From: "Zhang, Chao B"
To: edk2-devel@lists.01.org
Cc: siyuan.fu@intel.com, Chao Zhang, qin.long@intel.com
Date: Fri, 31 Mar 2017 13:48:28 +0800
Message-Id: <20170331054828.5712-1-chao.b.zhang@intel.com>
X-Mailer: git-send-email 2.11.0.windows.1
Subject: [edk2] [PATCH V2] SecurityPkg: SecureBootConfigDxe: Support AUTH_2 enrollment to DBX
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Update SecureBootConfigDxe to support AUTH_2 format data enrollment to DBX.
Free opened file handle resource after we exit PK/KEK/DB/DBX/DBT enrollment page.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang
Reviewed-by: Long Qin
---
 .../SecureBootConfigDxe/SecureBootConfig.vfr     |  54 ++--
 .../SecureBootConfigDxe/SecureBootConfigImpl.c   | 340 +++++++++++++++++= ----
 .../SecureBootConfigDxe/SecureBootConfigImpl.h   |   2 +
 .../SecureBootConfigDxe/SecureBootConfigNvData.h |   7 +-
 .../SecureBootConfigStrings.uni                  |  19 +-
 5 files changed, 338 insertions(+), 84 deletions(-)
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secure= BootConfig.vfr index 6f46d91..bbecff2 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= g.vfr @@ -1,7 +1,7 @@ /** @file VFR file used by the SecureBoot configuration component. =20 -Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at 
@@ -446,24 +446,42 @@ formset label LABEL_END; subtitle text =3D STRING_TOKEN(STR_NULL); =20 - string varid =3D SECUREBOOT_CONFIGURATION.SignatureGuid, - prompt =3D STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID), - help =3D STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP), - flags =3D INTERACTIVE, - key =3D KEY_SECURE_BOOT_SIGNATURE_GUID_DBX, - minsize =3D SECURE_BOOT_GUID_SIZE, - maxsize =3D SECURE_BOOT_GUID_SIZE, - endstring; + grayoutif ideqval SECUREBOOT_CONFIGURATION.FileEnrollType =3D=3D 3; + string varid =3D SECUREBOOT_CONFIGURATION.SignatureGuid, + prompt =3D STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID), + help =3D STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP= ), + flags =3D INTERACTIVE, + key =3D KEY_SECURE_BOOT_SIGNATURE_GUID_DBX, + minsize =3D SECURE_BOOT_GUID_SIZE, + maxsize =3D SECURE_BOOT_GUID_SIZE, + endstring; + endif; =20 - oneof name =3D SignatureFormatInDbx, - varid =3D SECUREBOOT_CONFIGURATION.CertificateFormat, - prompt =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), - help =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP), - option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256),= value =3D 0x1, flags =3D DEFAULT; - option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384),= value =3D 0x2, flags =3D 0; - option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512),= value =3D 0x3, flags =3D 0; - option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), va= lue =3D 0x4, flags =3D 0; - endoneof; + disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType =3D=3D 1; + oneof name =3D X509SignatureFormatInDbx, + varid =3D SECUREBOOT_CONFIGURATION.CertificateFormat, + prompt =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT= ), + help =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP), + option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256= ), value =3D 0x1, flags =3D DEFAULT; + option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384= ), value =3D 0x2, flags =3D 0; + option text =3D 
STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512= ), value =3D 0x3, flags =3D 0; + option text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), = value =3D 0x4, flags =3D 0; + endoneof; + endif; + + disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType =3D=3D 2; + text + help =3D STRING_TOKEN(STR_DBX_PE_IMAGE_FORMAT_HELP), //= Help string + text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), //= Prompt string + text =3D STRING_TOKEN(STR_DBX_PE_FORMAT_SHA256); //= PE image type + endif; + + disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType =3D=3D 3; + text + help =3D STRING_TOKEN(STR_DBX_AUTH_2_FORMAT_HELP), //= Help string + text =3D STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), //= Prompt string + text =3D STRING_TOKEN(STR_DBX_AUTH_2_FORMAT); //= AUTH_2 image type + endif; =20 suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat =3D=3D 4; checkbox varid =3D SECUREBOOT_CONFIGURATION.AlwaysRevocation, diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index 3ce4814..cdb6ee7 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c 
@@ -97,6 +97,35 @@ CHAR16* mSupportX509Suffix =3D L"*.cer/der/crt"; SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData =3D NULL; =20 /** + This code cleans up enrolled file by closing file & free related resourc= es attached to + enrolled file + + @param[in] FileSuffix The suffix of the input certificate file + + @retval TRUE It's a DER-encoded certificate. + @retval FALSE It's NOT a DER-encoded certificate. + +**/ + +VOID +CloseEnrolledFile( + IN SECUREBOOT_FILE_CONTEXT *FileContext + ) +{ + if (FileContext->FHandle !=3D NULL) { + CloseFile (FileContext->FHandle); + FileContext->FHandle =3D NULL; + } + + if (FileContext->FileName !=3D NULL){ + FreePool(FileContext->FileName); + FileContext->FileName =3D NULL; + } + FileContext->FileType =3D UNKNOWN_FILE_TYPE; + +} + +/** This code checks if the FileSuffix is one of the possible DER-encoded ce= rtificate suffix. =20 @param[in] FileSuffix The suffix of the input certificate file 
@@ -120,6 +149,61 @@ IsDerEncodeCertificate ( } =20 /** + This code checks if the file content complies with EFI_VARIABLE_AUTHENTI= CATION_2 format +The function reads file content but won't open/close given FileHandle. + + @param[in] FileHandle The FileHandle to be checked + + @retval TRUE The content is EFI_VARIABLE_AUTHENTICATION_2 = format. + @retval FALSE The content is NOT a EFI_VARIABLE_AUTHENTICATI= ON_2 format. + +**/ +BOOLEAN +IsAuthentication2Format ( + IN EFI_FILE_HANDLE FileHandle +) +{ + EFI_STATUS Status; + EFI_VARIABLE_AUTHENTICATION_2 *Auth2; + BOOLEAN IsAuth2Format; + + IsAuth2Format =3D FALSE; + + // + // Read the whole file content + // + Status =3D ReadFileContent( + FileHandle, + (VOID **) &mImageBase, + &mImageSize, + 0 + ); + if (EFI_ERROR (Status)) { + goto ON_EXIT; + } + + Auth2 =3D (EFI_VARIABLE_AUTHENTICATION_2 *)mImageBase; + if (Auth2->AuthInfo.Hdr.wCertificateType !=3D WIN_CERT_TYPE_EFI_GUID) { + goto ON_EXIT; + } + + if (CompareGuid(&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType)) { + IsAuth2Format =3D TRUE; + } + +ON_EXIT: + // + // Do not close File. simply check file content + // + if (mImageBase !=3D NULL) { + FreePool (mImageBase); + mImageBase =3D NULL; + } + + return IsAuth2Format; +} + +/** Set Secure Boot option into variable space. =20 @param[in] VarValue The option of Secure Boot. @@ -474,10 +558,7 @@ ON_EXIT: FreePool(PkCert); } =20 - if (Private->FileContext->FHandle !=3D NULL) { - CloseFile (Private->FileContext->FHandle); - Private->FileContext->FHandle =3D NULL; - } + CloseEnrolledFile(Private->FileContext); =20 return Status; } 
@@ -654,13 +735,7 @@ EnrollRsa2048ToKek ( =20 ON_EXIT: =20 - CloseFile (Private->FileContext->FHandle); - Private->FileContext->FHandle =3D NULL; - - if (Private->FileContext->FileName !=3D NULL){ - FreePool(Private->FileContext->FileName); - Private->FileContext->FileName =3D NULL; - } + CloseEnrolledFile(Private->FileContext); =20 if (Private->SignatureGUID !=3D NULL) { FreePool (Private->SignatureGUID); @@ -781,13 +856,7 @@ EnrollX509ToKek ( =20 ON_EXIT: =20 - CloseFile (Private->FileContext->FHandle); - if (Private->FileContext->FileName !=3D NULL){ - FreePool(Private->FileContext->FileName); - Private->FileContext->FileName =3D NULL; - } - - Private->FileContext->FHandle =3D NULL; + CloseEnrolledFile(Private->FileContext); =20 if (Private->SignatureGUID !=3D NULL) { FreePool (Private->SignatureGUID); @@ -821,7 +890,7 @@ EnrollKeyExchangeKey ( EFI_STATUS Status; UINTN NameLength; =20 - if ((Private->FileContext->FileName =3D=3D NULL) || (Private->SignatureG= UID =3D=3D NULL)) { + if ((Private->FileContext->FHandle =3D=3D NULL) || (Private->FileContext= ->FileName =3D=3D NULL) || (Private->SignatureGUID =3D=3D NULL)) { return EFI_INVALID_PARAMETER; } =20 @@ -844,6 +913,11 @@ EnrollKeyExchangeKey ( } else if (CompareMem (FilePostFix, L".pbk",4) =3D=3D 0) { return EnrollRsa2048ToKek (Private); } else { + // + // File type is wrong, simply close it + // + CloseEnrolledFile(Private->FileContext); + return EFI_INVALID_PARAMETER; } } @@ -955,13 +1029,7 @@ EnrollX509toSigDB ( =20 ON_EXIT: =20 - CloseFile (Private->FileContext->FHandle); - if (Private->FileContext->FileName !=3D NULL){ - FreePool(Private->FileContext->FileName); - Private->FileContext->FileName =3D NULL; - } - - Private->FileContext->FHandle =3D NULL; + CloseEnrolledFile(Private->FileContext); =20 if (Private->SignatureGUID !=3D NULL) { FreePool (Private->SignatureGUID); 
@@ -1519,13 +1587,8 @@ EnrollX509HashtoSigDB ( } =20 ON_EXIT: - CloseFile (Private->FileContext->FHandle); - if (Private->FileContext->FileName !=3D NULL){ - FreePool(Private->FileContext->FileName); - Private->FileContext->FileName =3D NULL; - } =20 - Private->FileContext->FHandle =3D NULL; + CloseEnrolledFile(Private->FileContext); =20 if (Private->SignatureGUID !=3D NULL) { FreePool (Private->SignatureGUID); 
@@ -2081,6 +2144,107 @@ HashPeImageByType ( =20 **/ EFI_STATUS +EnrollAuthentication2Descriptor ( + IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, + IN CHAR16 *VariableName + ) +{ + EFI_STATUS Status; + VOID *Data; + UINTN DataSize; + UINT32 Attr; + + Data =3D NULL; + + // + // DBT only support DER-X509 Cert Enrollment + // + if (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) =3D=3D 0) { + return EFI_UNSUPPORTED; + } + + // + // Read the whole file content + // + Status =3D ReadFileContent( + Private->FileContext->FHandle, + (VOID **) &mImageBase, + &mImageSize, + 0 + ); + if (EFI_ERROR (Status)) { + goto ON_EXIT; + } + ASSERT (mImageBase !=3D NULL); + + Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS + | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; + + // + // Check if SigDB variable has been already existed. + // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the + // new signature data to original variable + // + DataSize =3D 0; + Status =3D gRT->GetVariable( + VariableName, + &gEfiImageSecurityDatabaseGuid, + NULL, + &DataSize, + NULL + ); + if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { + Attr |=3D EFI_VARIABLE_APPEND_WRITE; + } else if (Status !=3D EFI_NOT_FOUND) { + goto ON_EXIT; + } + + // + // Diretly set AUTHENTICATION_2 data to SetVariable + // + Status =3D gRT->SetVariable( + VariableName, + &gEfiImageSecurityDatabaseGuid, + Attr, + mImageSize, + mImageBase + ); + + DEBUG((DEBUG_INFO, "Enroll AUTH_2 data to Var:%s Status: %x\n", Variable= Name, Status)); + +ON_EXIT: + + CloseEnrolledFile(Private->FileContext); + + if (Data !=3D NULL) { + FreePool (Data); + } + + if (mImageBase !=3D NULL) { + FreePool (mImageBase); + mImageBase =3D NULL; + } + + return Status; + +} + + +/** + Enroll a new executable's signature into Signature Database. + + @param[in] PrivateData The module's private data. 
+ @param[in] VariableName Variable name of signature database, must be + EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURI= TY_DATABASE1 + or EFI_IMAGE_SECURITY_DATABASE2. + + @retval EFI_SUCCESS New signature is enrolled successfully. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval EFI_UNSUPPORTED Unsupported command. + @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources. + +**/ +EFI_STATUS EnrollImageSignatureToSigDB ( IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN CHAR16 *VariableName @@ -2235,13 +2399,7 @@ EnrollImageSignatureToSigDB ( =20 ON_EXIT: =20 - CloseFile (Private->FileContext->FHandle); - Private->FileContext->FHandle =3D NULL; - - if (Private->FileContext->FileName !=3D NULL){ - FreePool(Private->FileContext->FileName); - Private->FileContext->FileName =3D NULL; - } + CloseEnrolledFile(Private->FileContext); =20 if (Private->SignatureGUID !=3D NULL) { FreePool (Private->SignatureGUID); @@ -2305,9 +2463,11 @@ EnrollSignatureDatabase ( // Supports DER-encoded X509 certificate. // return EnrollX509toSigDB (Private, VariableName); + } else if (IsAuthentication2Format(Private->FileContext->FHandle)){ + return EnrollAuthentication2Descriptor(Private, VariableName); + } else { + return EnrollImageSignatureToSigDB (Private, VariableName); } - - return EnrollImageSignatureToSigDB (Private, VariableName); } =20 /** @@ -2936,11 +3096,13 @@ UpdateSecureBootString( /** This function extracts configuration from variable. =20 + @param[in] Private Point to SecureBoot configuration driver p= rivate data. @param[in, out] ConfigData Point to SecureBoot configuration private = data. =20 **/ VOID SecureBootExtractConfigFromVariable ( + IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private, IN OUT SECUREBOOT_CONFIGURATION *ConfigData ) { 
@@ -2965,7 +3127,11 @@ SecureBootExtractConfigFromVariable ( ConfigData->RevocationTime.Hour =3D CurrTime.Hour; ConfigData->RevocationTime.Minute =3D CurrTime.Minute; ConfigData->RevocationTime.Second =3D 0; - + if (Private->FileContext->FHandle !=3D NULL) { + ConfigData->FileEnrollType =3D Private->FileContext->FileType; + } else { + ConfigData->FileEnrollType =3D UNKNOWN_FILE_TYPE; + } =20 // // If it is Physical Presence User, set the PhysicalPresent to true. @@ -3088,10 +3254,12 @@ SecureBootExtractConfig ( return EFI_NOT_FOUND; } =20 + ZeroMem(&Configuration, sizeof(SECUREBOOT_CONFIGURATION)); + // // Get Configuration from Variable. // - SecureBootExtractConfigFromVariable (&Configuration); + SecureBootExtractConfigFromVariable (PrivateData, &Configuration); =20 BufferSize =3D sizeof (SECUREBOOT_CONFIGURATION); ConfigRequest =3D Request; @@ -3166,9 +3334,10 @@ SecureBootRouteConfig ( OUT EFI_STRING *Progress ) { - SECUREBOOT_CONFIGURATION IfrNvData; - UINTN BufferSize; - EFI_STATUS Status; + SECUREBOOT_CONFIGURATION IfrNvData; + UINTN BufferSize; + SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; + EFI_STATUS Status; =20 if (Configuration =3D=3D NULL || Progress =3D=3D NULL) { return EFI_INVALID_PARAMETER; @@ -3179,10 +3348,12 @@ SecureBootRouteConfig ( return EFI_NOT_FOUND; } =20 + PrivateData =3D SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This); + // // Get Configuration from Variable. // - SecureBootExtractConfigFromVariable (&IfrNvData); + SecureBootExtractConfigFromVariable (PrivateData, &IfrNvData); =20 // // Map the Configuration to the configuration block. @@ -3259,6 +3430,9 @@ SecureBootCallback ( UINT8 *SetupMode; CHAR16 PromptString[100]; EFI_DEVICE_PATH_PROTOCOL *File; + UINTN NameLength; + UINT16 *FilePostFix; + SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData; =20 Status =3D EFI_SUCCESS; SecureBootEnable =3D NULL; 
@@ -3291,8 +3465,20 @@ SecureBootCallback ( // Update secure boot strings when opening this form // Status =3D UpdateSecureBootString(Private); - SecureBootExtractConfigFromVariable (IfrNvData); + SecureBootExtractConfigFromVariable (Private, IfrNvData); mIsEnterSecureBootForm =3D TRUE; + } else { + // + // When entering SecureBoot OPTION Form + // always close opened file & free resource + // + if ((QuestionId =3D=3D KEY_SECURE_BOOT_PK_OPTION) || + (QuestionId =3D=3D KEY_SECURE_BOOT_KEK_OPTION) || + (QuestionId =3D=3D KEY_SECURE_BOOT_DB_OPTION) || + (QuestionId =3D=3D KEY_SECURE_BOOT_DBX_OPTION) || + (QuestionId =3D=3D KEY_SECURE_BOOT_DBT_OPTION)) { + CloseEnrolledFile(Private->FileContext); + } } goto EXIT; } @@ -3346,6 +3532,7 @@ SecureBootCallback ( case KEY_SECURE_BOOT_DB_OPTION: case KEY_SECURE_BOOT_DBX_OPTION: case KEY_SECURE_BOOT_DBT_OPTION: + PrivateData =3D SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This); // // Clear Signature GUID. // @@ -3357,6 +3544,11 @@ SecureBootCallback ( } } =20 + // + // Cleanup VFRData once leaving PK/KEK/DB/DBX/DBT enroll/delete page + // + SecureBootExtractConfigFromVariable (PrivateData, IfrNvData); + if (QuestionId =3D=3D KEY_SECURE_BOOT_DB_OPTION) { LabelId =3D SECUREBOOT_ENROLL_SIGNATURE_TO_DB; } else if (QuestionId =3D=3D KEY_SECURE_BOOT_DBX_OPTION) { 
@@ -3394,6 +3586,38 @@ SecureBootCallback ( =20 case SECUREBOOT_ENROLL_SIGNATURE_TO_DBX: ChooseFile (NULL, NULL, UpdateDBXFromFile, &File); + + if (Private->FileContext->FHandle !=3D NULL) { + // + // Parse the file's postfix. + // + NameLength =3D StrLen (Private->FileContext->FileName); + if (NameLength <=3D 4) { + return FALSE; + } + FilePostFix =3D Private->FileContext->FileName + NameLength - 4; + + if (IsDerEncodeCertificate (FilePostFix)) { + // + // Supports DER-encoded X509 certificate. + // + IfrNvData->FileEnrollType =3D X509_CERT_FILE_TYPE; + } else if (IsAuthentication2Format(Private->FileContext->FHandle)){ + IfrNvData->FileEnrollType =3D AUTHENTICATION_2_FILE_TYPE; + } else { + IfrNvData->FileEnrollType =3D PE_IMAGE_FILE_TYPE; + } + Private->FileContext->FileType =3D IfrNvData->FileEnrollType; + + // + // Clean up Certificate Format if File type is not X509 DER + // + if (IfrNvData->FileEnrollType !=3D X509_CERT_FILE_TYPE) { + IfrNvData->CertificateFormat =3D HASHALG_RAW; + } + DEBUG((DEBUG_ERROR, "IfrNvData->FileEnrollType %d\n", Private->Fil= eContext->FileType)); + } + break; =20 case SECUREBOOT_ENROLL_SIGNATURE_TO_DBT: @@ -3503,7 +3727,12 @@ SecureBootCallback ( L"Enrollment failed! Same certificate had already been in the db= x!", NULL ); - break; + + // + // Cert already exists in DBX. Close opened file before exit. + // + CloseEnrolledFile(Private->FileContext); + break; } =20 if ((IfrNvData !=3D NULL) && (IfrNvData->CertificateFormat < HASHALG= _MAX)) { @@ -3514,6 +3743,7 @@ SecureBootCallback ( &IfrNvData->RevocationTime, IfrNvData->AlwaysRevocation ); + IfrNvData->CertificateFormat =3D HASHALG_RAW; } else { Status =3D EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DA= TABASE1); } 
@@ -3522,7 +3752,7 @@ SecureBootCallback ( EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, &Key, L"ERROR: Unsupported file type!", - L"Only supports DER-encoded X509 certificate and executable EFI = image", + L"Only supports DER-encoded X509 certificate, AUTH_2 format data= & executable EFI image", NULL ); } @@ -3603,14 +3833,7 @@ SecureBootCallback ( case KEY_VALUE_NO_SAVE_AND_EXIT_DB: case KEY_VALUE_NO_SAVE_AND_EXIT_DBX: case KEY_VALUE_NO_SAVE_AND_EXIT_DBT: - if (Private->FileContext->FHandle !=3D NULL) { - CloseFile (Private->FileContext->FHandle); - Private->FileContext->FHandle =3D NULL; - if (Private->FileContext->FileName!=3D NULL){ - FreePool(Private->FileContext->FileName); - Private->FileContext->FileName =3D NULL; - } - } + CloseEnrolledFile(Private->FileContext); =20 if (Private->SignatureGUID !=3D NULL) { FreePool (Private->SignatureGUID); @@ -3639,7 +3862,6 @@ SecureBootCallback ( =20 *ActionRequest =3D EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; break; - case KEY_SECURE_BOOT_DELETE_PK: GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)= &SetupMode, NULL); if (SetupMode =3D=3D NULL || (*SetupMode) =3D=3D SETUP_MODE) { diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.h index f080f66..75b18f1 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.h @@ -47,6 +47,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER= EXPRESS OR IMPLIED. #include #include #include +#include =20 #include "SecureBootConfigNvData.h" =20 @@ -108,6 +109,7 @@ typedef struct { typedef struct { EFI_FILE_HANDLE FHandle; UINT16 *FileName; + UINT8 FileType; } SECUREBOOT_FILE_CONTEXT; =20 =20 
diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigNvData.h b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Se= cureBootConfigNvData.h index df4d72e..6b69f92 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gNvData.h @@ -1,7 +1,7 @@ /** @file Header file for NV data structure definition. =20 -Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at @@ -107,6 +107,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EIT= HER EXPRESS OR IMPLIED. #define SECURE_BOOT_GUID_SIZE 36 #define SECURE_BOOT_GUID_STORAGE_SIZE 37 =20 +#define UNKNOWN_FILE_TYPE 0 +#define X509_CERT_FILE_TYPE 1 +#define PE_IMAGE_FILE_TYPE 2 +#define AUTHENTICATION_2_FILE_TYPE 3 =20 // // Nv Data structure referenced by IFR @@ -123,6 +127,7 @@ typedef struct { UINT8 CertificateFormat; // The type of the certificate EFI_HII_DATE RevocationDate; // The revocation date of the certificate EFI_HII_TIME RevocationTime; // The revocation time of the certificate + UINT8 FileEnrollType; // File type of sigunature enroll } SECUREBOOT_CONFIGURATION; =20 #endif diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigStrings.uni b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe= /SecureBootConfigStrings.uni index af6d83b..320cc79 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gStrings.uni @@ -1,7 +1,7 @@ /** @file String definitions for Secure Boot Configuration form. =20 -Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.
+Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at @@ -18,6 +18,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER= EXPRESS OR IMPLIED. #string STR_SECUREBOOT_HELP #language en-US "Press = to select Secure Boot options." =20 #string STR_NULL #language en-US "" +#string STR_DBX_SUBTITLE_TEXT #language en-US "" =20 #string STR_SECURE_BOOT_STATE_PROMPT #language en-US "Current Secure= Boot State" #string STR_SECURE_BOOT_STATE_HELP #language en-US "Current Secure= Boot state: enabled or disabled." 
@@ -34,11 +35,17 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITH= ER EXPRESS OR IMPLIED. #string STR_SECURE_BOOT_ADD_SIGNATURE_FILE #language en-US "Enroll Signatu= re Using File" =20 #string STR_DBX_CERTIFICATE_FORMAT_PROMPT #language en-US "Signature Form= at" -#string STR_DBX_CERTIFICATE_FORMAT_HELP #language en-US "Select the cer= tificate format used to enroll certificate into database." -#string STR_DBX_CERTIFICATE_FORMAT_SHA256 #language en-US "SHA256" -#string STR_DBX_CERTIFICATE_FORMAT_SHA384 #language en-US "SHA384" -#string STR_DBX_CERTIFICATE_FORMAT_SHA512 #language en-US "SHA512" -#string STR_DBX_CERTIFICATE_FORMAT_RAW #language en-US "RAW" +#string STR_DBX_CERTIFICATE_FORMAT_HELP #language en-US "X509 DER-Cert = enrolled. Select different option to enroll it into DBX." +#string STR_DBX_CERTIFICATE_FORMAT_SHA256 #language en-US "X509 CERT SHA2= 56" +#string STR_DBX_CERTIFICATE_FORMAT_SHA384 #language en-US "X509 CERT SHA3= 84" +#string STR_DBX_CERTIFICATE_FORMAT_SHA512 #language en-US "X509 CERT SHA5= 12" +#string STR_DBX_CERTIFICATE_FORMAT_RAW #language en-US "X509 CERT" + +#string STR_DBX_PE_IMAGE_FORMAT_HELP #language en-US "PE image enrol= led. Use SHA256 hash to enroll it into DBX" +#string STR_DBX_PE_FORMAT_SHA256 #language en-US "PE Image SHA25= 6" + +#string STR_DBX_AUTH_2_FORMAT_HELP #language en-US "VARIABLE_AUTHE= NICATION_2 binary enrolled. Use raw binary to enroll it into DBX" +#string STR_DBX_AUTH_2_FORMAT #language en-US "VARIABLE_AUTHE= NICATION_2" =20 #string STR_CERTIFICATE_REVOCATION_TIME_PROMPT #language en-US " Revocati= on Time" #string STR_CERTIFICATE_REVOCATION_TIME_HELP #language en-US "Input the = revocation time of the certificate" --=20 1.9.5.msysgit.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
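Review bot: In the SecureBootConfig.vfr hunk at @@ -446,24 +446,42 @@ the FileEnrollType comparisons use bare literals (`grayoutif ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 3`, `disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 1`, `... == 2`) while the same patch defines X509_CERT_FILE_TYPE, PE_IMAGE_FILE_TYPE and AUTHENTICATION_2_FILE_TYPE in SecureBootConfigNvData.h, which this VFR already pulls in for SECUREBOOT_CONFIGURATION and SECURE_BOOT_GUID_SIZE; use the macros so the form and SecureBootCallback cannot drift apart. The unchanged `suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 4` that follows still hides the revocation-time controls for PE and AUTH_2 files only because the callback forces CertificateFormat to HASHALG_RAW on those paths; suppressing on FileEnrollType != X509_CERT_FILE_TYPE as well makes the form correct on its own. Each format widget sits in its own disableif, so before any file is chosen (FileEnrollType == 0) the form shows no Signature Format row at all; if that is intended, say so in the commit message.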
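Review bot: The doxygen block above CloseEnrolledFile in the SecureBootConfigImpl.c hunk at @@ -97,6 +97,35 @@ was copied from IsDerEncodeCertificate: it documents `@param[in] FileSuffix` and `@retval TRUE It's a DER-encoded certificate` for a VOID function whose only parameter is FileContext. Replace it with a `@param[in] FileContext` line describing the SECUREBOOT_FILE_CONTEXT whose handle and name are released, drop the retvals, and remove the blank line between `**/` and `VOID`, which detaches the comment from the declaration contrary to the rest of the file. Since every caller passes Private->FileContext, an `ASSERT (FileContext != NULL)` at the top would document the contract.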
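Review bot: IsAuthentication2Format in the hunk at @@ -120,6 +149,61 @@ dereferences `Auth2->AuthInfo.Hdr.wCertificateType` and `Auth2->AuthInfo.CertType` without checking that the file is large enough to contain them, so a short or empty file chosen in the DBX form reads past the buffer returned by ReadFileContent. Add, right after the read, `if (mImageSize < OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData)) { goto ON_EXIT; }`, and while here check `Auth2->AuthInfo.Hdr.wRevision == 0x0200` and that `Auth2->AuthInfo.Hdr.dwLength` does not exceed the bytes remaining after TimeStamp, which the variable driver will demand anyway. The function also routes the whole file through the module globals mImageBase/mImageSize purely to peek at a header; a local buffer avoids sharing state with the enrollment functions in this file (EnrollAuthentication2Descriptor below uses the same globals). The comment line `+The function reads file content but won't open/close given FileHandle.` is missing its leading space.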
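Review bot: In the EnrollKeyExchangeKey hunks at @@ -821,7 +890,7 @@ and @@ -844,6 +913,11 @@ the cleanup is inconsistent: the new `else` branch calls CloseEnrolledFile before returning EFI_INVALID_PARAMETER for an unknown suffix, but the widened guard `if ((Private->FileContext->FHandle == NULL) || (Private->FileContext->FileName == NULL) || (Private->SignatureGUID == NULL))` returns the same error with the handle still open when only SignatureGUID is NULL. Either call CloseEnrolledFile on that path too, or split the check so a missing GUID is reported without discarding the selected file.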
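Review bot: EnrollAuthentication2Descriptor in the hunk at @@ -2081,6 +2144,107 @@ infers EFI_VARIABLE_APPEND_WRITE from whether the target variable already exists (`if (Status == EFI_BUFFER_TOO_SMALL) { Attr |= EFI_VARIABLE_APPEND_WRITE; }`), but for a time-based authenticated variable the attributes are part of what the signer signed, so firmware cannot guess them: a dbx update signed with APPEND_WRITE fails with EFI_SECURITY_VIOLATION on a platform whose dbx is still empty, and a blob signed as a full replacement fails whenever dbx exists. Let the user choose (or try the append form first and fall back to a plain write) and state the assumption in the function header. In the same hunk, the function was inserted between the existing doxygen block and EnrollImageSignatureToSigDB, so it now carries a header that describes enrolling "a new executable's signature" while the real EnrollImageSignatureToSigDB got a fresh copy; `Data` is declared, never assigned and freed at ON_EXIT, so drop it; and the comments should read "Check if the SigDB variable already exists" and "Directly set".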
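Review bot: The dispatch change in EnrollSignatureDatabase at @@ -2305,9 +2463,11 @@ calls IsAuthentication2Format, which reads the whole file, and EnrollAuthentication2Descriptor or EnrollImageSignatureToSigDB then reads it again; the DBX form already classified the file when it was chosen and stored the answer in `Private->FileContext->FileType`, so switch on that here and fall back to the content check only when FileType is UNKNOWN_FILE_TYPE. This branch is also taken for every VariableName, so an AUTH_2 blob picked on the DB form is now written straight to db, although the subject and the VFR changes only advertise DBX; either restrict it to EFI_IMAGE_SECURITY_DATABASE1 or mention db in the commit message.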
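Review bot: The `PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);` added at @@ -3346,6 +3532,7 @@ and consumed by `SecureBootExtractConfigFromVariable (PrivateData, IfrNvData);` at @@ -3357,6 +3544,11 @@ duplicate the Private pointer SecureBootCallback already holds (the FORM_OPEN path in the same function calls `SecureBootExtractConfigFromVariable (Private, IfrNvData)` and `CloseEnrolledFile(Private->FileContext)`); drop the new local and its `SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;` declaration at @@ -3259,6 +3430,9 @@ and pass Private.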
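Review bot: In the SECUREBOOT_ENROLL_SIGNATURE_TO_DBX case at @@ -3394,6 +3586,38 @@, `if (NameLength <= 4) { return FALSE; }` returns a BOOLEAN from a function whose return type is EFI_STATUS (`Status = EFI_SUCCESS;` is visible in its prologue); FALSE is 0, i.e. EFI_SUCCESS, so a file whose name is four characters or shorter is silently accepted and left open in Private->FileContext. Call CloseEnrolledFile, set `IfrNvData->FileEnrollType = UNKNOWN_FILE_TYPE` and `break` instead, so the form shows no format row rather than pretending the selection succeeded. The trace `DEBUG((DEBUG_ERROR, "IfrNvData->FileEnrollType %d\n", ...))` fires on every successful selection and belongs at DEBUG_INFO, and the suffix-then-content classification here duplicates the one in EnrollSignatureDatabase; factor it into a helper both call.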
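Review bot: The `UINT8 FileType;` added to SECUREBOOT_FILE_CONTEXT in the SecureBootConfigImpl.h hunk at @@ -108,6 +109,7 @@ has no comment, although its values are the UNKNOWN_FILE_TYPE / X509_CERT_FILE_TYPE / PE_IMAGE_FILE_TYPE / AUTHENTICATION_2_FILE_TYPE macros this patch adds to SecureBootConfigNvData.h; say so in a trailing comment, and note that it is only assigned on the DBX selection path, so for PK/KEK/DB/DBT enrollment it stays UNKNOWN_FILE_TYPE and that is what SecureBootExtractConfigFromVariable copies into FileEnrollType.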
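Review bot: In the SecureBootConfigStrings.uni hunk at @@ -34,11 +35,17 @@ both new AUTH_2 strings misspell the type: `"VARIABLE_AUTHENICATION_2 binary enrolled. Use raw binary to enroll it into DBX"` and `"VARIABLE_AUTHENICATION_2"` should read VARIABLE_AUTHENTICATION_2, and this text is shown to the user in the setup form. The replacement help `"X509 DER-Cert enrolled. Select different option to enroll it into DBX."` no longer explains what the options mean; wording such as "An X509 DER certificate was chosen. Select whether to enroll its SHA256/SHA384/SHA512 hash or the raw certificate into DBX." keeps what the old string conveyed, and the PE help should end with a period like its neighbours. The STR_DBX_SUBTITLE_TEXT added at @@ -18,6 +18,7 @@ is not referenced by any VFR change in this patch; drop it or use it.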