From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu
Subject: [edk2-devel] [PATCH v2 08/11] SecurityPkg: SecureBootConfigDxe: Updated invocation pattern
Date: Mon, 13 Jun 2022 13:39:39 -0700
Message-Id: <20220613203943.704-9-kuqin12@gmail.com>
In-Reply-To: <20220613203943.704-1-kuqin12@gmail.com>
References: <20220613203943.704-1-kuqin12@gmail.com>

From: Kun Qin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909

This change is in pair with the previous SecureBootVariableLib change, which updated the interface of `CreateTimeBasedPayload`.

This change added a helper function to query the current time through Real Time Clock protocol. This function is used when needing to format an authenticated variable payload.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin
--- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl= .c | 127 ++++++++++++++++++-- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.= inf | 1 + 2 files changed, 119 insertions(+), 9 deletions(-) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index a13c349a0f89..4299a6b5e56d 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "SecureBootConfigImpl.h" #include #include +#include #include #include #include 
@@ -136,6 +137,51 @@ CloseEnrolledFile ( FileContext->FileType =3D UNKNOWN_FILE_TYPE; } =20 +/** + Helper function to populate an EFI_TIME instance. + + @param[in] Time FileContext cached in SecureBootConfig driver + +**/ +STATIC +EFI_STATUS +GetCurrentTime ( + IN EFI_TIME *Time + ) +{ + EFI_STATUS Status; + VOID *TestPointer; + + if (Time =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + Status =3D gBS->LocateProtocol (&gEfiRealTimeClockArchProtocolGuid, NULL= , &TestPointer); + if (EFI_ERROR (Status)) { + return Status; + } + + ZeroMem (Time, sizeof (EFI_TIME)); + Status =3D gRT->GetTime (Time, NULL); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_ERROR, + "%a(), GetTime() failed, status =3D '%r'\n", + __FUNCTION__, + Status + )); + return Status; + } + + Time->Pad1 =3D 0; + Time->Nanosecond =3D 0; + Time->TimeZone =3D 0; + Time->Daylight =3D 0; + Time->Pad2 =3D 0; + + return EFI_SUCCESS; +} + /** This code checks if the FileSuffix is one of the possible DER-encoded ce= rtificate suffix. =20 @@ -436,6 +482,7 @@ EnrollPlatformKey ( UINT32 Attr; UINTN DataSize; EFI_SIGNATURE_LIST *PkCert; + EFI_TIME Time; =20 PkCert =3D NULL; =20 @@ -463,7 +510,13 @@ EnrollPlatformKey ( Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; DataSize =3D PkCert->SignatureListSize; - Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -522,6 +575,7 @@ EnrollRsa2048ToKek ( UINTN KekSigListSize; UINT8 *KeyBuffer; UINTN KeyLenInBytes; + EFI_TIME Time; =20 Attr =3D 0; DataSize =3D 0; 
@@ -608,7 +662,13 @@ EnrollRsa2048ToKek ( // Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -689,6 +749,7 @@ EnrollX509ToKek ( UINTN DataSize; UINTN KekSigListSize; UINT32 Attr; + EFI_TIME Time; =20 X509Data =3D NULL; X509DataSize =3D 0; @@ -735,7 +796,13 @@ EnrollX509ToKek ( // Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -861,6 +928,7 @@ EnrollX509toSigDB ( UINTN DataSize; UINTN SigDBSize; UINT32 Attr; + EFI_TIME Time; =20 X509DataSize =3D 0; SigDBSize =3D 0; 
@@ -910,7 +978,13 @@ EnrollX509toSigDB ( // Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -1321,6 +1395,7 @@ EnrollX509HashtoSigDB ( UINT16 *FilePostFix; UINTN NameLength; EFI_TIME *Time; + EFI_TIME NewTime; =20 X509DataSize =3D 0; DbSize =3D 0; @@ -1490,7 +1565,13 @@ EnrollX509HashtoSigDB ( DataSize =3D DbSize; } =20 - Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); + Status =3D GetCurrentTime (&NewTime); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data, &NewTime); if (EFI_ERROR (Status)) { goto ON_EXIT; } @@ -2169,6 +2250,7 @@ EnrollImageSignatureToSigDB ( UINTN SigDBSize; UINT32 Attr; WIN_CERTIFICATE_UEFI_GUID *GuidCertData; + EFI_TIME Time; =20 Data =3D NULL; GuidCertData =3D NULL; 
@@ -2267,7 +2349,13 @@ EnrollImageSignatureToSigDB ( =20 Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -2609,6 +2697,7 @@ DeleteKeyExchangeKey ( UINT32 KekDataSize; UINTN DeleteKekIndex; UINTN GuidIndex; + EFI_TIME Time; =20 Data =3D NULL; OldData =3D NULL; @@ -2727,7 +2816,13 @@ DeleteKeyExchangeKey ( =20 DataSize =3D Offset; if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) !=3D 0) { - Status =3D CreateTimeBasedPayload (&DataSize, &OldData); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&DataSize, &OldData, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus)); goto ON_EXIT; @@ -2805,6 +2900,7 @@ DeleteSignature ( BOOLEAN IsItemFound; UINT32 ItemDataSize; UINTN GuidIndex; + EFI_TIME Time; =20 Data =3D NULL; OldData =3D NULL; 
@@ -2931,7 +3027,13 @@ DeleteSignature ( =20 DataSize =3D Offset; if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) !=3D 0) { - Status =3D CreateTimeBasedPayload (&DataSize, &OldData); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&DataSize, &OldData, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus)); goto ON_EXIT; @@ -3000,6 +3102,7 @@ DeleteSignatureEx ( UINTN Offset; UINT8 *VariableData; UINT8 *NewVariableData; + EFI_TIME Time; =20 Status =3D EFI_SUCCESS; VariableAttr =3D 0; @@ -3120,7 +3223,13 @@ DeleteSignatureEx ( } =20 if ((VariableAttr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) = !=3D 0) { - Status =3D CreateTimeBasedPayload (&VariableDataSize, &NewVariableData= ); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&VariableDataSize, &NewVariableData= , &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus)); goto ON_EXIT; diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 420687a21141..1671d5be7ccd 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf 
@@ -111,6 +111,7 @@ [Protocols] gEfiHiiConfigAccessProtocolGuid ## PRODUCES gEfiDevicePathProtocolGuid ## PRODUCES gEfiHiiPopupProtocolGuid + gEfiRealTimeClockArchProtocolGuid ## CONSUMES =20 [Depex] gEfiHiiConfigRoutingProtocolGuid AND --=20 2.35.1.windows.2
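
Review bot: In the GetCurrentTime() hunk (@@ -136,6 +137,51 @@), the header comment documents the parameter as `@param[in] Time FileContext cached in SecureBootConfig driver`, which does not describe this function and appears to be carried over from the neighbouring file-context helpers. The function fills `*Time`, so the declaration should read `OUT EFI_TIME *Time` with a matching `@param[out]` description, and the comment should list `@retval` entries for EFI_INVALID_PARAMETER, the LocateProtocol() error and the GetTime() error. The LocateProtocol() failure path also returns without logging while the GetTime() failure path emits a DEBUG_ERROR; logging in both would make failures easier to tell apart. The block that clears `Pad1`, `Nanosecond`, `TimeZone`, `Daylight` and `Pad2` overwrites what GetTime() returned without adjusting the remaining fields, so a short comment stating why these fields are zeroed for the authenticated-variable timestamp would help the next reader.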
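
Review bot: In the EnrollPlatformKey hunk (@@ -463,7 +510,13 @@), and in the same pattern at the other call sites, the new message `"Fail to fetch valid time data: %r"` has no trailing `\n`, while the DEBUG inside GetCurrentTime() does end with one. When GetTime() fails, both the helper and the caller log, and the caller's line then runs into whatever is printed next. Either add `\n` to the new message or drop the caller-side DEBUG and rely on the helper's own logging.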
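
Review bot: In the EnrollX509HashtoSigDB hunks (@@ -1321,6 +1395,7 @@ and @@ -1490,7 +1565,13 @@), the new local `EFI_TIME NewTime;` sits directly under the existing `EFI_TIME *Time;`, and the two names are easy to confuse when reading the rest of the function. A name that says what the value is for, such as the current time used for the payload timestamp, would make it clear that `&NewTime` and not `Time` is what reaches CreateTimeBasedPayload(). This is also the only call site where a CreateTimeBasedPayload() failure goes to ON_EXIT without a DEBUG message, while the GetCurrentTime() failure just above it now logs; making the two consistent would be a small improvement while the lines are being touched.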
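
Review bot: In the DeleteSignatureEx hunk (@@ -3120,7 +3223,13 @@), the six added lines (GetCurrentTime(), the EFI_ERROR check, the DEBUG and `goto ON_EXIT`) are the same block that the patch adds before every one of the nine CreateTimeBasedPayload() calls in this file. A small STATIC wrapper that fetches the time and then calls CreateTimeBasedPayload() would keep the nine sites to one line each and remove the risk of one of them drifting, for example a future call site that forgets the time lookup and passes an uninitialised EFI_TIME.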
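
Review bot: In the SecureBootConfigDxe.inf hunk (@@ -111,6 +111,7 @@), `gEfiRealTimeClockArchProtocolGuid ## CONSUMES` is added under [Protocols], but GetCurrentTime() only uses LocateProtocol() as a presence check and never calls through the returned interface, and the visible [Depex] section is left unchanged. Please say in the commit message or in a comment beside the LocateProtocol() call that the protocol is probed at call time rather than required at dispatch, so it is clear that leaving [Depex] alone is deliberate.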