; i=@intel.com; q=dns/txt; s=intel; t=1490839250; x=1522375250; h=from:to:cc:subject:date:message-id; bh=BM0UEm8XAgBr4GOza8FTBmBZIWVU2FpRppPsD+lFOSw=; b=QAem8pY0AFu9lWtBk6r96XgucvWuW7B/W2bWUGz6c4/nQNYfKRd1yBsK 4JraIYwCp4GVTK8KIkJ836pCzD2wRQ==; X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.36,244,1486454400"; d="scan'208";a="839874521" 
From: "Zhang, Chao B" To: edk2-devel@lists.01.org Date: Thu, 30 Mar 2017 10:00:45 +0800 Message-Id: <20170330020045.21452-1-chao.b.zhang@intel.com> X-Mailer: git-send-email 2.11.0.windows.1 Subject: [edk2] [PATCH] SecureBoot UI Update X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: siyuan.fu@intel.com, qin.long@intel.com MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Reviewed-by: Long Qin --- .../SecureBootConfigDxe/SecureBootConfig.vfr | 38 +++- .../SecureBootConfigDxe/SecureBootConfigImpl.c | 196 +++++++++++++++++= +++- .../SecureBootConfigDxe/SecureBootConfigImpl.h | 32 ++++ .../SecureBootConfigDxe/SecureBootConfigNvData.h | 5 + .../SecureBootConfigStrings.uni | 13 +- 5 files changed, 268 insertions(+), 16 deletions(-) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secure= BootConfig.vfr index 02ddf4a..e153eca 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr 
@@ -455,15 +455,35 @@ formset maxsize =3D SECURE_BOOT_GUID_SIZE, endstring; =20 - oneof name =3D SignatureFormatInDbx, - varid =3D SECUREBOOT_CONFIGURATION.CertificateFormat, - prompt =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), - help =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP), - option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256),= value =3D 0x2, flags =3D DEFAULT; - option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384),= value =3D 0x3, flags =3D 0; - option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512),= value =3D 0x4, flags =3D 0; - option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), va= lue =3D 0x5, flags =3D 0; - endoneof; + disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType =3D=3D 1; + oneof name =3D X509SignatureFormatInDbx, + varid =3D SECUREBOOT_CONFIGURATION.CertificateFormat, + prompt =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT= ), + help =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP), + option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256= ), value =3D 0x2, flags =3D DEFAULT; + option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384= ), value =3D 0x3, flags =3D 0; + option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512= ), value =3D 0x4, flags =3D 0; + option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), = value =3D 0x5, flags =3D 0; + endoneof; + endif; + + disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType =3D=3D 2; + grayoutif TRUE; + text + help =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), = // Help string + text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP), = // Prompt string + text =3D STRING_TOKEN(STR_DBX_PE_FORMAT_SHA256); = // TextTwo + endif; + endif; + + suppressif ideqval SECUREBOOT_CONFIGURATION.FileEnrollType =3D=3D 3; + grayoutif TRUE; + text + help =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), = // Help string + text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP), = // Prompt string + text 
=3D STRING_TOKEN(STR_DBX_AUTH_2_FORMAT); = // TextTwo + endif; + endif; =20 suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat =3D=3D 5; checkbox varid =3D SECUREBOOT_CONFIGURATION.AlwaysRevocation, diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index 6f58729..17fe120 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -120,6 +120,61 @@ IsDerEncodeCertificate ( } =20 /** + This code checks if the file content complies with EFI_VARIABLE_AUTHENTI= CATION_2 format +The function reads file content but won't open/close given FileHandle. + + @param[in] FileHandle The FileHandle to be checked + + @retval TRUE The content is EFI_VARIABLE_AUTHENTICATION_2 = format. + @retval FALSE The content is NOT a EFI_VARIABLE_AUTHENTICATI= ON_2 format. + +**/ +BOOLEAN +IsAuthentication2Format ( + IN EFI_FILE_HANDLE FileHandle +) +{ + EFI_STATUS Status; + EFI_VARIABLE_AUTHENTICATION_2 *Auth2; + BOOLEAN IsAuth2Format; + + IsAuth2Format =3D FALSE; + + // + // Read the whole file content + // + Status =3D ReadFileContent( + FileHandle, + (VOID **) &mImageBase, + &mImageSize, + 0 + ); + if (EFI_ERROR (Status)) { + goto ON_EXIT; + } + + Auth2 =3D (EFI_VARIABLE_AUTHENTICATION_2 *)mImageBase; + if (Auth2->AuthInfo.Hdr.wCertificateType !=3D WIN_CERT_TYPE_EFI_GUID) { + goto ON_EXIT; + } + + if (CompareGuid(&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType)) { + IsAuth2Format =3D TRUE; + } + +ON_EXIT: + // + // Do not close File. simply check file content + // + if (mImageBase !=3D NULL) { + FreePool (mImageBase); + mImageBase =3D NULL; + } + + return IsAuth2Format; +} + +/** Set Secure Boot option into variable space. =20 @param[in] VarValue The option of Secure Boot. 
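Review bot: The two new read-only `text` rows are keyed to the wrong `FileEnrollType` values: `STR_DBX_PE_FORMAT_SHA256` is shown for value 2 and the `STR_DBX_AUTH_2_FORMAT` row is controlled by value 3, while SecureBootConfigNvData.h in this same patch defines `AUTHENCIATION_2_FILE_TYPE` as 2 and `PE_IMAGE_FILE_TYPE` as 3. The third row also uses `suppressif ideqval ... == 3` where the other two use `disableif NOT ideqval`, so as written it is hidden for exactly the value it tests and shown for every other one, including 0 (`UNKNOWN_FILE_TYPE`). An operator enrolling a dbx entry would therefore see a format label that does not match the file being enrolled; the third guard should read `disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 3;` and the numbering should be made to agree with the header. In both rows `help =` is given the `_PROMPT` token and the first `text =` the `_HELP` token, which looks swapped.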
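Review bot: `IsAuthentication2Format` casts `mImageBase` to `EFI_VARIABLE_AUTHENTICATION_2 *` and reads `AuthInfo.Hdr.wCertificateType` and `AuthInfo.CertType` without looking at `mImageSize`, so a file shorter than that header is read past the end of its buffer. The file is whatever the user picked from a volume, so add a guard before the cast, for example `if (mImageBase == NULL || mImageSize < OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) { goto ON_EXIT; }`. Comparing `AuthInfo.Hdr.dwLength` with the number of bytes actually read would be a sensible second check. The header comment should also state that the function reads into and then frees the module-global `mImageBase`/`mImageSize`, because a caller that still holds data there loses it.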
@@ -2081,6 +2136,115 @@ HashPeImageByType ( =20 **/ EFI_STATUS +EnrollAuthenication2Descriptor ( + IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, + IN CHAR16 *VariableName + ) +{ + EFI_STATUS Status; + VOID *Data; + UINTN DataSize; + UINT32 Attr; + + Data =3D NULL; + + // + // DBT only support DER-X509 Cert Enrollment + // + if (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) =3D=3D 0) { + return EFI_UNSUPPORTED; + } + + // + // Read the whole file content + // + Status =3D ReadFileContent( + Private->FileContext->FHandle, + (VOID **) &mImageBase, + &mImageSize, + 0 + ); + if (EFI_ERROR (Status)) { + goto ON_EXIT; + } + ASSERT (mImageBase !=3D NULL); + + Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS + | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; + + // + // Check if SigDB variable has been already existed. + // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the + // new signature data to original variable + // + DataSize =3D 0; + Status =3D gRT->GetVariable( + VariableName, + &gEfiImageSecurityDatabaseGuid, + NULL, + &DataSize, + NULL + ); + if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { + Attr |=3D EFI_VARIABLE_APPEND_WRITE; + } else if (Status !=3D EFI_NOT_FOUND) { + goto ON_EXIT; + } + + =20 + DEBUG((DEBUG_ERROR, "DBX update binary %s %x %Attr %x\n",VariableName, m= ImageSize, Attr)); + // + // Diretly set AUTHENTICATION_2 data to SetVariable + // + Status =3D gRT->SetVariable( + VariableName, + &gEfiImageSecurityDatabaseGuid, + Attr, + mImageSize, + mImageBase + ); + + DEBUG((DEBUG_ERROR, "DBX update binary status %x\n", Status)); + +ON_EXIT: + + CloseFile (Private->FileContext->FHandle); + Private->FileContext->FHandle =3D NULL; + + if (Private->FileContext->FileName !=3D NULL){ + FreePool(Private->FileContext->FileName); + Private->FileContext->FileName =3D NULL; + } + + if (Data !=3D NULL) { + FreePool (Data); + } + + if (mImageBase !=3D NULL) { + FreePool (mImageBase); + mImageBase =3D 
NULL; + } + + return Status; + +} + + +/** + Enroll a new executable's signature into Signature Database. + + @param[in] PrivateData The module's private data. + @param[in] VariableName Variable name of signature database, must be + EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURI= TY_DATABASE1 + or EFI_IMAGE_SECURITY_DATABASE2. + + @retval EFI_SUCCESS New signature is enrolled successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported command. + @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. + +**/ +EFI_STATUS EnrollImageSignatureToSigDB ( IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName @@ -2305,10 +2469,12 @@ EnrollSignatureDatabase ( // Supports DER-encoded X509 certificate. // return EnrollX509toSigDB (Private, VariableName); + } else if (IsAuthentication2Format(Private->FileContext->FHandle)){ + return EnrollAuthenication2Descriptor(Private, VariableName); + } else { + return EnrollImageSignatureToSigDB (Private, VariableName); } - - return EnrollImageSignatureToSigDB (Private, VariableName); -} +}=20 =20 /** List all signatures in specified signature database (e.g. KEK/DB/DBX/DBT) @@ -2957,6 +3123,7 @@ SecureBootExtractConfigFromVariable ( // Initilize the Date and Time using system time. // ConfigData->CertificateFormat =3D HASHALG_RAW; + ConfigData->FileEnrollType =3D UNKNOWN_FILE_TYPE; ConfigData->AlwaysRevocation =3D TRUE; gRT->GetTime (&CurrTime, NULL); ConfigData->RevocationDate.Year =3D CurrTime.Year; @@ -3258,6 +3425,8 @@ SecureBootCallback ( UINT8 *SetupMode; CHAR16 PromptString[100]; EFI_DEVICE_PATH_PROTOCOL *File; + UINTN NameLength; + UINT16 *FilePostFix; =20 Status =3D EFI_SUCCESS; SecureBootEnable =3D NULL; 
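Review bot: The dbt check in `EnrollAuthenication2Descriptor` leaves through `return EFI_UNSUPPORTED;`, which skips the `ON_EXIT` cleanup that closes `Private->FileContext->FHandle` and frees `FileName` on every other path; use `Status = EFI_UNSUPPORTED; goto ON_EXIT;` instead. `Data` is set to NULL and never assigned, so its `FreePool` branch is dead and can be removed together with the declaration. Both `DEBUG` calls log routine progress at `DEBUG_ERROR`, and the first format string contains a stray `%Attr` and prints the `UINTN` `mImageSize` with `%x`; `DEBUG_INFO` with an explicit `(UINT64)` cast and `%Lx` would be cleaner. Because the function is inserted after the existing `**/ EFI_STATUS` context lines, it appears to inherit the header comment written for `EnrollImageSignatureToSigDB`. It needs its own comment saying that the file content is handed unmodified to `SetVariable` with `EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS`, so that readers know no validation of the descriptor happens in this module.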
@@ -3393,6 +3562,27 @@ SecureBootCallback ( =20 case SECUREBOOT_ENROLL_SIGNATURE_TO_DBX: ChooseFile (NULL, NULL, UpdateDBXFromFile, &File); + // + // Parse the file's postfix. + // + NameLength =3D StrLen (Private->FileContext->FileName); + if (NameLength <=3D 4) { + return FALSE; + } + FilePostFix =3D Private->FileContext->FileName + NameLength - 4; + + if (IsDerEncodeCertificate (FilePostFix)) { + // + // Supports DER-encoded X509 certificate. + // + IfrNvData->FileEnrollType =3D X509_CERT_FILE_TYPE; + } else if (IsAuthentication2Format(gSecureBootPrivateData->FileConte= xt->FHandle)){ + IfrNvData->FileEnrollType =3D AUTHENCIATION_2_FILE_TYPE; + } else { + IfrNvData->FileEnrollType =3D PE_IMAGE_FILE_TYPE; + } + DEBUG((DEBUG_ERROR, "IfrNvData->FileEnrollType %d\n", IfrNvData->Fil= eEnrollType)); + HiiSetBrowserData(&gSecureBootConfigFormSetGuid, mSecureBootStorageN= ame, sizeof (SECUREBOOT_CONFIGURATION),(UINT8 *)IfrNvData, NULL); break; =20 case SECUREBOOT_ENROLL_SIGNATURE_TO_DBT: diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.h index bea9470..f9b75e6 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.h @@ -47,6 +47,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER= EXPRESS OR IMPLIED. #include #include #include +#include =20 #include "SecureBootConfigNvData.h" =20 
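Review bot: In the `SECUREBOOT_ENROLL_SIGNATURE_TO_DBX` case, `StrLen (Private->FileContext->FileName)` runs right after `ChooseFile` with no check that a file was actually selected; if `FileName` or `FHandle` can still be NULL at this point (the code that sets them is outside this hunk), this dereferences NULL and `IsAuthentication2Format` is handed an invalid handle. The short-name path uses `return FALSE;` in a function that otherwise appears to work with `EFI_STATUS`, so it reports the same value as `EFI_SUCCESS` and leaves the callback without reaching whatever cleanup follows the switch. I would guard with `if (Private->FileContext->FileName == NULL || Private->FileContext->FHandle == NULL) { break; }` and turn the length check into a `break` as well. The hunk also mixes `Private->FileContext` and `gSecureBootPrivateData->FileContext` for what looks like the same object and logs at `DEBUG_ERROR`; pick one accessor and use `DEBUG_INFO`.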
@@ -582,4 +583,35 @@ UpdateDBTFromFile ( IN EFI_DEVICE_PATH_PROTOCOL *FilePath ); =20 +/** + This code checks if the FileSuffix is one of the possible DER-encoded ce= rtificate suffix. + + @param[in] FileSuffix The suffix of the input certificate file + + @retval TRUE It's a DER-encoded certificate. + @retval FALSE It's NOT a DER-encoded certificate. + +**/ +BOOLEAN +IsDerEncodeCertificate ( + IN CONST CHAR16 *FileSuffix +); + + +/** + This code checks if the file content complies with EFI_VARIABLE_AUTHENTI= CATION_2 format +The function reads file content but won't open/close given FileHandle. + + @param[in] FileHandle The FileHandle to be checked + + @retval TRUE The content is EFI_VARIABLE_AUTHENTICATION_2 = format. + @retval FALSE The content is NOT a EFI_VARIABLE_AUTHENTICATI= ON_2 format. + +**/ +BOOLEAN +IsAuthentication2Format ( + IN EFI_FILE_HANDLE FileHandle +); + + #endif diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Se= cureBootConfigNvData.h index df4d72e..c3dc92c 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h @@ -107,6 +107,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EIT= HER EXPRESS OR IMPLIED. #define SECURE_BOOT_GUID_SIZE 36 #define SECURE_BOOT_GUID_STORAGE_SIZE 37 =20 +#define UNKNOWN_FILE_TYPE 0 +#define X509_CERT_FILE_TYPE 1 +#define AUTHENCIATION_2_FILE_TYPE 2 +#define PE_IMAGE_FILE_TYPE 3 =20 // // Nv Data structure referenced by IFR @@ -123,6 +127,7 @@ typedef struct { UINT8 CertificateFormat; // The type of the certificate EFI_HII_DATE RevocationDate; // The revocation date of the certificate EFI_HII_TIME RevocationTime; // The revocation time of the certificate + UINT8 FileEnrollType; // File type of sigunature enroll } SECUREBOOT_CONFIGURATION; =20 #endif 
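Review bot: `AUTHENCIATION_2_FILE_TYPE` in the SecureBootConfigNvData.h hunk is misspelled, and the name will be hard to change once other code uses it; `AUTHENTICATION_2_FILE_TYPE` would match `EFI_VARIABLE_AUTHENTICATION_2`. The same applies to `EnrollAuthenication2Descriptor` in SecureBootConfigImpl.c and to the `"VARIABLE_AUTHENICATION_2"` string in the .uni file. A one-line comment above the four defines, such as `// File types detected for dbx enrollment, stored in SECUREBOOT_CONFIGURATION.FileEnrollType`, would tie them to the field added in the following hunk, whose own comment reads `sigunature`.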
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe= /SecureBootConfigStrings.uni index af6d83b..96a02b3 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni @@ -35,10 +35,15 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH= ER EXPRESS OR IMPLIED. =20 #string STR_DBX_CERTIFICATE_FORMAT_PROMPT #language en-US "Signature Form= at" #string STR_DBX_CERTIFICATE_FORMAT_HELP #language en-US "Select the cer= tificate format used to enroll certificate into database." -#string STR_DBX_CERTIFICATE_FORMAT_SHA256 #language en-US "SHA256" -#string STR_DBX_CERTIFICATE_FORMAT_SHA384 #language en-US "SHA384" -#string STR_DBX_CERTIFICATE_FORMAT_SHA512 #language en-US "SHA512" -#string STR_DBX_CERTIFICATE_FORMAT_RAW #language en-US "RAW" +#string STR_DBX_CERTIFICATE_FORMAT_SHA256 #language en-US "X509 CERT SHA2= 56" +#string STR_DBX_CERTIFICATE_FORMAT_SHA384 #language en-US "X509 CERT SHA3= 84" +#string STR_DBX_CERTIFICATE_FORMAT_SHA512 #language en-US "X509 CERT SHA5= 12" +#string STR_DBX_CERTIFICATE_FORMAT_RAW #language en-US "X509 CERT" + +#string STR_DBX_PE_FORMAT_SHA256 #language en-US "PE Image SHA25= 6" + +#string STR_DBX_AUTH_2_FORMAT #language en-US "VARIABLE_AUTHE= NICATION_2" + =20 #string STR_CERTIFICATE_REVOCATION_TIME_PROMPT #language en-US " Revocati= on Time" #string STR_CERTIFICATE_REVOCATION_TIME_HELP #language en-US "Input the = revocation time of the certificate" --=20 1.9.5.msysgit.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel