From nobody Mon Feb 9 21:21:26 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+89515+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+89515+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1651687499; cv=none; d=zohomail.com; s=zohoarc; b=JuI1ckViH60gmen9+7Run0iUxZwCp34koDs+gEl4n6p/JWKXP0cUAj0XySWFJ52lw1JDvr3LM/Q2+zY9yJ7sGngWVAnRLDia+I1+FVKQ3INbnSPKHCOUqsV+HJYiimRTV7qxUgn7ibHEt+J6doIMedGUYd3bqBq2/kNvDxLOPvM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1651687499; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=wp4EDih6bBoN88dSziUdgj1bqcxdd/Lpsk9djzB8+ww=; b=bW6aEXvTyUk1V1RDeQ2eE9JyPXh1zbGXyPOBvVzjWVFugVZ7k5Mzixj5Lmp7kK/RJTxJ5n0xAkFDqQpuOWvnEj2W5xHtDNwyQCmfnqhgxrR+lC70g+4yC/3W1AoaoNJRrYo+CRx+JwX3WxvbPWdSd44Ys3LYhDgobqOdCmXWs/g= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+89515+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1651687499501238.15120069625664; Wed, 4 May 2022 11:04:59 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id YE15YY1788612xqpXmX9BzIm; Wed, 04 May 2022 11:04:59 -0700 X-Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) by mx.groups.io with SMTP id smtpd.web08.735.1651687498448349475 for ; Wed, 04 May 2022 11:04:58 -0700 X-Received: by mail-pl1-f180.google.com with SMTP id d22so2101438plr.9 for ; Wed, 04 May 2022 11:04:58 -0700 (PDT) X-Gm-Message-State: PwA9sWvjvpNGTVHzCxPj86Gxx1787277AA= X-Google-Smtp-Source: ABdhPJyHLai0E3r/+rwgKimurXLP96e3SLU5wsYf4D5A6K5IQdE6Tx/h7UOy4+vXH4Y4pGL4bagaBA== X-Received: by 2002:a17:902:8501:b0:15c:ea4b:1398 with SMTP id bj1-20020a170902850100b0015cea4b1398mr22629859plb.109.1651687497611; Wed, 04 May 2022 11:04:57 -0700 (PDT) X-Received: from localhost.localdomain ([50.47.82.110]) by smtp.gmail.com with ESMTPSA id n5-20020aa79045000000b0050dc7628143sm8496347pfo.29.2022.05.04.11.04.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 May 2022 11:04:57 -0700 (PDT) From: "Kun Qin" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu Subject: [edk2-devel] [PATCH v1 08/11] SecurityPkg: SecureBootConfigDxe: Updated invocation pattern Date: Wed, 4 May 2022 11:04:34 -0700 Message-Id: <20220504180438.1321-9-kuqin12@gmail.com> In-Reply-To: <20220504180438.1321-1-kuqin12@gmail.com> References: <20220504180438.1321-1-kuqin12@gmail.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,kuqin12@gmail.com Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1651687499; bh=DkixbUCwHlu9P7I8quV/7N3Qb6IPvSBpG+6Ru00ulyk=; h=Cc:Date:From:Reply-To:Subject:To; b=ITVL25cVqpg9zj2K1drCcRs4G/Jrp82W2fj1tB3OOKAZdPcqM1wSFBJ3Ld9Qn4XBNnG nbytJlE+Odk+4VOMpVwxtuZq8s5TAVKgGqCwxy+iNvG9HCZusW1otF2if/og+atlCHaos mFhsq2+TjptOJ+2gbqr8GGr42jBvfj4QoR8= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1651687499773100029 Content-Type: text/plain; charset="utf-8" From: Kun Qin REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3909 This change is in pair with the previous SecureBootVariableLib change, which updated the interface of `CreateTimeBasedPayload`. This change added a helper function to query the current time through Real Time Clock protocol. This function is used when needing to format an authenticated variable payload. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Signed-off-by: Kun Qin --- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl= .c | 127 ++++++++++++++++++-- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.= inf | 1 + 2 files changed, 119 insertions(+), 9 deletions(-) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index a13c349a0f89..4299a6b5e56d 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "SecureBootConfigImpl.h" #include #include +#include #include #include #include @@ -136,6 +137,51 @@ CloseEnrolledFile ( FileContext->FileType =3D UNKNOWN_FILE_TYPE; } =20 +/** + Helper function to populate an EFI_TIME instance. + + @param[in] Time FileContext cached in SecureBootConfig driver + +**/ +STATIC +EFI_STATUS +GetCurrentTime ( + IN EFI_TIME *Time + ) +{ + EFI_STATUS Status; + VOID *TestPointer; + + if (Time =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + Status =3D gBS->LocateProtocol (&gEfiRealTimeClockArchProtocolGuid, NULL= , &TestPointer); + if (EFI_ERROR (Status)) { + return Status; + } + + ZeroMem (Time, sizeof (EFI_TIME)); + Status =3D gRT->GetTime (Time, NULL); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_ERROR, + "%a(), GetTime() failed, status =3D '%r'\n", + __FUNCTION__, + Status + )); + return Status; + } + + Time->Pad1 =3D 0; + Time->Nanosecond =3D 0; + Time->TimeZone =3D 0; + Time->Daylight =3D 0; + Time->Pad2 =3D 0; + + return EFI_SUCCESS; +} + /** This code checks if the FileSuffix is one of the possible DER-encoded ce= rtificate suffix. =20 @@ -436,6 +482,7 @@ EnrollPlatformKey ( UINT32 Attr; UINTN DataSize; EFI_SIGNATURE_LIST *PkCert; + EFI_TIME Time; =20 PkCert =3D NULL; =20 @@ -463,7 +510,13 @@ EnrollPlatformKey ( Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; DataSize =3D PkCert->SignatureListSize; - Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -522,6 +575,7 @@ EnrollRsa2048ToKek ( UINTN KekSigListSize; UINT8 *KeyBuffer; UINTN KeyLenInBytes; + EFI_TIME Time; =20 Attr =3D 0; DataSize =3D 0; @@ -608,7 +662,13 @@ EnrollRsa2048ToKek ( // Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -689,6 +749,7 @@ EnrollX509ToKek ( UINTN DataSize; UINTN KekSigListSize; UINT32 Attr; + EFI_TIME Time; =20 X509Data =3D NULL; X509DataSize =3D 0; @@ -735,7 +796,13 @@ EnrollX509ToKek ( // Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -861,6 +928,7 @@ EnrollX509toSigDB ( UINTN DataSize; UINTN SigDBSize; UINT32 Attr; + EFI_TIME Time; =20 X509DataSize =3D 0; SigDBSize =3D 0; @@ -910,7 +978,13 @@ EnrollX509toSigDB ( // Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -1321,6 +1395,7 @@ EnrollX509HashtoSigDB ( UINT16 *FilePostFix; UINTN NameLength; EFI_TIME *Time; + EFI_TIME NewTime; =20 X509DataSize =3D 0; DbSize =3D 0; @@ -1490,7 +1565,13 @@ EnrollX509HashtoSigDB ( DataSize =3D DbSize; } =20 - Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); + Status =3D GetCurrentTime (&NewTime); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data, &NewTime); if (EFI_ERROR (Status)) { goto ON_EXIT; } @@ -2169,6 +2250,7 @@ EnrollImageSignatureToSigDB ( UINTN SigDBSize; UINT32 Attr; WIN_CERTIFICATE_UEFI_GUID *GuidCertData; + EFI_TIME Time; =20 Data =3D NULL; GuidCertData =3D NULL; @@ -2267,7 +2349,13 @@ EnrollImageSignatureToSigDB ( =20 Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -2609,6 +2697,7 @@ DeleteKeyExchangeKey ( UINT32 KekDataSize; UINTN DeleteKekIndex; UINTN GuidIndex; + EFI_TIME Time; =20 Data =3D NULL; OldData =3D NULL; @@ -2727,7 +2816,13 @@ DeleteKeyExchangeKey ( =20 DataSize =3D Offset; if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) !=3D 0) { - Status =3D CreateTimeBasedPayload (&DataSize, &OldData); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&DataSize, &OldData, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus)); goto ON_EXIT; @@ -2805,6 +2900,7 @@ DeleteSignature ( BOOLEAN IsItemFound; UINT32 ItemDataSize; UINTN GuidIndex; + EFI_TIME Time; =20 Data =3D NULL; OldData =3D NULL; @@ -2931,7 +3027,13 @@ DeleteSignature ( =20 DataSize =3D Offset; if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) !=3D 0) { - Status =3D CreateTimeBasedPayload (&DataSize, &OldData); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&DataSize, &OldData, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus)); goto ON_EXIT; @@ -3000,6 +3102,7 @@ DeleteSignatureEx ( UINTN Offset; UINT8 *VariableData; UINT8 *NewVariableData; + EFI_TIME Time; =20 Status =3D EFI_SUCCESS; VariableAttr =3D 0; @@ -3120,7 +3223,13 @@ DeleteSignatureEx ( } =20 if ((VariableAttr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) = !=3D 0) { - Status =3D CreateTimeBasedPayload (&VariableDataSize, &NewVariableData= ); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&VariableDataSize, &NewVariableData= , &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus)); goto ON_EXIT; diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 420687a21141..1671d5be7ccd 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf @@ -111,6 +111,7 @@ [Protocols] gEfiHiiConfigAccessProtocolGuid ## PRODUCES gEfiDevicePathProtocolGuid ## PRODUCES gEfiHiiPopupProtocolGuid + gEfiRealTimeClockArchProtocolGuid ## CONSUMES =20 [Depex] gEfiHiiConfigRoutingProtocolGuid AND --=20 2.34.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#89515): https://edk2.groups.io/g/devel/message/89515 Mute This Topic: https://groups.io/mt/90893936/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-