From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Jiewen Yao, Michael Kubacki
Subject: [edk2-devel] [PATCH v3 01/11] SecurityPkg: UefiSecureBoot: Definitions of cert and payload structures
Date: Thu, 30 Jun 2022 16:53:31 -0700
Message-Id: <20220630235341.1746-2-kuqin12@gmail.com>
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>

From: Kun Qin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910

This change added certificate and payload structures that can be consumed
by SecureBootVariableLib and other Secure Boot related operations.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin
Reviewed-by: Jiewen Yao
Acked-by: Michael Kubacki
---

Notes:
    v3:
    - Added reviewed-by tag [Jiewen]
    - Added reviewed-by tag [Michael Kubacki]

 SecurityPkg/Include/UefiSecureBoot.h | 94 ++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/SecurityPkg/Include/UefiSecureBoot.h b/SecurityPkg/Include/Uef= iSecureBoot.h new file mode 100644 index 000000000000..642fef38f3a1 --- /dev/null +++ b/SecurityPkg/Include/UefiSecureBoot.h
@@ -0,0 +1,94 @@ +/** @file + Provides a Secure Boot related data structure definitions. + + Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef UEFI_SECURE_BOOT_H_ +#define UEFI_SECURE_BOOT_H_ + +#pragma pack (push, 1) + +/* + Data structure to provide certificates to setup authenticated secure + boot variables ('db', 'dbx', 'dbt', 'pk', etc.). + +*/ +typedef struct { + // + // The size, in number of bytes, of supplied certificate in 'Data' field. + // + UINTN DataSize; + // + // The pointer to the certificates in DER-encoded format. + // Note: This certificate data should not contain the EFI_VARIABLE_AUTHE= NTICATION_2 + // for authenticated variables. + // + CONST VOID *Data; +} SECURE_BOOT_CERTIFICATE_INFO; + +/* + Data structure to provide all Secure Boot related certificates. + +*/ +typedef struct { + // + // The human readable name for this set of Secure Boot key sets. + // + CONST CHAR16 *SecureBootKeyName; + // + // The size, in number of bytes, of supplied certificate in 'DbPtr' fiel= d. + // + UINTN DbSize; + // + // The pointer to the DB certificates in signature list format. + // Note: This DB certificates should not contain the EFI_VARIABLE_AUTHEN= TICATION_2 + // for authenticated variables. + // + CONST VOID *DbPtr; + // + // The size, in number of bytes, of supplied certificate in 'DbxPtr' fie= ld. + // + UINTN DbxSize; + // + // The pointer to the DBX certificates in signature list format. + // Note: This DBX certificates should not contain the EFI_VARIABLE_AUTHE= NTICATION_2 + // for authenticated variables. + // + CONST VOID *DbxPtr; + // + // The size, in number of bytes, of supplied certificate in 'DbtPtr' fie= ld. + // + UINTN DbtSize; + // + // The pointer to the DBT certificates in signature list format. + // Note: This DBT certificates should not contain the EFI_VARIABLE_AUTHE= NTICATION_2 + // for authenticated variables. 
+ // + CONST VOID *DbtPtr; + // + // The size, in number of bytes, of supplied certificate in 'KekPtr' fie= ld. + // + UINTN KekSize; + // + // The pointer to the KEK certificates in signature list format. + // Note: This KEK certificates should not contain the EFI_VARIABLE_AUTHE= NTICATION_2 + // for authenticated variables. + // + CONST VOID *KekPtr; + // + // The size, in number of bytes, of supplied certificate in 'PkPtr' fiel= d. + // + UINTN PkSize; + // + // The pointer to the PK certificates in signature list format. + // Note: This PK certificates should not contain the EFI_VARIABLE_AUTHEN= TICATION_2 + // for authenticated variables. + // + CONST VOID *PkPtr; +} SECURE_BOOT_PAYLOAD_INFO; +#pragma pack (pop) + +#endif // UEFI_SECURE_BOOT_H_ --=20 2.36.0.windows.1
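
Review bot: In SecurityPkg/Include/UefiSecureBoot.h, the field comments of SECURE_BOOT_PAYLOAD_INFO do not say which of the Db, Dbx, Dbt, Kek and Pk entries are optional, or what a NULL pointer with a zero size means, so each consumer has to guess how to validate the structure before writing authenticated variables from it. Please state per field whether NULL with size 0 is accepted, and that each size must describe exactly the buffer its pointer refers to. Two smaller points on the same hunk: "#pragma pack (push, 1)" has no visible purpose for structures made only of UINTN and pointer members, so it could be dropped; and the structure comments open with "/*" while the file header uses "/** @file", which looks unintended if they are meant to be documentation comments.
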
From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Jiewen Yao, Michael Kubacki
Subject: [edk2-devel] [PATCH v3 02/11] SecurityPkg: PlatformPKProtectionLib: Added PK protection interface
Date: Thu, 30 Jun 2022 16:53:32 -0700
Message-Id: <20220630235341.1746-3-kuqin12@gmail.com>
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>

From: Kun Qin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911

This patch provides an abstracted interface for platform to implement PK
variable related protection interface, which is designed to be used when
PK variable is about to be changed by UEFI firmware. This change also
provided a variable policy based library implementation to accommodate
platforms that support variable policy for variable protections.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin
Reviewed-by: Jiewen Yao
Acked-by: Michael Kubacki
---

Notes:
    v3:
    - Added reviewed-by tag [Jiewen]
    - Added acked-by tag [Michael Kubacki]

 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c   | 51 ++++++++++++++++++++
 SecurityPkg/Include/Library/PlatformPKProtectionLib.h                                     | 31 ++++++++++++
 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf | 36 ++++++++++++++
 SecurityPkg/SecurityPkg.dec                                                               |  5 ++
 SecurityPkg/SecurityPkg.dsc                                                               |  2 +
 5 files changed, 125 insertions(+)

diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformP= KProtectionLibVarPolicy.c b/SecurityPkg/Library/PlatformPKProtectionLibVarP= olicy/PlatformPKProtectionLibVarPolicy.c new file mode 100644 index 000000000000..a2649242246f --- /dev/null +++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtec= tionLibVarPolicy.c
@@ -0,0 +1,51 @@ +/** @file + Provides an abstracted interface for configuring PK related variable pro= tection. + + Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include +#include + +#include +#include + +/** + Disable any applicable protection against variable 'PK'. The implementat= ion + of this interface is platform specific, depending on the protection tech= niques + used per platform. + + Note: It is the platform's responsibility to conduct cautious operation = after + disabling this protection. + + @retval EFI_SUCCESS State has been successfully updated. + @retval Others Error returned from implementation s= pecific + underying APIs. + +**/ +EFI_STATUS +EFIAPI +DisablePKProtection ( + VOID + ) +{ + EFI_STATUS Status; + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy; + + DEBUG ((DEBUG_INFO, "%a() Entry...\n", __FUNCTION__)); + + // IMPORTANT NOTE: This operation is sticky and leaves variable protecti= ons disabled. + // The system *MUST* be reset after performing this ope= ration. + Status =3D gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL,= (VOID **)&VariablePolicy); + if (!EFI_ERROR (Status)) { + Status =3D VariablePolicy->DisableVariablePolicy (); + // EFI_ALREADY_STARTED means that everything is currently disabled. + // This should be considered SUCCESS. + if (Status =3D=3D EFI_ALREADY_STARTED) { + Status =3D EFI_SUCCESS; + } + } + + return Status; +} diff --git a/SecurityPkg/Include/Library/PlatformPKProtectionLib.h b/Securi= tyPkg/Include/Library/PlatformPKProtectionLib.h new file mode 100644 index 000000000000..3586a47b77c2 --- /dev/null +++ b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h 
@@ -0,0 +1,31 @@ +/** @file + Provides an abstracted interface for configuring PK related variable pro= tection. + + Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef PLATFORM_PK_PROTECTION_LIB_H_ +#define PLATFORM_PK_PROTECTION_LIB_H_ + +/** + Disable any applicable protection against variable 'PK'. The implementat= ion + of this interface is platform specific, depending on the protection tech= niques + used per platform. + + Note: It is the platform's responsibility to conduct cautious operation = after + disabling this protection. + + @retval EFI_SUCCESS State has been successfully updated. + @retval Others Error returned from implementation s= pecific + underying APIs. + +**/ +EFI_STATUS +EFIAPI +DisablePKProtection ( + VOID + ); + +#endif diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformP= KProtectionLibVarPolicy.inf b/SecurityPkg/Library/PlatformPKProtectionLibVa= rPolicy/PlatformPKProtectionLibVarPolicy.inf new file mode 100644 index 000000000000..df42ce06c019 --- /dev/null +++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtec= tionLibVarPolicy.inf 
@@ -0,0 +1,36 @@ +## @file +# Provides an abstracted interface for configuring PK related variable pr= otection. +# +# Copyright (c) Microsoft Corporation. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D PlatformPKProtectionLibVarPolicy + FILE_GUID =3D AE0C5992-526C-4518-93BA-3C2611B801E0 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D PlatformPKProtectionLib|DXE_DRIVER DX= E_RUNTIME_DRIVER UEFI_APPLICATION + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 +# + +[Sources] + PlatformPKProtectionLibVarPolicy.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + DebugLib + UefiBootServicesTableLib + +[Protocols] + gEdkiiVariablePolicyProtocolGuid diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 0ee75efc1a97..7ecf9565d98c 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -99,6 +99,11 @@ [LibraryClasses] ## @libraryclass Provides support to enroll Secure Boot keys. # SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisi= onLib.h + + ## @libraryclass Provides support to manage variable 'PK' related prote= ctions. + # + PlatformPKProtectionLib|Include/Library/PlatformPKProtectionLib.h + [Guids] ## Security package token space guid. # Include/Guid/SecurityPkgTokenSpace.h diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index d883747474e4..f48187650f2f 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc 
@@ -71,6 +71,7 @@ [LibraryClasses] TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLo= gRecordLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf TdxLib|MdePkg/Library/TdxLib/TdxLib.inf =20 
@@ -261,6 +262,7 @@ [Components] # SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf + SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectio= nLibVarPolicy.inf =20 # # Other --=20 2.36.0.windows.1
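
Review bot: In PlatformPKProtectionLibVarPolicy.c, DisablePKProtection() returns the LocateProtocol error without any DEBUG output, and a failure of DisableVariablePolicy () other than EFI_ALREADY_STARTED is passed back just as silently, although entry into the function is logged at DEBUG_INFO. A DEBUG_ERROR line with %r on both failure paths would let a platform see why PK provisioning stopped. The function comment also speaks only of protection against 'PK', while the body calls DisableVariablePolicy () and its inline comment says this "leaves variable protections disabled"; the function header should say that this instance turns off variable policy as a whole.
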
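
Review bot: In PlatformPKProtectionLib.h, the contract for DisablePKProtection() tells callers only to "conduct cautious operation", while the statement that the operation is sticky and that the system must be reset afterwards exists only as an inline comment inside the VarPolicy instance, where users of the library class will not look. Please move that requirement into the header, or state there that the post-conditions are instance specific and must be documented by each instance. The @retval text also has a typo in both the .h and the .c: "underying" should be "underlying".
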
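
Review bot: In PlatformPKProtectionLibVarPolicy.inf, LIBRARY_CLASS lists DXE_RUNTIME_DRIVER, but the only function in this instance reaches the protocol through gBS->LocateProtocol, and boot services are no longer available after ExitBootServices. Either remove DXE_RUNTIME_DRIVER from the supported module types, or document in the function header that DisablePKProtection() may only be called at boot time and make the instance fail safely when it is not.
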
From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Jiewen Yao, Michael Kubacki
Subject: [edk2-devel] [PATCH v3 03/11] SecurityPkg: SecureBootVariableLib: Updated time based payload creator
Date: Thu, 30 Jun 2022 16:53:33 -0700
Message-Id: <20220630235341.1746-4-kuqin12@gmail.com>
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>

From: Kun Qin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909

This change updated the interface of 'CreateTimeBasedPayload' by
requiring the caller to provide a timestamp, instead of relying on time
protocol to be ready during runtime. It intends to extend the library
availability during boot environment.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin Reviewed-by: Jiewen Yao Acked-by: Michael Kubacki --- Notes: v3: - Added reviewed-by tag [Jiewen] - Added acked-by tag [Michael Kubacki] SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 53 += +++++++++++-------- SecurityPkg/Include/Library/SecureBootVariableLib.h | 9 += ++- SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 8 += -- 3 files changed, 40 insertions(+), 30 deletions(-) diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index e0d137666e0e..3b33a356aba3 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -6,8 +6,10 @@ (C) Copyright 2018 Hewlett Packard Enterprise Development LP
Copyright (c) 2021, ARM Ltd. All rights reserved.
Copyright (c) 2021, Semihalf All rights reserved.
+ Copyright (c) Microsoft Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include #include #include #include @@ -21,6 +23,21 @@ #include #include "Library/DxeServicesLib.h" =20 +// This time can be used when deleting variables, as it should be greater = than any variable time. +EFI_TIME mMaxTimestamp =3D { + 0xFFFF, // Year + 0xFF, // Month + 0xFF, // Day + 0xFF, // Hour + 0xFF, // Minute + 0xFF, // Second + 0x00, + 0x00000000, // Nanosecond + 0, + 0, + 0x00 +}; + /** Creates EFI Signature List structure. =20 @param[in] Data A pointer to signature data. @@ -118,7 +135,7 @@ ConcatenateSigList ( =20 @param[in] KeyFileGuid A pointer to to the FFS filename GUID @param[out] SigListsSize A pointer to size of signature list - @param[out] SigListOut a pointer to a callee-allocated buffer w= ith signature lists + @param[out] SigListsOut a pointer to a callee-allocated buffer = with signature lists =20 @retval EFI_SUCCESS Create time based payload successfully. @retval EFI_NOT_FOUND Section with key has not been found. 
@@ -210,28 +227,30 @@ SecureBootFetchData ( pointer to NULL to wrap an empty payloa= d. On output, Pointer to the new payload d= ate buffer allocated from pool, it's caller's responsibility to free th= e memory when finish using it. + @param[in] Time Pointer to time information to created = time based payload. =20 @retval EFI_SUCCESS Create time based payload successfully. @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload. @retval EFI_INVALID_PARAMETER The parameter is invalid. @retval Others Unexpected error happens. =20 -**/ +--*/ EFI_STATUS +EFIAPI CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data + IN OUT UINTN *DataSize, + IN OUT UINT8 **Data, + IN EFI_TIME *Time ) { - EFI_STATUS Status; UINT8 *NewData; UINT8 *Payload; UINTN PayloadSize; EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData; UINTN DescriptorSize; - EFI_TIME Time; =20 - if ((Data =3D=3D NULL) || (DataSize =3D=3D NULL)) { + if ((Data =3D=3D NULL) || (DataSize =3D=3D NULL) || (Time =3D=3D NULL)) { + DEBUG ((DEBUG_ERROR, "%a(), invalid arg\n", __FUNCTION__)); return EFI_INVALID_PARAMETER; } =20 @@ -247,6 +266,7 @@ CreateTimeBasedPayload ( DescriptorSize =3D OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) += OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData); NewData =3D (UINT8 *)AllocateZeroPool (DescriptorSize + PayloadSi= ze); if (NewData =3D=3D NULL) { + DEBUG ((DEBUG_ERROR, "%a() Out of resources.\n", __FUNCTION__)); return EFI_OUT_OF_RESOURCES; } =20 
@@ -256,19 +276,7 @@ CreateTimeBasedPayload ( =20 DescriptorData =3D (EFI_VARIABLE_AUTHENTICATION_2 *)(NewData); =20 - ZeroMem (&Time, sizeof (EFI_TIME)); - Status =3D gRT->GetTime (&Time, NULL); - if (EFI_ERROR (Status)) { - FreePool (NewData); - return Status; - } - - Time.Pad1 =3D 0; - Time.Nanosecond =3D 0; - Time.TimeZone =3D 0; - Time.Daylight =3D 0; - Time.Pad2 =3D 0; - CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME)); + CopyMem (&DescriptorData->TimeStamp, Time, sizeof (EFI_TIME)); =20 DescriptorData->AuthInfo.Hdr.dwLength =3D OFFSET_OF (WIN_CERTIFI= CATE_UEFI_GUID, CertData); DescriptorData->AuthInfo.Hdr.wRevision =3D 0x0200; @@ -277,6 +285,7 @@ CreateTimeBasedPayload ( =20 if (Payload !=3D NULL) { FreePool (Payload); + Payload =3D NULL; } =20 *DataSize =3D DescriptorSize + PayloadSize; @@ -296,6 +305,7 @@ CreateTimeBasedPayload ( =20 **/ EFI_STATUS +EFIAPI DeleteVariable ( IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid @@ -319,7 +329,7 @@ DeleteVariable ( Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | E= FI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; =20 - Status =3D CreateTimeBasedPayload (&DataSize, &Data); + Status =3D CreateTimeBasedPayload (&DataSize, &Data, &mMaxTimestamp); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); return Status; @@ -351,6 +361,7 @@ DeleteVariable ( =20 **/ EFI_STATUS +EFIAPI SetSecureBootMode ( IN UINT8 SecureBootMode ) diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/Security= Pkg/Include/Library/SecureBootVariableLib.h index 7b7afd9cde7c..9f2d41220b70 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h @@ -6,6 +6,7 @@ Copyright (c) 2011 - 2018, Intel Corporation. All rights re= served.
(C) Copyright 2018 Hewlett Packard Enterprise Development LP
Copyright (c) 2021, ARM Ltd. All rights reserved.
Copyright (c) 2021, Semihalf All rights reserved.
+Copyright (c) Microsoft Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -24,6 +25,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 --*/ EFI_STATUS +EFIAPI SetSecureBootMode ( IN UINT8 SecureBootMode ); @@ -73,6 +75,7 @@ SecureBootFetchData ( pointer to NULL to wrap an empty payloa= d. On output, Pointer to the new payload d= ate buffer allocated from pool, it's caller's responsibility to free th= e memory when finish using it. + @param[in] Time Pointer to time information to created = time based payload. =20 @retval EFI_SUCCESS Create time based payload successfully. @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload. @@ -81,9 +84,11 @@ SecureBootFetchData ( =20 --*/ EFI_STATUS +EFIAPI CreateTimeBasedPayload ( - IN OUT UINTN *DataSize, - IN OUT UINT8 **Data + IN OUT UINTN *DataSize, + IN OUT UINT8 **Data, + IN EFI_TIME *Time ); =20 /** diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf index ed7af3dd9cd5..87db5a258021 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf @@ -4,6 +4,7 @@ # # Copyright (c) 2021, ARM Ltd. All rights reserved.
# Copyright (c) 2021, Semihalf All rights reserved.
+# Copyright (c) Microsoft Corporation. # # SPDX-License-Identifier: BSD-2-Clause-Patent # 
@@ -68,12 +69,5 @@ [Guids] ## PRODUCES ## Variable:L"CustomMode" gEfiCustomModeEnableGuid =20 - gEfiCertTypeRsa2048Sha256Guid ## CONSUMES gEfiCertX509Guid ## CONSUMES gEfiCertPkcs7Guid ## CONSUMES - - gDefaultPKFileGuid - gDefaultKEKFileGuid - gDefaultdbFileGuid - gDefaultdbxFileGuid - gDefaultdbtFileGuid --=20 2.36.0.windows.1
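
Review bot: mMaxTimestamp, added in the hunk at @@ -21,6 +23,21 @@ of SecureBootVariableLib.c, is a writable global with external linkage, so any module that links this library can modify it or clash with its name, and DeleteVariable depends on its value. Please declare it STATIC CONST and change the new parameter to "IN CONST EFI_TIME *Time" so the constant can be passed without a cast. The positional initializer also leaves four members uncommented (0x00, 0, 0, 0x00); naming them Pad1, TimeZone, Daylight and Pad2 would make it clear that they are intentionally zero, and a sentence noting that 0xFF for Month, Day, Hour, Minute and Second is a deliberate out-of-range sentinel rather than a calendar value would help the next reader.
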
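
Review bot: The hunk at @@ -256,19 +276,7 @@ of SecureBootVariableLib.c removes the lines that set Pad1, Nanosecond, TimeZone, Daylight and Pad2 to zero and now copies the caller's EFI_TIME unchanged into DescriptorData->TimeStamp, so a caller that passes in a freshly read time gets a different descriptor than the old code produced. Either copy Time into a local EFI_TIME and keep clearing those five fields before the CopyMem, or state in the new "@param[in] Time" text that the caller must zero them. In the preceding hunk the comment terminator of the same function changes from "**/" to "--*/", which looks accidental.
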
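
Review bot: The [Guids] hunk of SecureBootVariableLib.inf removes gEfiCertTypeRsa2048Sha256Guid and the five gDefault*FileGuid entries, which the commit message (a timestamp argument for CreateTimeBasedPayload) neither mentions nor explains. If the library source no longer references these GUIDs, please say so in the message; otherwise move the removal to the patch that drops their last user, so that every commit in the series builds on its own. For the same reason, the diffstat lists only the three SecureBootVariableLib files, so any existing two-argument callers of CreateTimeBasedPayload outside them would need to be updated in this patch as well.
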
b=XMhvg4cucT9AOh6iWOjL4JXAmtSpcvk4RCEQ9QAgjO1WBqd26CeyMiVy8R1KRT4zuQ6Yvik+qr+qjo9cBPckCewQcY9b5u9Q7JPc27MjM3SxrX2HG8SJS9K3IJmdgqhbnBdcL09um00L3Ncj6pdeGHsAQlHhp665on2XWhKRvcY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+90952+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1656633240914688.8736568779857; Thu, 30 Jun 2022 16:54:00 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id NKkEYY1788612xQDPS1dWd7n; Thu, 30 Jun 2022 16:54:00 -0700 X-Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by mx.groups.io with SMTP id smtpd.web12.32570.1656633239877360344 for ; Thu, 30 Jun 2022 16:53:59 -0700 X-Received: by mail-pf1-f180.google.com with SMTP id a15so849216pfv.13 for ; Thu, 30 Jun 2022 16:53:59 -0700 (PDT) X-Gm-Message-State: aFAgtgbWL2xGb6jKs3VfFydvx1787277AA= X-Google-Smtp-Source: AGRyM1syaX4jGucvksqTDxFFWoaAzFFtR5GktazDEspD0iBHluigh2MLxpIkIvl+g7F/9msgb249+g== X-Received: by 2002:a63:7417:0:b0:40c:99b5:a866 with SMTP id p23-20020a637417000000b0040c99b5a866mr10097942pgc.73.1656633239265; Thu, 30 Jun 2022 16:53:59 -0700 (PDT) X-Received: from MININT-0U7P5GU.redmond.corp.microsoft.com ([2001:4898:80e8:7:19ac:d515:5a95:7969]) by smtp.gmail.com with ESMTPSA id x199-20020a627cd0000000b00525243d0dc6sm14679202pfc.15.2022.06.30.16.53.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Jun 2022 16:53:59 -0700 (PDT) 
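Review bot: In the CreateTimeBasedPayload comment block, the added `@param[in] Time` line reads "to created time based payload" and does not say whether NULL is accepted. The new parameter changes the signature for every caller, so state the NULL behaviour (rejected, or a default timestamp substituted) and reword the line to something like "time information used to create the time-based payload".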
From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Jiewen Yao, Michael Kubacki
Subject: [edk2-devel] [PATCH v3 04/11] SecurityPkg: SecureBootVariableLib: Updated signature list creator
Date: Thu, 30 Jun 2022 16:53:34 -0700
Message-Id: <20220630235341.1746-5-kuqin12@gmail.com>
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>

From: kuqin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910

This change removes the interface of SecureBootFetchData and replaces it with `SecureBootCreateDataFromInput`, which will require the caller to prepare available certificates in defined structures.

This improvement will eliminate the dependency of reading from FV, extending the availability of this library instance.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin Reviewed-by: Jiewen Yao Acked-by: Michael Kubacki --- Notes: v3: - Added reviewed-by tag [Jiewen] - Added acked-by tag [Michael Kubacki] SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 69 += ++++++++++--------- SecurityPkg/Include/Library/SecureBootVariableLib.h | 25 += +++--- SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 3 - 3 files changed, 53 insertions(+), 44 deletions(-) diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index 3b33a356aba3..f56f0322e943 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -10,10 +10,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include +#include #include #include #include -#include #include #include #include @@ -21,7 +21,6 @@ #include #include #include -#include "Library/DxeServicesLib.h" =20 // This time can be used when deleting variables, as it should be greater = than any variable time. EFI_TIME mMaxTimestamp =3D { 
@@ -130,24 +129,29 @@ ConcatenateSigList ( } =20 /** - Create a EFI Signature List with data fetched from section specified as = a argument. - Found keys are verified using RsaGetPublicKeyFromX509(). + Create a EFI Signature List with data supplied from input argument. + The input certificates from KeyInfo parameter should be DER-encoded + format. =20 - @param[in] KeyFileGuid A pointer to to the FFS filename GUID @param[out] SigListsSize A pointer to size of signature list - @param[out] SigListsOut a pointer to a callee-allocated buffer = with signature lists + @param[out] SigListOut A pointer to a callee-allocated buffer = with signature lists + @param[in] KeyInfoCount The number of certificate pointer and s= ize pairs inside KeyInfo. + @param[in] KeyInfo A pointer to all certificates, in the f= ormat of DER-encoded, + to be concatenated into signature lists. =20 - @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_SUCCESS Created signature list from payload suc= cessfully. @retval EFI_NOT_FOUND Section with key has not been found. - @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or inpu= t pointers are NULL. @retval Others Unexpected error happens. =20 **/ EFI_STATUS -SecureBootFetchData ( - IN EFI_GUID *KeyFileGuid, - OUT UINTN *SigListsSize, - OUT EFI_SIGNATURE_LIST **SigListOut +EFIAPI +SecureBootCreateDataFromInput ( + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN UINTN KeyInfoCount, + IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo ) { EFI_SIGNATURE_LIST *EfiSig; 
@@ -155,36 +159,41 @@ SecureBootFetchData ( EFI_SIGNATURE_LIST *TmpEfiSig2; EFI_STATUS Status; VOID *Buffer; - VOID *RsaPubKey; UINTN Size; + UINTN InputIndex; UINTN KeyIndex; =20 + if ((SigListOut =3D=3D NULL) || (SigListsSize =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + if ((KeyInfoCount =3D=3D 0) || (KeyInfo =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + InputIndex =3D 0; KeyIndex =3D 0; EfiSig =3D NULL; *SigListsSize =3D 0; - while (1) { - Status =3D GetSectionFromAnyFv ( - KeyFileGuid, - EFI_SECTION_RAW, - KeyIndex, - &Buffer, - &Size - ); - - if (Status =3D=3D EFI_SUCCESS) { - RsaPubKey =3D NULL; - if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FALSE)= { - DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__,= KeyIndex)); + while (InputIndex < KeyInfoCount) { + if (KeyInfo[InputIndex].Data !=3D NULL) { + Size =3D KeyInfo[InputIndex].DataSize; + Buffer =3D AllocateCopyPool (Size, KeyInfo[InputIndex].Data); + if (Buffer =3D=3D NULL) { if (EfiSig !=3D NULL) { FreePool (EfiSig); } =20 - FreePool (Buffer); - return EFI_INVALID_PARAMETER; + return EFI_OUT_OF_RESOURCES; } =20 Status =3D CreateSigList (Buffer, Size, &TmpEfiSig); =20 + if (EFI_ERROR (Status)) { + FreePool (Buffer); + break; + } + // // Concatenate lists if more than one section found // @@ -202,9 +211,7 @@ SecureBootFetchData ( FreePool (Buffer); } =20 - if (Status =3D=3D EFI_NOT_FOUND) { - break; - } + InputIndex++; } =20 if (KeyIndex =3D=3D 0) { diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/Security= Pkg/Include/Library/SecureBootVariableLib.h index 9f2d41220b70..24ff0df067fa 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h 
@@ -44,24 +44,29 @@ GetSetupMode ( ); =20 /** - Create a EFI Signature List with data fetched from section specified as = a argument. - Found keys are verified using RsaGetPublicKeyFromX509(). + Create a EFI Signature List with data supplied from input argument. + The input certificates from KeyInfo parameter should be DER-encoded + format. =20 - @param[in] KeyFileGuid A pointer to to the FFS filename GUID @param[out] SigListsSize A pointer to size of signature list - @param[out] SigListsOut a pointer to a callee-allocated buffer = with signature lists + @param[out] SigListOut A pointer to a callee-allocated buffer = with signature lists + @param[in] KeyInfoCount The number of certificate pointer and s= ize pairs inside KeyInfo. + @param[in] KeyInfo A pointer to all certificates, in the f= ormat of DER-encoded, + to be concatenated into signature lists. =20 - @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_SUCCESS Created signature list from payload suc= cessfully. @retval EFI_NOT_FOUND Section with key has not been found. - @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format or inpu= t pointers are NULL. @retval Others Unexpected error happens. =20 --*/ EFI_STATUS -SecureBootFetchData ( - IN EFI_GUID *KeyFileGuid, - OUT UINTN *SigListsSize, - OUT EFI_SIGNATURE_LIST **SigListOut +EFIAPI +SecureBootCreateDataFromInput ( + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut, + IN UINTN KeyInfoCount, + IN CONST SECURE_BOOT_CERTIFICATE_INFO *KeyInfo ); =20 /** diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf index 87db5a258021..3d4b77cfb073 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf 
@@ -32,15 +32,12 @@ [Packages] MdePkg/MdePkg.dec MdeModulePkg/MdeModulePkg.dec SecurityPkg/SecurityPkg.dec - CryptoPkg/CryptoPkg.dec =20 [LibraryClasses] BaseLib BaseMemoryLib DebugLib MemoryAllocationLib - BaseCryptLib - DxeServicesLib =20 [Guids] ## CONSUMES ## Variable:L"SetupMode" --=20 2.36.0.windows.1
View/Reply Online (#90952): https://edk2.groups.io/g/devel/message/90952
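Review bot: The rewritten comment for SecureBootCreateDataFromInput still lists `@retval EFI_NOT_FOUND Section with key has not been found` and "Embedded key has a wrong format", but the body no longer reads FV sections and the `RsaGetPublicKeyFromX509` check is removed, so nothing in this function rejects a malformed certificate any more. Either document that the caller is responsible for supplying valid DER-encoded X.509 data, or keep a format check, and reword the EFI_NOT_FOUND line to say when it can be returned now. The same comment is duplicated in SecureBootVariableLib.h and needs the same update.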
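Review bot: In the new loop of SecureBootCreateDataFromInput, a CreateSigList failure does `FreePool (Buffer); break;` without freeing EfiSig, while the allocation-failure branch just above frees EfiSig and returns. Please confirm that the code after the loop (only `if (KeyIndex == 0) {` is visible in this hunk) returns the failing Status and releases any partially built list instead of handing back a truncated signature list. Entries whose `Data` is NULL are also skipped silently and a `DataSize` of 0 is not rejected; returning EFI_INVALID_PARAMETER for those would make a bad KeyInfo array visible to the caller.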
From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Jiewen Yao, Michael Kubacki
Subject: [edk2-devel] [PATCH v3 05/11] SecurityPkg: SecureBootVariableLib: Added newly supported interfaces
Date: Thu, 30 Jun 2022 16:53:35 -0700
Message-Id: <20220630235341.1746-6-kuqin12@gmail.com>
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>

From: kuqin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911

This change updated the interfaces provided by SecureBootVariableLib.

The new additions provided interfaces to enroll a single authenticated variable from input, a helper function to query secure boot status, enroll all secure boot variables from UefiSecureBoot.h defined data structures, as well as a routine that deletes all secure boot related variables.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin Reviewed-by: Jiewen Yao Acked-by: Michael Kubacki --- Notes: v3: - Updated default timestamp to epoch time [Jiewen] - Added reviewed-by tag [Jiewen] - Added acked-by tag [Michael Kubacki] SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c | 365 = ++++++++++++++++++++ SecurityPkg/Include/Library/SecureBootVariableLib.h | 69 = ++++ SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf | 3 + 3 files changed, 437 insertions(+) diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.c b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c index f56f0322e943..abca249c6504 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.c @@ -21,6 +21,7 @@ #include #include #include +#include =20 // This time can be used when deleting variables, as it should be greater = than any variable time. EFI_TIME mMaxTimestamp =3D { @@ -37,6 +38,24 @@ EFI_TIME mMaxTimestamp =3D { 0x00 }; =20 +// +// This epoch time is the date that is used when creating SecureBoot defau= lt variables. +// NOTE: This is a placeholder date that doesn't correspond to anything el= se. +// +EFI_TIME mDefaultPayloadTimestamp =3D { + 1970, // Year (1970) + 1, // Month (Jan) + 1, // Day (1) + 0, // Hour + 0, // Minute + 0, // Second + 0, // Pad1 + 0, // Nanosecond + 0, // Timezone (Dummy value) + 0, // Daylight (Dummy value) + 0 // Pad2 +}; + /** Creates EFI Signature List structure. =20 @param[in] Data A pointer to signature data. 
@@ -413,6 +432,44 @@ GetSetupMode ( return EFI_SUCCESS; } =20 +/** + Helper function to quickly determine whether SecureBoot is enabled. + + @retval TRUE SecureBoot is verifiably enabled. + @retval FALSE SecureBoot is either disabled or an error prevented = checking. + +**/ +BOOLEAN +EFIAPI +IsSecureBootEnabled ( + VOID + ) +{ + EFI_STATUS Status; + UINT8 *SecureBoot; + + SecureBoot =3D NULL; + + Status =3D GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID **)&S= ecureBoot, NULL); + // + // Skip verification if SecureBoot variable doesn't exist. + // + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Cannot check SecureBoot variable %r \n ", Status= )); + return FALSE; + } + + // + // Skip verification if SecureBoot is disabled but not AuditMode + // + if (*SecureBoot =3D=3D SECURE_BOOT_MODE_DISABLE) { + FreePool (SecureBoot); + return FALSE; + } else { + return TRUE; + } +} + /** Clears the content of the 'db' variable. =20 
@@ -531,3 +588,311 @@ DeletePlatformKey ( ); return Status; } + +/** + This function will delete the secure boot keys, thus + disabling secure boot. + + @return EFI_SUCCESS or underlying failure code. +**/ +EFI_STATUS +EFIAPI +DeleteSecureBootVariables ( + VOID + ) +{ + EFI_STATUS Status, TempStatus; + + DEBUG ((DEBUG_INFO, "%a - Attempting to delete the Secure Boot variables= .\n", __FUNCTION__)); + + // + // Step 1: Notify that a PK update is coming shortly... + Status =3D DisablePKProtection (); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a - Failed to signal PK update start! %r\n", __= FUNCTION__, Status)); + // Classify this as a PK deletion error. + Status =3D EFI_ABORTED; + } + + // + // Step 2: Attempt to delete the PK. + // Let's try to nuke the PK, why not... + if (!EFI_ERROR (Status)) { + Status =3D DeletePlatformKey (); + DEBUG ((DEBUG_INFO, "%a - PK Delete =3D %r\n", __FUNCTION__, Status)); + // If the PK is not found, then our work here is done. + if (Status =3D=3D EFI_NOT_FOUND) { + Status =3D EFI_SUCCESS; + } + // If any other error occurred, let's inform the caller that the PK de= lete in particular failed. + else if (EFI_ERROR (Status)) { + Status =3D EFI_ABORTED; + } + } + + // + // Step 3: Attempt to delete remaining keys/databases... + // Now that the PK is deleted (assuming Status =3D=3D EFI_SUCCESS) the s= ystem is in SETUP_MODE. + // Arguably we could leave these variables in place and let them be dele= ted by whoever wants to + // update all the SecureBoot variables. However, for cleanliness sake, l= et's try to + // get rid of them here. + if (!EFI_ERROR (Status)) { + // + // If any of THESE steps have an error, report the error but attempt t= o delete all keys. + // Using TempStatus will prevent an error from being trampled by an EF= I_SUCCESS. + // Overwrite Status ONLY if TempStatus is an error. + // + // If the error is EFI_NOT_FOUND, we can safely ignore it since we wer= e trying to delete + // the variables anyway. 
+ // + TempStatus =3D DeleteKEK (); + DEBUG ((DEBUG_INFO, "%a - KEK Delete =3D %r\n", __FUNCTION__, TempStat= us)); + if (EFI_ERROR (TempStatus) && (TempStatus !=3D EFI_NOT_FOUND)) { + Status =3D EFI_ACCESS_DENIED; + } + + TempStatus =3D DeleteDb (); + DEBUG ((DEBUG_INFO, "%a - db Delete =3D %r\n", __FUNCTION__, TempStatu= s)); + if (EFI_ERROR (TempStatus) && (TempStatus !=3D EFI_NOT_FOUND)) { + Status =3D EFI_ACCESS_DENIED; + } + + TempStatus =3D DeleteDbx (); + DEBUG ((DEBUG_INFO, "%a - dbx Delete =3D %r\n", __FUNCTION__, TempStat= us)); + if (EFI_ERROR (TempStatus) && (TempStatus !=3D EFI_NOT_FOUND)) { + Status =3D EFI_ACCESS_DENIED; + } + + TempStatus =3D DeleteDbt (); + DEBUG ((DEBUG_INFO, "%a - dbt Delete =3D %r\n", __FUNCTION__, TempStat= us)); + if (EFI_ERROR (TempStatus) && (TempStatus !=3D EFI_NOT_FOUND)) { + Status =3D EFI_ACCESS_DENIED; + } + } + + return Status; +}// DeleteSecureBootVariables() + +/** + A helper function to take in a variable payload, wrap it in the + proper authenticated variable structure, and install it in the + EFI variable space. + + @param[in] VariableName The name of the key/database. + @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable + @param[in] DataSize Size parameter for target secure boot variable. + @param[in] Data Pointer to signature list formatted secure boo= t variable content. + + @retval EFI_SUCCESS The enrollment for authenticated variab= le was successful. + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval Others Unexpected error happens. 
+**/ +EFI_STATUS +EFIAPI +EnrollFromInput ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid, + IN UINTN DataSize, + IN VOID *Data + ) +{ + VOID *Payload; + UINTN PayloadSize; + EFI_STATUS Status; + + Payload =3D NULL; + + if ((VariableName =3D=3D NULL) || (VendorGuid =3D=3D 0)) { + DEBUG ((DEBUG_ERROR, "Input vendor variable invalid: %p and %p\n", Var= iableName, VendorGuid)); + Status =3D EFI_INVALID_PARAMETER; + goto Exit; + } + + if ((Data =3D=3D NULL) || (DataSize =3D=3D 0)) { + // You might as well just use DeleteVariable... + DEBUG ((DEBUG_ERROR, "Input argument invalid: %p: %x\n", Data, DataSiz= e)); + Status =3D EFI_INVALID_PARAMETER; + goto Exit; + } + + // Bring in the noise... + PayloadSize =3D DataSize; + Payload =3D AllocateZeroPool (DataSize); + // Bring in the funk... + if (Payload =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } else { + CopyMem (Payload, Data, DataSize); + } + + Status =3D CreateTimeBasedPayload (&PayloadSize, (UINT8 **)&Payload, &mD= efaultPayloadTimestamp); + if (EFI_ERROR (Status) || (Payload =3D=3D NULL)) { + DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r\n", S= tatus)); + Payload =3D NULL; + Status =3D EFI_OUT_OF_RESOURCES; + goto Exit; + } + + // + // Allocate memory for auth variable + // + Status =3D gRT->SetVariable ( + VariableName, + VendorGuid, + (EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), + PayloadSize, + Payload + ); + + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_ERROR, + "error: %a (\"%s\", %g): %r\n", + __FUNCTION__, + VariableName, + VendorGuid, + Status + )); + } + +Exit: + // + // Always Put Away Your Toys + // Payload will be reassigned by CreateTimeBasedPayload()... 
+ if (Payload !=3D NULL) { + FreePool (Payload); + Payload =3D NULL; + } + + return Status; +} + +/** + Similar to DeleteSecureBootVariables, this function is used to unilatera= lly + force the state of related SB variables (db, dbx, dbt, KEK, PK, etc.) to= be + the built-in, hardcoded default vars. + + @param[in] SecureBootPayload Payload information for secure boot relat= ed keys. + + @retval EFI_SUCCESS SecureBoot keys are now set to def= aults. + @retval EFI_ABORTED SecureBoot keys are not empty. Ple= ase delete keys first + or follow standard methods of alte= ring keys (ie. use the signing system). + @retval EFI_SECURITY_VIOLATION Failed to create the PK. + @retval Others Something failed in one of the sub= functions. + +**/ +EFI_STATUS +EFIAPI +SetSecureBootVariablesToDefault ( + IN CONST SECURE_BOOT_PAYLOAD_INFO *SecureBootPayload + ) +{ + EFI_STATUS Status; + UINT8 *Data; + UINTN DataSize; + + DEBUG ((DEBUG_INFO, "%a() Entry\n", __FUNCTION__)); + + if (SecureBootPayload =3D=3D NULL) { + DEBUG ((DEBUG_ERROR, "%a - Invalid SecureBoot payload is supplied!\n",= __FUNCTION__)); + return EFI_INVALID_PARAMETER; + } + + // + // Right off the bat, if SecureBoot is currently enabled, bail. + if (IsSecureBootEnabled ()) { + DEBUG ((DEBUG_ERROR, "%a - Cannot set default keys while SecureBoot is= enabled!\n", __FUNCTION__)); + return EFI_ABORTED; + } + + DEBUG ((DEBUG_INFO, "%a - Setting up key %s!\n", __FUNCTION__, SecureBoo= tPayload->SecureBootKeyName)); + + // + // Start running down the list, creating variables in our wake. + // dbx is a good place to start. + Data =3D (UINT8 *)SecureBootPayload->DbxPtr; + DataSize =3D SecureBootPayload->DbxSize; + Status =3D EnrollFromInput ( + EFI_IMAGE_SECURITY_DATABASE1, + &gEfiImageSecurityDatabaseGuid, + DataSize, + Data + ); + + // If that went well, try the db (make sure to pick the right one!). 
+ if (!EFI_ERROR (Status)) { + Data =3D (UINT8 *)SecureBootPayload->DbPtr; + DataSize =3D SecureBootPayload->DbSize; + Status =3D EnrollFromInput ( + EFI_IMAGE_SECURITY_DATABASE, + &gEfiImageSecurityDatabaseGuid, + DataSize, + Data + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a - Failed to enroll DB %r!\n", __FUNCTION__,= Status)); + } + } else { + DEBUG ((DEBUG_ERROR, "%a - Failed to enroll DBX %r!\n", __FUNCTION__, = Status)); + } + + // Keep it going. Keep it going. dbt if supplied... + if (!EFI_ERROR (Status) && (SecureBootPayload->DbtPtr !=3D NULL)) { + Data =3D (UINT8 *)SecureBootPayload->DbtPtr; + DataSize =3D SecureBootPayload->DbtSize; + Status =3D EnrollFromInput ( + EFI_IMAGE_SECURITY_DATABASE2, + &gEfiImageSecurityDatabaseGuid, + DataSize, + Data + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a - Failed to enroll DBT %r!\n", __FUNCTION__= , Status)); + } + } + + // Keep it going. Keep it going. KEK... + if (!EFI_ERROR (Status)) { + Data =3D (UINT8 *)SecureBootPayload->KekPtr; + DataSize =3D SecureBootPayload->KekSize; + Status =3D EnrollFromInput ( + EFI_KEY_EXCHANGE_KEY_NAME, + &gEfiGlobalVariableGuid, + DataSize, + Data + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a - Failed to enroll KEK %r!\n", __FUNCTION__= , Status)); + } + } + + // + // Finally! The Big Daddy of them all. + // The PK! + // + if (!EFI_ERROR (Status)) { + // + // Finally, install the key. + Data =3D (UINT8 *)SecureBootPayload->PkPtr; + DataSize =3D SecureBootPayload->PkSize; + Status =3D EnrollFromInput ( + EFI_PLATFORM_KEY_NAME, + &gEfiGlobalVariableGuid, + DataSize, + Data + ); + + // + // Report PK creation errors. + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a - Failed to update the PK! - %r\n", __FUNCT= ION__, Status)); + Status =3D EFI_SECURITY_VIOLATION; + } + } + + return Status; +} 
diff --git a/SecurityPkg/Include/Library/SecureBootVariableLib.h b/Security= Pkg/Include/Library/SecureBootVariableLib.h index 24ff0df067fa..c486801c318b 100644 --- a/SecurityPkg/Include/Library/SecureBootVariableLib.h +++ b/SecurityPkg/Include/Library/SecureBootVariableLib.h @@ -43,6 +43,19 @@ GetSetupMode ( OUT UINT8 *SetupMode ); =20 +/** + Helper function to quickly determine whether SecureBoot is enabled. + + @retval TRUE SecureBoot is verifiably enabled. + @retval FALSE SecureBoot is either disabled or an error prevented = checking. + +**/ +BOOLEAN +EFIAPI +IsSecureBootEnabled ( + VOID + ); + /** Create a EFI Signature List with data supplied from input argument. The input certificates from KeyInfo parameter should be DER-encoded 
@@ -161,4 +174,60 @@ DeletePlatformKey ( VOID ); =20 +/** + This function will delete the secure boot keys, thus + disabling secure boot. + + @return EFI_SUCCESS or underlying failure code. +**/ +EFI_STATUS +EFIAPI +DeleteSecureBootVariables ( + VOID + ); + +/** + A helper function to take in a variable payload, wrap it in the + proper authenticated variable structure, and install it in the + EFI variable space. + + @param[in] VariableName The name of the key/database. + @param[in] VendorGuid The namespace (ie. vendor GUID) of the variable + @param[in] DataSize Size parameter for target secure boot variable. + @param[in] Data Pointer to signature list formatted secure boo= t variable content. + + @retval EFI_SUCCESS The enrollment for authenticated variab= le was successful. + @retval EFI_OUT_OF_RESOURCES There are not enough memory resources t= o create time based payload. + @retval EFI_INVALID_PARAMETER The parameter is invalid. + @retval Others Unexpected error happens. +**/ +EFI_STATUS +EFIAPI +EnrollFromInput ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid, + IN UINTN DataSize, + IN VOID *Data + ); + +/** + Similar to DeleteSecureBootVariables, this function is used to unilatera= lly + force the state of related SB variables (db, dbx, dbt, KEK, PK, etc.) to= be + the built-in, hardcoded default vars. + + @param[in] SecureBootPayload Payload information for secure boot relat= ed keys. + + @retval EFI_SUCCESS SecureBoot keys are now set to def= aults. + @retval EFI_ABORTED SecureBoot keys are not empty. Ple= ase delete keys first + or follow standard methods of alte= ring keys (ie. use the signing system). + @retval EFI_SECURITY_VIOLATION Failed to create the PK. + @retval Others Something failed in one of the sub= functions. + +**/ +EFI_STATUS +EFIAPI +SetSecureBootVariablesToDefault ( + IN CONST SECURE_BOOT_PAYLOAD_INFO *SecureBootPayload + ); + #endif 
diff --git a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLi= b.inf b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf index 3d4b77cfb073..eabe9db6c93f 100644 --- a/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf +++ b/SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf 
@@ -38,6 +38,9 @@ [LibraryClasses] BaseMemoryLib DebugLib MemoryAllocationLib + PlatformPKProtectionLib + UefiLib + UefiRuntimeServicesTableLib =20 [Guids] ## CONSUMES ## Variable:L"SetupMode" --=20 2.36.0.windows.1
View/Reply Online (#90953): https://edk2.groups.io/g/devel/message/90953
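Review bot: IsSecureBootEnabled leaks the buffer returned by GetEfiGlobalVariable2 on the TRUE path, because `FreePool (SecureBoot)` is only called in the `SECURE_BOOT_MODE_DISABLE` branch. Read `*SecureBoot` into a local, free the buffer once, then return based on the local. The two "Skip verification" comments also read as if copied from another caller and do not describe what this helper does.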
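Review bot: In EnrollFromInput, the CreateTimeBasedPayload failure branch sets `Payload = NULL` before `goto Exit`, so the Exit block cannot free the buffer obtained from AllocateZeroPool, and the real Status is overwritten with EFI_OUT_OF_RESOURCES. Unless CreateTimeBasedPayload is guaranteed to free `*Data` on every failure, leave Payload untouched there and return the original Status. Smaller points in the same function: `VendorGuid == 0` should compare against NULL, `%x` is used to print a UINTN DataSize, and the "Allocate memory for auth variable" comment sits above the SetVariable call rather than an allocation.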
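Review bot: The new header comments in SecureBootVariableLib.h do not match the implementation added in this patch. SetSecureBootVariablesToDefault documents EFI_ABORTED as "SecureBoot keys are not empty", but the code returns it when IsSecureBootEnabled () is TRUE, and that helper returns FALSE when the SecureBoot variable cannot be read, so a read error lets enrollment proceed. DeleteSecureBootVariables is documented as returning the "underlying failure code" while its body maps failures to EFI_ABORTED or EFI_ACCESS_DENIED. Please align the @retval text with the code, and state which SECURE_BOOT_PAYLOAD_INFO fields are mandatory, since only DbtPtr is checked for NULL before enrollment.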
From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Jiewen Yao, Michael Kubacki
Subject: [edk2-devel] [PATCH v3 06/11] SecurityPkg: SecureBootVariableProvisionLib: Updated implementation
Date: Thu, 30 Jun 2022 16:53:36 -0700
Message-Id: <20220630235341.1746-7-kuqin12@gmail.com>
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>

From: Kun Qin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910

This change is in pair with the previous SecureBootVariableLib, which removes the explicit invocation of `CreateTimeBasedPayload` and used new interface `EnrollFromInput` instead. The original `SecureBootFetchData` is also moved to this library and incorporated with the newly defined `SecureBootCreateDataFromInput` to keep the original code flow.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin
Reviewed-by: Jiewen Yao
Acked-by: Michael Kubacki
---

Notes:
    v3:
    - Added reviewed-by tag [Jiewen]
    - Added acked-by tag [Michael Kubacki]

 SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.c | 145 ++++++++++++++++----
 1 file changed, 115 insertions(+), 30 deletions(-)
diff --git a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootV= ariableProvisionLib.c b/SecurityPkg/Library/SecureBootVariableProvisionLib/= SecureBootVariableProvisionLib.c index 536b0f369907..bed1fe86205d 100644 --- a/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariable= ProvisionLib.c +++ b/SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariable= ProvisionLib.c @@ -8,10 +8,13 @@ Copyright (c) 2021, Semihalf All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent **/ +#include +#include #include #include #include #include +#include #include #include #include 
@@ -19,6 +22,117 @@ #include #include #include +#include + +/** + Create a EFI Signature List with data fetched from section specified as = a argument. + Found keys are verified using RsaGetPublicKeyFromX509(). + + @param[in] KeyFileGuid A pointer to to the FFS filename GUID + @param[out] SigListsSize A pointer to size of signature list + @param[out] SigListOut a pointer to a callee-allocated buffer w= ith signature lists + + @retval EFI_SUCCESS Create time based payload successfully. + @retval EFI_NOT_FOUND Section with key has not been found. + @retval EFI_INVALID_PARAMETER Embedded key has a wrong format. + @retval Others Unexpected error happens. + +**/ +STATIC +EFI_STATUS +SecureBootFetchData ( + IN EFI_GUID *KeyFileGuid, + OUT UINTN *SigListsSize, + OUT EFI_SIGNATURE_LIST **SigListOut + ) +{ + EFI_SIGNATURE_LIST *EfiSig; + EFI_STATUS Status; + VOID *Buffer; + VOID *RsaPubKey; + UINTN Size; + UINTN KeyIndex; + UINTN Index; + SECURE_BOOT_CERTIFICATE_INFO *CertInfo; + SECURE_BOOT_CERTIFICATE_INFO *NewCertInfo; + + KeyIndex =3D 0; + EfiSig =3D NULL; + *SigListOut =3D NULL; + *SigListsSize =3D 0; + CertInfo =3D AllocatePool (sizeof (SECURE_BOOT_CERTIFICATE_INFO)); + NewCertInfo =3D CertInfo; + while (1) { + if (NewCertInfo =3D=3D NULL) { + Status =3D EFI_OUT_OF_RESOURCES; + break; + } else { + CertInfo =3D NewCertInfo; + } + + Status =3D GetSectionFromAnyFv ( + KeyFileGuid, + EFI_SECTION_RAW, + KeyIndex, + &Buffer, + &Size + ); + + if (Status =3D=3D EFI_SUCCESS) { + RsaPubKey =3D NULL; + if (RsaGetPublicKeyFromX509 (Buffer, Size, &RsaPubKey) =3D=3D FALSE)= { + DEBUG ((DEBUG_ERROR, "%a: Invalid key format: %d\n", __FUNCTION__,= KeyIndex)); + if (EfiSig !=3D NULL) { + FreePool (EfiSig); + } + + FreePool (Buffer); + Status =3D EFI_INVALID_PARAMETER; + break; + } + + CertInfo[KeyIndex].Data =3D Buffer; + CertInfo[KeyIndex].DataSize =3D Size; + KeyIndex++; + NewCertInfo =3D ReallocatePool ( + sizeof (SECURE_BOOT_CERTIFICATE_INFO) * KeyIndex, + sizeof 
(SECURE_BOOT_CERTIFICATE_INFO) * (KeyIndex + = 1), + CertInfo + ); + } + + if (Status =3D=3D EFI_NOT_FOUND) { + Status =3D EFI_SUCCESS; + break; + } + } + + if (EFI_ERROR (Status)) { + goto Cleanup; + } + + if (KeyIndex =3D=3D 0) { + Status =3D EFI_NOT_FOUND; + goto Cleanup; + } + + // Now that we collected all certs from FV, convert it into sig list + Status =3D SecureBootCreateDataFromInput (SigListsSize, SigListOut, KeyI= ndex, CertInfo); + if (EFI_ERROR (Status)) { + goto Cleanup; + } + +Cleanup: + if (CertInfo) { + for (Index =3D 0; Index < KeyIndex; Index++) { + FreePool ((VOID *)CertInfo[Index].Data); + } + + FreePool (CertInfo); + } + + return Status; +} =20 /** Enroll a key/certificate based on a default variable. 
@@ -52,36 +166,7 @@ EnrollFromDefault ( return Status; } =20 - CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); - return Status; - } - - // - // Allocate memory for auth variable - // - Status =3D gRT->SetVariable ( - VariableName, - VendorGuid, - (EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS | - EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS), - DataSize, - Data - ); - - if (EFI_ERROR (Status)) { - DEBUG (( - DEBUG_ERROR, - "error: %a (\"%s\", %g): %r\n", - __FUNCTION__, - VariableName, - VendorGuid, - Status - )); - } + Status =3D EnrollFromInput (VariableName, VendorGuid, DataSize, Data); =20 if (Data !=3D NULL) { FreePool (Data); --=20 2.36.0.windows.1
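Review bot: In the `while (1)` loop of SecureBootFetchData (hunk `@@ -19,6 +22,117 @@`), a `GetSectionFromAnyFv` status other than EFI_SUCCESS or EFI_NOT_FOUND matches neither `if` block, so the loop repeats the same call with the same KeyIndex and can spin indefinitely; break on any error, for example by testing `EFI_ERROR (Status)` after EFI_NOT_FOUND has been mapped to EFI_SUCCESS. `RsaPubKey` is filled by `RsaGetPublicKeyFromX509` and then never used or released, so each accepted certificate leaks an RSA context unless it is handed to `RsaFree`. `EfiSig` is set to NULL and never assigned, which makes the `FreePool (EfiSig)` branch dead code, and the `@retval EFI_SUCCESS` text still says "Create time based payload successfully" although this function builds a signature list. `if (CertInfo)` in the Cleanup path should be an explicit `!= NULL` comparison like the other pointer checks in this hunk.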
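Review bot: The failure log is lost at the EnrollFromDefault call site (hunk `@@ -52,36 +166,7 @@`): the removed block printed `__FUNCTION__`, VariableName, VendorGuid and Status when SetVariable failed, and nothing in this hunk shows that `EnrollFromInput` reports the same. Either confirm that the new interface logs the variable name and status itself, or keep a `DEBUG ((DEBUG_ERROR, ...))` here under `EFI_ERROR (Status)`. The removed `CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data);` call never assigned its return value to Status before the `EFI_ERROR (Status)` test, so its removal also changes error handling; the commit message should say so.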
From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Jiewen Yao, Michael Kubacki
Subject: [edk2-devel] [PATCH v3 07/11] SecurityPkg: Secure Boot Drivers: Added common header files
Date: Thu, 30 Jun 2022 16:53:37 -0700
Message-Id: <20220630235341.1746-8-kuqin12@gmail.com>
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>

From: Kun Qin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3910

This change added common header files to consumer drivers to unblock pipeline builds.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin Reviewed-by: Jiewen Yao Acked-by: Michael Kubacki --- Notes: v3: - Added reviewed-by tag [Jiewen] - Added acked-by tag [Michael Kubacki] SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c = | 1 + SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl= .c | 1 + SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefau= ltKeysDxe.c | 1 + 3 files changed, 3 insertions(+) diff --git a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.= c b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c index cb7095b269b1..aa4d0c7a993d 100644 --- a/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c +++ b/SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c @@ -19,6 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include // AsciiPrint() #include // gRT #include +#include #include #include =20 diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index 0122e8d55fa0..a13c349a0f89 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ =20 #include "SecureBootConfigImpl.h" +#include #include #include #include diff --git a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/Sec= ureBootDefaultKeysDxe.c b/SecurityPkg/VariableAuthenticated/SecureBootDefau= ltKeysDxe/SecureBootDefaultKeysDxe.c index ef7b01f16119..0abde52a05ae 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot= DefaultKeysDxe.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBoot= DefaultKeysDxe.c 
@@ -15,6 +15,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include #include #include =20 --=20 2.36.0.windows.1
From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Jiewen Yao, Michael Kubacki
Subject: [edk2-devel] [PATCH v3 08/11] SecurityPkg: SecureBootConfigDxe: Updated invocation pattern
Date: Thu, 30 Jun 2022 16:53:38 -0700
Message-Id: <20220630235341.1746-9-kuqin12@gmail.com>
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>

From: Kun Qin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3909

This change is in pair with the previous SecureBootVariableLib change, which updated the interface of `CreateTimeBasedPayload`. This change added a helper function to query the current time through Real Time Clock protocol. This function is used when needing to format an authenticated variable payload.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin Reviewed-by: Jiewen Yao Acked-by: Michael Kubacki --- Notes: v3: - Added reviewed-by tag [Jiewen] - Added acked-by tag [Michael Kubacki] SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl= .c | 127 ++++++++++++++++++-- SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.= inf | 1 + 2 files changed, 119 insertions(+), 9 deletions(-) diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Secu= reBootConfigImpl.c index a13c349a0f89..4299a6b5e56d 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gImpl.c @@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "SecureBootConfigImpl.h" #include #include +#include #include #include #include @@ -136,6 +137,51 @@ CloseEnrolledFile ( FileContext->FileType =3D UNKNOWN_FILE_TYPE; } =20 +/** + Helper function to populate an EFI_TIME instance. + + @param[in] Time FileContext cached in SecureBootConfig driver + +**/ +STATIC +EFI_STATUS +GetCurrentTime ( + IN EFI_TIME *Time + ) +{ + EFI_STATUS Status; + VOID *TestPointer; + + if (Time =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + Status =3D gBS->LocateProtocol (&gEfiRealTimeClockArchProtocolGuid, NULL= , &TestPointer); + if (EFI_ERROR (Status)) { + return Status; + } + + ZeroMem (Time, sizeof (EFI_TIME)); + Status =3D gRT->GetTime (Time, NULL); + if (EFI_ERROR (Status)) { + DEBUG (( + DEBUG_ERROR, + "%a(), GetTime() failed, status =3D '%r'\n", + __FUNCTION__, + Status + )); + return Status; + } + + Time->Pad1 =3D 0; + Time->Nanosecond =3D 0; + Time->TimeZone =3D 0; + Time->Daylight =3D 0; + Time->Pad2 =3D 0; + + return EFI_SUCCESS; +} + /** This code checks if the FileSuffix is one of the possible DER-encoded ce= rtificate suffix. =20 
@@ -436,6 +482,7 @@ EnrollPlatformKey ( UINT32 Attr; UINTN DataSize; EFI_SIGNATURE_LIST *PkCert; + EFI_TIME Time; =20 PkCert =3D NULL; =20 @@ -463,7 +510,13 @@ EnrollPlatformKey ( Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; DataSize =3D PkCert->SignatureListSize; - Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&PkCert, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -522,6 +575,7 @@ EnrollRsa2048ToKek ( UINTN KekSigListSize; UINT8 *KeyBuffer; UINTN KeyLenInBytes; + EFI_TIME Time; =20 Attr =3D 0; DataSize =3D 0; @@ -608,7 +662,13 @@ EnrollRsa2048ToKek ( // Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -689,6 +749,7 @@ EnrollX509ToKek ( UINTN DataSize; UINTN KekSigListSize; UINT32 Attr; + EFI_TIME Time; =20 X509Data =3D NULL; X509DataSize =3D 0; 
@@ -735,7 +796,13 @@ EnrollX509ToKek ( // Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&KekSigListSize, (UINT8 **)&KekSigLis= t, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -861,6 +928,7 @@ EnrollX509toSigDB ( UINTN DataSize; UINTN SigDBSize; UINT32 Attr; + EFI_TIME Time; =20 X509DataSize =3D 0; SigDBSize =3D 0; @@ -910,7 +978,13 @@ EnrollX509toSigDB ( // Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -1321,6 +1395,7 @@ EnrollX509HashtoSigDB ( UINT16 *FilePostFix; UINTN NameLength; EFI_TIME *Time; + EFI_TIME NewTime; =20 X509DataSize =3D 0; DbSize =3D 0; @@ -1490,7 +1565,13 @@ EnrollX509HashtoSigDB ( DataSize =3D DbSize; } =20 - Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data); + Status =3D GetCurrentTime (&NewTime); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&DataSize, (UINT8 **)&Data, &NewTime); if (EFI_ERROR (Status)) { goto ON_EXIT; } 
@@ -2169,6 +2250,7 @@ EnrollImageSignatureToSigDB ( UINTN SigDBSize; UINT32 Attr; WIN_CERTIFICATE_UEFI_GUID *GuidCertData; + EFI_TIME Time; =20 Data =3D NULL; GuidCertData =3D NULL; @@ -2267,7 +2349,13 @@ EnrollImageSignatureToSigDB ( =20 Attr =3D EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHE= NTICATED_WRITE_ACCESS; - Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&SigDBSize, (UINT8 **)&Data, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", Sta= tus)); goto ON_EXIT; @@ -2609,6 +2697,7 @@ DeleteKeyExchangeKey ( UINT32 KekDataSize; UINTN DeleteKekIndex; UINTN GuidIndex; + EFI_TIME Time; =20 Data =3D NULL; OldData =3D NULL; @@ -2727,7 +2816,13 @@ DeleteKeyExchangeKey ( =20 DataSize =3D Offset; if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) !=3D 0) { - Status =3D CreateTimeBasedPayload (&DataSize, &OldData); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&DataSize, &OldData, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus)); goto ON_EXIT; @@ -2805,6 +2900,7 @@ DeleteSignature ( BOOLEAN IsItemFound; UINT32 ItemDataSize; UINTN GuidIndex; + EFI_TIME Time; =20 Data =3D NULL; OldData =3D NULL; 
@@ -2931,7 +3027,13 @@ DeleteSignature ( =20 DataSize =3D Offset; if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) !=3D 0) { - Status =3D CreateTimeBasedPayload (&DataSize, &OldData); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&DataSize, &OldData, &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus)); goto ON_EXIT; @@ -3000,6 +3102,7 @@ DeleteSignatureEx ( UINTN Offset; UINT8 *VariableData; UINT8 *NewVariableData; + EFI_TIME Time; =20 Status =3D EFI_SUCCESS; VariableAttr =3D 0; @@ -3120,7 +3223,13 @@ DeleteSignatureEx ( } =20 if ((VariableAttr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) = !=3D 0) { - Status =3D CreateTimeBasedPayload (&VariableDataSize, &NewVariableData= ); + Status =3D GetCurrentTime (&Time); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status)); + goto ON_EXIT; + } + + Status =3D CreateTimeBasedPayload (&VariableDataSize, &NewVariableData= , &Time); if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "Fail to create time-based data payload: %r", S= tatus)); goto ON_EXIT; diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBo= otConfigDxe.inf b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/Sec= ureBootConfigDxe.inf index 420687a21141..1671d5be7ccd 100644 --- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf +++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfi= gDxe.inf 
@@ -111,6 +111,7 @@ [Protocols] gEfiHiiConfigAccessProtocolGuid ## PRODUCES gEfiDevicePathProtocolGuid ## PRODUCES gEfiHiiPopupProtocolGuid + gEfiRealTimeClockArchProtocolGuid ## CONSUMES =20 [Depex] gEfiHiiConfigRoutingProtocolGuid AND --=20 2.36.0.windows.1
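Review bot: The header comment of GetCurrentTime (hunk `@@ -136,6 +137,51 @@`) does not match the function: `@param[in] Time` is described as "FileContext cached in SecureBootConfig driver" and the prototype marks it `IN`, yet the body zeroes the structure and fills it through `gRT->GetTime`, so it should read `OUT EFI_TIME *Time` with `@param[out]` and a description of the returned time. The `@retval` entries are missing for EFI_INVALID_PARAMETER on a NULL pointer, the errors passed up from `LocateProtocol` and `GetTime`, and EFI_SUCCESS. The `LocateProtocol` failure returns without any message while the `GetTime` failure is logged; a DEBUG line on that path would make a missing Real Time Clock arch protocol visible, and `TestPointer` deserves a one-line comment saying it is only a presence check.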
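Review bot: The new `DEBUG ((DEBUG_ERROR, "Fail to fetch valid time data: %r", Status));` in EnrollPlatformKey (hunk `@@ -463,7 +510,13 @@`) has no trailing `\n`, and the same six-line fetch, check and log block is pasted into EnrollRsa2048ToKek, EnrollX509ToKek, EnrollX509toSigDB, EnrollX509HashtoSigDB, EnrollImageSignatureToSigDB, DeleteKeyExchangeKey, DeleteSignature and DeleteSignatureEx. Terminate the format string with `\n`, and consider one local wrapper that calls GetCurrentTime and then `CreateTimeBasedPayload`, so each of the nine call sites stays a single call with a single error path; GetCurrentTime already logs a `GetTime` failure, so the call-site message duplicates it. In EnrollX509HashtoSigDB the new `EFI_TIME NewTime` sits beside the existing `EFI_TIME *Time`; a name that states its purpose would be easier to tell apart from the pointer.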
From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Min Xu, Jiewen Yao, Michael Kubacki
Subject: [edk2-devel] [PATCH v3 09/11] SecurityPkg: SecureBootVariableLib: Added unit tests
Date: Thu, 30 Jun 2022 16:53:39 -0700
Message-Id: <20220630235341.1746-10-kuqin12@gmail.com>
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>

From: kuqin

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911

This change added unit test and enabled it from pipeline for the updated SecureBootVariableLib. The unit test covers all implemented interfaces and certain corner cases.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Min Xu
Signed-off-by: Kun Qin Reviewed-by: Jiewen Yao Acked-by: Michael Kubacki --- Notes: v3: - Added reviewed-by tag [Jiewen] - Added acked-by tag [Michael Kubacki] SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectio= nLib.c | 36 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c = | 201 ++ SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServices= TableLib.c | 13 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUn= itTest.c | 2037 ++++++++++++++++++++ SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtectio= nLib.inf | 33 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf = | 45 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServices= TableLib.inf | 25 + SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLibUn= itTest.inf | 36 + SecurityPkg/SecurityPkg.ci.yaml = | 11 + SecurityPkg/Test/SecurityPkgHostTest.dsc = | 38 + 10 files changed, 2475 insertions(+) diff --git a/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatfor= mPKProtectionLib.c b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/Moc= kPlatformPKProtectionLib.c new file mode 100644 index 000000000000..a8644d272df6 --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProt= ectionLib.c 
@@ -0,0 +1,36 @@ +/** @file + Provides a mocked interface for configuring PK related variable protecti= on. + + Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent +**/ +#include +#include +#include +#include +#include +#include + +#include + +/** + Disable any applicable protection against variable 'PK'. The implementat= ion + of this interface is platform specific, depending on the protection tech= niques + used per platform. + + Note: It is the platform's responsibility to conduct cautious operation = after + disabling this protection. + + @retval EFI_SUCCESS State has been successfully updated. + @retval Others Error returned from implementation s= pecific + underying APIs. + +**/ +EFI_STATUS +EFIAPI +DisablePKProtection ( + VOID + ) +{ + return (EFI_STATUS)mock (); +} diff --git a/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib= .c b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c new file mode 100644 index 000000000000..df271c39f26c --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.c @@ -0,0 +1,201 @@ +/** @file + The UEFI Library provides functions and macros that simplify the develop= ment of + UEFI Drivers and UEFI Applications. These functions and macros help man= age EFI + events, build simple locks utilizing EFI Task Priority Levels (TPLs), in= stall + EFI Driver Model related protocols, manage Unicode string tables for UEF= I Drivers, + and print messages on the console output and standard error devices. + + Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include +#include + +/** + Returns the status whether get the variable success. The function retrie= ves + variable through the UEFI Runtime Service GetVariable(). The + returned buffer is allocated using AllocatePool(). The caller is respon= sible + for freeing this buffer with FreePool(). + + If Name is NULL, then ASSERT(). + If Guid is NULL, then ASSERT(). + If Value is NULL, then ASSERT(). + + @param[in] Name The pointer to a Null-terminated Unicode string. + @param[in] Guid The pointer to an EFI_GUID structure + @param[out] Value The buffer point saved the variable info. + @param[out] Size The buffer size of the variable. + + @return EFI_OUT_OF_RESOURCES Allocate buffer failed. + @return EFI_SUCCESS Find the specified variable. + @return Others Errors Return errors from call to gRT->GetVar= iable. + +**/ +EFI_STATUS +EFIAPI +GetVariable2 ( + IN CONST CHAR16 *Name, + IN CONST EFI_GUID *Guid, + OUT VOID **Value, + OUT UINTN *Size OPTIONAL + ) +{ + EFI_STATUS Status; + UINTN BufferSize; + + ASSERT (Name !=3D NULL && Guid !=3D NULL && Value !=3D NULL); + + // + // Try to get the variable size. + // + BufferSize =3D 0; + *Value =3D NULL; + if (Size !=3D NULL) { + *Size =3D 0; + } + + Status =3D gRT->GetVariable ((CHAR16 *)Name, (EFI_GUID *)Guid, NULL, &Bu= fferSize, *Value); + if (Status !=3D EFI_BUFFER_TOO_SMALL) { + return Status; + } + + // + // Allocate buffer to get the variable. + // + *Value =3D AllocatePool (BufferSize); + ASSERT (*Value !=3D NULL); + if (*Value =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Get the variable data. + // + Status =3D gRT->GetVariable ((CHAR16 *)Name, (EFI_GUID *)Guid, NULL, &Bu= fferSize, *Value); + if (EFI_ERROR (Status)) { + FreePool (*Value); + *Value =3D NULL; + } + + if (Size !=3D NULL) { + *Size =3D BufferSize; + } + + return Status; +} + +/** Return the attributes of the variable. 
+ + Returns the status whether get the variable success. The function retrie= ves + variable through the UEFI Runtime Service GetVariable(). The + returned buffer is allocated using AllocatePool(). The caller is respon= sible + for freeing this buffer with FreePool(). The attributes are returned if + the caller provides a valid Attribute parameter. + + If Name is NULL, then ASSERT(). + If Guid is NULL, then ASSERT(). + If Value is NULL, then ASSERT(). + + @param[in] Name The pointer to a Null-terminated Unicode string. + @param[in] Guid The pointer to an EFI_GUID structure + @param[out] Value The buffer point saved the variable info. + @param[out] Size The buffer size of the variable. + @param[out] Attr The pointer to the variable attributes as found in var= store + + @retval EFI_OUT_OF_RESOURCES Allocate buffer failed. + @retval EFI_SUCCESS Find the specified variable. + @retval Others Errors Return errors from call to gRT->GetVar= iable. + +**/ +EFI_STATUS +EFIAPI +GetVariable3 ( + IN CONST CHAR16 *Name, + IN CONST EFI_GUID *Guid, + OUT VOID **Value, + OUT UINTN *Size OPTIONAL, + OUT UINT32 *Attr OPTIONAL + ) +{ + EFI_STATUS Status; + UINTN BufferSize; + + ASSERT (Name !=3D NULL && Guid !=3D NULL && Value !=3D NULL); + + // + // Try to get the variable size. + // + BufferSize =3D 0; + *Value =3D NULL; + if (Size !=3D NULL) { + *Size =3D 0; + } + + if (Attr !=3D NULL) { + *Attr =3D 0; + } + + Status =3D gRT->GetVariable ((CHAR16 *)Name, (EFI_GUID *)Guid, Attr, &Bu= fferSize, *Value); + if (Status !=3D EFI_BUFFER_TOO_SMALL) { + return Status; + } + + // + // Allocate buffer to get the variable. + // + *Value =3D AllocatePool (BufferSize); + ASSERT (*Value !=3D NULL); + if (*Value =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + // + // Get the variable data. 
+ // + Status =3D gRT->GetVariable ((CHAR16 *)Name, (EFI_GUID *)Guid, Attr, &Bu= fferSize, *Value); + if (EFI_ERROR (Status)) { + FreePool (*Value); + *Value =3D NULL; + } + + if (Size !=3D NULL) { + *Size =3D BufferSize; + } + + return Status; +} + +/** + Returns a pointer to an allocated buffer that contains the contents of a + variable retrieved through the UEFI Runtime Service GetVariable(). This + function always uses the EFI_GLOBAL_VARIABLE GUID to retrieve variables. + The returned buffer is allocated using AllocatePool(). The caller is + responsible for freeing this buffer with FreePool(). + + If Name is NULL, then ASSERT(). + If Value is NULL, then ASSERT(). + + @param[in] Name The pointer to a Null-terminated Unicode string. + @param[out] Value The buffer point saved the variable info. + @param[out] Size The buffer size of the variable. + + @return EFI_OUT_OF_RESOURCES Allocate buffer failed. + @return EFI_SUCCESS Find the specified variable. + @return Others Errors Return errors from call to gRT->GetVar= iable. + +**/ +EFI_STATUS +EFIAPI +GetEfiGlobalVariable2 ( + IN CONST CHAR16 *Name, + OUT VOID **Value, + OUT UINTN *Size OPTIONAL + ) +{ + return GetVariable2 (Name, &gEfiGlobalVariableGuid, Value, Size); +} diff --git a/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRun= timeServicesTableLib.c b/SecurityPkg/Library/SecureBootVariableLib/UnitTest= /MockUefiRuntimeServicesTableLib.c new file mode 100644 index 000000000000..e86192a05f32 --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeSer= vicesTableLib.c @@ -0,0 +1,13 @@ +/** @file + Mock implementation of the UEFI Runtime Services Table Library. + + Copyright (C) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +extern EFI_RUNTIME_SERVICES gMockRuntime; + +EFI_RUNTIME_SERVICES *gRT =3D &gMockRuntime; 
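Review bot: In MockPlatformPKProtectionLib.c, the comment above DisablePKProtection() is copied from the real interface and never says that the mock takes its return value from the cmocka queue through `return (EFI_STATUS)mock ();`. Please document that any test whose code path reaches this function has to queue a status with will_return (DisablePKProtection, ...) beforehand, since otherwise the failure is raised inside the mock rather than at the assertion the test is about. While editing the comment, "underying" should read "underlying".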
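Review bot: The @file block of MockUefiLib.c still carries the full UefiLib description (events, TPL locks, protocol installation, Unicode string tables, console printing), but the file only implements GetVariable2(), GetVariable3() and GetEfiGlobalVariable2(). Please reword it to say this is a reduced UefiLib for the host-based test and name those three functions. GetVariable2() and GetVariable3() differ only in the attributes argument handed to gRT->GetVariable, so GetVariable2() could be reduced to `return GetVariable3 (Name, Guid, Value, Size, NULL);`, the same way GetEfiGlobalVariable2() already delegates to GetVariable2(). In both functions `ASSERT (*Value != NULL);` sits directly in front of the `if (*Value == NULL)` branch that returns EFI_OUT_OF_RESOURCES, so while ASSERT is active a test cannot exercise that return path; please pick one of the two behaviours for the mock.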
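Review bot: `extern EFI_RUNTIME_SERVICES gMockRuntime;` in MockUefiRuntimeServicesTableLib.c makes this library instance depend on a symbol that, in this patch, is defined in SecureBootVariableLibUnitTest.c, and nothing in the file says so. Another host test that links this instance would fail at link time unless it defines gMockRuntime itself. Please either state that requirement in the @file comment or move the declaration into a header shared by the mock library and the tests that consume it.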
diff --git a/SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootV= ariableLibUnitTest.c b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/S= ecureBootVariableLibUnitTest.c new file mode 100644 index 000000000000..a23135dfb016 --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariable= LibUnitTest.c 
@@ -0,0 +1,2037 @@ +/** @file + Unit tests of the implementation of SecureBootVariableLib. + + Copyright (C) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include +#include + +#define UNIT_TEST_APP_NAME "SecureBootVariableLib Unit Tests" +#define UNIT_TEST_APP_VERSION "1.0" +#define VAR_AUTH_DESC_SIZE OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, A= uthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData) + +extern EFI_TIME mMaxTimestamp; +extern EFI_TIME mDefaultPayloadTimestamp; + +/** + Sets the value of a variable. + + @param[in] VariableName A Null-terminated string that is the name= of the vendor's variable. + Each VariableName is unique for each Vend= orGuid. VariableName must + contain 1 or more characters. If Variable= Name is an empty string, + then EFI_INVALID_PARAMETER is returned. + @param[in] VendorGuid A unique identifier for the vendor. + @param[in] Attributes Attributes bitmask to set for the variabl= e. + @param[in] DataSize The size in bytes of the Data buffer. Unl= ess the EFI_VARIABLE_APPEND_WRITE or + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRI= TE_ACCESS attribute is set, a size of zero + causes the variable to be deleted. When t= he EFI_VARIABLE_APPEND_WRITE attribute is + set, then a SetVariable() call with a Dat= aSize of zero will not cause any change to + the variable value (the timestamp associa= ted with the variable may be updated however + even if no new data value is provided,see= the description of the + EFI_VARIABLE_AUTHENTICATION_2 descriptor = below. In this case the DataSize will not + be zero since the EFI_VARIABLE_AUTHENTICA= TION_2 descriptor will be populated). + @param[in] Data The contents for the variable. + + @retval EFI_SUCCESS The firmware has successfully stored the = variable and its data as + defined by the Attributes. 
+ @retval EFI_INVALID_PARAMETER An invalid combination of attribute bits,= name, and GUID was supplied, or the + DataSize exceeds the maximum allowed. + @retval EFI_INVALID_PARAMETER VariableName is an empty string. + @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold t= he variable and its data. + @retval EFI_DEVICE_ERROR The variable could not be retrieved due t= o a hardware error. + @retval EFI_WRITE_PROTECTED The variable in question is read-only. + @retval EFI_WRITE_PROTECTED The variable in question cannot be delete= d. + @retval EFI_SECURITY_VIOLATION The variable could not be written due to = EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACESS being set, + but the AuthInfo does NOT pass the valida= tion check carried out by the firmware. + + @retval EFI_NOT_FOUND The variable trying to be updated or dele= ted was not found. + +**/ +STATIC +EFI_STATUS +EFIAPI +MockSetVariable ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid, + IN UINT32 Attributes, + IN UINTN DataSize, + IN VOID *Data + ) +{ + DEBUG (( + DEBUG_INFO, + "%a %s %g %x %x %p\n", + __FUNCTION__, + VariableName, + VendorGuid, + Attributes, + DataSize, + Data + )); + check_expected_ptr (VariableName); + check_expected_ptr (VendorGuid); + check_expected_ptr (Attributes); + check_expected (DataSize); + check_expected (Data); + + return (EFI_STATUS)mock (); +} + +/** + Returns the value of a variable. + + @param[in] VariableName A Null-terminated string that is the name= of the vendor's + variable. + @param[in] VendorGuid A unique identifier for the vendor. + @param[out] Attributes If not NULL, a pointer to the memory loca= tion to return the + attributes bitmask for the variable. + @param[in, out] DataSize On input, the size in bytes of the return= Data buffer. + On output the size of data returned in Da= ta. + @param[out] Data The buffer to return the contents of the = variable. May be NULL + with a zero DataSize in order to determin= e the size buffer needed. 
+ + @retval EFI_SUCCESS The function completed successfully. + @retval EFI_NOT_FOUND The variable was not found. + @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. + @retval EFI_INVALID_PARAMETER VariableName is NULL. + @retval EFI_INVALID_PARAMETER VendorGuid is NULL. + @retval EFI_INVALID_PARAMETER DataSize is NULL. + @retval EFI_INVALID_PARAMETER The DataSize is not too small and Data is= NULL. + @retval EFI_DEVICE_ERROR The variable could not be retrieved due t= o a hardware error. + @retval EFI_SECURITY_VIOLATION The variable could not be retrieved due t= o an authentication failure. + +**/ +STATIC +EFI_STATUS +EFIAPI +MockGetVariable ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid, + OUT UINT32 *Attributes OPTIONAL, + IN OUT UINTN *DataSize, + OUT VOID *Data OPTIONAL + ) +{ + UINTN TargetSize; + BOOLEAN Exist; + + DEBUG (( + DEBUG_INFO, + "%a %s %g %p %x %p\n", + __FUNCTION__, + VariableName, + VendorGuid, + Attributes, + *DataSize, + Data + )); + assert_non_null (DataSize); + check_expected_ptr (VariableName); + check_expected_ptr (VendorGuid); + check_expected (*DataSize); + + Exist =3D (BOOLEAN)mock (); + + if (!Exist) { + return EFI_NOT_FOUND; + } + + TargetSize =3D (UINTN)mock (); + if (TargetSize > *DataSize) { + *DataSize =3D TargetSize; + return EFI_BUFFER_TOO_SMALL; + } else { + assert_non_null (Data); + CopyMem (Data, (VOID *)mock (), TargetSize); + } + + return EFI_SUCCESS; +} + +/// +/// Mock version of the UEFI Runtime Services Table +/// +EFI_RUNTIME_SERVICES gMockRuntime =3D { + { + EFI_RUNTIME_SERVICES_SIGNATURE, // Signature + EFI_RUNTIME_SERVICES_REVISION, // Revision + sizeof (EFI_RUNTIME_SERVICES), // HeaderSize + 0, // CRC32 + 0 // Reserved + }, + NULL, // GetTime + NULL, // SetTime + NULL, // GetWakeupTime + NULL, // SetWakeupTime + NULL, // SetVirtualAddressMap + NULL, // ConvertPointer + MockGetVariable, // GetVariable + NULL, // GetNextVariableName + MockSetVariable, // SetVariable + NULL, // 
GetNextHighMonotonicCount + NULL, // ResetSystem + NULL, // UpdateCapsule + NULL, // QueryCapsuleCapabilities + NULL // QueryVariableInfo +}; + +/** + Unit test for SetSecureBootMode () API of the SecureBootVariableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +SetSecureBootModeShouldSetVar ( + IN UNIT_TEST_CONTEXT Context + ) +{ + UINT8 SecureBootMode; + EFI_STATUS Status; + + SecureBootMode =3D 0xAB; // Any random magic number... + expect_memory (MockSetVariable, VariableName, EFI_CUSTOM_MODE_NAME, size= of (EFI_CUSTOM_MODE_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiCustomModeEnableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_BOOTSERVICE_ACCESS); + expect_value (MockSetVariable, DataSize, sizeof (SecureBootMode)); + expect_memory (MockSetVariable, Data, &SecureBootMode, sizeof (SecureBoo= tMode)); + + will_return (MockSetVariable, EFI_SUCCESS); + + Status =3D SetSecureBootMode (SecureBootMode); + + UT_ASSERT_NOT_EFI_ERROR (Status); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for GetSetupMode () API of the SecureBootVariableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. 
+ + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +GetSetupModeShouldGetVar ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 TargetMode; + UINT8 SetupMode; + + TargetMode =3D 0xAB; // Any random magic number... + expect_memory (MockGetVariable, VariableName, EFI_SETUP_MODE_NAME, sizeo= f (EFI_SETUP_MODE_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, sizeof (SetupMode)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (SetupMode)); + will_return (MockGetVariable, &TargetMode); + + Status =3D GetSetupMode (&SetupMode); + + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (SetupMode, TargetMode); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for GetSetupMode () API of the SecureBootVariableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. 
+**/ +UNIT_TEST_STATUS +EFIAPI +IsSecureBootEnableShouldGetVar ( + IN UNIT_TEST_CONTEXT Context + ) +{ + BOOLEAN Enabled; + UINT8 TargetMode; + + TargetMode =3D SECURE_BOOT_MODE_ENABLE; + expect_memory (MockGetVariable, VariableName, EFI_SECURE_BOOT_MODE_NAME,= sizeof (EFI_SECURE_BOOT_MODE_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (TargetMode)); + + expect_memory (MockGetVariable, VariableName, EFI_SECURE_BOOT_MODE_NAME,= sizeof (EFI_SECURE_BOOT_MODE_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, sizeof (TargetMode)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (TargetMode)); + will_return (MockGetVariable, &TargetMode); + + Enabled =3D IsSecureBootEnabled (); + + UT_ASSERT_EQUAL (Enabled, SECURE_BOOT_MODE_ENABLE); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for SecureBootCreateDataFromInput () API of the SecureBootVari= ableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. 
+**/ +UNIT_TEST_STATUS +EFIAPI +SecureBootCreateDataFromInputSimple ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_SIGNATURE_LIST *SigList =3D NULL; + EFI_SIGNATURE_DATA *SigData =3D NULL; + UINTN SigListSize =3D 0; + EFI_STATUS Status; + UINT8 TestData[] =3D { 0 }; + SECURE_BOOT_CERTIFICATE_INFO KeyInfo =3D { + .Data =3D TestData, + .DataSize =3D sizeof (TestData) + }; + + Status =3D SecureBootCreateDataFromInput (&SigListSize, &SigList, 1, &Ke= yInfo); + + UT_ASSERT_NOT_EFI_ERROR (Status); + + UT_ASSERT_NOT_NULL (SigList); + UT_ASSERT_TRUE (CompareGuid (&SigList->SignatureType, &gEfiCertX509Guid)= ); + UT_ASSERT_EQUAL (SigList->SignatureSize, sizeof (EFI_SIGNATURE_DATA) - 1= + sizeof (TestData)); + UT_ASSERT_EQUAL (SigList->SignatureHeaderSize, 0); + UT_ASSERT_EQUAL (SigList->SignatureListSize, sizeof (EFI_SIGNATURE_LIST)= + sizeof (EFI_SIGNATURE_DATA) - 1 + sizeof (TestData)); + UT_ASSERT_EQUAL (SigList->SignatureListSize, SigListSize); + + SigData =3D (EFI_SIGNATURE_DATA *)((UINTN)SigList + sizeof (EFI_SIGNATUR= E_LIST)); + UT_ASSERT_TRUE (CompareGuid (&SigData->SignatureOwner, &gEfiGlobalVariab= leGuid)); + UT_ASSERT_MEM_EQUAL (SigData->SignatureData, TestData, sizeof (TestData)= ); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for SecureBootCreateDataFromInput () API of the SecureBootVari= ableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. 
+**/ +UNIT_TEST_STATUS +EFIAPI +SecureBootCreateDataFromInputNull ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_SIGNATURE_LIST *SigList =3D NULL; + UINTN SigListSize =3D 0; + EFI_STATUS Status; + SECURE_BOOT_CERTIFICATE_INFO KeyInfo =3D { + .Data =3D NULL, + .DataSize =3D 0 + }; + + Status =3D SecureBootCreateDataFromInput (&SigListSize, &SigList, 0, NUL= L); + UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER); + + Status =3D SecureBootCreateDataFromInput (&SigListSize, &SigList, 1, &Ke= yInfo); + UT_ASSERT_STATUS_EQUAL (Status, EFI_NOT_FOUND); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for SecureBootCreateDataFromInput () API of the SecureBootVari= ableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. 
+**/ +UNIT_TEST_STATUS +EFIAPI +SecureBootCreateDataFromInputMultiple ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_SIGNATURE_LIST *SigList =3D NULL; + EFI_SIGNATURE_DATA *SigData =3D NULL; + UINTN SigListSize =3D 0; + UINTN TotalSize =3D 0; + UINTN Index =3D 0; + UINT8 TestData1[] =3D { 0 }; + UINT8 TestData2[] =3D { 1, 2 }; + EFI_STATUS Status; + SECURE_BOOT_CERTIFICATE_INFO KeyInfo[2] =3D { + { + .Data =3D TestData1, + .DataSize =3D sizeof (TestData1) + }, + { + .Data =3D TestData2, + .DataSize =3D sizeof (TestData2) + } + }; + + Status =3D SecureBootCreateDataFromInput (&SigListSize, &SigList, 2, Key= Info); + UT_ASSERT_NOT_EFI_ERROR (Status); + + UT_ASSERT_NOT_NULL (SigList); + + for (Index =3D 0; Index < 2; Index++) { + UT_ASSERT_TRUE (SigListSize > TotalSize); + + UT_ASSERT_TRUE (CompareGuid (&SigList->SignatureType, &gEfiCertX509Gui= d)); + UT_ASSERT_EQUAL (SigList->SignatureSize, sizeof (EFI_SIGNATURE_DATA) -= 1 + KeyInfo[Index].DataSize); + UT_ASSERT_EQUAL (SigList->SignatureHeaderSize, 0); + UT_ASSERT_EQUAL (SigList->SignatureListSize, sizeof (EFI_SIGNATURE_LIS= T) + sizeof (EFI_SIGNATURE_DATA) - 1 + KeyInfo[Index].DataSize); + + SigData =3D (EFI_SIGNATURE_DATA *)((UINTN)SigList + sizeof (EFI_SIGNAT= URE_LIST)); + UT_ASSERT_TRUE (CompareGuid (&SigData->SignatureOwner, &gEfiGlobalVari= ableGuid)); + UT_ASSERT_MEM_EQUAL (SigData->SignatureData, KeyInfo[Index].Data, KeyI= nfo[Index].DataSize); + TotalSize =3D TotalSize + SigList->SignatureListSize; + SigList =3D (EFI_SIGNATURE_LIST *)((UINTN)SigList + SigList->Signatu= reListSize); + } + + UT_ASSERT_EQUAL (SigListSize, TotalSize); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for CreateTimeBasedPayload () API of the SecureBootVariableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. 
This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +CreateTimeBasedPayloadShouldPopulateDescriptor ( + IN UNIT_TEST_CONTEXT Context + ) +{ + UINT8 Data[] =3D { 2 }; + UINTN DataSize =3D sizeof (Data); + UINT8 *CheckData; + EFI_VARIABLE_AUTHENTICATION_2 *VarAuth; + EFI_STATUS Status; + EFI_TIME Time =3D { + .Year =3D 2012, + .Month =3D 3, + .Day =3D 4, + .Hour =3D 5, + .Minute =3D 6, + .Second =3D 7, + .Pad1 =3D 0, + .Nanosecond =3D 8910, + .TimeZone =3D 1112, + .Pad2 =3D 0 + }; + + CheckData =3D AllocateCopyPool (DataSize, Data); + Status =3D CreateTimeBasedPayload (&DataSize, &CheckData, &Time); + UT_ASSERT_NOT_EFI_ERROR (Status); + + // This is result that we did not pack this structure... + // we cannot even use the sizeof (EFI_VARIABLE_AUTHENTICATION_2) - 1, + // because the structure is not at the end of this structure, but partia= lly + // inside it... + UT_ASSERT_EQUAL (DataSize, VAR_AUTH_DESC_SIZE + sizeof (Data)); + UT_ASSERT_NOT_NULL (CheckData); + + VarAuth =3D (EFI_VARIABLE_AUTHENTICATION_2 *)CheckData; + UT_ASSERT_MEM_EQUAL (&(VarAuth->TimeStamp), &Time, sizeof (EFI_TIME)); + + UT_ASSERT_EQUAL (VarAuth->AuthInfo.Hdr.dwLength, OFFSET_OF (WIN_CERTIFIC= ATE_UEFI_GUID, CertData)); + UT_ASSERT_EQUAL (VarAuth->AuthInfo.Hdr.wRevision, 0x0200); + UT_ASSERT_EQUAL (VarAuth->AuthInfo.Hdr.wCertificateType, WIN_CERT_TYPE_E= FI_GUID); + UT_ASSERT_TRUE (CompareGuid (&VarAuth->AuthInfo.CertType, &gEfiCertPkcs7= Guid)); + + UT_ASSERT_MEM_EQUAL (VarAuth->AuthInfo.CertData, Data, sizeof (Data)); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for CreateTimeBasedPayload () API of the SecureBootVariableLib. 
+ + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +CreateTimeBasedPayloadShouldCheckInput ( + IN UNIT_TEST_CONTEXT Context + ) +{ + UINTN DataSize =3D 0; + UINT8 *Data =3D NULL; + EFI_TIME Time; + EFI_STATUS Status; + + Status =3D CreateTimeBasedPayload (NULL, &Data, &Time); + UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER); + + Status =3D CreateTimeBasedPayload (&DataSize, NULL, &Time); + UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER); + + Status =3D CreateTimeBasedPayload (&DataSize, &Data, NULL); + UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for DeleteDb () API of the SecureBootVariableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. 
+**/ +UNIT_TEST_STATUS +EFIAPI +DeleteDbShouldDelete ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 Dummy =3D 3; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D 0; + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, sizeof (Dummy)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + will_return (MockGetVariable, &Dummy); + + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mMaxTimestam= p); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE); + + will_return (MockSetVariable, EFI_SUCCESS); + + Status =3D DeleteDb (); + UT_ASSERT_NOT_EFI_ERROR (Status); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for DeleteDbx () API of the SecureBootVariableLib. 
+ + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +DeleteDbxShouldDelete ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 Dummy =3D 3; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D 0; + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, sizeof (Dummy)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + will_return (MockGetVariable, &Dummy); + + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mMaxTimestam= p); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= 
_TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE); + + will_return (MockSetVariable, EFI_SUCCESS); + + Status =3D DeleteDbx (); + UT_ASSERT_NOT_EFI_ERROR (Status); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for DeleteDbt () API of the SecureBootVariableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +DeleteDbtShouldDelete ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 Dummy =3D 3; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D 0; + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E2, sizeof (EFI_IMAGE_SECURITY_DATABASE2)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E2, sizeof (EFI_IMAGE_SECURITY_DATABASE2)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, sizeof (Dummy)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + will_return (MockGetVariable, &Dummy); + + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mMaxTimestam= p); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, 
VAR_AUTH_DESC_SIZE); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E2, sizeof (EFI_IMAGE_SECURITY_DATABASE2)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE); + + will_return (MockSetVariable, EFI_SUCCESS); + + Status =3D DeleteDbt (); + UT_ASSERT_NOT_EFI_ERROR (Status); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for DeleteKEK () API of the SecureBootVariableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. 
+**/ +UNIT_TEST_STATUS +EFIAPI +DeleteKEKShouldDelete ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 Dummy =3D 3; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D 0; + + expect_memory (MockGetVariable, VariableName, EFI_KEY_EXCHANGE_KEY_NAME,= sizeof (EFI_KEY_EXCHANGE_KEY_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + + expect_memory (MockGetVariable, VariableName, EFI_KEY_EXCHANGE_KEY_NAME,= sizeof (EFI_KEY_EXCHANGE_KEY_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, sizeof (Dummy)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + will_return (MockGetVariable, &Dummy); + + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mMaxTimestam= p); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE); + + expect_memory (MockSetVariable, VariableName, EFI_KEY_EXCHANGE_KEY_NAME,= sizeof (EFI_KEY_EXCHANGE_KEY_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE); + + will_return (MockSetVariable, EFI_SUCCESS); + + Status =3D DeleteKEK (); + UT_ASSERT_NOT_EFI_ERROR (Status); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for DeletePlatformKey () API of the SecureBootVariableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. 
This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +DeletePKShouldDelete ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 Dummy =3D 3; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D 0; + UINT8 BootMode =3D CUSTOM_SECURE_BOOT_MODE; + + expect_memory (MockSetVariable, VariableName, EFI_CUSTOM_MODE_NAME, size= of (EFI_CUSTOM_MODE_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiCustomModeEnableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_BOOTSERVICE_ACCESS); + expect_value (MockSetVariable, DataSize, sizeof (BootMode)); + expect_memory (MockSetVariable, Data, &BootMode, sizeof (BootMode)); + + will_return (MockSetVariable, EFI_SUCCESS); + + expect_memory (MockGetVariable, VariableName, EFI_PLATFORM_KEY_NAME, siz= eof (EFI_PLATFORM_KEY_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + + expect_memory (MockGetVariable, VariableName, EFI_PLATFORM_KEY_NAME, siz= eof (EFI_PLATFORM_KEY_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, sizeof (Dummy)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + will_return (MockGetVariable, &Dummy); + + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mMaxTimestam= p); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE); + + expect_memory (MockSetVariable, VariableName, EFI_PLATFORM_KEY_NAME, siz= eof 
(EFI_PLATFORM_KEY_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE); + + will_return (MockSetVariable, EFI_SUCCESS); + + Status =3D DeletePlatformKey (); + UT_ASSERT_NOT_EFI_ERROR (Status); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for DeleteSecureBootVariables () API of the SecureBootVariable= Lib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. 
+**/ +UNIT_TEST_STATUS +EFIAPI +DeleteSecureBootVariablesShouldDelete ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 Dummy =3D 3; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D 0; + UINT8 BootMode =3D CUSTOM_SECURE_BOOT_MODE; + + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mMaxTimestam= p); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE); + + will_return (DisablePKProtection, EFI_SUCCESS); + + expect_memory (MockSetVariable, VariableName, EFI_CUSTOM_MODE_NAME, size= of (EFI_CUSTOM_MODE_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiCustomModeEnableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_BOOTSERVICE_ACCESS); + expect_value (MockSetVariable, DataSize, sizeof (BootMode)); + expect_memory (MockSetVariable, Data, &BootMode, sizeof (BootMode)); + + will_return (MockSetVariable, EFI_SUCCESS); + + expect_memory (MockGetVariable, VariableName, EFI_PLATFORM_KEY_NAME, siz= eof (EFI_PLATFORM_KEY_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + + expect_memory (MockGetVariable, VariableName, EFI_PLATFORM_KEY_NAME, siz= eof (EFI_PLATFORM_KEY_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, sizeof (Dummy)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + will_return (MockGetVariable, &Dummy); + + expect_memory (MockSetVariable, VariableName, EFI_PLATFORM_KEY_NAME, siz= eof (EFI_PLATFORM_KEY_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= 
_TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE); + + will_return (MockSetVariable, EFI_SUCCESS); + + expect_memory (MockGetVariable, VariableName, EFI_KEY_EXCHANGE_KEY_NAME,= sizeof (EFI_KEY_EXCHANGE_KEY_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + + expect_memory (MockGetVariable, VariableName, EFI_KEY_EXCHANGE_KEY_NAME,= sizeof (EFI_KEY_EXCHANGE_KEY_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, sizeof (Dummy)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + will_return (MockGetVariable, &Dummy); + + expect_memory (MockSetVariable, VariableName, EFI_KEY_EXCHANGE_KEY_NAME,= sizeof (EFI_KEY_EXCHANGE_KEY_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE); + + will_return (MockSetVariable, EFI_SUCCESS); + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockGetVariable, VendorGuid, 
&gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, sizeof (Dummy)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + will_return (MockGetVariable, &Dummy); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE); + + will_return (MockSetVariable, EFI_SUCCESS); + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, sizeof (Dummy)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + will_return (MockGetVariable, &Dummy); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE); + 
expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE); + + will_return (MockSetVariable, EFI_SUCCESS); + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E2, sizeof (EFI_IMAGE_SECURITY_DATABASE2)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E2, sizeof (EFI_IMAGE_SECURITY_DATABASE2)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, sizeof (Dummy)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (Dummy)); + will_return (MockGetVariable, &Dummy); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E2, sizeof (EFI_IMAGE_SECURITY_DATABASE2)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE); + + will_return (MockSetVariable, EFI_SUCCESS); + + Status =3D DeleteSecureBootVariables (); + UT_ASSERT_NOT_EFI_ERROR (Status); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for DeleteSecureBootVariables () API of the SecureBootVariable= Lib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. 
+ + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +DeleteSecureBootVariablesShouldCheckProtection ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + + will_return (DisablePKProtection, EFI_SECURITY_VIOLATION); + + Status =3D DeleteSecureBootVariables (); + UT_ASSERT_STATUS_EQUAL (Status, EFI_ABORTED); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for DeleteSecureBootVariables () API of the SecureBootVariable= Lib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. 
+**/ +UNIT_TEST_STATUS +EFIAPI +DeleteSecureBootVariablesShouldProceedWithNotFound ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 BootMode =3D CUSTOM_SECURE_BOOT_MODE; + + will_return (DisablePKProtection, EFI_SUCCESS); + + expect_memory (MockSetVariable, VariableName, EFI_CUSTOM_MODE_NAME, size= of (EFI_CUSTOM_MODE_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiCustomModeEnableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_BOOTSERVICE_ACCESS); + expect_value (MockSetVariable, DataSize, sizeof (BootMode)); + expect_memory (MockSetVariable, Data, &BootMode, sizeof (BootMode)); + + will_return (MockSetVariable, EFI_SUCCESS); + + expect_memory (MockGetVariable, VariableName, EFI_PLATFORM_KEY_NAME, siz= eof (EFI_PLATFORM_KEY_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, FALSE); + + expect_memory (MockGetVariable, VariableName, EFI_KEY_EXCHANGE_KEY_NAME,= sizeof (EFI_KEY_EXCHANGE_KEY_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, FALSE); + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, FALSE); + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockGetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, FALSE); + + expect_memory (MockGetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E2, sizeof (EFI_IMAGE_SECURITY_DATABASE2)); + expect_value (MockGetVariable, 
VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, FALSE); + + Status =3D DeleteSecureBootVariables (); + UT_ASSERT_NOT_EFI_ERROR (Status); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for DeleteSecureBootVariables () API of the SecureBootVariable= Lib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +EnrollFromInputShouldComplete ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 Dummy =3D 3; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D sizeof (Dummy); + + Payload =3D AllocateCopyPool (sizeof (Dummy), &Dummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaultPay= loadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (Dummy)); + + expect_memory (MockSetVariable, VariableName, EFI_PLATFORM_KEY_NAME, siz= eof (EFI_PLATFORM_KEY_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Du= mmy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (Dummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + Status =3D EnrollFromInput (EFI_PLATFORM_KEY_NAME, &gEfiGlobalVariableGu= id, 
sizeof (Dummy), &Dummy); + UT_ASSERT_NOT_EFI_ERROR (Status); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for SetDefaultSecureBootVariables () API of the SecureBootVari= ableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +SetSecureBootVariablesShouldComplete ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 DbDummy =3D 0xDE; + UINT8 DbtDummy =3D 0xAD; + UINT8 DbxDummy =3D 0xBE; + UINT8 KekDummy =3D 0xEF; + UINT8 PkDummy =3D 0xFE; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D sizeof (DbDummy); + SECURE_BOOT_PAYLOAD_INFO PayloadInfo =3D { + .DbPtr =3D &DbDummy, + .DbSize =3D sizeof (DbDummy), + .DbxPtr =3D &DbxDummy, + .DbxSize =3D sizeof (DbxDummy), + .DbtPtr =3D &DbtDummy, + .DbtSize =3D sizeof (DbtDummy), + .KekPtr =3D &KekDummy, + .KekSize =3D sizeof (KekDummy), + .PkPtr =3D &PkDummy, + .PkSize =3D sizeof (PkDummy), + .SecureBootKeyName =3D L"Food" + }; + + expect_memory (MockGetVariable, VariableName, EFI_SECURE_BOOT_MODE_NAME,= sizeof (EFI_SECURE_BOOT_MODE_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, FALSE); + + Payload =3D AllocateCopyPool (sizeof (DbxDummy), &DbxDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaultPay= loadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbxDummy)); + + expect_memory (MockSetVariable, VariableName, 
EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= xDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbxDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &DbDummy, sizeof (DbDummy)); + PayloadSize =3D sizeof (DbDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= Dummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &DbtDummy, sizeof (DbtDummy)); + PayloadSize =3D sizeof (DbtDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbtDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E2, sizeof (EFI_IMAGE_SECURITY_DATABASE2)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value 
(MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= tDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbtDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &KekDummy, sizeof (KekDummy)); + PayloadSize =3D sizeof (KekDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (KekDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_KEY_EXCHANGE_KEY_NAME,= sizeof (EFI_KEY_EXCHANGE_KEY_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Ke= kDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (KekDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &PkDummy, sizeof (PkDummy)); + PayloadSize =3D sizeof (PkDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (PkDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_PLATFORM_KEY_NAME, siz= eof (EFI_PLATFORM_KEY_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, 
DataSize, VAR_AUTH_DESC_SIZE + sizeof (Pk= Dummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (PkDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + Status =3D SetSecureBootVariablesToDefault (&PayloadInfo); + UT_ASSERT_NOT_EFI_ERROR (Status); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for SetDefaultSecureBootVariables () API of the SecureBootVari= ableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +SetSecureBootVariablesShouldStopWhenSecure ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 TargetMode =3D SECURE_BOOT_MODE_ENABLE; + SECURE_BOOT_PAYLOAD_INFO PayloadInfo; + + expect_memory (MockGetVariable, VariableName, EFI_SECURE_BOOT_MODE_NAME,= sizeof (EFI_SECURE_BOOT_MODE_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (TargetMode)); + + expect_memory (MockGetVariable, VariableName, EFI_SECURE_BOOT_MODE_NAME,= sizeof (EFI_SECURE_BOOT_MODE_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, sizeof (TargetMode)); + + will_return (MockGetVariable, TRUE); + will_return (MockGetVariable, sizeof (TargetMode)); + will_return (MockGetVariable, &TargetMode); + + Status =3D SetSecureBootVariablesToDefault (&PayloadInfo); + UT_ASSERT_STATUS_EQUAL (Status, EFI_ABORTED); + + 
return UNIT_TEST_PASSED; +} + +/** + Unit test for SetDefaultSecureBootVariables () API of the SecureBootVari= ableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +SetSecureBootVariablesShouldStopFailDBX ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 DbxDummy =3D 0xBE; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D sizeof (DbxDummy); + SECURE_BOOT_PAYLOAD_INFO PayloadInfo =3D { + .DbxPtr =3D &DbxDummy, + .DbxSize =3D sizeof (DbxDummy), + .SecureBootKeyName =3D L"Fail DBX" + }; + + expect_memory (MockGetVariable, VariableName, EFI_SECURE_BOOT_MODE_NAME,= sizeof (EFI_SECURE_BOOT_MODE_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, FALSE); + + Payload =3D AllocateCopyPool (sizeof (DbxDummy), &DbxDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaultPay= loadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbxDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, 
VAR_AUTH_DESC_SIZE + sizeof (Db= xDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbxDummy)); + + will_return (MockSetVariable, EFI_WRITE_PROTECTED); + + Status =3D SetSecureBootVariablesToDefault (&PayloadInfo); + UT_ASSERT_STATUS_EQUAL (Status, EFI_WRITE_PROTECTED); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for SetDefaultSecureBootVariables () API of the SecureBootVari= ableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +SetSecureBootVariablesShouldStopFailDB ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 DbDummy =3D 0xDE; + UINT8 DbxDummy =3D 0xBE; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D sizeof (DbDummy); + SECURE_BOOT_PAYLOAD_INFO PayloadInfo =3D { + .DbPtr =3D &DbDummy, + .DbSize =3D sizeof (DbDummy), + .DbxPtr =3D &DbxDummy, + .DbxSize =3D sizeof (DbxDummy), + .SecureBootKeyName =3D L"Fail DB" + }; + + expect_memory (MockGetVariable, VariableName, EFI_SECURE_BOOT_MODE_NAME,= sizeof (EFI_SECURE_BOOT_MODE_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, FALSE); + + Payload =3D AllocateCopyPool (sizeof (DbxDummy), &DbxDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaultPay= loadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbxDummy)); + + expect_memory (MockSetVariable, VariableName, 
EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= xDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbxDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &DbDummy, sizeof (DbDummy)); + PayloadSize =3D sizeof (DbDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= Dummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbDummy)); + + will_return (MockSetVariable, EFI_WRITE_PROTECTED); + + Status =3D SetSecureBootVariablesToDefault (&PayloadInfo); + UT_ASSERT_STATUS_EQUAL (Status, EFI_WRITE_PROTECTED); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for SetDefaultSecureBootVariables () API of the SecureBootVari= ableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. 
This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +SetSecureBootVariablesShouldStopFailDBT ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 DbDummy =3D 0xDE; + UINT8 DbtDummy =3D 0xAD; + UINT8 DbxDummy =3D 0xBE; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D sizeof (DbDummy); + SECURE_BOOT_PAYLOAD_INFO PayloadInfo =3D { + .DbPtr =3D &DbDummy, + .DbSize =3D sizeof (DbDummy), + .DbxPtr =3D &DbxDummy, + .DbxSize =3D sizeof (DbxDummy), + .DbtPtr =3D &DbtDummy, + .DbtSize =3D sizeof (DbtDummy), + .SecureBootKeyName =3D L"Fail DBT" + }; + + expect_memory (MockGetVariable, VariableName, EFI_SECURE_BOOT_MODE_NAME,= sizeof (EFI_SECURE_BOOT_MODE_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, FALSE); + + Payload =3D AllocateCopyPool (sizeof (DbxDummy), &DbxDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaultPay= loadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbxDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= xDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbxDummy)); + + 
will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &DbDummy, sizeof (DbDummy)); + PayloadSize =3D sizeof (DbDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= Dummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &DbtDummy, sizeof (DbtDummy)); + PayloadSize =3D sizeof (DbtDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbtDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E2, sizeof (EFI_IMAGE_SECURITY_DATABASE2)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= tDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbtDummy)); + + will_return (MockSetVariable, EFI_ACCESS_DENIED); + + Status =3D SetSecureBootVariablesToDefault (&PayloadInfo); + UT_ASSERT_STATUS_EQUAL (Status, EFI_ACCESS_DENIED); + + return 
UNIT_TEST_PASSED; +} + +/** + Unit test for SetDefaultSecureBootVariables () API of the SecureBootVari= ableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +SetSecureBootVariablesShouldStopFailKEK ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 DbDummy =3D 0xDE; + UINT8 DbtDummy =3D 0xAD; + UINT8 DbxDummy =3D 0xBE; + UINT8 KekDummy =3D 0xEF; + UINT8 PkDummy =3D 0xFE; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D sizeof (DbDummy); + SECURE_BOOT_PAYLOAD_INFO PayloadInfo =3D { + .DbPtr =3D &DbDummy, + .DbSize =3D sizeof (DbDummy), + .DbxPtr =3D &DbxDummy, + .DbxSize =3D sizeof (DbxDummy), + .DbtPtr =3D &DbtDummy, + .DbtSize =3D sizeof (DbtDummy), + .KekPtr =3D &KekDummy, + .KekSize =3D sizeof (KekDummy), + .PkPtr =3D &PkDummy, + .PkSize =3D sizeof (PkDummy), + .SecureBootKeyName =3D L"Food" + }; + + expect_memory (MockGetVariable, VariableName, EFI_SECURE_BOOT_MODE_NAME,= sizeof (EFI_SECURE_BOOT_MODE_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, FALSE); + + Payload =3D AllocateCopyPool (sizeof (DbxDummy), &DbxDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaultPay= loadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbxDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); 
+ expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= xDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbxDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &DbDummy, sizeof (DbDummy)); + PayloadSize =3D sizeof (DbDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= Dummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &DbtDummy, sizeof (DbtDummy)); + PayloadSize =3D sizeof (DbtDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbtDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E2, sizeof (EFI_IMAGE_SECURITY_DATABASE2)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS 
| EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= tDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbtDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &KekDummy, sizeof (KekDummy)); + PayloadSize =3D sizeof (KekDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (KekDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_KEY_EXCHANGE_KEY_NAME,= sizeof (EFI_KEY_EXCHANGE_KEY_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Ke= kDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (KekDummy)); + + will_return (MockSetVariable, EFI_DEVICE_ERROR); + + Status =3D SetSecureBootVariablesToDefault (&PayloadInfo); + UT_ASSERT_STATUS_EQUAL (Status, EFI_DEVICE_ERROR); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for SetDefaultSecureBootVariables () API of the SecureBootVari= ableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. 
+**/ +UNIT_TEST_STATUS +EFIAPI +SetSecureBootVariablesShouldStopFailPK ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 DbDummy =3D 0xDE; + UINT8 DbtDummy =3D 0xAD; + UINT8 DbxDummy =3D 0xBE; + UINT8 KekDummy =3D 0xEF; + UINT8 PkDummy =3D 0xFE; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D sizeof (DbDummy); + SECURE_BOOT_PAYLOAD_INFO PayloadInfo =3D { + .DbPtr =3D &DbDummy, + .DbSize =3D sizeof (DbDummy), + .DbxPtr =3D &DbxDummy, + .DbxSize =3D sizeof (DbxDummy), + .DbtPtr =3D &DbtDummy, + .DbtSize =3D sizeof (DbtDummy), + .KekPtr =3D &KekDummy, + .KekSize =3D sizeof (KekDummy), + .PkPtr =3D &PkDummy, + .PkSize =3D sizeof (PkDummy), + .SecureBootKeyName =3D L"Food" + }; + + expect_memory (MockGetVariable, VariableName, EFI_SECURE_BOOT_MODE_NAME,= sizeof (EFI_SECURE_BOOT_MODE_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, FALSE); + + Payload =3D AllocateCopyPool (sizeof (DbxDummy), &DbxDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaultPay= loadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbxDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= xDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbxDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &DbDummy, sizeof (DbDummy)); + PayloadSize =3D sizeof (DbDummy); + Status =3D CreateTimeBasedPayload 
(&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= Dummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &DbtDummy, sizeof (DbtDummy)); + PayloadSize =3D sizeof (DbtDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbtDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E2, sizeof (EFI_IMAGE_SECURITY_DATABASE2)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= tDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbtDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &KekDummy, sizeof (KekDummy)); + PayloadSize =3D sizeof (KekDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (KekDummy)); + + 
expect_memory (MockSetVariable, VariableName, EFI_KEY_EXCHANGE_KEY_NAME,= sizeof (EFI_KEY_EXCHANGE_KEY_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Ke= kDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (KekDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &PkDummy, sizeof (PkDummy)); + PayloadSize =3D sizeof (PkDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (PkDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_PLATFORM_KEY_NAME, siz= eof (EFI_PLATFORM_KEY_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Pk= Dummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (PkDummy)); + + will_return (MockSetVariable, EFI_INVALID_PARAMETER); + + Status =3D SetSecureBootVariablesToDefault (&PayloadInfo); + UT_ASSERT_STATUS_EQUAL (Status, EFI_SECURITY_VIOLATION); + + return UNIT_TEST_PASSED; +} + +/** + Unit test for SetDefaultSecureBootVariables () API of the SecureBootVari= ableLib. + + @param[in] Context [Optional] An optional parameter that enables: + 1) test-case reuse with varied parameters and + 2) test-case re-entry for Target tests that need a + reboot. 
This parameter is a VOID* and it is the + responsibility of the test author to ensure that = the + contents are well understood by all test cases th= at may + consume it. + + @retval UNIT_TEST_PASSED The Unit test has completed and th= e test + case was successful. + @retval UNIT_TEST_ERROR_TEST_FAILED A test case assertion has failed. +**/ +UNIT_TEST_STATUS +EFIAPI +SetSecureBootVariablesDBTOptional ( + IN UNIT_TEST_CONTEXT Context + ) +{ + EFI_STATUS Status; + UINT8 DbDummy =3D 0xDE; + UINT8 DbxDummy =3D 0xBE; + UINT8 KekDummy =3D 0xEF; + UINT8 PkDummy =3D 0xFE; + UINT8 *Payload =3D NULL; + UINTN PayloadSize =3D sizeof (DbDummy); + SECURE_BOOT_PAYLOAD_INFO PayloadInfo =3D { + .DbPtr =3D &DbDummy, + .DbSize =3D sizeof (DbDummy), + .DbxPtr =3D &DbxDummy, + .DbxSize =3D sizeof (DbxDummy), + .DbtPtr =3D NULL, + .DbtSize =3D 0, + .KekPtr =3D &KekDummy, + .KekSize =3D sizeof (KekDummy), + .PkPtr =3D &PkDummy, + .PkSize =3D sizeof (PkDummy), + .SecureBootKeyName =3D L"Food" + }; + + expect_memory (MockGetVariable, VariableName, EFI_SECURE_BOOT_MODE_NAME,= sizeof (EFI_SECURE_BOOT_MODE_NAME)); + expect_value (MockGetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockGetVariable, *DataSize, 0); + + will_return (MockGetVariable, FALSE); + + Payload =3D AllocateCopyPool (sizeof (DbxDummy), &DbxDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaultPay= loadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbxDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E1, sizeof (EFI_IMAGE_SECURITY_DATABASE1)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof 
(Db= xDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbxDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &DbDummy, sizeof (DbDummy)); + PayloadSize =3D sizeof (DbDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (DbDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_IMAGE_SECURITY_DATABAS= E, sizeof (EFI_IMAGE_SECURITY_DATABASE)); + expect_value (MockSetVariable, VendorGuid, &gEfiImageSecurityDatabaseGui= d); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Db= Dummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (DbDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &KekDummy, sizeof (KekDummy)); + PayloadSize =3D sizeof (KekDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (KekDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_KEY_EXCHANGE_KEY_NAME,= sizeof (EFI_KEY_EXCHANGE_KEY_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Ke= kDummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (KekDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + CopyMem (Payload, &PkDummy, sizeof 
(PkDummy)); + PayloadSize =3D sizeof (PkDummy); + Status =3D CreateTimeBasedPayload (&PayloadSize, &Payload, &mDefaul= tPayloadTimestamp); + UT_ASSERT_NOT_EFI_ERROR (Status); + UT_ASSERT_EQUAL (PayloadSize, VAR_AUTH_DESC_SIZE + sizeof (PkDummy)); + + expect_memory (MockSetVariable, VariableName, EFI_PLATFORM_KEY_NAME, siz= eof (EFI_PLATFORM_KEY_NAME)); + expect_value (MockSetVariable, VendorGuid, &gEfiGlobalVariableGuid); + expect_value (MockSetVariable, Attributes, EFI_VARIABLE_NON_VOLATILE | E= FI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE= _TIME_BASED_AUTHENTICATED_WRITE_ACCESS); + expect_value (MockSetVariable, DataSize, VAR_AUTH_DESC_SIZE + sizeof (Pk= Dummy)); + expect_memory (MockSetVariable, Data, Payload, VAR_AUTH_DESC_SIZE + size= of (PkDummy)); + + will_return (MockSetVariable, EFI_SUCCESS); + + Status =3D SetSecureBootVariablesToDefault (&PayloadInfo); + UT_ASSERT_NOT_EFI_ERROR (Status); + + return UNIT_TEST_PASSED; +} + +/** + Initialze the unit test framework, suite, and unit tests for the + SecureBootVariableLib and run the SecureBootVariableLib unit test. + + @retval EFI_SUCCESS All test cases were dispatched. + @retval EFI_OUT_OF_RESOURCES There are not enough resources available = to + initialize the unit tests. +**/ +STATIC +EFI_STATUS +EFIAPI +UnitTestingEntry ( + VOID + ) +{ + EFI_STATUS Status; + UNIT_TEST_FRAMEWORK_HANDLE Framework; + UNIT_TEST_SUITE_HANDLE SecureBootVarMiscTests; + UNIT_TEST_SUITE_HANDLE SecureBootVarDeleteTests; + UNIT_TEST_SUITE_HANDLE SecureBootVarEnrollTests; + + Framework =3D NULL; + + DEBUG ((DEBUG_INFO, "%a v%a\n", UNIT_TEST_APP_NAME, UNIT_TEST_APP_VERSIO= N)); + + // + // Start setting up the test framework for running the tests. + // + Status =3D InitUnitTestFramework (&Framework, UNIT_TEST_APP_NAME, gEfiCa= llerBaseName, UNIT_TEST_APP_VERSION); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Failed in InitUnitTestFramework. 
Status =3D %r\n= ", Status)); + goto EXIT; + } + + // + // Populate the SecureBootVariableLib Unit Test Suite. + // + Status =3D CreateUnitTestSuite (&SecureBootVarMiscTests, Framework, "Sec= ureBootVariableLib Miscellaneous Tests", "SecureBootVariableLib.Miscellaneo= us", NULL, NULL); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Failed in CreateUnitTestSuite for SecureBootVari= ableLib\n")); + Status =3D EFI_OUT_OF_RESOURCES; + goto EXIT; + } + + Status =3D CreateUnitTestSuite (&SecureBootVarDeleteTests, Framework, "S= ecureBootVariableLib Deletion Tests", "SecureBootVariableLib.Deletion", NUL= L, NULL); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Failed in CreateUnitTestSuite for SecureBootVari= ableLib\n")); + Status =3D EFI_OUT_OF_RESOURCES; + goto EXIT; + } + + Status =3D CreateUnitTestSuite (&SecureBootVarEnrollTests, Framework, "S= ecureBootVariableLib Enrollment Tests", "SecureBootVariableLib.Enrollment",= NULL, NULL); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "Failed in CreateUnitTestSuite for SecureBootVari= ableLib\n")); + Status =3D EFI_OUT_OF_RESOURCES; + goto EXIT; + } + + // + // --------------Suite-----------Description--------------Name----------= Function--------Pre---Post-------------------Context----------- + // + AddTestCase (SecureBootVarMiscTests, "SetSecureBootMode should propagate= to set variable", "SetSecureBootMode", SetSecureBootModeShouldSetVar, NULL= , NULL, NULL); + AddTestCase (SecureBootVarMiscTests, "GetSetupMode should propagate to g= et variable", "GetSetupMode", GetSetupModeShouldGetVar, NULL, NULL, NULL); + AddTestCase (SecureBootVarMiscTests, "IsSecureBootEnabled should propaga= te to get variable", "IsSecureBootEnabled", IsSecureBootEnableShouldGetVar,= NULL, NULL, NULL); + AddTestCase (SecureBootVarMiscTests, "SecureBootCreateDataFromInput with= one input cert", "SecureBootCreateDataFromInput One Cert", SecureBootCreat= eDataFromInputSimple, NULL, NULL, NULL); + AddTestCase (SecureBootVarMiscTests, 
"SecureBootCreateDataFromInput with= no input cert", "SecureBootCreateDataFromInput No Cert", SecureBootCreateD= ataFromInputNull, NULL, NULL, NULL); + AddTestCase (SecureBootVarMiscTests, "SecureBootCreateDataFromInput with= multiple input cert", "SecureBootCreateDataFromInput No Cert", SecureBootC= reateDataFromInputMultiple, NULL, NULL, NULL); + AddTestCase (SecureBootVarMiscTests, "CreateTimeBasedPayload should popu= late descriptor data", "CreateTimeBasedPayload Normal", CreateTimeBasedPayl= oadShouldPopulateDescriptor, NULL, NULL, NULL); + AddTestCase (SecureBootVarMiscTests, "CreateTimeBasedPayload should fail= on NULL inputs", "CreateTimeBasedPayload NULL", CreateTimeBasedPayloadShou= ldCheckInput, NULL, NULL, NULL); + + AddTestCase (SecureBootVarDeleteTests, "DeleteDb should delete DB with a= uth info", "DeleteDb", DeleteDbShouldDelete, NULL, NULL, NULL); + AddTestCase (SecureBootVarDeleteTests, "DeleteDbx should delete DBX with= auth info", "DeleteDbx", DeleteDbxShouldDelete, NULL, NULL, NULL); + AddTestCase (SecureBootVarDeleteTests, "DeleteDbt should delete DBT with= auth info", "DeleteDbt", DeleteDbtShouldDelete, NULL, NULL, NULL); + AddTestCase (SecureBootVarDeleteTests, "DeleteKEK should delete KEK with= auth info", "DeleteKEK", DeleteKEKShouldDelete, NULL, NULL, NULL); + AddTestCase (SecureBootVarDeleteTests, "DeletePlatformKey should delete = PK with auth info", "DeletePlatformKey", DeletePKShouldDelete, NULL, NULL, = NULL); + AddTestCase (SecureBootVarDeleteTests, "DeleteSecureBootVariables should= delete properly", "DeleteSecureBootVariables Normal", DeleteSecureBootVari= ablesShouldDelete, NULL, NULL, NULL); + AddTestCase (SecureBootVarDeleteTests, "DeleteSecureBootVariables should= fail if protection disable fails", "DeleteSecureBootVariables Fail", Delet= eSecureBootVariablesShouldCheckProtection, NULL, NULL, NULL); + AddTestCase (SecureBootVarDeleteTests, "DeleteSecureBootVariables should= continue if any variable is not found", 
"DeleteSecureBootVariables Proceed= ", DeleteSecureBootVariablesShouldProceedWithNotFound, NULL, NULL, NULL); + + AddTestCase (SecureBootVarEnrollTests, "EnrollFromInput should supply wi= th authenticated payload", "EnrollFromInput Normal", EnrollFromInputShouldC= omplete, NULL, NULL, NULL); + AddTestCase (SecureBootVarEnrollTests, "SetSecureBootVariablesToDefault = should complete", "SetSecureBootVariablesToDefault Normal", SetSecureBootVa= riablesShouldComplete, NULL, NULL, NULL); + AddTestCase (SecureBootVarEnrollTests, "SetSecureBootVariablesToDefault = should stop when already enabled", "SetSecureBootVariablesToDefault Already= Started", SetSecureBootVariablesShouldStopWhenSecure, NULL, NULL, NULL); + AddTestCase (SecureBootVarEnrollTests, "SetSecureBootVariablesToDefault = should stop when DB failed", "SetSecureBootVariablesToDefault Fails DB", Se= tSecureBootVariablesShouldStopFailDB, NULL, NULL, NULL); + AddTestCase (SecureBootVarEnrollTests, "SetSecureBootVariablesToDefault = should stop when DBT failed", "SetSecureBootVariablesToDefault Fails DBT", = SetSecureBootVariablesShouldStopFailDBT, NULL, NULL, NULL); + AddTestCase (SecureBootVarEnrollTests, "SetSecureBootVariablesToDefault = should stop when DBX failed", "SetSecureBootVariablesToDefault Fails DBX", = SetSecureBootVariablesShouldStopFailDBX, NULL, NULL, NULL); + AddTestCase (SecureBootVarEnrollTests, "SetSecureBootVariablesToDefault = should stop when KEK failed", "SetSecureBootVariablesToDefault Fails KEK", = SetSecureBootVariablesShouldStopFailKEK, NULL, NULL, NULL); + AddTestCase (SecureBootVarEnrollTests, "SetSecureBootVariablesToDefault = should stop when PK failed", "SetSecureBootVariablesToDefault Fails PK", Se= tSecureBootVariablesShouldStopFailPK, NULL, NULL, NULL); + AddTestCase (SecureBootVarEnrollTests, "SetSecureBootVariablesToDefault = should only be optional", "SetSecureBootVariablesToDefault DBT Optional", S= etSecureBootVariablesDBTOptional, NULL, NULL, NULL); + + // + // Execute 
the tests. + // + Status =3D RunAllTestSuites (Framework); + +EXIT: + if (Framework) { + FreeUnitTestFramework (Framework); + } + + return Status; +} + +/** + Standard POSIX C entry point for host based unit test execution. +**/ +int +main ( + int argc, + char *argv[] + ) +{ + return UnitTestingEntry (); +} diff --git a/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatfor= mPKProtectionLib.inf b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/M= ockPlatformPKProtectionLib.inf new file mode 100644 index 000000000000..1e19033c5a91 --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProt= ectionLib.inf @@ -0,0 +1,33 @@ +## @file +# Provides an abstracted interface for configuring PK related variable pr= otection. +# +# Copyright (c) Microsoft Corporation. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D MockPlatformPKProtectionLib + FILE_GUID =3D 5FCD74D3-3965-4D56-AB83-000B9B4806A0 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D PlatformPKProtectionLib|HOST_APPLICAT= ION + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64 +# + +[Sources] + MockPlatformPKProtectionLib.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec + +[LibraryClasses] + UnitTestLib diff --git a/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib= .inf b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf new file mode 100644 index 000000000000..a84242ac7205 --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf 
@@ -0,0 +1,45 @@ +## @file +# Instance of UEFI Library. +# +# The UEFI Library provides functions and macros that simplify the develop= ment of +# UEFI Drivers and UEFI Applications. These functions and macros help ma= nage EFI +# events, build simple locks utilizing EFI Task Priority Levels (TPLs), i= nstall +# EFI Driver Model related protocols, manage Unicode string tables for UE= FI Drivers, +# and print messages on the console output and standard error devices. +# +# Copyright (c) 2007 - 2018, Intel Corporation. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D MockUefiLib + FILE_GUID =3D E3B7AEF9-4E55-49AF-B035-ED776C928EC6 + MODULE_TYPE =3D UEFI_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D UefiLib|HOST_APPLICATION + +# +# VALID_ARCHITECTURES =3D IA32 X64 EBC +# + +[Sources] + MockUefiLib.c + +[Packages] + MdePkg/MdePkg.dec + +[LibraryClasses] + PrintLib + PcdLib + MemoryAllocationLib + DebugLib + BaseMemoryLib + BaseLib + UefiRuntimeServicesTableLib + +[Guids] + gEfiGlobalVariableGuid ## SOMETIMES_CONSUMES ## = Variable diff --git a/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRun= timeServicesTableLib.inf b/SecurityPkg/Library/SecureBootVariableLib/UnitTe= st/MockUefiRuntimeServicesTableLib.inf new file mode 100644 index 000000000000..f832a93e2254 --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeSer= vicesTableLib.inf @@ -0,0 +1,25 @@ +## @file +# Mock implementation of the UEFI Runtime Services Table Library. +# +# Copyright (c) 2020, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D MockUefiRuntimeServicesTableLib + FILE_GUID =3D 84CE0021-ABEE-403C-9A1B-763CCF2D40F1 + MODULE_TYPE =3D UEFI_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D UefiRuntimeServicesTableLib|HOST_APPL= ICATION + +# +# VALID_ARCHITECTURES =3D IA32 X64 EBC +# + +[Sources] + MockUefiRuntimeServicesTableLib.c + +[Packages] + MdePkg/MdePkg.dec diff --git a/SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootV= ariableLibUnitTest.inf b/SecurityPkg/Library/SecureBootVariableLib/UnitTest= /SecureBootVariableLibUnitTest.inf new file mode 100644 index 000000000000..f99fb09be52e --- /dev/null +++ b/SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariable= LibUnitTest.inf @@ -0,0 +1,36 @@ +## @file +# Unit tests of the implementation of SecureBootVariableLib. +# +# Copyright (C) Microsoft Corporation. +# SPDX-License-Identifier: BSD-2-Clause-Patent +## + +[Defines] + INF_VERSION =3D 0x00010006 + BASE_NAME =3D SecureBootVariableLibUnitTest + FILE_GUID =3D 71C5359E-08FB-450E-9766-BC70482DF66B + MODULE_TYPE =3D HOST_APPLICATION + VERSION_STRING =3D 1.0 + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 +# + +[Sources] + SecureBootVariableLibUnitTest.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec + +[LibraryClasses] + SecureBootVariableLib + BaseLib + BaseMemoryLib + DebugLib + UefiLib + UnitTestLib diff --git a/SecurityPkg/SecurityPkg.ci.yaml b/SecurityPkg/SecurityPkg.ci.y= aml index 791214239899..2138b0a5e21b 100644 --- a/SecurityPkg/SecurityPkg.ci.yaml +++ b/SecurityPkg/SecurityPkg.ci.yaml @@ -15,6 +15,7 @@ ## "", "" ## ] "ExceptionList": [ + "8005", "gRT", ], ## Both file path and directory path are accepted. "IgnoreFiles": [ 
@@ -26,6 +27,10 @@ "CompilerPlugin": { "DscPath": "SecurityPkg.dsc" }, + ## options defined .pytool/Plugin/HostUnitTestCompilerPlugin + "HostUnitTestCompilerPlugin": { + "DscPath": "Test/SecurityPkgHostTest.dsc" + }, "CharEncodingCheck": { "IgnoreFiles": [] }, @@ -33,6 +38,7 @@ "AcceptableDependencies": [ "MdePkg/MdePkg.dec", "MdeModulePkg/MdeModulePkg.dec", + "UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec", "SecurityPkg/SecurityPkg.dec", "StandaloneMmPkg/StandaloneMmPkg.dec", "CryptoPkg/CryptoPkg.dec" @@ -47,6 +53,11 @@ "DscPath": "SecurityPkg.dsc", "IgnoreInf": [] }, + ## options defined .pytool/Plugin/HostUnitTestDscCompleteCheck + "HostUnitTestDscCompleteCheck": { + "IgnoreInf": [""], + "DscPath": "Test/SecurityPkgHostTest.dsc" + }, "GuidCheck": { "IgnoreGuidName": [], "IgnoreGuidValue": ["00000000-0000-0000-0000-000000000000"], diff --git a/SecurityPkg/Test/SecurityPkgHostTest.dsc b/SecurityPkg/Test/Se= curityPkgHostTest.dsc new file mode 100644 index 000000000000..c4df01fe1b73 --- /dev/null +++ b/SecurityPkg/Test/SecurityPkgHostTest.dsc 
@@ -0,0 +1,38 @@ +## @file +# SecurityPkg DSC file used to build host-based unit tests. +# +# Copyright (C) Microsoft Corporation. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + PLATFORM_NAME =3D SecurityPkgHostTest + PLATFORM_GUID =3D 9D78A9B4-00CD-477E-A5BF-90CC793EEFB0 + PLATFORM_VERSION =3D 0.1 + DSC_SPECIFICATION =3D 0x00010005 + OUTPUT_DIRECTORY =3D Build/SecurityPkg/HostTest + SUPPORTED_ARCHITECTURES =3D IA32|X64 + BUILD_TARGETS =3D NOOPT + SKUID_IDENTIFIER =3D DEFAULT + +!include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc + +[LibraryClasses] + SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf + +[Components] + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiRuntimeServic= esTableLib.inf + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockPlatformPKProtect= ionLib.inf + SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiLib.inf + + # + # Build SecurityPkg HOST_APPLICATION Tests + # + SecurityPkg/Library/SecureBootVariableLib/UnitTest/SecureBootVariableLib= UnitTest.inf { + + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/Secu= reBootVariableLib.inf + UefiRuntimeServicesTableLib|SecurityPkg/Library/SecureBootVariableLi= b/UnitTest/MockUefiRuntimeServicesTableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/SecureBootVariableLib/Un= itTest/MockPlatformPKProtectionLib.inf + UefiLib|SecurityPkg/Library/SecureBootVariableLib/UnitTest/MockUefiL= ib.inf + } --=20 2.36.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
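Review bot: MockUefiLib.inf and MockUefiRuntimeServicesTableLib.inf both declare MODULE_TYPE = UEFI_DRIVER and list EBC under VALID_ARCHITECTURES, yet their LIBRARY_CLASS is restricted to HOST_APPLICATION and SecureBootVariableLibUnitTest.inf beside them uses MODULE_TYPE = HOST_APPLICATION with IA32 X64 only. Suggest aligning the [Defines] of both mocks with their host-only use, so the metadata does not imply they are usable in a firmware build. MockUefiLib.inf also lists PrintLib, PcdLib, MemoryAllocationLib and gEfiGlobalVariableGuid; please trim [LibraryClasses] and [Guids] to what MockUefiLib.c actually references.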
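Review bot: In the SecurityPkg.ci.yaml hunk at @@ -15,6 +15,7 @@ the new "8005", "gRT" pair in ExceptionList carries no comment saying which source needs the exception or why, and the entry applies to the whole package rather than to the unit-test directory. Add a one-line comment naming the mock file it is meant for. In the hunk at @@ -47,6 +53,11 @@ the new HostUnitTestDscCompleteCheck block uses "IgnoreInf": [""] while the block just above it uses "IgnoreInf": []; an empty list expresses the same intent without an empty-string entry.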
From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Ard Biesheuvel, Jiewen Yao, Jordan Justen, Gerd Hoffmann, Rebecca Cran, Peter Grehan, Sebastien Boeuf, Jiewen Yao, Michael Kubacki
Subject: [edk2-devel] [PATCH v3 10/11] OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency
Date: Thu, 30 Jun 2022 16:53:40 -0700
Message-Id: <20220630235341.1746-11-kuqin12@gmail.com>
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>

The new changes in SecureBootVariableLib brought in a new dependency of
PlatformPKProtectionLib. This change added the new library instance from
SecurityPkg to resolve pipeline builds.

Cc: Ard Biesheuvel
Cc: Jiewen Yao
Cc: Jordan Justen
Cc: Gerd Hoffmann
Cc: Rebecca Cran
Cc: Peter Grehan
Cc: Sebastien Boeuf
Signed-off-by: Kun Qin
Reviewed-by: Jiewen Yao
Acked-by: Michael Kubacki
---

Notes:
    v3:
    - Added reviewed-by tag [Jiewen]
    - Added acked-by tag [Michael Kubacki]

 OvmfPkg/Bhyve/BhyveX64.dsc       | 1 +
 OvmfPkg/CloudHv/CloudHvX64.dsc   | 1 +
 OvmfPkg/IntelTdx/IntelTdxX64.dsc | 1 +
 OvmfPkg/OvmfPkgIa32.dsc          | 1 +
 OvmfPkg/OvmfPkgIa32X64.dsc       | 1 +
 OvmfPkg/OvmfPkgX64.dsc           | 1 +
 6 files changed, 6 insertions(+)
diff --git a/OvmfPkg/Bhyve/BhyveX64.dsc b/OvmfPkg/Bhyve/BhyveX64.dsc index ec8ad98db765..d4f0c90b8e00 100644 --- a/OvmfPkg/Bhyve/BhyveX64.dsc +++ b/OvmfPkg/Bhyve/BhyveX64.dsc @@ -201,6 +201,7 @@ [LibraryClasses] PlatformSecureLib|OvmfPkg/Bhyve/Library/PlatformSecureLib/PlatformSecure= Lib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf diff --git a/OvmfPkg/CloudHv/CloudHvX64.dsc b/OvmfPkg/CloudHv/CloudHvX64.dsc index ca601aa09d3a..0bfe542f8a88 100644 --- a/OvmfPkg/CloudHv/CloudHvX64.dsc +++ b/OvmfPkg/CloudHv/CloudHvX64.dsc @@ -212,6 +212,7 @@ [LibraryClasses] PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf diff --git a/OvmfPkg/IntelTdx/IntelTdxX64.dsc b/OvmfPkg/IntelTdx/IntelTdxX6= 4.dsc index c662ae8720ff..144d50aa9dba 100644 --- a/OvmfPkg/IntelTdx/IntelTdxX64.dsc +++ b/OvmfPkg/IntelTdx/IntelTdxX64.dsc 
@@ -185,6 +185,7 @@ [LibraryClasses] PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index 934edbbd2a7b..e708411076ca 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -209,6 +209,7 @@ [LibraryClasses] PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 4f432c294958..0b036d8bb53f 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc 
@@ -213,6 +213,7 @@ [LibraryClasses] PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index b22da97d4f77..8ad04b50f74f 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc 
@@ -229,6 +229,7 @@ [LibraryClasses] PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf --=20 2.36.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90957): https://edk2.groups.io/g/devel/message/90957 Mute This Topic: https://groups.io/mt/92098746/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sun Apr 28 12:18:06 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+90959+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+90959+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1656633246; cv=none; d=zohomail.com; s=zohoarc; b=fTqN3X1pxEKW1tjVoAte9q9oo4LZan+pc/jpNOe8QoppjxQrOexYxILivP7I7YCOvVwDNQq27um1Qug9NZZ1HxTjhaGSePphZ/zvhPe3ffo0mWhyioQioC3/nOaGpbE3TlK4476rL5xpP+CMVLveeCGt0675FjhJV1On++7sX4s= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1656633246; 
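Review bot: The identical PlatformPKProtectionLib mapping is added by hand in six DSC files, in each case next to the existing SecureBootVariableLib line and before the !else branch, so any OvmfPkg platform DSC not touched here that also maps SecureBootVariableLib will fail to resolve the new library class. Please confirm in the commit message that these six are the complete set of OvmfPkg DSCs that consume SecureBootVariableLib, or add the line to the remaining ones in this same patch so the series stays bisectable.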
From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Andrew Fish, Ray Ni, Jiewen Yao, Michael Kubacki
Subject: [edk2-devel] [PATCH v3 11/11] EmulatorPkg: Pipeline: Resolve SecureBootVariableLib dependency
Date: Thu, 30 Jun 2022 16:53:41 -0700
Message-Id: <20220630235341.1746-12-kuqin12@gmail.com>
In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com>
References: <20220630235341.1746-1-kuqin12@gmail.com>

The new changes in SecureBootVariableLib brought in a new dependency of
PlatformPKProtectionLib. This change added the new library instance from
SecurityPkg to resolve pipeline builds.

Cc: Andrew Fish
Cc: Ray Ni
Signed-off-by: Kun Qin
Reviewed-by: Ray Ni
Reviewed-by: Jiewen Yao
Acked-by: Michael Kubacki
---

Notes:
    v3:
    - Added reviewed-by tag [Ray]
    - Added reviewed-by tag [Jiewen]
    - Added acked-by tag [Michael Kubacki]

 EmulatorPkg/EmulatorPkg.dsc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc index 4cf886b9eac7..b44435d7e6ee 100644 --- a/EmulatorPkg/EmulatorPkg.dsc +++ b/EmulatorPkg/EmulatorPkg.dsc 
@@ -134,6 +134,7 @@ [LibraryClasses] PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecu= reLibNull.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf !else AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf --=20 2.36.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#90959): https://edk2.groups.io/g/devel/message/90959 Mute This Topic: https://groups.io/mt/92098748/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
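Review bot: The hunk at @@ -134,6 +134,7 @@ selects the PlatformPKProtectionLibVarPolicy instance, but the commit message gives only the build reason ("to resolve pipeline builds") and does not say why this instance is the right one for EmulatorPkg, which in the same block maps PlatformSecureLib to PlatformSecureLibNull. Add a sentence to the commit message stating that the platform provides what the VarPolicy instance depends on, so a reader can tell that the PK protection mapping was chosen deliberately and not just to satisfy the build.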