deleted file mode 100644
@@ -1,90 +0,0 @@
-## @file
-# Component name for SecureBoot configuration module for OVMF.
-#
-# Need custom SecureBootConfigDxe for OVMF that does not force
-# resets after PK changes since OVMF doesn't have persistent variables
-#
-# Copyright (c) 2011 - 2013, Intel Corporation. All rights reserved.<BR>
-# This program and the accompanying materials
-# are licensed and made available under the terms and conditions of the BSD License
-# which accompanies this distribution. The full text of the license may be found at
-# http://opensource.org/licenses/bsd-license.php
-# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-#
-##
-
-[Defines]
- INF_VERSION = 0x00010005
- BASE_NAME = SecureBootConfigDxe
- FILE_GUID = 68E2BC17-198D-41f1-8213-065E3A2A7C12
- MODULE_TYPE = DXE_DRIVER
- VERSION_STRING = 1.0
- ENTRY_POINT = SecureBootConfigDriverEntryPoint
- UNLOAD_IMAGE = SecureBootConfigDriverUnload
-
-#
-# VALID_ARCHITECTURES = IA32 X64 IPF EBC
-#
-
-[Sources]
- SecureBootConfigDriver.c
- SecureBootConfigImpl.c
- SecureBootConfigFileExplorer.c
- SecureBootConfigDevicePath.c
- SecureBootConfigMisc.c
- SecureBootConfigImpl.h
- SecureBootConfig.vfr
- SecureBootConfigStrings.uni
- SecureBootConfigNvData.h
-
-[Packages]
- MdePkg/MdePkg.dec
- MdeModulePkg/MdeModulePkg.dec
- SecurityPkg/SecurityPkg.dec
- CryptoPkg/CryptoPkg.dec
-
-[LibraryClasses]
- BaseLib
- BaseMemoryLib
- BaseCryptLib
- MemoryAllocationLib
- UefiLib
- UefiBootServicesTableLib
- UefiRuntimeServicesTableLib
- UefiDriverEntryPoint
- UefiHiiServicesLib
- DebugLib
- HiiLib
- PlatformSecureLib
- DevicePathLib
-
-[Guids]
- gEfiIfrTianoGuid
- gEfiCustomModeEnableGuid
- gEfiSecureBootEnableDisableGuid
- gSecureBootConfigFormSetGuid
- gEfiCertPkcs7Guid
- gEfiCertRsa2048Guid ## CONSUMES
- gEfiCertX509Guid ## CONSUMES
- gEfiCertSha1Guid ## CONSUMES
- gEfiCertSha256Guid ## CONSUMES
- gEfiCertTypeRsa2048Sha256Guid ## CONSUMES
- gEfiImageSecurityDatabaseGuid ## CONSUMES
- gEfiFileSystemVolumeLabelInfoIdGuid ## CONSUMES
- gEfiGlobalVariableGuid ## PRODUCES ## Variable Guid
- gEfiFileInfoGuid ## CONSUMES ## GUID
-
-[Protocols]
- gEfiHiiConfigAccessProtocolGuid ## PRODUCES
- gEfiHiiConfigRoutingProtocolGuid ## CONSUMES
- gEfiSimpleFileSystemProtocolGuid ## PROTOCOL CONSUMES
- gEfiLoadFileProtocolGuid ## PROTOCOL CONSUMES
- gEfiBlockIoProtocolGuid ## PROTOCOL CONSUMES
- gEfiDevicePathProtocolGuid ## PROTOCOL CONSUMES
-
-[Depex]
- gEfiHiiConfigRoutingProtocolGuid AND
- gEfiHiiDatabaseProtocolGuid AND
- gEfiVariableArchProtocolGuid AND
- gEfiVariableWriteArchProtocolGuid
deleted file mode 100644
@@ -1,613 +0,0 @@
-/** @file
- The header file of HII Config Access protocol implementation of SecureBoot
- configuration module.
-
-Copyright (c) 2011 - 2013, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef __SECUREBOOT_CONFIG_IMPL_H__
-#define __SECUREBOOT_CONFIG_IMPL_H__
-
-#include <Uefi.h>
-
-#include <Protocol/HiiConfigAccess.h>
-#include <Protocol/HiiConfigRouting.h>
-#include <Protocol/SimpleFileSystem.h>
-#include <Protocol/BlockIo.h>
-#include <Protocol/DevicePath.h>
-#include <Protocol/DebugPort.h>
-#include <Protocol/LoadFile.h>
-
-#include <Library/BaseLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/DebugLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/UefiBootServicesTableLib.h>
-#include <Library/UefiRuntimeServicesTableLib.h>
-#include <Library/UefiHiiServicesLib.h>
-#include <Library/UefiLib.h>
-#include <Library/HiiLib.h>
-#include <Library/DevicePathLib.h>
-#include <Library/PrintLib.h>
-#include <Library/PlatformSecureLib.h>
-#include <Library/BaseCryptLib.h>
-#include <Guid/MdeModuleHii.h>
-#include <Guid/AuthenticatedVariableFormat.h>
-#include <Guid/FileSystemVolumeLabelInfo.h>
-#include <Guid/ImageAuthentication.h>
-#include <Guid/FileInfo.h>
-
-#include "SecureBootConfigNvData.h"
-
-//
-// Tool generated IFR binary data and String package data
-//
-extern UINT8 SecureBootConfigBin[];
-extern UINT8 SecureBootConfigDxeStrings[];
-
-//
-// Shared IFR form update data
-//
-extern VOID *mStartOpCodeHandle;
-extern VOID *mEndOpCodeHandle;
-extern EFI_IFR_GUID_LABEL *mStartLabel;
-extern EFI_IFR_GUID_LABEL *mEndLabel;
-
-#define MAX_CHAR 480
-#define TWO_BYTE_ENCODE 0x82
-
-//
-// SHA-1 digest size in bytes.
-//
-#define SHA1_DIGEST_SIZE 20
-//
-// SHA-256 digest size in bytes
-//
-#define SHA256_DIGEST_SIZE 32
-//
-// Set max digest size as SHA256 Output (32 bytes) by far
-//
-#define MAX_DIGEST_SIZE SHA256_DIGEST_SIZE
-
-#define WIN_CERT_UEFI_RSA2048_SIZE 256
-
-//
-// Support hash types
-//
-#define HASHALG_SHA1 0x00000000
-#define HASHALG_SHA224 0x00000001
-#define HASHALG_SHA256 0x00000002
-#define HASHALG_SHA384 0x00000003
-#define HASHALG_SHA512 0x00000004
-#define HASHALG_MAX 0x00000005
-
-
-#define SECUREBOOT_MENU_OPTION_SIGNATURE SIGNATURE_32 ('S', 'b', 'M', 'u')
-#define SECUREBOOT_MENU_ENTRY_SIGNATURE SIGNATURE_32 ('S', 'b', 'M', 'r')
-
-typedef struct {
- EFI_DEVICE_PATH_PROTOCOL Header;
- EFI_GUID Guid;
- UINT8 VendorDefinedData[1];
-} VENDOR_DEVICE_PATH_WITH_DATA;
-
-typedef struct {
- EFI_DEVICE_PATH_PROTOCOL Header;
- UINT16 NetworkProtocol;
- UINT16 LoginOption;
- UINT64 Lun;
- UINT16 TargetPortalGroupTag;
- CHAR16 TargetName[1];
-} ISCSI_DEVICE_PATH_WITH_NAME;
-
-typedef enum _FILE_EXPLORER_DISPLAY_CONTEXT {
- FileExplorerDisplayFileSystem,
- FileExplorerDisplayDirectory,
- FileExplorerDisplayUnknown
-} FILE_EXPLORER_DISPLAY_CONTEXT;
-
-typedef enum _FILE_EXPLORER_STATE {
- FileExplorerStateInActive = 0,
- FileExplorerStateEnrollPkFile,
- FileExplorerStateEnrollKekFile,
- FileExplorerStateEnrollSignatureFileToDb,
- FileExplorerStateEnrollSignatureFileToDbx,
- FileExplorerStateUnknown
-} FILE_EXPLORER_STATE;
-
-typedef struct {
- CHAR16 *Str;
- UINTN Len;
- UINTN Maxlen;
-} POOL_PRINT;
-
-typedef
-VOID
-(*DEV_PATH_FUNCTION) (
- IN OUT POOL_PRINT *Str,
- IN VOID *DevPath
- );
-
-typedef struct {
- UINT8 Type;
- UINT8 SubType;
- DEV_PATH_FUNCTION Function;
-} DEVICE_PATH_STRING_TABLE;
-
-typedef struct {
- UINTN Signature;
- LIST_ENTRY Head;
- UINTN MenuNumber;
-} SECUREBOOT_MENU_OPTION;
-
-extern SECUREBOOT_MENU_OPTION FsOptionMenu;
-extern SECUREBOOT_MENU_OPTION DirectoryMenu;
-
-typedef struct {
- UINTN Signature;
- LIST_ENTRY Link;
- UINTN OptionNumber;
- UINT16 *DisplayString;
- UINT16 *HelpString;
- EFI_STRING_ID DisplayStringToken;
- EFI_STRING_ID HelpStringToken;
- VOID *FileContext;
-} SECUREBOOT_MENU_ENTRY;
-
-typedef struct {
- EFI_HANDLE Handle;
- EFI_DEVICE_PATH_PROTOCOL *DevicePath;
- EFI_FILE_HANDLE FHandle;
- UINT16 *FileName;
- EFI_FILE_SYSTEM_VOLUME_LABEL *Info;
-
- BOOLEAN IsRoot;
- BOOLEAN IsDir;
- BOOLEAN IsRemovableMedia;
- BOOLEAN IsLoadFile;
- BOOLEAN IsBootLegacy;
-} SECUREBOOT_FILE_CONTEXT;
-
-
-//
-// We define another format of 5th directory entry: security directory
-//
-typedef struct {
- UINT32 Offset; // Offset of certificate
- UINT32 SizeOfCert; // size of certificate appended
-} EFI_IMAGE_SECURITY_DATA_DIRECTORY;
-
-typedef enum{
- ImageType_IA32,
- ImageType_X64
-} IMAGE_TYPE;
-
-///
-/// HII specific Vendor Device Path definition.
-///
-typedef struct {
- VENDOR_DEVICE_PATH VendorDevicePath;
- EFI_DEVICE_PATH_PROTOCOL End;
-} HII_VENDOR_DEVICE_PATH;
-
-typedef struct {
- UINTN Signature;
-
- EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess;
- EFI_HII_HANDLE HiiHandle;
- EFI_HANDLE DriverHandle;
-
- FILE_EXPLORER_STATE FeCurrentState;
- FILE_EXPLORER_DISPLAY_CONTEXT FeDisplayContext;
-
- SECUREBOOT_MENU_ENTRY *MenuEntry;
- SECUREBOOT_FILE_CONTEXT *FileContext;
-
- EFI_GUID *SignatureGUID;
-} SECUREBOOT_CONFIG_PRIVATE_DATA;
-
-extern SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate;
-
-#define SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('S', 'E', 'C', 'B')
-#define SECUREBOOT_CONFIG_PRIVATE_FROM_THIS(a) CR (a, SECUREBOOT_CONFIG_PRIVATE_DATA, ConfigAccess, SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE)
-
-//
-// Cryptograhpic Key Information
-//
-#pragma pack(1)
-typedef struct _CPL_KEY_INFO {
- UINT32 KeyLengthInBits; // Key Length In Bits
- UINT32 BlockSize; // Operation Block Size in Bytes
- UINT32 CipherBlockSize; // Output Cipher Block Size in Bytes
- UINT32 KeyType; // Key Type
- UINT32 CipherMode; // Cipher Mode for Symmetric Algorithm
- UINT32 Flags; // Additional Key Property Flags
-} CPL_KEY_INFO;
-#pragma pack()
-
-
-/**
- Retrieves the size, in bytes, of the context buffer required for hash operations.
-
- @return The size, in bytes, of the context buffer required for hash operations.
-
-**/
-typedef
-EFI_STATUS
-(EFIAPI *HASH_GET_CONTEXT_SIZE)(
- VOID
- );
-
-/**
- Initializes user-supplied memory pointed by HashContext as hash context for
- subsequent use.
-
- If HashContext is NULL, then ASSERT().
-
- @param[in, out] HashContext Pointer to Context being initialized.
-
- @retval TRUE HASH context initialization succeeded.
- @retval FALSE HASH context initialization failed.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *HASH_INIT)(
- IN OUT VOID *HashContext
- );
-
-
-/**
- Performs digest on a data buffer of the specified length. This function can
- be called multiple times to compute the digest of long or discontinuous data streams.
-
- If HashContext is NULL, then ASSERT().
-
- @param[in, out] HashContext Pointer to the MD5 context.
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataLength Length of Data buffer in bytes.
-
- @retval TRUE HASH data digest succeeded.
- @retval FALSE Invalid HASH context. After HashFinal function has been called, the
- HASH context cannot be reused.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *HASH_UPDATE)(
- IN OUT VOID *HashContext,
- IN CONST VOID *Data,
- IN UINTN DataLength
- );
-
-/**
- Completes hash computation and retrieves the digest value into the specified
- memory. After this function has been called, the context cannot be used again.
-
- If HashContext is NULL, then ASSERT().
- If HashValue is NULL, then ASSERT().
-
- @param[in, out] HashContext Pointer to the MD5 context
- @param[out] HashValue Pointer to a buffer that receives the HASH digest
- value (16 bytes).
-
- @retval TRUE HASH digest computation succeeded.
- @retval FALSE HASH digest computation failed.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *HASH_FINAL)(
- IN OUT VOID *HashContext,
- OUT UINT8 *HashValue
- );
-
-//
-// Hash Algorithm Table
-//
-typedef struct {
- CHAR16 *Name; ///< Name for Hash Algorithm
- UINTN DigestLength; ///< Digest Length
- UINT8 *OidValue; ///< Hash Algorithm OID ASN.1 Value
- UINTN OidLength; ///< Length of Hash OID Value
- HASH_GET_CONTEXT_SIZE GetContextSize; ///< Pointer to Hash GetContentSize function
- HASH_INIT HashInit; ///< Pointer to Hash Init function
- HASH_UPDATE HashUpdate; ///< Pointer to Hash Update function
- HASH_FINAL HashFinal; ///< Pointer to Hash Final function
-} HASH_TABLE;
-
-typedef struct {
- WIN_CERTIFICATE Hdr;
- UINT8 CertData[1];
-} WIN_CERTIFICATE_EFI_PKCS;
-
-
-/**
- This function publish the SecureBoot configuration Form.
-
- @param[in, out] PrivateData Points to SecureBoot configuration private data.
-
- @retval EFI_SUCCESS HII Form is installed successfully.
- @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
- @retval Others Other errors as indicated.
-
-**/
-EFI_STATUS
-InstallSecureBootConfigForm (
- IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- );
-
-
-/**
- This function removes SecureBoot configuration Form.
-
- @param[in, out] PrivateData Points to SecureBoot configuration private data.
-
-**/
-VOID
-UninstallSecureBootConfigForm (
- IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- );
-
-
-/**
- This function allows a caller to extract the current configuration for one
- or more named elements from the target driver.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Request A null-terminated Unicode string in
- <ConfigRequest> format.
- @param[out] Progress On return, points to a character in the Request
- string. Points to the string's null terminator if
- request was successful. Points to the most recent
- '&' before the first failing name/value pair (or
- the beginning of the string if the failure is in
- the first name/value pair) if the request was not
- successful.
- @param[out] Results A null-terminated Unicode string in
- <ConfigAltResp> format which has all values filled
- in for the names in the Request string. String to
- be allocated by the called function.
-
- @retval EFI_SUCCESS The Results is filled with the requested values.
- @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
- @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
- @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
- driver.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootExtractConfig (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN CONST EFI_STRING Request,
- OUT EFI_STRING *Progress,
- OUT EFI_STRING *Results
- );
-
-
-/**
- This function processes the results of changes in configuration.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Configuration A null-terminated Unicode string in <ConfigResp>
- format.
- @param[out] Progress A pointer to a string filled in with the offset of
- the most recent '&' before the first failing
- name/value pair (or the beginning of the string if
- the failure is in the first name/value pair) or
- the terminating NULL if all was successful.
-
- @retval EFI_SUCCESS The Results is processed successfully.
- @retval EFI_INVALID_PARAMETER Configuration is NULL.
- @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
- driver.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootRouteConfig (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN CONST EFI_STRING Configuration,
- OUT EFI_STRING *Progress
- );
-
-
-/**
- This function processes the results of changes in configuration.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Action Specifies the type of action taken by the browser.
- @param[in] QuestionId A unique value which is sent to the original
- exporting driver so that it can identify the type
- of data to expect.
- @param[in] Type The type of value for the question.
- @param[in] Value A pointer to the data being sent to the original
- exporting driver.
- @param[out] ActionRequest On return, points to the action requested by the
- callback function.
-
- @retval EFI_SUCCESS The callback successfully handled the action.
- @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
- variable and its data.
- @retval EFI_DEVICE_ERROR The variable could not be saved.
- @retval EFI_UNSUPPORTED The specified Action is not supported by the
- callback.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootCallback (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN EFI_BROWSER_ACTION Action,
- IN EFI_QUESTION_ID QuestionId,
- IN UINT8 Type,
- IN EFI_IFR_TYPE_VALUE *Value,
- OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
- );
-
-
-/**
- This function converts an input device structure to a Unicode string.
-
- @param[in] DevPath A pointer to the device path structure.
-
- @return A new allocated Unicode string that represents the device path.
-
-**/
-CHAR16 *
-EFIAPI
-DevicePathToStr (
- IN EFI_DEVICE_PATH_PROTOCOL *DevPath
- );
-
-
-/**
- Clean up the dynamic opcode at label and form specified by both LabelId.
-
- @param[in] LabelId It is both the Form ID and Label ID for opcode deletion.
- @param[in] PrivateData Module private data.
-
-**/
-VOID
-CleanUpPage (
- IN UINT16 LabelId,
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- );
-
-
-/**
- Update the file explorer page with the refreshed file system.
-
- @param[in] PrivateData Module private data.
- @param[in] KeyValue Key value to identify the type of data to expect.
-
- @retval TRUE Inform the caller to create a callback packet to exit file explorer.
- @retval FALSE Indicate that there is no need to exit file explorer.
-
-**/
-BOOLEAN
-UpdateFileExplorer (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
- IN UINT16 KeyValue
- );
-
-
-/**
- Free resources allocated in Allocate Rountine.
-
- @param[in, out] MenuOption Menu to be freed
-
-**/
-VOID
-FreeMenu (
- IN OUT SECUREBOOT_MENU_OPTION *MenuOption
- );
-
-
-/**
- Read file content into BufferPtr, the size of the allocate buffer
- is *FileSize plus AddtionAllocateSize.
-
- @param[in] FileHandle The file to be read.
- @param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
- @param[out] FileSize Size of input file
- @param[in] AddtionAllocateSize Addtion size the buffer need to be allocated.
- In case the buffer need to contain others besides the file content.
-
- @retval EFI_SUCCESS The file was read into the buffer.
- @retval EFI_INVALID_PARAMETER A parameter was invalid.
- @retval EFI_OUT_OF_RESOURCES A memory allocation failed.
- @retval others Unexpected error.
-
-**/
-EFI_STATUS
-ReadFileContent (
- IN EFI_FILE_HANDLE FileHandle,
- IN OUT VOID **BufferPtr,
- OUT UINTN *FileSize,
- IN UINTN AddtionAllocateSize
- );
-
-
-/**
- Close an open file handle.
-
- @param[in] FileHandle The file handle to close.
-
-**/
-VOID
-CloseFile (
- IN EFI_FILE_HANDLE FileHandle
- );
-
-
-/**
- Converts a nonnegative integer to an octet string of a specified length.
-
- @param[in] Integer Pointer to the nonnegative integer to be converted
- @param[in] IntSizeInWords Length of integer buffer in words
- @param[out] OctetString Converted octet string of the specified length
- @param[in] OSSizeInBytes Intended length of resulting octet string in bytes
-
-Returns:
-
- @retval EFI_SUCCESS Data conversion successfully
- @retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
-
-**/
-EFI_STATUS
-EFIAPI
-Int2OctStr (
- IN CONST UINTN *Integer,
- IN UINTN IntSizeInWords,
- OUT UINT8 *OctetString,
- IN UINTN OSSizeInBytes
- );
-
-
-/**
- Convert a String to Guid Value.
-
- @param[in] Str Specifies the String to be converted.
- @param[in] StrLen Number of Unicode Characters of String (exclusive \0)
- @param[out] Guid Return the result Guid value.
-
- @retval EFI_SUCCESS The operation is finished successfully.
- @retval EFI_NOT_FOUND Invalid string.
-
-**/
-EFI_STATUS
-StringToGuid (
- IN CHAR16 *Str,
- IN UINTN StrLen,
- OUT EFI_GUID *Guid
- );
-
-
-/**
- Worker function that prints an EFI_GUID into specified Buffer.
-
- @param[in] Guid Pointer to GUID to print.
- @param[in] Buffer Buffer to print Guid into.
- @param[in] BufferSize Size of Buffer.
-
- @retval Number of characters printed.
-
-**/
-UINTN
-GuidToString (
- IN EFI_GUID *Guid,
- IN CHAR16 *Buffer,
- IN UINTN BufferSize
- );
-
-#endif
deleted file mode 100644
@@ -1,118 +0,0 @@
-/** @file
- Header file for NV data structure definition.
-
-Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#ifndef __SECUREBOOT_CONFIG_NV_DATA_H__
-#define __SECUREBOOT_CONFIG_NV_DATA_H__
-
-#include <Guid/HiiPlatformSetupFormset.h>
-#include <Guid/SecureBootConfigHii.h>
-
-//
-// Used by VFR for form or button identification
-//
-#define SECUREBOOT_CONFIGURATION_VARSTORE_ID 0x0001
-#define SECUREBOOT_CONFIGURATION_FORM_ID 0x01
-#define FORMID_SECURE_BOOT_OPTION_FORM 0x02
-#define FORMID_SECURE_BOOT_PK_OPTION_FORM 0x03
-#define FORMID_SECURE_BOOT_KEK_OPTION_FORM 0x04
-#define FORMID_SECURE_BOOT_DB_OPTION_FORM 0x05
-#define FORMID_SECURE_BOOT_DBX_OPTION_FORM 0x06
-#define FORMID_ENROLL_PK_FORM 0x07
-#define SECUREBOOT_ADD_PK_FILE_FORM_ID 0x08
-#define FORMID_ENROLL_KEK_FORM 0x09
-#define FORMID_DELETE_KEK_FORM 0x0a
-#define SECUREBOOT_ENROLL_SIGNATURE_TO_DB 0x0b
-#define SECUREBOOT_DELETE_SIGNATURE_FROM_DB 0x0c
-#define SECUREBOOT_ENROLL_SIGNATURE_TO_DBX 0x0d
-#define SECUREBOOT_DELETE_SIGNATURE_FROM_DBX 0x0e
-#define FORM_FILE_EXPLORER_ID 0x0f
-#define FORM_FILE_EXPLORER_ID_PK 0x10
-#define FORM_FILE_EXPLORER_ID_KEK 0x11
-#define FORM_FILE_EXPLORER_ID_DB 0x12
-#define FORM_FILE_EXPLORER_ID_DBX 0x13
-
-#define SECURE_BOOT_MODE_CUSTOM 0x01
-#define SECURE_BOOT_MODE_STANDARD 0x00
-
-#define KEY_SECURE_BOOT_ENABLE 0x1000
-#define KEY_SECURE_BOOT_MODE 0x1001
-#define KEY_VALUE_SAVE_AND_EXIT_DB 0x1002
-#define KEY_VALUE_NO_SAVE_AND_EXIT_DB 0x1003
-#define KEY_VALUE_SAVE_AND_EXIT_PK 0x1004
-#define KEY_VALUE_NO_SAVE_AND_EXIT_PK 0x1005
-#define KEY_VALUE_SAVE_AND_EXIT_KEK 0x1008
-#define KEY_VALUE_NO_SAVE_AND_EXIT_KEK 0x1009
-#define KEY_VALUE_SAVE_AND_EXIT_DBX 0x100a
-#define KEY_VALUE_NO_SAVE_AND_EXIT_DBX 0x100b
-
-#define KEY_SECURE_BOOT_OPTION 0x1100
-#define KEY_SECURE_BOOT_PK_OPTION 0x1101
-#define KEY_SECURE_BOOT_KEK_OPTION 0x1102
-#define KEY_SECURE_BOOT_DB_OPTION 0x1103
-#define KEY_SECURE_BOOT_DBX_OPTION 0x1104
-#define KEY_SECURE_BOOT_DELETE_PK 0x1105
-#define KEY_ENROLL_PK 0x1106
-#define KEY_ENROLL_KEK 0x1107
-#define KEY_DELETE_KEK 0x1108
-#define KEY_SECURE_BOOT_KEK_GUID 0x110a
-#define KEY_SECURE_BOOT_SIGNATURE_GUID_DB 0x110b
-#define KEY_SECURE_BOOT_SIGNATURE_GUID_DBX 0x110c
-
-#define LABEL_KEK_DELETE 0x1200
-#define LABEL_DB_DELETE 0x1201
-#define LABEL_DBX_DELETE 0x1202
-#define LABEL_END 0xffff
-
-#define SECURE_BOOT_MAX_ATTEMPTS_NUM 255
-
-#define CONFIG_OPTION_OFFSET 0x2000
-
-#define OPTION_CONFIG_QUESTION_ID 0x2000
-#define OPTION_CONFIG_RANGE 0x1000
-
-//
-// Question ID 0x2000 ~ 0x2FFF is for KEK
-//
-#define OPTION_DEL_KEK_QUESTION_ID 0x2000
-//
-// Question ID 0x3000 ~ 0x3FFF is for DB
-//
-#define OPTION_DEL_DB_QUESTION_ID 0x3000
-//
-// Question ID 0x4000 ~ 0x4FFF is for DBX
-//
-#define OPTION_DEL_DBX_QUESTION_ID 0x4000
-
-
-#define FILE_OPTION_OFFSET 0x8000
-#define FILE_OPTION_MASK 0x7FFF
-
-#define SECURE_BOOT_GUID_SIZE 36
-#define SECURE_BOOT_GUID_STORAGE_SIZE 37
-
-
-//
-// Nv Data structure referenced by IFR
-//
-typedef struct {
- BOOLEAN SecureBootState; //Secure Boot Disable/Enable;
- BOOLEAN HideSecureBoot; //Hiden Attempt Secure Boot
- CHAR16 SignatureGuid[SECURE_BOOT_GUID_STORAGE_SIZE];
- BOOLEAN PhysicalPresent; //If a Physical Present User;
- UINT8 SecureBootMode; //Secure Boot Mode: Standard Or Custom
- BOOLEAN DeletePk;
- BOOLEAN HasPk; //If Pk is existed it is true;
-} SECUREBOOT_CONFIGURATION;
-
-#endif
deleted file mode 100644
@@ -1,495 +0,0 @@
-/** @file
- VFR file used by the SecureBoot configuration component.
-
-Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigNvData.h"
-
-formset
- guid = SECUREBOOT_CONFIG_FORM_SET_GUID,
- title = STRING_TOKEN(STR_SECUREBOOT_TITLE),
- help = STRING_TOKEN(STR_SECUREBOOT_HELP),
- classguid = EFI_HII_PLATFORM_SETUP_FORMSET_GUID,
-
- varstore SECUREBOOT_CONFIGURATION,
- varid = SECUREBOOT_CONFIGURATION_VARSTORE_ID,
- name = SECUREBOOT_CONFIGURATION,
- guid = SECUREBOOT_CONFIG_FORM_SET_GUID;
-
- //
- // ##1 Form "Secure Boot Configuration"
- //
- form formid = SECUREBOOT_CONFIGURATION_FORM_ID,
- title = STRING_TOKEN(STR_SECUREBOOT_TITLE);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- //
- // Define of Check Box: Attempt Secure Boot
- //
- suppressif TRUE;
- checkbox varid = SECUREBOOT_CONFIGURATION.HideSecureBoot,
- prompt = STRING_TOKEN(STR_NULL),
- help = STRING_TOKEN(STR_NULL),
- endcheckbox;
- endif;
-
- //
- // Display of Check Box: Attempt Secure Boot
- //
- grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1;
- checkbox varid = SECUREBOOT_CONFIGURATION.SecureBootState,
- questionid = KEY_SECURE_BOOT_ENABLE,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT),
- help = STRING_TOKEN(STR_SECURE_BOOT_HELP),
- flags = INTERACTIVE,
- endcheckbox;
- endif;
-
- //
- // Display of Oneof: 'Secure Boot Mode'
- //
- oneof varid = SECUREBOOT_CONFIGURATION.SecureBootMode,
- questionid = KEY_SECURE_BOOT_MODE,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_MODE_PROMPT),
- help = STRING_TOKEN(STR_SECURE_BOOT_MODE_HELP),
- flags = INTERACTIVE,
- option text = STRING_TOKEN(STR_STANDARD_MODE), value = SECURE_BOOT_MODE_STANDARD, flags = DEFAULT;
- option text = STRING_TOKEN(STR_CUSTOM_MODE), value = SECURE_BOOT_MODE_CUSTOM, flags = 0;
- endoneof;
-
- //
- //
- // Display of 'Current Secure Boot Mode'
- //
- suppressif ideqval SECUREBOOT_CONFIGURATION.SecureBootMode == SECURE_BOOT_MODE_STANDARD;
- grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1;
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_OPTION),
- help = STRING_TOKEN(STR_SECURE_BOOT_OPTION_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_OPTION;
- endif;
- endif;
- endform;
-
- //
- // ##2 Form: 'Custom Secure Boot Options'
- //
- form formid = FORMID_SECURE_BOOT_OPTION_FORM,
- title = STRING_TOKEN(STR_SECURE_BOOT_OPTION_TITLE);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_PK_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION),
- help = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_PK_OPTION;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_KEK_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION),
- help = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_KEK_OPTION;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_DB_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION),
- help = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_DB_OPTION;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_DBX_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION),
- help = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_DBX_OPTION;
-
- endform;
-
- //
- // ##3 Form: 'PK Options'
- //
- form formid = FORMID_SECURE_BOOT_PK_OPTION_FORM,
- title = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- //
- // Define of Check Box: 'Delete PK'
- //
- suppressif TRUE;
- checkbox varid = SECUREBOOT_CONFIGURATION.DeletePk,
- prompt = STRING_TOKEN(STR_NULL),
- help = STRING_TOKEN(STR_NULL),
- endcheckbox;
- endif;
-
- grayoutif ideqval SECUREBOOT_CONFIGURATION.HasPk == 1;
- goto FORMID_ENROLL_PK_FORM,
- prompt = STRING_TOKEN(STR_ENROLL_PK),
- help = STRING_TOKEN(STR_ENROLL_PK_HELP),
- flags = INTERACTIVE,
- key = KEY_ENROLL_PK;
- endif;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- //
- // Display of Check Box: 'Delete Pk'
- //
- grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1;
- checkbox varid = SECUREBOOT_CONFIGURATION.DeletePk,
- questionid = KEY_SECURE_BOOT_DELETE_PK,
- prompt = STRING_TOKEN(STR_DELETE_PK),
- help = STRING_TOKEN(STR_DELETE_PK_HELP),
- flags = INTERACTIVE,
- endcheckbox;
- endif;
- endform;
-
- //
- // ##4 Form: 'Enroll PK'
- //
- form formid = FORMID_ENROLL_PK_FORM,
- title = STRING_TOKEN(STR_ENROLL_PK);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORM_FILE_EXPLORER_ID_PK,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_PK_FILE),
- help = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_PK_FILE),
- flags = INTERACTIVE,
- key = SECUREBOOT_ADD_PK_FILE_FORM_ID;
- endform;
-
- //
- // ##5 Form: 'KEK Options'
- //
- form formid = FORMID_SECURE_BOOT_KEK_OPTION_FORM,
- title = STRING_TOKEN(STR_SECURE_BOOT_KEK_OPTION);
-
- //
- // Display of 'Enroll KEK'
- //
- goto FORMID_ENROLL_KEK_FORM,
- prompt = STRING_TOKEN(STR_ENROLL_KEK),
- help = STRING_TOKEN(STR_ENROLL_KEK_HELP),
- flags = INTERACTIVE;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- //
- // Display of 'Delete KEK'
- //
- goto FORMID_DELETE_KEK_FORM,
- prompt = STRING_TOKEN(STR_DELETE_KEK),
- help = STRING_TOKEN(STR_DELETE_KEK_HELP),
- flags = INTERACTIVE,
- key = KEY_DELETE_KEK;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- endform;
-
- //
- // ##6 Form: 'Enroll KEK'
- //
- form formid = FORMID_ENROLL_KEK_FORM,
- title = STRING_TOKEN(STR_ENROLL_KEK_TITLE);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORM_FILE_EXPLORER_ID_KEK,
- prompt = STRING_TOKEN(STR_FORM_ENROLL_KEK_FROM_FILE_TITLE),
- help = STRING_TOKEN(STR_FORM_ENROLL_KEK_FROM_FILE_TITLE_HELP),
- flags = INTERACTIVE,
- key = FORMID_ENROLL_KEK_FORM;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- label FORMID_ENROLL_KEK_FORM;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
- help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_KEK_GUID,
- minsize = SECURE_BOOT_GUID_SIZE,
- maxsize = SECURE_BOOT_GUID_SIZE,
- endstring;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_SAVE_AND_EXIT_KEK;
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_NO_SAVE_AND_EXIT_KEK;
-
- endform;
-
- //
- // ##7 Form: 'Delete KEK'
- //
- form formid = FORMID_DELETE_KEK_FORM,
- title = STRING_TOKEN(STR_DELETE_KEK_TITLE);
-
- label LABEL_KEK_DELETE;
- label LABEL_END;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- endform;
-
- //
- // ##8 Form: 'DB Options'
- //
- form formid = FORMID_SECURE_BOOT_DB_OPTION_FORM,
- title = STRING_TOKEN(STR_SECURE_BOOT_DB_OPTION);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_ENROLL_SIGNATURE_TO_DB,
- prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
- help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
- flags = 0;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
- prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
- help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
- flags = INTERACTIVE,
- key = SECUREBOOT_DELETE_SIGNATURE_FROM_DB;
-
- endform;
-
- //
- // ##9 Form: 'DBX Options'
- //
- form formid = FORMID_SECURE_BOOT_DBX_OPTION_FORM,
- title = STRING_TOKEN(STR_SECURE_BOOT_DBX_OPTION);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_ENROLL_SIGNATURE_TO_DBX,
- prompt = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
- help = STRING_TOKEN (STR_SECURE_BOOT_ENROLL_SIGNATURE),
- flags = 0;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
- prompt = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
- help = STRING_TOKEN (STR_SECURE_BOOT_DELETE_SIGNATURE),
- flags = INTERACTIVE,
- key = SECUREBOOT_DELETE_SIGNATURE_FROM_DBX;
-
- endform;
-
- //
- // Form: 'Delete Signature' for DB Options.
- //
- form formid = SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
- title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE);
-
- label LABEL_DB_DELETE;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- endform;
-
- //
- // Form: 'Delete Signature' for DBX Options.
- //
- form formid = SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
- title = STRING_TOKEN(STR_SECURE_BOOT_DELETE_SIGNATURE);
-
- label LABEL_DBX_DELETE;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- endform;
-
- //
- // Form: 'Enroll Signature' for DB options.
- //
- form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DB,
- title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORM_FILE_EXPLORER_ID_DB,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
- help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
- flags = INTERACTIVE,
- key = SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- label SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
- help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_SIGNATURE_GUID_DB,
- minsize = SECURE_BOOT_GUID_SIZE,
- maxsize = SECURE_BOOT_GUID_SIZE,
- endstring;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_SAVE_AND_EXIT_DB;
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_NO_SAVE_AND_EXIT_DB;
-
- endform;
-
- //
- // Form: 'Enroll Signature' for DBX options.
- //
- form formid = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX,
- title = STRING_TOKEN(STR_SECURE_BOOT_ENROLL_SIGNATURE);
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORM_FILE_EXPLORER_ID_DBX,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
- help = STRING_TOKEN(STR_SECURE_BOOT_ADD_SIGNATURE_FILE),
- flags = INTERACTIVE,
- key = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- label SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
- label LABEL_END;
- subtitle text = STRING_TOKEN(STR_NULL);
-
- string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
- prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
- help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
- flags = INTERACTIVE,
- key = KEY_SECURE_BOOT_SIGNATURE_GUID_DBX,
- minsize = SECURE_BOOT_GUID_SIZE,
- maxsize = SECURE_BOOT_GUID_SIZE,
- endstring;
-
- subtitle text = STRING_TOKEN(STR_NULL);
- subtitle text = STRING_TOKEN(STR_NULL);
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_SAVE_AND_EXIT_DBX;
-
- goto FORMID_SECURE_BOOT_OPTION_FORM,
- prompt = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- flags = INTERACTIVE,
- key = KEY_VALUE_NO_SAVE_AND_EXIT_DBX;
-
- endform;
-
- //
- // File Explorer for PK
- //
- form formid = FORM_FILE_EXPLORER_ID_PK,
- title = STRING_TOKEN(STR_FILE_EXPLORER_TITLE);
-
- label FORM_FILE_EXPLORER_ID;
- label LABEL_END;
- endform;
-
- //
- // File Explorer for KEK
- //
- form formid = FORM_FILE_EXPLORER_ID_KEK,
- title = STRING_TOKEN(STR_FILE_EXPLORER_TITLE);
-
- label FORM_FILE_EXPLORER_ID;
- label LABEL_END;
- endform;
-
- //
- // File Explorer for DB
- //
- form formid = FORM_FILE_EXPLORER_ID_DB,
- title = STRING_TOKEN(STR_FILE_EXPLORER_TITLE);
-
- label FORM_FILE_EXPLORER_ID;
- label LABEL_END;
- endform;
-
- //
- // File Explorer for DBX
- //
- form formid = FORM_FILE_EXPLORER_ID_DBX,
- title = STRING_TOKEN(STR_FILE_EXPLORER_TITLE);
-
- label FORM_FILE_EXPLORER_ID;
- label LABEL_END;
- endform;
-
-
- //
- // Enroll Pk from File Commit Form
- //
- form formid = SECUREBOOT_ADD_PK_FILE_FORM_ID,
- title = STRING_TOKEN(STR_SAVE_PK_FILE);
-
- label SECUREBOOT_ADD_PK_FILE_FORM_ID;
- label LABEL_END;
-
- subtitle text = STRING_TOKEN(STR_NULL);
-
- text
- help = STRING_TOKEN(STR_SAVE_AND_EXIT),
- text = STRING_TOKEN(STR_SAVE_AND_EXIT),
- text = STRING_TOKEN(STR_NULL),
- flags = INTERACTIVE,
- key = KEY_VALUE_SAVE_AND_EXIT_PK;
-
- text
- help = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- text = STRING_TOKEN(STR_NO_SAVE_AND_EXIT),
- text = STRING_TOKEN(STR_NULL),
- flags = INTERACTIVE,
- key = KEY_VALUE_NO_SAVE_AND_EXIT_PK;
-
- endform;
-
-endformset;
deleted file mode 100644
@@ -1,38 +0,0 @@
-/** @file
- Internal function defines the default device path string for SecureBoot configuration module.
-
-Copyright (c) 2012 - 2013, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-
-/**
- This function converts an input device structure to a Unicode string.
-
- @param[in] DevPath A pointer to the device path structure.
-
- @return A new allocated Unicode string that represents the device path.
-
-**/
-CHAR16 *
-EFIAPI
-DevicePathToStr (
- IN EFI_DEVICE_PATH_PROTOCOL *DevPath
- )
-{
- return ConvertDevicePathToText (
- DevPath,
- FALSE,
- TRUE
- );
-}
-
deleted file mode 100644
@@ -1,133 +0,0 @@
-/** @file
- The module entry point for SecureBoot configuration module.
-
-Copyright (c) 2011, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-/**
- The entry point for SecureBoot configuration driver.
-
- @param[in] ImageHandle The image handle of the driver.
- @param[in] SystemTable The system table.
-
- @retval EFI_ALREADY_STARTED The driver already exists in system.
- @retval EFI_OUT_OF_RESOURCES Fail to execute entry point due to lack of resources.
- @retval EFI_SUCCES All the related protocols are installed on the driver.
- @retval Others Fail to get the SecureBootEnable variable.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootConfigDriverEntryPoint (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- )
-{
- EFI_STATUS Status;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
-
- //
- // If already started, return.
- //
- Status = gBS->OpenProtocol (
- ImageHandle,
- &gEfiCallerIdGuid,
- NULL,
- ImageHandle,
- ImageHandle,
- EFI_OPEN_PROTOCOL_TEST_PROTOCOL
- );
- if (!EFI_ERROR (Status)) {
- return EFI_ALREADY_STARTED;
- }
-
- //
- // Create a private data structure.
- //
- PrivateData = AllocateCopyPool (sizeof (SECUREBOOT_CONFIG_PRIVATE_DATA), &mSecureBootConfigPrivateDateTemplate);
- if (PrivateData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Install SecureBoot configuration form
- //
- Status = InstallSecureBootConfigForm (PrivateData);
- if (EFI_ERROR (Status)) {
- goto ErrorExit;
- }
-
- //
- // Install private GUID.
- //
- Status = gBS->InstallMultipleProtocolInterfaces (
- &ImageHandle,
- &gEfiCallerIdGuid,
- PrivateData,
- NULL
- );
-
- if (EFI_ERROR (Status)) {
- goto ErrorExit;
- }
-
- return EFI_SUCCESS;
-
-ErrorExit:
- if (PrivateData != NULL) {
- UninstallSecureBootConfigForm (PrivateData);
- }
-
- return Status;
-}
-
-/**
- Unload the SecureBoot configuration form.
-
- @param[in] ImageHandle The driver's image handle.
-
- @retval EFI_SUCCESS The SecureBoot configuration form is unloaded.
- @retval Others Failed to unload the form.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootConfigDriverUnload (
- IN EFI_HANDLE ImageHandle
- )
-{
- EFI_STATUS Status;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
-
- Status = gBS->HandleProtocol (
- ImageHandle,
- &gEfiCallerIdGuid,
- (VOID **) &PrivateData
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- ASSERT (PrivateData->Signature == SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE);
-
- gBS->UninstallMultipleProtocolInterfaces (
- &ImageHandle,
- &gEfiCallerIdGuid,
- PrivateData,
- NULL
- );
-
- UninstallSecureBootConfigForm (PrivateData);
-
- return EFI_SUCCESS;
-}
deleted file mode 100644
@@ -1,1227 +0,0 @@
-/** @file
- Internal file explorer functions for SecureBoot configuration module.
-
-Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-///
-/// File system selection menu
-///
-SECUREBOOT_MENU_OPTION FsOptionMenu = {
- SECUREBOOT_MENU_OPTION_SIGNATURE,
- {NULL},
- 0
-};
-
-///
-/// Files and sub-directories in current directory menu
-///
-SECUREBOOT_MENU_OPTION DirectoryMenu = {
- SECUREBOOT_MENU_OPTION_SIGNATURE,
- {NULL},
- 0
-};
-
-VOID *mStartOpCodeHandle = NULL;
-VOID *mEndOpCodeHandle = NULL;
-EFI_IFR_GUID_LABEL *mStartLabel = NULL;
-EFI_IFR_GUID_LABEL *mEndLabel = NULL;
-
-/**
- Duplicate a string.
-
- @param[in] Src The source string.
-
- @return A new string which is duplicated copy of the source,
- or NULL if there is not enough memory.
-
-**/
-CHAR16 *
-StrDuplicate (
- IN CHAR16 *Src
- )
-{
- CHAR16 *Dest;
- UINTN Size;
-
- Size = StrSize (Src);
- Dest = AllocateZeroPool (Size);
- ASSERT (Dest != NULL);
- if (Dest != NULL) {
- CopyMem (Dest, Src, Size);
- }
-
- return Dest;
-}
-
-/**
- Helper function called as part of the code needed to allocate
- the proper sized buffer for various EFI interfaces.
-
- @param[in, out] Status Current status
- @param[in, out] Buffer Current allocated buffer, or NULL
- @param[in] BufferSize Current buffer size needed
-
- @retval TRUE If the buffer was reallocated and the caller
- should try the API again.
- @retval FALSE The caller should not call this function again.
-
-**/
-BOOLEAN
-GrowBuffer (
- IN OUT EFI_STATUS *Status,
- IN OUT VOID **Buffer,
- IN UINTN BufferSize
- )
-{
- BOOLEAN TryAgain;
-
- //
- // If this is an initial request, buffer will be null with a new buffer size
- //
- if ((*Buffer == NULL) && (BufferSize != 0)) {
- *Status = EFI_BUFFER_TOO_SMALL;
- }
- //
- // If the status code is "buffer too small", resize the buffer
- //
- TryAgain = FALSE;
- if (*Status == EFI_BUFFER_TOO_SMALL) {
-
- if (*Buffer != NULL) {
- FreePool (*Buffer);
- }
-
- *Buffer = AllocateZeroPool (BufferSize);
-
- if (*Buffer != NULL) {
- TryAgain = TRUE;
- } else {
- *Status = EFI_OUT_OF_RESOURCES;
- }
- }
- //
- // If there's an error, free the buffer
- //
- if (!TryAgain && EFI_ERROR (*Status) && (*Buffer != NULL)) {
- FreePool (*Buffer);
- *Buffer = NULL;
- }
-
- return TryAgain;
-}
-
-/**
- Append file name to existing file name, and allocate a new buffer
- to hold the appended result.
-
- @param[in] Str1 The existing file name
- @param[in] Str2 The file name to be appended
-
- @return A new string with appended result.
-
-**/
-CHAR16 *
-AppendFileName (
- IN CHAR16 *Str1,
- IN CHAR16 *Str2
- )
-{
- UINTN Size1;
- UINTN Size2;
- CHAR16 *Str;
- CHAR16 *TmpStr;
- CHAR16 *Ptr;
- CHAR16 *LastSlash;
-
- Size1 = StrSize (Str1);
- Size2 = StrSize (Str2);
- Str = AllocateZeroPool (Size1 + Size2 + sizeof (CHAR16));
- ASSERT (Str != NULL);
-
- TmpStr = AllocateZeroPool (Size1 + Size2 + sizeof (CHAR16));
- ASSERT (TmpStr != NULL);
-
- StrCat (Str, Str1);
- if (!((*Str == '\\') && (*(Str + 1) == 0))) {
- StrCat (Str, L"\\");
- }
-
- StrCat (Str, Str2);
-
- Ptr = Str;
- LastSlash = Str;
- while (*Ptr != 0) {
- if (*Ptr == '\\' && *(Ptr + 1) == '.' && *(Ptr + 2) == '.' && *(Ptr + 3) == L'\\') {
- //
- // Convert "\Name\..\" to "\"
- // DO NOT convert the .. if it is at the end of the string. This will
- // break the .. behavior in changing directories.
- //
-
- //
- // Use TmpStr as a backup, as StrCpy in BaseLib does not handle copy of two strings
- // that overlap.
- //
- StrCpy (TmpStr, Ptr + 3);
- StrCpy (LastSlash, TmpStr);
- Ptr = LastSlash;
- } else if (*Ptr == '\\' && *(Ptr + 1) == '.' && *(Ptr + 2) == '\\') {
- //
- // Convert a "\.\" to a "\"
- //
-
- //
- // Use TmpStr as a backup, as StrCpy in BaseLib does not handle copy of two strings
- // that overlap.
- //
- StrCpy (TmpStr, Ptr + 2);
- StrCpy (Ptr, TmpStr);
- Ptr = LastSlash;
- } else if (*Ptr == '\\') {
- LastSlash = Ptr;
- }
-
- Ptr++;
- }
-
- FreePool (TmpStr);
-
- return Str;
-}
-
-/**
- Create a SECUREBOOT_MENU_ENTRY, and stores it in a buffer allocated from the pool.
-
- @return The new menu entry or NULL of error happens.
-
-**/
-SECUREBOOT_MENU_ENTRY *
-CreateMenuEntry (
- VOID
- )
-{
- SECUREBOOT_MENU_ENTRY *MenuEntry;
- UINTN ContextSize;
-
- //
- // Create new menu entry
- //
- MenuEntry = AllocateZeroPool (sizeof (SECUREBOOT_MENU_ENTRY));
- if (MenuEntry == NULL) {
- return NULL;
- }
-
- ContextSize = sizeof (SECUREBOOT_FILE_CONTEXT);
- MenuEntry->FileContext = AllocateZeroPool (ContextSize);
- if (MenuEntry->FileContext == NULL) {
- FreePool (MenuEntry);
- return NULL;
- }
-
- MenuEntry->Signature = SECUREBOOT_MENU_ENTRY_SIGNATURE;
-
- return MenuEntry;
-}
-
-/**
- Get Menu Entry from the Menu Entry List by MenuNumber.
-
- If MenuNumber is great or equal to the number of Menu
- Entry in the list, then ASSERT.
-
- @param[in] MenuOption The Menu Entry List to read the menu entry.
- @param[in] MenuNumber The index of Menu Entry.
-
- @return The Menu Entry.
-
-**/
-SECUREBOOT_MENU_ENTRY *
-GetMenuEntry (
- IN SECUREBOOT_MENU_OPTION *MenuOption,
- IN UINTN MenuNumber
- )
-{
- SECUREBOOT_MENU_ENTRY *NewMenuEntry;
- UINTN Index;
- LIST_ENTRY *List;
-
- ASSERT (MenuNumber < MenuOption->MenuNumber);
-
- List = MenuOption->Head.ForwardLink;
- for (Index = 0; Index < MenuNumber; Index++) {
- List = List->ForwardLink;
- }
-
- NewMenuEntry = CR (List, SECUREBOOT_MENU_ENTRY, Link, SECUREBOOT_MENU_ENTRY_SIGNATURE);
-
- return NewMenuEntry;
-}
-
-/**
- Create string tokens for a menu from its help strings and display strings.
-
- @param[in] HiiHandle Hii Handle of the package to be updated.
- @param[in] MenuOption The Menu whose string tokens need to be created.
-
-**/
-VOID
-CreateMenuStringToken (
- IN EFI_HII_HANDLE HiiHandle,
- IN SECUREBOOT_MENU_OPTION *MenuOption
- )
-{
- SECUREBOOT_MENU_ENTRY *NewMenuEntry;
- UINTN Index;
-
- for (Index = 0; Index < MenuOption->MenuNumber; Index++) {
- NewMenuEntry = GetMenuEntry (MenuOption, Index);
-
- NewMenuEntry->DisplayStringToken = HiiSetString (
- HiiHandle,
- 0,
- NewMenuEntry->DisplayString,
- NULL
- );
-
- if (NewMenuEntry->HelpString == NULL) {
- NewMenuEntry->HelpStringToken = NewMenuEntry->DisplayStringToken;
- } else {
- NewMenuEntry->HelpStringToken = HiiSetString (
- HiiHandle,
- 0,
- NewMenuEntry->HelpString,
- NULL
- );
- }
- }
-}
-
-/**
- Free up all resources allocated for a SECUREBOOT_MENU_ENTRY.
-
- @param[in, out] MenuEntry A pointer to SECUREBOOT_MENU_ENTRY.
-
-**/
-VOID
-DestroyMenuEntry (
- IN OUT SECUREBOOT_MENU_ENTRY *MenuEntry
- )
-{
- SECUREBOOT_FILE_CONTEXT *FileContext;
-
-
- FileContext = (SECUREBOOT_FILE_CONTEXT *) MenuEntry->FileContext;
-
- if (!FileContext->IsRoot) {
- FreePool (FileContext->DevicePath);
- } else {
- if (FileContext->FHandle != NULL) {
- FileContext->FHandle->Close (FileContext->FHandle);
- }
- }
-
- if (FileContext->FileName != NULL) {
- FreePool (FileContext->FileName);
- }
- if (FileContext->Info != NULL) {
- FreePool (FileContext->Info);
- }
-
- FreePool (FileContext);
-
- FreePool (MenuEntry->DisplayString);
- if (MenuEntry->HelpString != NULL) {
- FreePool (MenuEntry->HelpString);
- }
-
- FreePool (MenuEntry);
-}
-
-/**
- Free resources allocated in Allocate Rountine.
-
- @param[in, out] MenuOption Menu to be freed
-
-**/
-VOID
-FreeMenu (
- IN OUT SECUREBOOT_MENU_OPTION *MenuOption
- )
-{
- SECUREBOOT_MENU_ENTRY *MenuEntry;
- while (!IsListEmpty (&MenuOption->Head)) {
- MenuEntry = CR (
- MenuOption->Head.ForwardLink,
- SECUREBOOT_MENU_ENTRY,
- Link,
- SECUREBOOT_MENU_ENTRY_SIGNATURE
- );
- RemoveEntryList (&MenuEntry->Link);
- DestroyMenuEntry (MenuEntry);
- }
- MenuOption->MenuNumber = 0;
-}
-
-/**
- This function gets the file information from an open file descriptor, and stores it
- in a buffer allocated from pool.
-
- @param[in] FHand File Handle.
-
- @return A pointer to a buffer with file information or NULL is returned
-
-**/
-EFI_FILE_INFO *
-FileInfo (
- IN EFI_FILE_HANDLE FHand
- )
-{
- EFI_STATUS Status;
- EFI_FILE_INFO *Buffer;
- UINTN BufferSize;
-
- //
- // Initialize for GrowBuffer loop
- //
- Buffer = NULL;
- BufferSize = SIZE_OF_EFI_FILE_INFO + 200;
-
- //
- // Call the real function
- //
- while (GrowBuffer (&Status, (VOID **) &Buffer, BufferSize)) {
- Status = FHand->GetInfo (
- FHand,
- &gEfiFileInfoGuid,
- &BufferSize,
- Buffer
- );
- }
-
- return Buffer;
-}
-
-/**
- This function gets the file system information from an open file descriptor,
- and stores it in a buffer allocated from pool.
-
- @param[in] FHand The file handle.
-
- @return A pointer to a buffer with file information.
- @retval NULL is returned if failed to get Vaolume Label Info.
-
-**/
-EFI_FILE_SYSTEM_VOLUME_LABEL *
-FileSystemVolumeLabelInfo (
- IN EFI_FILE_HANDLE FHand
- )
-{
- EFI_STATUS Status;
- EFI_FILE_SYSTEM_VOLUME_LABEL *Buffer;
- UINTN BufferSize;
- //
- // Initialize for GrowBuffer loop
- //
- Buffer = NULL;
- BufferSize = SIZE_OF_EFI_FILE_SYSTEM_VOLUME_LABEL + 200;
-
- //
- // Call the real function
- //
- while (GrowBuffer (&Status, (VOID **) &Buffer, BufferSize)) {
- Status = FHand->GetInfo (
- FHand,
- &gEfiFileSystemVolumeLabelInfoIdGuid,
- &BufferSize,
- Buffer
- );
- }
-
- return Buffer;
-}
-
-/**
- This function will open a file or directory referenced by DevicePath.
-
- This function opens a file with the open mode according to the file path. The
- Attributes is valid only for EFI_FILE_MODE_CREATE.
-
- @param[in, out] FilePath On input, the device path to the file.
- On output, the remaining device path.
- @param[out] FileHandle Pointer to the file handle.
- @param[in] OpenMode The mode to open the file with.
- @param[in] Attributes The file's file attributes.
-
- @retval EFI_SUCCESS The information was set.
- @retval EFI_INVALID_PARAMETER One of the parameters has an invalid value.
- @retval EFI_UNSUPPORTED Could not open the file path.
- @retval EFI_NOT_FOUND The specified file could not be found on the
- device or the file system could not be found on
- the device.
- @retval EFI_NO_MEDIA The device has no medium.
- @retval EFI_MEDIA_CHANGED The device has a different medium in it or the
- medium is no longer supported.
- @retval EFI_DEVICE_ERROR The device reported an error.
- @retval EFI_VOLUME_CORRUPTED The file system structures are corrupted.
- @retval EFI_WRITE_PROTECTED The file or medium is write protected.
- @retval EFI_ACCESS_DENIED The file was opened read only.
- @retval EFI_OUT_OF_RESOURCES Not enough resources were available to open the
- file.
- @retval EFI_VOLUME_FULL The volume is full.
-**/
-EFI_STATUS
-EFIAPI
-OpenFileByDevicePath(
- IN OUT EFI_DEVICE_PATH_PROTOCOL **FilePath,
- OUT EFI_FILE_HANDLE *FileHandle,
- IN UINT64 OpenMode,
- IN UINT64 Attributes
- )
-{
- EFI_STATUS Status;
- EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *EfiSimpleFileSystemProtocol;
- EFI_FILE_PROTOCOL *Handle1;
- EFI_FILE_PROTOCOL *Handle2;
- EFI_HANDLE DeviceHandle;
-
- if ((FilePath == NULL || FileHandle == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- Status = gBS->LocateDevicePath (
- &gEfiSimpleFileSystemProtocolGuid,
- FilePath,
- &DeviceHandle
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- Status = gBS->OpenProtocol(
- DeviceHandle,
- &gEfiSimpleFileSystemProtocolGuid,
- (VOID**)&EfiSimpleFileSystemProtocol,
- gImageHandle,
- NULL,
- EFI_OPEN_PROTOCOL_GET_PROTOCOL
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- Status = EfiSimpleFileSystemProtocol->OpenVolume(EfiSimpleFileSystemProtocol, &Handle1);
- if (EFI_ERROR (Status)) {
- FileHandle = NULL;
- return Status;
- }
-
- //
- // go down directories one node at a time.
- //
- while (!IsDevicePathEnd (*FilePath)) {
- //
- // For file system access each node should be a file path component
- //
- if (DevicePathType (*FilePath) != MEDIA_DEVICE_PATH ||
- DevicePathSubType (*FilePath) != MEDIA_FILEPATH_DP
- ) {
- FileHandle = NULL;
- return (EFI_INVALID_PARAMETER);
- }
- //
- // Open this file path node
- //
- Handle2 = Handle1;
- Handle1 = NULL;
-
- //
- // Try to test opening an existing file
- //
- Status = Handle2->Open (
- Handle2,
- &Handle1,
- ((FILEPATH_DEVICE_PATH*)*FilePath)->PathName,
- OpenMode &~EFI_FILE_MODE_CREATE,
- 0
- );
-
- //
- // see if the error was that it needs to be created
- //
- if ((EFI_ERROR (Status)) && (OpenMode != (OpenMode &~EFI_FILE_MODE_CREATE))) {
- Status = Handle2->Open (
- Handle2,
- &Handle1,
- ((FILEPATH_DEVICE_PATH*)*FilePath)->PathName,
- OpenMode,
- Attributes
- );
- }
- //
- // Close the last node
- //
- Handle2->Close (Handle2);
-
- if (EFI_ERROR(Status)) {
- return (Status);
- }
-
- //
- // Get the next node
- //
- *FilePath = NextDevicePathNode (*FilePath);
- }
-
- //
- // This is a weak spot since if the undefined SHELL_FILE_HANDLE format changes this must change also!
- //
- *FileHandle = (VOID*)Handle1;
- return EFI_SUCCESS;
-}
-
-/**
- Function opens and returns a file handle to the root directory of a volume.
-
- @param[in] DeviceHandle A handle for a device
-
- @return A valid file handle or NULL if error happens.
-
-**/
-EFI_FILE_HANDLE
-OpenRoot (
- IN EFI_HANDLE DeviceHandle
- )
-{
- EFI_STATUS Status;
- EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *Volume;
- EFI_FILE_HANDLE File;
-
- File = NULL;
-
- //
- // File the file system interface to the device
- //
- Status = gBS->HandleProtocol (
- DeviceHandle,
- &gEfiSimpleFileSystemProtocolGuid,
- (VOID *) &Volume
- );
-
- //
- // Open the root directory of the volume
- //
- if (!EFI_ERROR (Status)) {
- Status = Volume->OpenVolume (
- Volume,
- &File
- );
- }
- //
- // Done
- //
- return EFI_ERROR (Status) ? NULL : File;
-}
-
-/**
- This function builds the FsOptionMenu list which records all
- available file system in the system. They include all instances
- of EFI_SIMPLE_FILE_SYSTEM_PROTOCOL, all instances of EFI_LOAD_FILE_SYSTEM
- and all type of legacy boot device.
-
- @retval EFI_SUCCESS Success find the file system
- @retval EFI_OUT_OF_RESOURCES Can not create menu entry
-
-**/
-EFI_STATUS
-FindFileSystem (
- VOID
- )
-{
- UINTN NoBlkIoHandles;
- UINTN NoSimpleFsHandles;
- UINTN NoLoadFileHandles;
- EFI_HANDLE *BlkIoHandle;
- EFI_HANDLE *SimpleFsHandle;
- UINT16 *VolumeLabel;
- EFI_BLOCK_IO_PROTOCOL *BlkIo;
- UINTN Index;
- EFI_STATUS Status;
- SECUREBOOT_MENU_ENTRY *MenuEntry;
- SECUREBOOT_FILE_CONTEXT *FileContext;
- UINT16 *TempStr;
- UINTN OptionNumber;
- VOID *Buffer;
-
- BOOLEAN RemovableMedia;
-
-
- NoSimpleFsHandles = 0;
- NoLoadFileHandles = 0;
- OptionNumber = 0;
- InitializeListHead (&FsOptionMenu.Head);
-
- //
- // Locate Handles that support BlockIo protocol
- //
- Status = gBS->LocateHandleBuffer (
- ByProtocol,
- &gEfiBlockIoProtocolGuid,
- NULL,
- &NoBlkIoHandles,
- &BlkIoHandle
- );
- if (!EFI_ERROR (Status)) {
-
- for (Index = 0; Index < NoBlkIoHandles; Index++) {
- Status = gBS->HandleProtocol (
- BlkIoHandle[Index],
- &gEfiBlockIoProtocolGuid,
- (VOID **) &BlkIo
- );
-
- if (EFI_ERROR (Status)) {
- continue;
- }
-
- //
- // Issue a dummy read to trigger reinstall of BlockIo protocol for removable media
- //
- if (BlkIo->Media->RemovableMedia) {
- Buffer = AllocateZeroPool (BlkIo->Media->BlockSize);
- if (NULL == Buffer) {
- FreePool (BlkIoHandle);
- return EFI_OUT_OF_RESOURCES;
- }
-
- BlkIo->ReadBlocks (
- BlkIo,
- BlkIo->Media->MediaId,
- 0,
- BlkIo->Media->BlockSize,
- Buffer
- );
- FreePool (Buffer);
- }
- }
- FreePool (BlkIoHandle);
- }
-
- //
- // Locate Handles that support Simple File System protocol
- //
- Status = gBS->LocateHandleBuffer (
- ByProtocol,
- &gEfiSimpleFileSystemProtocolGuid,
- NULL,
- &NoSimpleFsHandles,
- &SimpleFsHandle
- );
- if (!EFI_ERROR (Status)) {
- //
- // Find all the instances of the File System prototocol
- //
- for (Index = 0; Index < NoSimpleFsHandles; Index++) {
- Status = gBS->HandleProtocol (
- SimpleFsHandle[Index],
- &gEfiBlockIoProtocolGuid,
- (VOID **) &BlkIo
- );
- if (EFI_ERROR (Status)) {
- //
- // If no block IO exists assume it's NOT a removable media
- //
- RemovableMedia = FALSE;
- } else {
- //
- // If block IO exists check to see if it's remobable media
- //
- RemovableMedia = BlkIo->Media->RemovableMedia;
- }
-
- //
- // Allocate pool for this instance.
- //
- MenuEntry = CreateMenuEntry ();
- if (NULL == MenuEntry) {
- FreePool (SimpleFsHandle);
- return EFI_OUT_OF_RESOURCES;
- }
-
- FileContext = (SECUREBOOT_FILE_CONTEXT *) MenuEntry->FileContext;
-
- FileContext->Handle = SimpleFsHandle[Index];
- MenuEntry->OptionNumber = Index;
- FileContext->FHandle = OpenRoot (FileContext->Handle);
- if (FileContext->FHandle == NULL) {
- DestroyMenuEntry (MenuEntry);
- continue;
- }
-
- MenuEntry->HelpString = DevicePathToStr (DevicePathFromHandle (FileContext->Handle));
- FileContext->Info = FileSystemVolumeLabelInfo (FileContext->FHandle);
- FileContext->FileName = StrDuplicate (L"\\");
- FileContext->DevicePath = FileDevicePath (
- FileContext->Handle,
- FileContext->FileName
- );
- FileContext->IsDir = TRUE;
- FileContext->IsRoot = TRUE;
- FileContext->IsRemovableMedia = RemovableMedia;
- FileContext->IsLoadFile = FALSE;
-
- //
- // Get current file system's Volume Label
- //
- if (FileContext->Info == NULL) {
- VolumeLabel = L"NO FILE SYSTEM INFO";
- } else {
- if (FileContext->Info->VolumeLabel == NULL) {
- VolumeLabel = L"NULL VOLUME LABEL";
- } else {
- VolumeLabel = FileContext->Info->VolumeLabel;
- if (*VolumeLabel == 0x0000) {
- VolumeLabel = L"NO VOLUME LABEL";
- }
- }
- }
-
- TempStr = MenuEntry->HelpString;
- MenuEntry->DisplayString = AllocateZeroPool (MAX_CHAR);
- ASSERT (MenuEntry->DisplayString != NULL);
- UnicodeSPrint (
- MenuEntry->DisplayString,
- MAX_CHAR,
- L"%s, [%s]",
- VolumeLabel,
- TempStr
- );
- OptionNumber++;
- InsertTailList (&FsOptionMenu.Head, &MenuEntry->Link);
- }
- }
-
- if (NoSimpleFsHandles != 0) {
- FreePool (SimpleFsHandle);
- }
-
- //
- // Remember how many file system options are here
- //
- FsOptionMenu.MenuNumber = OptionNumber;
- return EFI_SUCCESS;
-}
-
-
-/**
- Find files under the current directory. All files and sub-directories
- in current directory will be stored in DirectoryMenu for future use.
-
- @param[in] MenuEntry The Menu Entry.
-
- @retval EFI_SUCCESS Get files from current dir successfully.
- @return Other Can't get files from current dir.
-
-**/
-EFI_STATUS
-FindFiles (
- IN SECUREBOOT_MENU_ENTRY *MenuEntry
- )
-{
- EFI_FILE_HANDLE NewDir;
- EFI_FILE_HANDLE Dir;
- EFI_FILE_INFO *DirInfo;
- UINTN BufferSize;
- UINTN DirBufferSize;
- SECUREBOOT_MENU_ENTRY *NewMenuEntry;
- SECUREBOOT_FILE_CONTEXT *FileContext;
- SECUREBOOT_FILE_CONTEXT *NewFileContext;
- UINTN Pass;
- EFI_STATUS Status;
- UINTN OptionNumber;
-
- FileContext = (SECUREBOOT_FILE_CONTEXT *) MenuEntry->FileContext;
- Dir = FileContext->FHandle;
- OptionNumber = 0;
- //
- // Open current directory to get files from it
- //
- Status = Dir->Open (
- Dir,
- &NewDir,
- FileContext->FileName,
- EFI_FILE_READ_ONLY,
- 0
- );
- if (!FileContext->IsRoot) {
- Dir->Close (Dir);
- }
-
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- DirInfo = FileInfo (NewDir);
- if (DirInfo == NULL) {
- return EFI_NOT_FOUND;
- }
-
- if ((DirInfo->Attribute & EFI_FILE_DIRECTORY) == 0) {
- return EFI_INVALID_PARAMETER;
- }
-
- FileContext->DevicePath = FileDevicePath (
- FileContext->Handle,
- FileContext->FileName
- );
-
- DirBufferSize = sizeof (EFI_FILE_INFO) + 1024;
- DirInfo = AllocateZeroPool (DirBufferSize);
- if (DirInfo == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Get all files in current directory
- // Pass 1 to get Directories
- // Pass 2 to get files that are EFI images
- //
- for (Pass = 1; Pass <= 2; Pass++) {
- NewDir->SetPosition (NewDir, 0);
- for (;;) {
- BufferSize = DirBufferSize;
- Status = NewDir->Read (NewDir, &BufferSize, DirInfo);
- if (EFI_ERROR (Status) || BufferSize == 0) {
- break;
- }
-
- if (((DirInfo->Attribute & EFI_FILE_DIRECTORY) != 0 && Pass == 2) ||
- ((DirInfo->Attribute & EFI_FILE_DIRECTORY) == 0 && Pass == 1)
- ) {
- //
- // Pass 1 is for Directories
- // Pass 2 is for file names
- //
- continue;
- }
-
- NewMenuEntry = CreateMenuEntry ();
- if (NULL == NewMenuEntry) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- NewFileContext = (SECUREBOOT_FILE_CONTEXT *) NewMenuEntry->FileContext;
- NewFileContext->Handle = FileContext->Handle;
- NewFileContext->FileName = AppendFileName (
- FileContext->FileName,
- DirInfo->FileName
- );
- NewFileContext->FHandle = NewDir;
- NewFileContext->DevicePath = FileDevicePath (
- NewFileContext->Handle,
- NewFileContext->FileName
- );
- NewMenuEntry->HelpString = NULL;
-
- NewFileContext->IsDir = (BOOLEAN) ((DirInfo->Attribute & EFI_FILE_DIRECTORY) == EFI_FILE_DIRECTORY);
- if (NewFileContext->IsDir) {
- BufferSize = StrLen (DirInfo->FileName) * 2 + 6;
- NewMenuEntry->DisplayString = AllocateZeroPool (BufferSize);
-
- UnicodeSPrint (
- NewMenuEntry->DisplayString,
- BufferSize,
- L"<%s>",
- DirInfo->FileName
- );
-
- } else {
- NewMenuEntry->DisplayString = StrDuplicate (DirInfo->FileName);
- }
-
- NewFileContext->IsRoot = FALSE;
- NewFileContext->IsLoadFile = FALSE;
- NewFileContext->IsRemovableMedia = FALSE;
-
- NewMenuEntry->OptionNumber = OptionNumber;
- OptionNumber++;
- InsertTailList (&DirectoryMenu.Head, &NewMenuEntry->Link);
- }
- }
-
- DirectoryMenu.MenuNumber = OptionNumber;
- FreePool (DirInfo);
- return EFI_SUCCESS;
-}
-
-/**
- Refresh the global UpdateData structure.
-
-**/
-VOID
-RefreshUpdateData (
- VOID
- )
-{
- //
- // Free current updated date
- //
- if (mStartOpCodeHandle != NULL) {
- HiiFreeOpCodeHandle (mStartOpCodeHandle);
- }
-
- //
- // Create new OpCode Handle
- //
- mStartOpCodeHandle = HiiAllocateOpCodeHandle ();
-
- //
- // Create Hii Extend Label OpCode as the start opcode
- //
- mStartLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- mStartOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- mStartLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
-}
-
-/**
- Update the File Explore page.
-
- @param[in] HiiHandle Hii Handle of the package to be updated.
- @param[in] MenuOption The Menu whose string tokens need to be updated.
- @param[in] FeCurrentState Current file explorer state.
-
-**/
-VOID
-UpdateFileExplorePage (
- IN EFI_HII_HANDLE HiiHandle,
- IN SECUREBOOT_MENU_OPTION *MenuOption,
- IN FILE_EXPLORER_STATE FeCurrentState
- )
-{
- UINTN Index;
- SECUREBOOT_MENU_ENTRY *NewMenuEntry;
- SECUREBOOT_FILE_CONTEXT *NewFileContext;
- EFI_FORM_ID FormId;
- EFI_FORM_ID FileFormId;
-
- if (FeCurrentState == FileExplorerStateEnrollPkFile) {
- FormId = SECUREBOOT_ADD_PK_FILE_FORM_ID;
- FileFormId = FORM_FILE_EXPLORER_ID_PK;
- } else if (FeCurrentState == FileExplorerStateEnrollKekFile) {
- FormId = FORMID_ENROLL_KEK_FORM;
- FileFormId = FORM_FILE_EXPLORER_ID_KEK;
- } else if (FeCurrentState == FileExplorerStateEnrollSignatureFileToDb) {
- FormId = SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
- FileFormId = FORM_FILE_EXPLORER_ID_DB;
- } else if (FeCurrentState == FileExplorerStateEnrollSignatureFileToDbx) {
- FormId = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
- FileFormId = FORM_FILE_EXPLORER_ID_DBX;
- } else {
- return;
- }
-
- NewMenuEntry = NULL;
- NewFileContext = NULL;
-
- RefreshUpdateData ();
- mStartLabel->Number = FORM_FILE_EXPLORER_ID;
-
- for (Index = 0; Index < MenuOption->MenuNumber; Index++) {
- NewMenuEntry = GetMenuEntry (MenuOption, Index);
- NewFileContext = (SECUREBOOT_FILE_CONTEXT *) NewMenuEntry->FileContext;
-
- if (NewFileContext->IsDir) {
- //
- // Create Text opcode for directory.
- //
- HiiCreateActionOpCode (
- mStartOpCodeHandle,
- (UINT16) (FILE_OPTION_OFFSET + Index),
- NewMenuEntry->DisplayStringToken,
- STRING_TOKEN (STR_NULL),
- EFI_IFR_FLAG_CALLBACK,
- 0
- );
- } else {
-
- //
- // Create Goto opcode for file.
- //
- HiiCreateGotoOpCode (
- mStartOpCodeHandle,
- FormId,
- NewMenuEntry->DisplayStringToken,
- STRING_TOKEN (STR_NULL),
- EFI_IFR_FLAG_CALLBACK,
- (UINT16) (FILE_OPTION_OFFSET + Index)
- );
- }
- }
-
- HiiUpdateForm (
- HiiHandle,
- &gSecureBootConfigFormSetGuid,
- FileFormId,
- mStartOpCodeHandle, // Label FORM_FILE_EXPLORER_ID
- mEndOpCodeHandle // LABEL_END
- );
-}
-
-/**
- Update the file explorer page with the refreshed file system.
-
- @param[in] PrivateData Module private data.
- @param[in] KeyValue Key value to identify the type of data to expect.
-
- @retval TRUE Inform the caller to create a callback packet to exit file explorer.
- @retval FALSE Indicate that there is no need to exit file explorer.
-
-**/
-BOOLEAN
-UpdateFileExplorer (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
- IN UINT16 KeyValue
- )
-{
- UINT16 FileOptionMask;
- SECUREBOOT_MENU_ENTRY *NewMenuEntry;
- SECUREBOOT_FILE_CONTEXT *NewFileContext;
- EFI_FORM_ID FormId;
- BOOLEAN ExitFileExplorer;
- EFI_STATUS Status;
- EFI_DEVICE_PATH_PROTOCOL *TmpDevicePath;
-
- NewMenuEntry = NULL;
- NewFileContext = NULL;
- ExitFileExplorer = FALSE;
- FileOptionMask = (UINT16) (FILE_OPTION_MASK & KeyValue);
-
- if (PrivateData->FeDisplayContext == FileExplorerDisplayUnknown) {
- //
- // First in, display file system.
- //
- FreeMenu (&FsOptionMenu);
- FindFileSystem ();
-
- CreateMenuStringToken (PrivateData->HiiHandle, &FsOptionMenu);
- UpdateFileExplorePage (PrivateData->HiiHandle, &FsOptionMenu, PrivateData->FeCurrentState);
-
- PrivateData->FeDisplayContext = FileExplorerDisplayFileSystem;
- } else {
- if (PrivateData->FeDisplayContext == FileExplorerDisplayFileSystem) {
- NewMenuEntry = GetMenuEntry (&FsOptionMenu, FileOptionMask);
- } else if (PrivateData->FeDisplayContext == FileExplorerDisplayDirectory) {
- NewMenuEntry = GetMenuEntry (&DirectoryMenu, FileOptionMask);
- }
-
- NewFileContext = (SECUREBOOT_FILE_CONTEXT *) NewMenuEntry->FileContext;
-
- if (NewFileContext->IsDir ) {
- PrivateData->FeDisplayContext = FileExplorerDisplayDirectory;
-
- RemoveEntryList (&NewMenuEntry->Link);
- FreeMenu (&DirectoryMenu);
- Status = FindFiles (NewMenuEntry);
- if (EFI_ERROR (Status)) {
- ExitFileExplorer = TRUE;
- goto OnExit;
- }
- CreateMenuStringToken (PrivateData->HiiHandle, &DirectoryMenu);
- DestroyMenuEntry (NewMenuEntry);
-
- UpdateFileExplorePage (PrivateData->HiiHandle, &DirectoryMenu, PrivateData->FeCurrentState);
-
- } else {
- if (PrivateData->FeCurrentState == FileExplorerStateEnrollPkFile) {
- FormId = SECUREBOOT_ADD_PK_FILE_FORM_ID;
- } else if (PrivateData->FeCurrentState == FileExplorerStateEnrollKekFile) {
- FormId = FORMID_ENROLL_KEK_FORM;
- } else if (PrivateData->FeCurrentState == FileExplorerStateEnrollSignatureFileToDb) {
- FormId = SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
- } else if (PrivateData->FeCurrentState == FileExplorerStateEnrollSignatureFileToDbx) {
- FormId = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
- } else {
- return FALSE;
- }
-
- PrivateData->MenuEntry = NewMenuEntry;
- PrivateData->FileContext->FileName = NewFileContext->FileName;
-
- TmpDevicePath = NewFileContext->DevicePath;
- OpenFileByDevicePath (
- &TmpDevicePath,
- &PrivateData->FileContext->FHandle,
- EFI_FILE_MODE_READ,
- 0
- );
-
- //
- // Create Subtitle op-code for the display string of the option.
- //
- RefreshUpdateData ();
- mStartLabel->Number = FormId;
-
- HiiCreateSubTitleOpCode (
- mStartOpCodeHandle,
- NewMenuEntry->DisplayStringToken,
- 0,
- 0,
- 0
- );
-
- HiiUpdateForm (
- PrivateData->HiiHandle,
- &gSecureBootConfigFormSetGuid,
- FormId,
- mStartOpCodeHandle, // Label FormId
- mEndOpCodeHandle // LABEL_END
- );
- }
- }
-
-OnExit:
- return ExitFileExplorer;
-}
-
-/**
- Clean up the dynamic opcode at label and form specified by both LabelId.
-
- @param[in] LabelId It is both the Form ID and Label ID for opcode deletion.
- @param[in] PrivateData Module private data.
-
-**/
-VOID
-CleanUpPage (
- IN UINT16 LabelId,
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- )
-{
- RefreshUpdateData ();
-
- //
- // Remove all op-codes from dynamic page
- //
- mStartLabel->Number = LabelId;
- HiiUpdateForm (
- PrivateData->HiiHandle,
- &gSecureBootConfigFormSetGuid,
- LabelId,
- mStartOpCodeHandle, // Label LabelId
- mEndOpCodeHandle // LABEL_END
- );
-}
-
deleted file mode 100644
@@ -1,2819 +0,0 @@
-/** @file
- HII Config Access protocol implementation of SecureBoot configuration module.
-
-Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-CHAR16 mSecureBootStorageName[] = L"SECUREBOOT_CONFIGURATION";
-
-SECUREBOOT_CONFIG_PRIVATE_DATA mSecureBootConfigPrivateDateTemplate = {
- SECUREBOOT_CONFIG_PRIVATE_DATA_SIGNATURE,
- {
- SecureBootExtractConfig,
- SecureBootRouteConfig,
- SecureBootCallback
- }
-};
-
-HII_VENDOR_DEVICE_PATH mSecureBootHiiVendorDevicePath = {
- {
- {
- HARDWARE_DEVICE_PATH,
- HW_VENDOR_DP,
- {
- (UINT8) (sizeof (VENDOR_DEVICE_PATH)),
- (UINT8) ((sizeof (VENDOR_DEVICE_PATH)) >> 8)
- }
- },
- SECUREBOOT_CONFIG_FORM_SET_GUID
- },
- {
- END_DEVICE_PATH_TYPE,
- END_ENTIRE_DEVICE_PATH_SUBTYPE,
- {
- (UINT8) (END_DEVICE_PATH_LENGTH),
- (UINT8) ((END_DEVICE_PATH_LENGTH) >> 8)
- }
- }
-};
-
-
-//
-// OID ASN.1 Value for Hash Algorithms
-//
-UINT8 mHashOidValue[] = {
- 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, // OBJ_md5
- 0x2B, 0x0E, 0x03, 0x02, 0x1A, // OBJ_sha1
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, // OBJ_sha224
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, // OBJ_sha256
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, // OBJ_sha384
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, // OBJ_sha512
- };
-
-HASH_TABLE mHash[] = {
- { L"SHA1", 20, &mHashOidValue[8], 5, Sha1GetContextSize, Sha1Init, Sha1Update, Sha1Final },
- { L"SHA224", 28, &mHashOidValue[13], 9, NULL, NULL, NULL, NULL },
- { L"SHA256", 32, &mHashOidValue[22], 9, Sha256GetContextSize,Sha256Init, Sha256Update, Sha256Final},
- { L"SHA384", 48, &mHashOidValue[31], 9, NULL, NULL, NULL, NULL },
- { L"SHA512", 64, &mHashOidValue[40], 9, NULL, NULL, NULL, NULL }
-};
-
-//
-// Variable Definitions
-//
-UINT32 mPeCoffHeaderOffset = 0;
-WIN_CERTIFICATE *mCertificate = NULL;
-IMAGE_TYPE mImageType;
-UINT8 *mImageBase = NULL;
-UINTN mImageSize = 0;
-UINT8 mImageDigest[MAX_DIGEST_SIZE];
-UINTN mImageDigestSize;
-EFI_GUID mCertType;
-EFI_IMAGE_SECURITY_DATA_DIRECTORY *mSecDataDir = NULL;
-EFI_IMAGE_OPTIONAL_HEADER_PTR_UNION mNtHeader;
-
-//
-// Possible DER-encoded certificate file suffixes, end with NULL pointer.
-//
-CHAR16* mDerEncodedSuffix[] = {
- L".cer",
- L".der",
- L".crt",
- NULL
-};
-CHAR16* mSupportX509Suffix = L"*.cer/der/crt";
-
-/**
- This code checks if the FileSuffix is one of the possible DER-encoded certificate suffix.
-
- @param[in] FileSuffix The suffix of the input certificate file
-
- @retval TRUE It's a DER-encoded certificate.
- @retval FALSE It's NOT a DER-encoded certificate.
-
-**/
-BOOLEAN
-IsDerEncodeCertificate (
- IN CONST CHAR16 *FileSuffix
-)
-{
- UINTN Index;
- for (Index = 0; mDerEncodedSuffix[Index] != NULL; Index++) {
- if (StrCmp (FileSuffix, mDerEncodedSuffix[Index]) == 0) {
- return TRUE;
- }
- }
- return FALSE;
-}
-
-/**
- Set Secure Boot option into variable space.
-
- @param[in] VarValue The option of Secure Boot.
-
- @retval EFI_SUCCESS The operation is finished successfully.
- @retval Others Other errors as indicated.
-
-**/
-EFI_STATUS
-SaveSecureBootVariable (
- IN UINT8 VarValue
- )
-{
- EFI_STATUS Status;
-
- Status = gRT->SetVariable (
- EFI_SECURE_BOOT_ENABLE_NAME,
- &gEfiSecureBootEnableDisableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &VarValue
- );
- return Status;
-}
-
-/**
- Create a time based data payload by concatenating the EFI_VARIABLE_AUTHENTICATION_2
- descriptor with the input data. NO authentication is required in this function.
-
- @param[in, out] DataSize On input, the size of Data buffer in bytes.
- On output, the size of data returned in Data
- buffer in bytes.
- @param[in, out] Data On input, Pointer to data buffer to be wrapped or
- pointer to NULL to wrap an empty payload.
- On output, Pointer to the new payload date buffer allocated from pool,
- it's caller's responsibility to free the memory when finish using it.
-
- @retval EFI_SUCCESS Create time based payload successfully.
- @retval EFI_OUT_OF_RESOURCES There are not enough memory resourses to create time based payload.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval Others Unexpected error happens.
-
-**/
-EFI_STATUS
-CreateTimeBasedPayload (
- IN OUT UINTN *DataSize,
- IN OUT UINT8 **Data
- )
-{
- EFI_STATUS Status;
- UINT8 *NewData;
- UINT8 *Payload;
- UINTN PayloadSize;
- EFI_VARIABLE_AUTHENTICATION_2 *DescriptorData;
- UINTN DescriptorSize;
- EFI_TIME Time;
-
- if (Data == NULL || DataSize == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // In Setup mode or Custom mode, the variable does not need to be signed but the
- // parameters to the SetVariable() call still need to be prepared as authenticated
- // variable. So we create EFI_VARIABLE_AUTHENTICATED_2 descriptor without certificate
- // data in it.
- //
- Payload = *Data;
- PayloadSize = *DataSize;
-
- DescriptorSize = OFFSET_OF (EFI_VARIABLE_AUTHENTICATION_2, AuthInfo) + OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- NewData = (UINT8*) AllocateZeroPool (DescriptorSize + PayloadSize);
- if (NewData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- if ((Payload != NULL) && (PayloadSize != 0)) {
- CopyMem (NewData + DescriptorSize, Payload, PayloadSize);
- }
-
- DescriptorData = (EFI_VARIABLE_AUTHENTICATION_2 *) (NewData);
-
- ZeroMem (&Time, sizeof (EFI_TIME));
- Status = gRT->GetTime (&Time, NULL);
- if (EFI_ERROR (Status)) {
- FreePool(NewData);
- return Status;
- }
- Time.Pad1 = 0;
- Time.Nanosecond = 0;
- Time.TimeZone = 0;
- Time.Daylight = 0;
- Time.Pad2 = 0;
- CopyMem (&DescriptorData->TimeStamp, &Time, sizeof (EFI_TIME));
-
- DescriptorData->AuthInfo.Hdr.dwLength = OFFSET_OF (WIN_CERTIFICATE_UEFI_GUID, CertData);
- DescriptorData->AuthInfo.Hdr.wRevision = 0x0200;
- DescriptorData->AuthInfo.Hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;
- CopyGuid (&DescriptorData->AuthInfo.CertType, &gEfiCertPkcs7Guid);
-
- if (Payload != NULL) {
- FreePool(Payload);
- }
-
- *DataSize = DescriptorSize + PayloadSize;
- *Data = NewData;
- return EFI_SUCCESS;
-}
-
-/**
- Internal helper function to delete a Variable given its name and GUID, NO authentication
- required.
-
- @param[in] VariableName Name of the Variable.
- @param[in] VendorGuid GUID of the Variable.
-
- @retval EFI_SUCCESS Variable deleted successfully.
- @retval Others The driver failed to start the device.
-
-**/
-EFI_STATUS
-DeleteVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid
- )
-{
- EFI_STATUS Status;
- VOID* Variable;
- UINT8 *Data;
- UINTN DataSize;
- UINT32 Attr;
-
- GetVariable2 (VariableName, VendorGuid, &Variable, NULL);
- if (Variable == NULL) {
- return EFI_SUCCESS;
- }
-
- Data = NULL;
- DataSize = 0;
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS
- | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
-
- Status = CreateTimeBasedPayload (&DataSize, &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- return Status;
- }
-
- Status = gRT->SetVariable (
- VariableName,
- VendorGuid,
- Attr,
- DataSize,
- Data
- );
- if (Data != NULL) {
- FreePool (Data);
- }
- return Status;
-}
-
-/**
- Generate the PK signature list from the X509 Certificate storing file (.cer)
-
- @param[in] X509File FileHandle of X509 Certificate storing file.
- @param[out] PkCert Point to the data buffer to store the signature list.
-
- @return EFI_UNSUPPORTED Unsupported Key Length.
- @return EFI_OUT_OF_RESOURCES There are not enough memory resourses to form the signature list.
-
-**/
-EFI_STATUS
-CreatePkX509SignatureList (
- IN EFI_FILE_HANDLE X509File,
- OUT EFI_SIGNATURE_LIST **PkCert
- )
-{
- EFI_STATUS Status;
- UINT8 *X509Data;
- UINTN X509DataSize;
- EFI_SIGNATURE_DATA *PkCertData;
-
- X509Data = NULL;
- PkCertData = NULL;
- X509DataSize = 0;
-
- Status = ReadFileContent (X509File, (VOID**) &X509Data, &X509DataSize, 0);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (X509Data != NULL);
-
- //
- // Allocate space for PK certificate list and initialize it.
- // Create PK database entry with SignatureHeaderSize equals 0.
- //
- *PkCert = (EFI_SIGNATURE_LIST*) AllocateZeroPool (
- sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1
- + X509DataSize
- );
- if (*PkCert == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- (*PkCert)->SignatureListSize = (UINT32) (sizeof(EFI_SIGNATURE_LIST)
- + sizeof(EFI_SIGNATURE_DATA) - 1
- + X509DataSize);
- (*PkCert)->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- (*PkCert)->SignatureHeaderSize = 0;
- CopyGuid (&(*PkCert)->SignatureType, &gEfiCertX509Guid);
- PkCertData = (EFI_SIGNATURE_DATA*) ((UINTN)(*PkCert)
- + sizeof(EFI_SIGNATURE_LIST)
- + (*PkCert)->SignatureHeaderSize);
- CopyGuid (&PkCertData->SignatureOwner, &gEfiGlobalVariableGuid);
- //
- // Fill the PK database with PKpub data from X509 certificate file.
- //
- CopyMem (&(PkCertData->SignatureData[0]), X509Data, X509DataSize);
-
-ON_EXIT:
-
- if (X509Data != NULL) {
- FreePool (X509Data);
- }
-
- if (EFI_ERROR(Status) && *PkCert != NULL) {
- FreePool (*PkCert);
- *PkCert = NULL;
- }
-
- return Status;
-}
-
-/**
- Enroll new PK into the System without original PK's authentication.
-
- The SignatureOwner GUID will be the same with PK's vendorguid.
-
- @param[in] PrivateData The module's private data.
-
- @retval EFI_SUCCESS New PK enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollPlatformKey (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA* Private
- )
-{
- EFI_STATUS Status;
- UINT32 Attr;
- UINTN DataSize;
- EFI_SIGNATURE_LIST *PkCert;
- UINT16* FilePostFix;
- UINTN NameLength;
-
- if (Private->FileContext->FileName == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- PkCert = NULL;
-
- //
- // Parse the file's postfix. Only support DER encoded X.509 certificate files.
- //
- NameLength = StrLen (Private->FileContext->FileName);
- if (NameLength <= 4) {
- return EFI_INVALID_PARAMETER;
- }
- FilePostFix = Private->FileContext->FileName + NameLength - 4;
- if (!IsDerEncodeCertificate(FilePostFix)) {
- DEBUG ((EFI_D_ERROR, "Unsupported file type, only DER encoded certificate (%s) is supported.", mSupportX509Suffix));
- return EFI_INVALID_PARAMETER;
- }
- DEBUG ((EFI_D_INFO, "FileName= %s\n", Private->FileContext->FileName));
- DEBUG ((EFI_D_INFO, "FilePostFix = %s\n", FilePostFix));
-
- //
- // Prase the selected PK file and generature PK certificate list.
- //
- Status = CreatePkX509SignatureList (
- Private->FileContext->FHandle,
- &PkCert
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (PkCert != NULL);
-
- //
- // Set Platform Key variable.
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- DataSize = PkCert->SignatureListSize;
- Status = CreateTimeBasedPayload (&DataSize, (UINT8**) &PkCert);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable(
- EFI_PLATFORM_KEY_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- DataSize,
- PkCert
- );
- if (EFI_ERROR (Status)) {
- if (Status == EFI_OUT_OF_RESOURCES) {
- DEBUG ((EFI_D_ERROR, "Enroll PK failed with out of resource.\n"));
- }
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- if (PkCert != NULL) {
- FreePool(PkCert);
- }
-
- if (Private->FileContext->FHandle != NULL) {
- CloseFile (Private->FileContext->FHandle);
- Private->FileContext->FHandle = NULL;
- }
-
- return Status;
-}
-
-/**
- Remove the PK variable.
-
- @retval EFI_SUCCESS Delete PK successfully.
- @retval Others Could not allow to delete PK.
-
-**/
-EFI_STATUS
-DeletePlatformKey (
- VOID
-)
-{
- EFI_STATUS Status;
-
- Status = DeleteVariable (
- EFI_PLATFORM_KEY_NAME,
- &gEfiGlobalVariableGuid
- );
- return Status;
-}
-
-/**
- Enroll a new KEK item from public key storing file (*.pbk).
-
- @param[in] PrivateData The module's private data.
-
- @retval EFI_SUCCESS New KEK enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollRsa2048ToKek (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
- )
-{
- EFI_STATUS Status;
- UINT32 Attr;
- UINTN DataSize;
- EFI_SIGNATURE_LIST *KekSigList;
- UINTN KeyBlobSize;
- UINT8 *KeyBlob;
- CPL_KEY_INFO *KeyInfo;
- EFI_SIGNATURE_DATA *KEKSigData;
- UINTN KekSigListSize;
- UINT8 *KeyBuffer;
- UINTN KeyLenInBytes;
-
- Attr = 0;
- DataSize = 0;
- KeyBuffer = NULL;
- KeyBlobSize = 0;
- KeyBlob = NULL;
- KeyInfo = NULL;
- KEKSigData = NULL;
- KekSigList = NULL;
- KekSigListSize = 0;
-
- //
- // Form the KeKpub certificate list into EFI_SIGNATURE_LIST type.
- // First, We have to parse out public key data from the pbk key file.
- //
- Status = ReadFileContent (
- Private->FileContext->FHandle,
- (VOID**) &KeyBlob,
- &KeyBlobSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (KeyBlob != NULL);
- KeyInfo = (CPL_KEY_INFO *) KeyBlob;
- if (KeyInfo->KeyLengthInBits / 8 != WIN_CERT_UEFI_RSA2048_SIZE) {
- DEBUG ((DEBUG_ERROR, "Unsupported key length, Only RSA2048 is supported.\n"));
- Status = EFI_UNSUPPORTED;
- goto ON_EXIT;
- }
-
- //
- // Convert the Public key to fix octet string format represented in RSA PKCS#1.
- //
- KeyLenInBytes = KeyInfo->KeyLengthInBits / 8;
- KeyBuffer = AllocateZeroPool (KeyLenInBytes);
- if (KeyBuffer == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
- Int2OctStr (
- (UINTN*) (KeyBlob + sizeof (CPL_KEY_INFO)),
- KeyLenInBytes / sizeof (UINTN),
- KeyBuffer,
- KeyLenInBytes
- );
- CopyMem(KeyBlob + sizeof(CPL_KEY_INFO), KeyBuffer, KeyLenInBytes);
-
- //
- // Form an new EFI_SIGNATURE_LIST.
- //
- KekSigListSize = sizeof(EFI_SIGNATURE_LIST)
- + sizeof(EFI_SIGNATURE_DATA) - 1
- + WIN_CERT_UEFI_RSA2048_SIZE;
-
- KekSigList = (EFI_SIGNATURE_LIST*) AllocateZeroPool (KekSigListSize);
- if (KekSigList == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- KekSigList->SignatureListSize = sizeof(EFI_SIGNATURE_LIST)
- + sizeof(EFI_SIGNATURE_DATA) - 1
- + WIN_CERT_UEFI_RSA2048_SIZE;
- KekSigList->SignatureHeaderSize = 0;
- KekSigList->SignatureSize = sizeof(EFI_SIGNATURE_DATA) - 1 + WIN_CERT_UEFI_RSA2048_SIZE;
- CopyGuid (&KekSigList->SignatureType, &gEfiCertRsa2048Guid);
-
- KEKSigData = (EFI_SIGNATURE_DATA*)((UINT8*)KekSigList + sizeof(EFI_SIGNATURE_LIST));
- CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID);
- CopyMem (
- KEKSigData->SignatureData,
- KeyBlob + sizeof(CPL_KEY_INFO),
- WIN_CERT_UEFI_RSA2048_SIZE
- );
-
- //
- // Check if KEK entry has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new KEK to original variable.
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8**) &KekSigList);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- //
- // Done. Now we have formed the correct KEKpub database item, just set it into variable storage,
- //
- Status = gRT->SetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- KekSigListSize,
- KekSigList
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- CloseFile (Private->FileContext->FHandle);
- Private->FileContext->FHandle = NULL;
- Private->FileContext->FileName = NULL;
-
- if (Private->SignatureGUID != NULL) {
- FreePool (Private->SignatureGUID);
- Private->SignatureGUID = NULL;
- }
-
- if (KeyBlob != NULL) {
- FreePool (KeyBlob);
- }
- if (KeyBuffer != NULL) {
- FreePool (KeyBuffer);
- }
- if (KekSigList != NULL) {
- FreePool (KekSigList);
- }
-
- return Status;
-}
-
-/**
- Enroll a new KEK item from X509 certificate file.
-
- @param[in] PrivateData The module's private data.
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollX509ToKek (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
- )
-{
- EFI_STATUS Status;
- UINTN X509DataSize;
- VOID *X509Data;
- EFI_SIGNATURE_DATA *KEKSigData;
- EFI_SIGNATURE_LIST *KekSigList;
- UINTN DataSize;
- UINTN KekSigListSize;
- UINT32 Attr;
-
- X509Data = NULL;
- X509DataSize = 0;
- KekSigList = NULL;
- KekSigListSize = 0;
- DataSize = 0;
- KEKSigData = NULL;
-
- Status = ReadFileContent (
- Private->FileContext->FHandle,
- &X509Data,
- &X509DataSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (X509Data != NULL);
-
- KekSigListSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize;
- KekSigList = (EFI_SIGNATURE_LIST*) AllocateZeroPool (KekSigListSize);
- if (KekSigList == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Fill Certificate Database parameters.
- //
- KekSigList->SignatureListSize = (UINT32) KekSigListSize;
- KekSigList->SignatureHeaderSize = 0;
- KekSigList->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- CopyGuid (&KekSigList->SignatureType, &gEfiCertX509Guid);
-
- KEKSigData = (EFI_SIGNATURE_DATA*) ((UINT8*) KekSigList + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&KEKSigData->SignatureOwner, Private->SignatureGUID);
- CopyMem (KEKSigData->SignatureData, X509Data, X509DataSize);
-
- //
- // Check if KEK been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new kek to original variable
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = CreateTimeBasedPayload (&KekSigListSize, (UINT8**) &KekSigList);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- KekSigListSize,
- KekSigList
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- CloseFile (Private->FileContext->FHandle);
- Private->FileContext->FileName = NULL;
- Private->FileContext->FHandle = NULL;
-
- if (Private->SignatureGUID != NULL) {
- FreePool (Private->SignatureGUID);
- Private->SignatureGUID = NULL;
- }
-
- if (KekSigList != NULL) {
- FreePool (KekSigList);
- }
-
- return Status;
-}
-
-/**
- Enroll new KEK into the System without PK's authentication.
- The SignatureOwner GUID will be Private->SignatureGUID.
-
- @param[in] PrivateData The module's private data.
-
- @retval EFI_SUCCESS New KEK enrolled successful.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval others Fail to enroll KEK data.
-
-**/
-EFI_STATUS
-EnrollKeyExchangeKey (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private
- )
-{
- UINT16* FilePostFix;
- UINTN NameLength;
-
- if ((Private->FileContext->FileName == NULL) || (Private->SignatureGUID == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Parse the file's postfix. Supports DER-encoded X509 certificate,
- // and .pbk as RSA public key file.
- //
- NameLength = StrLen (Private->FileContext->FileName);
- if (NameLength <= 4) {
- return EFI_INVALID_PARAMETER;
- }
- FilePostFix = Private->FileContext->FileName + NameLength - 4;
- if (IsDerEncodeCertificate(FilePostFix)) {
- return EnrollX509ToKek (Private);
- } else if (CompareMem (FilePostFix, L".pbk",4) == 0) {
- return EnrollRsa2048ToKek (Private);
- } else {
- return EFI_INVALID_PARAMETER;
- }
-}
-
-/**
- Enroll a new X509 certificate into Signature Database (DB or DBX) without
- KEK's authentication.
-
- @param[in] PrivateData The module's private data.
- @param[in] VariableName Variable name of signature database, must be
- EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.
-
- @retval EFI_SUCCESS New X509 is enrolled successfully.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollX509toSigDB (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN CHAR16 *VariableName
- )
-{
- EFI_STATUS Status;
- UINTN X509DataSize;
- VOID *X509Data;
- EFI_SIGNATURE_LIST *SigDBCert;
- EFI_SIGNATURE_DATA *SigDBCertData;
- VOID *Data;
- UINTN DataSize;
- UINTN SigDBSize;
- UINT32 Attr;
-
- X509DataSize = 0;
- SigDBSize = 0;
- DataSize = 0;
- X509Data = NULL;
- SigDBCert = NULL;
- SigDBCertData = NULL;
- Data = NULL;
-
- Status = ReadFileContent (
- Private->FileContext->FHandle,
- &X509Data,
- &X509DataSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (X509Data != NULL);
-
- SigDBSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize;
-
- Data = AllocateZeroPool (SigDBSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Fill Certificate Database parameters.
- //
- SigDBCert = (EFI_SIGNATURE_LIST*) Data;
- SigDBCert->SignatureListSize = (UINT32) SigDBSize;
- SigDBCert->SignatureHeaderSize = 0;
- SigDBCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + X509DataSize);
- CopyGuid (&SigDBCert->SignatureType, &gEfiCertX509Guid);
-
- SigDBCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigDBCert + sizeof (EFI_SIGNATURE_LIST));
- CopyGuid (&SigDBCertData->SignatureOwner, Private->SignatureGUID);
- CopyMem ((UINT8* ) (SigDBCertData->SignatureData), X509Data, X509DataSize);
-
- //
- // Check if signature database entry has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = CreateTimeBasedPayload (&SigDBSize, (UINT8**) &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- Status = gRT->SetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- Attr,
- SigDBSize,
- Data
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- CloseFile (Private->FileContext->FHandle);
- Private->FileContext->FileName = NULL;
- Private->FileContext->FHandle = NULL;
-
- if (Private->SignatureGUID != NULL) {
- FreePool (Private->SignatureGUID);
- Private->SignatureGUID = NULL;
- }
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- if (X509Data != NULL) {
- FreePool (X509Data);
- }
-
- return Status;
-}
-
-/**
- Load PE/COFF image information into internal buffer and check its validity.
-
- @retval EFI_SUCCESS Successful
- @retval EFI_UNSUPPORTED Invalid PE/COFF file
- @retval EFI_ABORTED Serious error occurs, like file I/O error etc.
-
-**/
-EFI_STATUS
-LoadPeImage (
- VOID
- )
-{
- EFI_IMAGE_DOS_HEADER *DosHdr;
- EFI_IMAGE_NT_HEADERS32 *NtHeader32;
- EFI_IMAGE_NT_HEADERS64 *NtHeader64;
-
- NtHeader32 = NULL;
- NtHeader64 = NULL;
- //
- // Read the Dos header
- //
- DosHdr = (EFI_IMAGE_DOS_HEADER*)(mImageBase);
- if (DosHdr->e_magic == EFI_IMAGE_DOS_SIGNATURE)
- {
- //
- // DOS image header is present,
- // So read the PE header after the DOS image header
- //
- mPeCoffHeaderOffset = DosHdr->e_lfanew;
- }
- else
- {
- mPeCoffHeaderOffset = 0;
- }
-
- //
- // Read PE header and check the signature validity and machine compatibility
- //
- NtHeader32 = (EFI_IMAGE_NT_HEADERS32*) (mImageBase + mPeCoffHeaderOffset);
- if (NtHeader32->Signature != EFI_IMAGE_NT_SIGNATURE)
- {
- return EFI_UNSUPPORTED;
- }
-
- mNtHeader.Pe32 = NtHeader32;
-
- //
- // Check the architecture field of PE header and get the Certificate Data Directory data
- // Note the size of FileHeader field is constant for both IA32 and X64 arch
- //
- if ((NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_IA32)
- || (NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_EBC)) {
- //
- // IA-32 Architecture
- //
- mImageType = ImageType_IA32;
- mSecDataDir = (EFI_IMAGE_SECURITY_DATA_DIRECTORY*) &(NtHeader32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]);
- }
- else if ((NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_IA64)
- || (NtHeader32->FileHeader.Machine == EFI_IMAGE_MACHINE_X64)) {
- //
- // 64-bits Architecture
- //
- mImageType = ImageType_X64;
- NtHeader64 = (EFI_IMAGE_NT_HEADERS64 *) (mImageBase + mPeCoffHeaderOffset);
- mSecDataDir = (EFI_IMAGE_SECURITY_DATA_DIRECTORY*) &(NtHeader64->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]);
- } else {
- return EFI_UNSUPPORTED;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Calculate hash of Pe/Coff image based on the authenticode image hashing in
- PE/COFF Specification 8.0 Appendix A
-
- @param[in] HashAlg Hash algorithm type.
-
- @retval TRUE Successfully hash image.
- @retval FALSE Fail in hash image.
-
-**/
-BOOLEAN
-HashPeImage (
- IN UINT32 HashAlg
- )
-{
- BOOLEAN Status;
- UINT16 Magic;
- EFI_IMAGE_SECTION_HEADER *Section;
- VOID *HashCtx;
- UINTN CtxSize;
- UINT8 *HashBase;
- UINTN HashSize;
- UINTN SumOfBytesHashed;
- EFI_IMAGE_SECTION_HEADER *SectionHeader;
- UINTN Index;
- UINTN Pos;
-
- HashCtx = NULL;
- SectionHeader = NULL;
- Status = FALSE;
-
- if ((HashAlg != HASHALG_SHA1) && (HashAlg != HASHALG_SHA256)) {
- return FALSE;
- }
-
- //
- // Initialize context of hash.
- //
- ZeroMem (mImageDigest, MAX_DIGEST_SIZE);
-
- if (HashAlg == HASHALG_SHA1) {
- mImageDigestSize = SHA1_DIGEST_SIZE;
- mCertType = gEfiCertSha1Guid;
- } else if (HashAlg == HASHALG_SHA256) {
- mImageDigestSize = SHA256_DIGEST_SIZE;
- mCertType = gEfiCertSha256Guid;
- }
-
- CtxSize = mHash[HashAlg].GetContextSize();
-
- HashCtx = AllocatePool (CtxSize);
- ASSERT (HashCtx != NULL);
-
- // 1. Load the image header into memory.
-
- // 2. Initialize a SHA hash context.
- Status = mHash[HashAlg].HashInit(HashCtx);
- if (!Status) {
- goto Done;
- }
- //
- // Measuring PE/COFF Image Header;
- // But CheckSum field and SECURITY data directory (certificate) are excluded
- //
- if (mNtHeader.Pe32->FileHeader.Machine == IMAGE_FILE_MACHINE_IA64 && mNtHeader.Pe32->OptionalHeader.Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // NOTE: Some versions of Linux ELILO for Itanium have an incorrect magic value
- // in the PE/COFF Header. If the MachineType is Itanium(IA64) and the
- // Magic value in the OptionalHeader is EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC
- // then override the magic value to EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC
- //
- Magic = EFI_IMAGE_NT_OPTIONAL_HDR64_MAGIC;
- } else {
- //
- // Get the magic value from the PE/COFF Optional Header
- //
- Magic = mNtHeader.Pe32->OptionalHeader.Magic;
- }
-
- //
- // 3. Calculate the distance from the base of the image header to the image checksum address.
- // 4. Hash the image header from its base to beginning of the image checksum.
- //
- HashBase = mImageBase;
- if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // Use PE32 offset.
- //
- HashSize = (UINTN) ((UINT8 *) (&mNtHeader.Pe32->OptionalHeader.CheckSum) - HashBase);
- } else {
- //
- // Use PE32+ offset.
- //
- HashSize = (UINTN) ((UINT8 *) (&mNtHeader.Pe32Plus->OptionalHeader.CheckSum) - HashBase);
- }
-
- Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);
- if (!Status) {
- goto Done;
- }
- //
- // 5. Skip over the image checksum (it occupies a single ULONG).
- // 6. Get the address of the beginning of the Cert Directory.
- // 7. Hash everything from the end of the checksum to the start of the Cert Directory.
- //
- if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // Use PE32 offset.
- //
- HashBase = (UINT8 *) &mNtHeader.Pe32->OptionalHeader.CheckSum + sizeof (UINT32);
- HashSize = (UINTN) ((UINT8 *) (&mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - HashBase);
- } else {
- //
- // Use PE32+ offset.
- //
- HashBase = (UINT8 *) &mNtHeader.Pe32Plus->OptionalHeader.CheckSum + sizeof (UINT32);
- HashSize = (UINTN) ((UINT8 *) (&mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY]) - HashBase);
- }
-
- Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);
- if (!Status) {
- goto Done;
- }
- //
- // 8. Skip over the Cert Directory. (It is sizeof(IMAGE_DATA_DIRECTORY) bytes.)
- // 9. Hash everything from the end of the Cert Directory to the end of image header.
- //
- if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // Use PE32 offset
- //
- HashBase = (UINT8 *) &mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1];
- HashSize = mNtHeader.Pe32->OptionalHeader.SizeOfHeaders - (UINTN) ((UINT8 *) (&mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]) - mImageBase);
- } else {
- //
- // Use PE32+ offset.
- //
- HashBase = (UINT8 *) &mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1];
- HashSize = mNtHeader.Pe32Plus->OptionalHeader.SizeOfHeaders - (UINTN) ((UINT8 *) (&mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY + 1]) - mImageBase);
- }
-
- Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);
- if (!Status) {
- goto Done;
- }
- //
- // 10. Set the SUM_OF_BYTES_HASHED to the size of the header.
- //
- if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // Use PE32 offset.
- //
- SumOfBytesHashed = mNtHeader.Pe32->OptionalHeader.SizeOfHeaders;
- } else {
- //
- // Use PE32+ offset
- //
- SumOfBytesHashed = mNtHeader.Pe32Plus->OptionalHeader.SizeOfHeaders;
- }
-
- //
- // 11. Build a temporary table of pointers to all the IMAGE_SECTION_HEADER
- // structures in the image. The 'NumberOfSections' field of the image
- // header indicates how big the table should be. Do not include any
- // IMAGE_SECTION_HEADERs in the table whose 'SizeOfRawData' field is zero.
- //
- SectionHeader = (EFI_IMAGE_SECTION_HEADER *) AllocateZeroPool (sizeof (EFI_IMAGE_SECTION_HEADER) * mNtHeader.Pe32->FileHeader.NumberOfSections);
- ASSERT (SectionHeader != NULL);
- //
- // 12. Using the 'PointerToRawData' in the referenced section headers as
- // a key, arrange the elements in the table in ascending order. In other
- // words, sort the section headers according to the disk-file offset of
- // the section.
- //
- Section = (EFI_IMAGE_SECTION_HEADER *) (
- mImageBase +
- mPeCoffHeaderOffset +
- sizeof (UINT32) +
- sizeof (EFI_IMAGE_FILE_HEADER) +
- mNtHeader.Pe32->FileHeader.SizeOfOptionalHeader
- );
- for (Index = 0; Index < mNtHeader.Pe32->FileHeader.NumberOfSections; Index++) {
- Pos = Index;
- while ((Pos > 0) && (Section->PointerToRawData < SectionHeader[Pos - 1].PointerToRawData)) {
- CopyMem (&SectionHeader[Pos], &SectionHeader[Pos - 1], sizeof (EFI_IMAGE_SECTION_HEADER));
- Pos--;
- }
- CopyMem (&SectionHeader[Pos], Section, sizeof (EFI_IMAGE_SECTION_HEADER));
- Section += 1;
- }
-
- //
- // 13. Walk through the sorted table, bring the corresponding section
- // into memory, and hash the entire section (using the 'SizeOfRawData'
- // field in the section header to determine the amount of data to hash).
- // 14. Add the section's 'SizeOfRawData' to SUM_OF_BYTES_HASHED .
- // 15. Repeat steps 13 and 14 for all the sections in the sorted table.
- //
- for (Index = 0; Index < mNtHeader.Pe32->FileHeader.NumberOfSections; Index++) {
- Section = &SectionHeader[Index];
- if (Section->SizeOfRawData == 0) {
- continue;
- }
- HashBase = mImageBase + Section->PointerToRawData;
- HashSize = (UINTN) Section->SizeOfRawData;
-
- Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);
- if (!Status) {
- goto Done;
- }
-
- SumOfBytesHashed += HashSize;
- }
-
- //
- // 16. If the file size is greater than SUM_OF_BYTES_HASHED, there is extra
- // data in the file that needs to be added to the hash. This data begins
- // at file offset SUM_OF_BYTES_HASHED and its length is:
- // FileSize - (CertDirectory->Size)
- //
- if (mImageSize > SumOfBytesHashed) {
- HashBase = mImageBase + SumOfBytesHashed;
- if (Magic == EFI_IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
- //
- // Use PE32 offset.
- //
- HashSize = (UINTN)(
- mImageSize -
- mNtHeader.Pe32->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size -
- SumOfBytesHashed);
- } else {
- //
- // Use PE32+ offset.
- //
- HashSize = (UINTN)(
- mImageSize -
- mNtHeader.Pe32Plus->OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY].Size -
- SumOfBytesHashed);
- }
-
- Status = mHash[HashAlg].HashUpdate(HashCtx, HashBase, HashSize);
- if (!Status) {
- goto Done;
- }
- }
-
- Status = mHash[HashAlg].HashFinal(HashCtx, mImageDigest);
-
-Done:
- if (HashCtx != NULL) {
- FreePool (HashCtx);
- }
- if (SectionHeader != NULL) {
- FreePool (SectionHeader);
- }
- return Status;
-}
-
-/**
- Recognize the Hash algorithm in PE/COFF Authenticode and caculate hash of
- Pe/Coff image based on the authenticated image hashing in PE/COFF Specification
- 8.0 Appendix A
-
- @retval EFI_UNSUPPORTED Hash algorithm is not supported.
- @retval EFI_SUCCESS Hash successfully.
-
-**/
-EFI_STATUS
-HashPeImageByType (
- VOID
- )
-{
- UINT8 Index;
- WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;
-
- PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *) (mImageBase + mSecDataDir->Offset);
-
- for (Index = 0; Index < HASHALG_MAX; Index++) {
- //
- // Check the Hash algorithm in PE/COFF Authenticode.
- // According to PKCS#7 Definition:
- // SignedData ::= SEQUENCE {
- // version Version,
- // digestAlgorithms DigestAlgorithmIdentifiers,
- // contentInfo ContentInfo,
- // .... }
- // The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing
- // This field has the fixed offset (+32) in final Authenticode ASN.1 data.
- // Fixed offset (+32) is calculated based on two bytes of length encoding.
- //
- if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
- //
- // Only support two bytes of Long Form of Length Encoding.
- //
- continue;
- }
-
- //
- if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {
- break;
- }
- }
-
- if (Index == HASHALG_MAX) {
- return EFI_UNSUPPORTED;
- }
-
- //
- // HASH PE Image based on Hash algorithm in PE/COFF Authenticode.
- //
- if (!HashPeImage(Index)) {
- return EFI_UNSUPPORTED;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Enroll a new executable's signature into Signature Database.
-
- @param[in] PrivateData The module's private data.
- @param[in] VariableName Variable name of signature database, must be
- EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.
-
- @retval EFI_SUCCESS New signature is enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval EFI_UNSUPPORTED Unsupported command.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-EnrollImageSignatureToSigDB (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN CHAR16 *VariableName
- )
-{
- EFI_STATUS Status;
- EFI_SIGNATURE_LIST *SigDBCert;
- EFI_SIGNATURE_DATA *SigDBCertData;
- VOID *Data;
- UINTN DataSize;
- UINTN SigDBSize;
- UINT32 Attr;
- WIN_CERTIFICATE_UEFI_GUID *GuidCertData;
-
- Data = NULL;
- GuidCertData = NULL;
-
- //
- // Form the SigDB certificate list.
- // Format the data item into EFI_SIGNATURE_LIST type.
- //
- // We need to parse executable's signature data from specified signed executable file.
- // In current implementation, we simply trust the pass-in signed executable file.
- // In reality, it's OS's responsibility to verify the signed executable file.
- //
-
- //
- // Read the whole file content
- //
- Status = ReadFileContent(
- Private->FileContext->FHandle,
- (VOID **) &mImageBase,
- &mImageSize,
- 0
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- ASSERT (mImageBase != NULL);
-
- Status = LoadPeImage ();
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- if (mSecDataDir->SizeOfCert == 0) {
- if (!HashPeImage (HASHALG_SHA256)) {
- Status = EFI_SECURITY_VIOLATION;
- goto ON_EXIT;
- }
- } else {
-
- //
- // Read the certificate data
- //
- mCertificate = (WIN_CERTIFICATE *)(mImageBase + mSecDataDir->Offset);
-
- if (mCertificate->wCertificateType == WIN_CERT_TYPE_EFI_GUID) {
- GuidCertData = (WIN_CERTIFICATE_UEFI_GUID*) mCertificate;
- if (CompareMem (&GuidCertData->CertType, &gEfiCertTypeRsa2048Sha256Guid, sizeof(EFI_GUID)) != 0) {
- Status = EFI_ABORTED;
- goto ON_EXIT;
- }
-
- if (!HashPeImage (HASHALG_SHA256)) {
- Status = EFI_ABORTED;
- goto ON_EXIT;;
- }
-
- } else if (mCertificate->wCertificateType == WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
-
- Status = HashPeImageByType ();
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;;
- }
- } else {
- Status = EFI_ABORTED;
- goto ON_EXIT;
- }
- }
-
- //
- // Create a new SigDB entry.
- //
- SigDBSize = sizeof(EFI_SIGNATURE_LIST)
- + sizeof(EFI_SIGNATURE_DATA) - 1
- + (UINT32) mImageDigestSize;
-
- Data = (UINT8*) AllocateZeroPool (SigDBSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Adjust the Certificate Database parameters.
- //
- SigDBCert = (EFI_SIGNATURE_LIST*) Data;
- SigDBCert->SignatureListSize = (UINT32) SigDBSize;
- SigDBCert->SignatureHeaderSize = 0;
- SigDBCert->SignatureSize = sizeof(EFI_SIGNATURE_DATA) - 1 + (UINT32) mImageDigestSize;
- CopyGuid (&SigDBCert->SignatureType, &mCertType);
-
- SigDBCertData = (EFI_SIGNATURE_DATA*)((UINT8*)SigDBCert + sizeof(EFI_SIGNATURE_LIST));
- CopyGuid (&SigDBCertData->SignatureOwner, Private->SignatureGUID);
- CopyMem (SigDBCertData->SignatureData, mImageDigest, mImageDigestSize);
-
- Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
- | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
- Status = CreateTimeBasedPayload (&SigDBSize, (UINT8**) &Data);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
-
- //
- // Check if SigDB variable has been already existed.
- // If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
- // new signature data to original variable
- //
- DataSize = 0;
- Status = gRT->GetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- NULL,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- Attr |= EFI_VARIABLE_APPEND_WRITE;
- } else if (Status != EFI_NOT_FOUND) {
- goto ON_EXIT;
- }
-
- //
- // Enroll the variable.
- //
- Status = gRT->SetVariable(
- VariableName,
- &gEfiImageSecurityDatabaseGuid,
- Attr,
- SigDBSize,
- Data
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- CloseFile (Private->FileContext->FHandle);
- Private->FileContext->FHandle = NULL;
- Private->FileContext->FileName = NULL;
-
- if (Private->SignatureGUID != NULL) {
- FreePool (Private->SignatureGUID);
- Private->SignatureGUID = NULL;
- }
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- if (mImageBase != NULL) {
- FreePool (mImageBase);
- mImageBase = NULL;
- }
-
- return Status;
-}
-
-/**
- Enroll signature into DB/DBX without KEK's authentication.
- The SignatureOwner GUID will be Private->SignatureGUID.
-
- @param[in] PrivateData The module's private data.
- @param[in] VariableName Variable name of signature database, must be
- EFI_IMAGE_SECURITY_DATABASE or EFI_IMAGE_SECURITY_DATABASE1.
-
- @retval EFI_SUCCESS New signature enrolled successfully.
- @retval EFI_INVALID_PARAMETER The parameter is invalid.
- @retval others Fail to enroll signature data.
-
-**/
-EFI_STATUS
-EnrollSignatureDatabase (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
- IN CHAR16 *VariableName
- )
-{
- UINT16* FilePostFix;
- UINTN NameLength;
-
- if ((Private->FileContext->FileName == NULL) || (Private->FileContext->FHandle == NULL) || (Private->SignatureGUID == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Parse the file's postfix.
- //
- NameLength = StrLen (Private->FileContext->FileName);
- if (NameLength <= 4) {
- return EFI_INVALID_PARAMETER;
- }
- FilePostFix = Private->FileContext->FileName + NameLength - 4;
- if (IsDerEncodeCertificate(FilePostFix)) {
- //
- // Supports DER-encoded X509 certificate.
- //
- return EnrollX509toSigDB (Private, VariableName);
- }
-
- return EnrollImageSignatureToSigDB (Private, VariableName);
-}
-
-/**
- List all signatures in specified signature database (e.g. KEK/DB/DBX)
- by GUID in the page for user to select and delete as needed.
-
- @param[in] PrivateData Module's private data.
- @param[in] VariableName The variable name of the vendor's signature database.
- @param[in] VendorGuid A unique identifier for the vendor.
- @param[in] LabelNumber Label number to insert opcodes.
- @param[in] FormId Form ID of current page.
- @param[in] QuestionIdBase Base question id of the signature list.
-
- @retval EFI_SUCCESS Success to update the signature list page
- @retval EFI_OUT_OF_RESOURCES Unable to allocate required resources.
-
-**/
-EFI_STATUS
-UpdateDeletePage (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT16 LabelNumber,
- IN EFI_FORM_ID FormId,
- IN EFI_QUESTION_ID QuestionIdBase
- )
-{
- EFI_STATUS Status;
- UINT32 Index;
- UINTN CertCount;
- UINTN GuidIndex;
- VOID *StartOpCodeHandle;
- VOID *EndOpCodeHandle;
- EFI_IFR_GUID_LABEL *StartLabel;
- EFI_IFR_GUID_LABEL *EndLabel;
- UINTN DataSize;
- UINT8 *Data;
- EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_DATA *Cert;
- UINT32 ItemDataSize;
- CHAR16 *GuidStr;
- EFI_STRING_ID GuidID;
- EFI_STRING_ID Help;
-
- Data = NULL;
- CertList = NULL;
- Cert = NULL;
- GuidStr = NULL;
- StartOpCodeHandle = NULL;
- EndOpCodeHandle = NULL;
-
- //
- // Initialize the container for dynamic opcodes.
- //
- StartOpCodeHandle = HiiAllocateOpCodeHandle ();
- if (StartOpCodeHandle == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- EndOpCodeHandle = HiiAllocateOpCodeHandle ();
- if (EndOpCodeHandle == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Create Hii Extend Label OpCode.
- //
- StartLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- StartOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- StartLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
- StartLabel->Number = LabelNumber;
-
- EndLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- EndOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- EndLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
- EndLabel->Number = LABEL_END;
-
- //
- // Read Variable.
- //
- DataSize = 0;
- Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &DataSize, Data);
- if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {
- goto ON_EXIT;
- }
-
- Data = (UINT8 *) AllocateZeroPool (DataSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &DataSize, Data);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- GuidStr = AllocateZeroPool (100);
- if (GuidStr == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Enumerate all KEK pub data.
- //
- ItemDataSize = (UINT32) DataSize;
- CertList = (EFI_SIGNATURE_LIST *) Data;
- GuidIndex = 0;
-
- while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
-
- if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_RSA2048_SHA256_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_PCKS7_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_SHA1_GUID);
- } else if (CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid)) {
- Help = STRING_TOKEN (STR_CERT_TYPE_SHA256_GUID);
- } else {
- //
- // The signature type is not supported in current implementation.
- //
- continue;
- }
-
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
- for (Index = 0; Index < CertCount; Index++) {
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList
- + sizeof (EFI_SIGNATURE_LIST)
- + CertList->SignatureHeaderSize
- + Index * CertList->SignatureSize);
- //
- // Display GUID and help
- //
- GuidToString (&Cert->SignatureOwner, GuidStr, 100);
- GuidID = HiiSetString (PrivateData->HiiHandle, 0, GuidStr, NULL);
- HiiCreateCheckBoxOpCode (
- StartOpCodeHandle,
- (EFI_QUESTION_ID) (QuestionIdBase + GuidIndex++),
- 0,
- 0,
- GuidID,
- Help,
- EFI_IFR_FLAG_CALLBACK,
- 0,
- NULL
- );
- }
-
- ItemDataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
- }
-
-ON_EXIT:
- HiiUpdateForm (
- PrivateData->HiiHandle,
- &gSecureBootConfigFormSetGuid,
- FormId,
- StartOpCodeHandle,
- EndOpCodeHandle
- );
-
- if (StartOpCodeHandle != NULL) {
- HiiFreeOpCodeHandle (StartOpCodeHandle);
- }
-
- if (EndOpCodeHandle != NULL) {
- HiiFreeOpCodeHandle (EndOpCodeHandle);
- }
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- if (GuidStr != NULL) {
- FreePool (GuidStr);
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Delete a KEK entry from KEK database.
-
- @param[in] PrivateData Module's private data.
- @param[in] QuestionId Question id of the KEK item to delete.
-
- @retval EFI_SUCCESS Delete kek item successfully.
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-
-**/
-EFI_STATUS
-DeleteKeyExchangeKey (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
- IN EFI_QUESTION_ID QuestionId
- )
-{
- EFI_STATUS Status;
- UINTN DataSize;
- UINT8 *Data;
- UINT8 *OldData;
- UINT32 Attr;
- UINT32 Index;
- EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_LIST *NewCertList;
- EFI_SIGNATURE_DATA *Cert;
- UINTN CertCount;
- UINT32 Offset;
- BOOLEAN IsKEKItemFound;
- UINT32 KekDataSize;
- UINTN DeleteKekIndex;
- UINTN GuidIndex;
-
- Data = NULL;
- OldData = NULL;
- CertList = NULL;
- Cert = NULL;
- Attr = 0;
- DeleteKekIndex = QuestionId - OPTION_DEL_KEK_QUESTION_ID;
-
- //
- // Get original KEK variable.
- //
- DataSize = 0;
- Status = gRT->GetVariable (EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, NULL, &DataSize, NULL);
- if (EFI_ERROR(Status) && Status != EFI_BUFFER_TOO_SMALL) {
- goto ON_EXIT;
- }
-
- OldData = (UINT8*)AllocateZeroPool(DataSize);
- if (OldData == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable (EFI_KEY_EXCHANGE_KEY_NAME, &gEfiGlobalVariableGuid, &Attr, &DataSize, OldData);
- if (EFI_ERROR(Status)) {
- goto ON_EXIT;
- }
-
- //
- // Allocate space for new variable.
- //
- Data = (UINT8*) AllocateZeroPool (DataSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Enumerate all KEK pub data and erasing the target item.
- //
- IsKEKItemFound = FALSE;
- KekDataSize = (UINT32) DataSize;
- CertList = (EFI_SIGNATURE_LIST *) OldData;
- Offset = 0;
- GuidIndex = 0;
- while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
- if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
- CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid)) {
- CopyMem (Data + Offset, CertList, (sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize));
- NewCertList = (EFI_SIGNATURE_LIST *)(Data + Offset);
- Offset += (sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
- for (Index = 0; Index < CertCount; Index++) {
- if (GuidIndex == DeleteKekIndex ) {
- //
- // Find it! Skip it!
- //
- NewCertList->SignatureListSize -= CertList->SignatureSize;
- IsKEKItemFound = TRUE;
- } else {
- //
- // This item doesn't match. Copy it to the Data buffer.
- //
- CopyMem (Data + Offset, Cert, CertList->SignatureSize);
- Offset += CertList->SignatureSize;
- }
- GuidIndex++;
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8*) Cert + CertList->SignatureSize);
- }
- } else {
- //
- // This List doesn't match. Copy it to the Data buffer.
- //
- CopyMem (Data + Offset, CertList, CertList->SignatureListSize);
- Offset += CertList->SignatureListSize;
- }
-
- KekDataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST*) ((UINT8*) CertList + CertList->SignatureListSize);
- }
-
- if (!IsKEKItemFound) {
- //
- // Doesn't find the Kek Item!
- //
- Status = EFI_NOT_FOUND;
- goto ON_EXIT;
- }
-
- //
- // Delete the Signature header if there is no signature in the list.
- //
- KekDataSize = Offset;
- CertList = (EFI_SIGNATURE_LIST*) Data;
- Offset = 0;
- ZeroMem (OldData, KekDataSize);
- while ((KekDataSize > 0) && (KekDataSize >= CertList->SignatureListSize)) {
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
- DEBUG ((DEBUG_ERROR, " CertCount = %x\n", CertCount));
- if (CertCount != 0) {
- CopyMem (OldData + Offset, CertList, CertList->SignatureListSize);
- Offset += CertList->SignatureListSize;
- }
- KekDataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
- }
-
- DataSize = Offset;
- if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
- Status = CreateTimeBasedPayload (&DataSize, &OldData);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
- }
-
- Status = gRT->SetVariable(
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- Attr,
- DataSize,
- OldData
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Failed to set variable, Status = %r\n", Status));
- goto ON_EXIT;
- }
-
-ON_EXIT:
- if (Data != NULL) {
- FreePool(Data);
- }
-
- if (OldData != NULL) {
- FreePool(OldData);
- }
-
- return UpdateDeletePage (
- PrivateData,
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- LABEL_KEK_DELETE,
- FORMID_DELETE_KEK_FORM,
- OPTION_DEL_KEK_QUESTION_ID
- );
-}
-
-/**
- Delete a signature entry from siganture database.
-
- @param[in] PrivateData Module's private data.
- @param[in] VariableName The variable name of the vendor's signature database.
- @param[in] VendorGuid A unique identifier for the vendor.
- @param[in] LabelNumber Label number to insert opcodes.
- @param[in] FormId Form ID of current page.
- @param[in] QuestionIdBase Base question id of the signature list.
- @param[in] DeleteIndex Signature index to delete.
-
- @retval EFI_SUCCESS Delete siganture successfully.
- @retval EFI_NOT_FOUND Can't find the signature item,
- @retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
-**/
-EFI_STATUS
-DeleteSignature (
- IN SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData,
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT16 LabelNumber,
- IN EFI_FORM_ID FormId,
- IN EFI_QUESTION_ID QuestionIdBase,
- IN UINTN DeleteIndex
- )
-{
- EFI_STATUS Status;
- UINTN DataSize;
- UINT8 *Data;
- UINT8 *OldData;
- UINT32 Attr;
- UINT32 Index;
- EFI_SIGNATURE_LIST *CertList;
- EFI_SIGNATURE_LIST *NewCertList;
- EFI_SIGNATURE_DATA *Cert;
- UINTN CertCount;
- UINT32 Offset;
- BOOLEAN IsItemFound;
- UINT32 ItemDataSize;
- UINTN GuidIndex;
-
- Data = NULL;
- OldData = NULL;
- CertList = NULL;
- Cert = NULL;
- Attr = 0;
-
- //
- // Get original signature list data.
- //
- DataSize = 0;
- Status = gRT->GetVariable (VariableName, VendorGuid, NULL, &DataSize, NULL);
- if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {
- goto ON_EXIT;
- }
-
- OldData = (UINT8 *) AllocateZeroPool (DataSize);
- if (OldData == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- Status = gRT->GetVariable (VariableName, VendorGuid, &Attr, &DataSize, OldData);
- if (EFI_ERROR(Status)) {
- goto ON_EXIT;
- }
-
- //
- // Allocate space for new variable.
- //
- Data = (UINT8*) AllocateZeroPool (DataSize);
- if (Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Enumerate all signature data and erasing the target item.
- //
- IsItemFound = FALSE;
- ItemDataSize = (UINT32) DataSize;
- CertList = (EFI_SIGNATURE_LIST *) OldData;
- Offset = 0;
- GuidIndex = 0;
- while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
- if (CompareGuid (&CertList->SignatureType, &gEfiCertRsa2048Guid) ||
- CompareGuid (&CertList->SignatureType, &gEfiCertX509Guid) ||
- CompareGuid (&CertList->SignatureType, &gEfiCertSha1Guid) ||
- CompareGuid (&CertList->SignatureType, &gEfiCertSha256Guid)
- ) {
- //
- // Copy EFI_SIGNATURE_LIST header then calculate the signature count in this list.
- //
- CopyMem (Data + Offset, CertList, (sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize));
- NewCertList = (EFI_SIGNATURE_LIST*) (Data + Offset);
- Offset += (sizeof(EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
- for (Index = 0; Index < CertCount; Index++) {
- if (GuidIndex == DeleteIndex) {
- //
- // Find it! Skip it!
- //
- NewCertList->SignatureListSize -= CertList->SignatureSize;
- IsItemFound = TRUE;
- } else {
- //
- // This item doesn't match. Copy it to the Data buffer.
- //
- CopyMem (Data + Offset, (UINT8*)(Cert), CertList->SignatureSize);
- Offset += CertList->SignatureSize;
- }
- GuidIndex++;
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
- }
- } else {
- //
- // This List doesn't match. Just copy it to the Data buffer.
- //
- CopyMem (Data + Offset, (UINT8*)(CertList), CertList->SignatureListSize);
- Offset += CertList->SignatureListSize;
- }
-
- ItemDataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
- }
-
- if (!IsItemFound) {
- //
- // Doesn't find the signature Item!
- //
- Status = EFI_NOT_FOUND;
- goto ON_EXIT;
- }
-
- //
- // Delete the EFI_SIGNATURE_LIST header if there is no signature in the list.
- //
- ItemDataSize = Offset;
- CertList = (EFI_SIGNATURE_LIST *) Data;
- Offset = 0;
- ZeroMem (OldData, ItemDataSize);
- while ((ItemDataSize > 0) && (ItemDataSize >= CertList->SignatureListSize)) {
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
- DEBUG ((DEBUG_ERROR, " CertCount = %x\n", CertCount));
- if (CertCount != 0) {
- CopyMem (OldData + Offset, (UINT8*)(CertList), CertList->SignatureListSize);
- Offset += CertList->SignatureListSize;
- }
- ItemDataSize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
- }
-
- DataSize = Offset;
- if ((Attr & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0) {
- Status = CreateTimeBasedPayload (&DataSize, &OldData);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_ERROR, "Fail to create time-based data payload: %r", Status));
- goto ON_EXIT;
- }
- }
-
- Status = gRT->SetVariable(
- VariableName,
- VendorGuid,
- Attr,
- DataSize,
- OldData
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Failed to set variable, Status = %r\n", Status));
- goto ON_EXIT;
- }
-
-ON_EXIT:
- if (Data != NULL) {
- FreePool(Data);
- }
-
- if (OldData != NULL) {
- FreePool(OldData);
- }
-
- return UpdateDeletePage (
- PrivateData,
- VariableName,
- VendorGuid,
- LabelNumber,
- FormId,
- QuestionIdBase
- );
-}
-
-/**
- This function extracts configuration from variable.
-
- @param[in, out] ConfigData Point to SecureBoot configuration private data.
-
-**/
-VOID
-SecureBootExtractConfigFromVariable (
- IN OUT SECUREBOOT_CONFIGURATION *ConfigData
- )
-{
- UINT8 *SecureBootEnable;
- UINT8 *SetupMode;
- UINT8 *SecureBoot;
- UINT8 *SecureBootMode;
-
- SecureBootEnable = NULL;
- SetupMode = NULL;
- SecureBoot = NULL;
- SecureBootMode = NULL;
-
- //
- // If the SecureBootEnable Variable doesn't exist, hide the SecureBoot Enable/Disable
- // Checkbox.
- //
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
- if (SecureBootEnable == NULL) {
- ConfigData->HideSecureBoot = TRUE;
- } else {
- ConfigData->HideSecureBoot = FALSE;
- }
-
- //
- // If it is Physical Presence User, set the PhysicalPresent to true.
- //
- if (UserPhysicalPresent()) {
- ConfigData->PhysicalPresent = TRUE;
- } else {
- ConfigData->PhysicalPresent = FALSE;
- }
-
- //
- // If there is no PK then the Delete Pk button will be gray.
- //
- GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
- if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {
- ConfigData->HasPk = FALSE;
- } else {
- ConfigData->HasPk = TRUE;
- }
-
- //
- // If the value of SecureBoot variable is 1, the platform is operating in secure boot mode.
- //
- GetVariable2 (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SecureBoot, NULL);
- if (SecureBoot != NULL && *SecureBoot == SECURE_BOOT_MODE_ENABLE) {
- ConfigData->SecureBootState = TRUE;
- } else {
- ConfigData->SecureBootState = FALSE;
- }
-
- //
- // Get the SecureBootMode from CustomMode variable.
- //
- GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootMode, NULL);
- if (SecureBootMode == NULL) {
- ConfigData->SecureBootMode = STANDARD_SECURE_BOOT_MODE;
- } else {
- ConfigData->SecureBootMode = *(SecureBootMode);
- }
-
-}
-
-/**
- This function allows a caller to extract the current configuration for one
- or more named elements from the target driver.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Request A null-terminated Unicode string in
- <ConfigRequest> format.
- @param[out] Progress On return, points to a character in the Request
- string. Points to the string's null terminator if
- request was successful. Points to the most recent
- '&' before the first failing name/value pair (or
- the beginning of the string if the failure is in
- the first name/value pair) if the request was not
- successful.
- @param[out] Results A null-terminated Unicode string in
- <ConfigAltResp> format which has all values filled
- in for the names in the Request string. String to
- be allocated by the called function.
-
- @retval EFI_SUCCESS The Results is filled with the requested values.
- @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results.
- @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown name.
- @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
- driver.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootExtractConfig (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN CONST EFI_STRING Request,
- OUT EFI_STRING *Progress,
- OUT EFI_STRING *Results
- )
-{
- EFI_STATUS Status;
- UINTN BufferSize;
- UINTN Size;
- SECUREBOOT_CONFIGURATION Configuration;
- EFI_STRING ConfigRequest;
- EFI_STRING ConfigRequestHdr;
- SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
- BOOLEAN AllocatedRequest;
-
- if (Progress == NULL || Results == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- AllocatedRequest = FALSE;
- ConfigRequestHdr = NULL;
- ConfigRequest = NULL;
- Size = 0;
-
- ZeroMem (&Configuration, sizeof (Configuration));
- PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
- *Progress = Request;
-
- if ((Request != NULL) && !HiiIsConfigHdrMatch (Request, &gSecureBootConfigFormSetGuid, mSecureBootStorageName)) {
- return EFI_NOT_FOUND;
- }
-
- //
- // Get Configuration from Variable.
- //
- SecureBootExtractConfigFromVariable (&Configuration);
-
- BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
- ConfigRequest = Request;
- if ((Request == NULL) || (StrStr (Request, L"OFFSET") == NULL)) {
- //
- // Request is set to NULL or OFFSET is NULL, construct full request string.
- //
- // Allocate and fill a buffer large enough to hold the <ConfigHdr> template
- // followed by "&OFFSET=0&WIDTH=WWWWWWWWWWWWWWWW" followed by a Null-terminator
- //
- ConfigRequestHdr = HiiConstructConfigHdr (&gSecureBootConfigFormSetGuid, mSecureBootStorageName, PrivateData->DriverHandle);
- Size = (StrLen (ConfigRequestHdr) + 32 + 1) * sizeof (CHAR16);
- ConfigRequest = AllocateZeroPool (Size);
- ASSERT (ConfigRequest != NULL);
- AllocatedRequest = TRUE;
- UnicodeSPrint (ConfigRequest, Size, L"%s&OFFSET=0&WIDTH=%016LX", ConfigRequestHdr, (UINT64)BufferSize);
- FreePool (ConfigRequestHdr);
- ConfigRequestHdr = NULL;
- }
-
- Status = gHiiConfigRouting->BlockToConfig (
- gHiiConfigRouting,
- ConfigRequest,
- (UINT8 *) &Configuration,
- BufferSize,
- Results,
- Progress
- );
-
- //
- // Free the allocated config request string.
- //
- if (AllocatedRequest) {
- FreePool (ConfigRequest);
- }
-
- //
- // Set Progress string to the original request string.
- //
- if (Request == NULL) {
- *Progress = NULL;
- } else if (StrStr (Request, L"OFFSET") == NULL) {
- *Progress = Request + StrLen (Request);
- }
-
- return Status;
-}
-
-/**
- This function processes the results of changes in configuration.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Configuration A null-terminated Unicode string in <ConfigResp>
- format.
- @param[out] Progress A pointer to a string filled in with the offset of
- the most recent '&' before the first failing
- name/value pair (or the beginning of the string if
- the failure is in the first name/value pair) or
- the terminating NULL if all was successful.
-
- @retval EFI_SUCCESS The Results is processed successfully.
- @retval EFI_INVALID_PARAMETER Configuration is NULL.
- @retval EFI_NOT_FOUND Routing data doesn't match any storage in this
- driver.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootRouteConfig (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN CONST EFI_STRING Configuration,
- OUT EFI_STRING *Progress
- )
-{
- if (Configuration == NULL || Progress == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- *Progress = Configuration;
- if (!HiiIsConfigHdrMatch (Configuration, &gSecureBootConfigFormSetGuid, mSecureBootStorageName)) {
- return EFI_NOT_FOUND;
- }
-
- *Progress = Configuration + StrLen (Configuration);
- return EFI_SUCCESS;
-}
-
-/**
- This function is called to provide results data to the driver.
-
- @param[in] This Points to the EFI_HII_CONFIG_ACCESS_PROTOCOL.
- @param[in] Action Specifies the type of action taken by the browser.
- @param[in] QuestionId A unique value which is sent to the original
- exporting driver so that it can identify the type
- of data to expect.
- @param[in] Type The type of value for the question.
- @param[in] Value A pointer to the data being sent to the original
- exporting driver.
- @param[out] ActionRequest On return, points to the action requested by the
- callback function.
-
- @retval EFI_SUCCESS The callback successfully handled the action.
- @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the
- variable and its data.
- @retval EFI_DEVICE_ERROR The variable could not be saved.
- @retval EFI_UNSUPPORTED The specified Action is not supported by the
- callback.
-
-**/
-EFI_STATUS
-EFIAPI
-SecureBootCallback (
- IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This,
- IN EFI_BROWSER_ACTION Action,
- IN EFI_QUESTION_ID QuestionId,
- IN UINT8 Type,
- IN EFI_IFR_TYPE_VALUE *Value,
- OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest
- )
-{
- EFI_INPUT_KEY Key;
- EFI_STATUS Status;
- SECUREBOOT_CONFIG_PRIVATE_DATA *Private;
- UINTN BufferSize;
- SECUREBOOT_CONFIGURATION *IfrNvData;
- UINT16 LabelId;
- UINT8 *SecureBootEnable;
- CHAR16 PromptString[100];
-
- SecureBootEnable = NULL;
-
- if ((This == NULL) || (Value == NULL) || (ActionRequest == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- if ((Action != EFI_BROWSER_ACTION_CHANGED) && (Action != EFI_BROWSER_ACTION_CHANGING)) {
- return EFI_UNSUPPORTED;
- }
-
- Private = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
-
- //
- // Retrieve uncommitted data from Browser
- //
- BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
- IfrNvData = AllocateZeroPool (BufferSize);
- if (IfrNvData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- Status = EFI_SUCCESS;
-
- HiiGetBrowserData (NULL, NULL, BufferSize, (UINT8 *) IfrNvData);
-
- if (Action == EFI_BROWSER_ACTION_CHANGING) {
-
- switch (QuestionId) {
- case KEY_SECURE_BOOT_ENABLE:
- GetVariable2 (EFI_SECURE_BOOT_ENABLE_NAME, &gEfiSecureBootEnableDisableGuid, (VOID**)&SecureBootEnable, NULL);
- if (NULL != SecureBootEnable) {
- if (EFI_ERROR (SaveSecureBootVariable (Value->u8))) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"Only Physical Presence User could disable secure boot!",
- NULL
- );
- Status = EFI_UNSUPPORTED;
- }
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
- }
- break;
-
- case KEY_SECURE_BOOT_OPTION:
- FreeMenu (&DirectoryMenu);
- FreeMenu (&FsOptionMenu);
- break;
-
- case KEY_SECURE_BOOT_KEK_OPTION:
- case KEY_SECURE_BOOT_DB_OPTION:
- case KEY_SECURE_BOOT_DBX_OPTION:
- //
- // Clear Signature GUID.
- //
- ZeroMem (IfrNvData->SignatureGuid, sizeof (IfrNvData->SignatureGuid));
- if (Private->SignatureGUID == NULL) {
- Private->SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
- if (Private->SignatureGUID == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- }
-
- if (QuestionId == KEY_SECURE_BOOT_DB_OPTION) {
- LabelId = SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
- } else if (QuestionId == KEY_SECURE_BOOT_DBX_OPTION) {
- LabelId = SECUREBOOT_ENROLL_SIGNATURE_TO_DBX;
- } else {
- LabelId = FORMID_ENROLL_KEK_FORM;
- }
-
- //
- // Refresh selected file.
- //
- CleanUpPage (LabelId, Private);
- break;
-
- case SECUREBOOT_ADD_PK_FILE_FORM_ID:
- case FORMID_ENROLL_KEK_FORM:
- case SECUREBOOT_ENROLL_SIGNATURE_TO_DB:
- case SECUREBOOT_ENROLL_SIGNATURE_TO_DBX:
- if (QuestionId == SECUREBOOT_ADD_PK_FILE_FORM_ID) {
- Private->FeCurrentState = FileExplorerStateEnrollPkFile;
- } else if (QuestionId == FORMID_ENROLL_KEK_FORM) {
- Private->FeCurrentState = FileExplorerStateEnrollKekFile;
- } else if (QuestionId == SECUREBOOT_ENROLL_SIGNATURE_TO_DB) {
- Private->FeCurrentState = FileExplorerStateEnrollSignatureFileToDb;
- } else {
- Private->FeCurrentState = FileExplorerStateEnrollSignatureFileToDbx;
- }
-
- Private->FeDisplayContext = FileExplorerDisplayUnknown;
- CleanUpPage (FORM_FILE_EXPLORER_ID, Private);
- UpdateFileExplorer (Private, 0);
- break;
-
- case KEY_SECURE_BOOT_DELETE_PK:
- if (Value->u8) {
- Status = DeletePlatformKey ();
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
- }
- break;
-
- case KEY_DELETE_KEK:
- UpdateDeletePage (
- Private,
- EFI_KEY_EXCHANGE_KEY_NAME,
- &gEfiGlobalVariableGuid,
- LABEL_KEK_DELETE,
- FORMID_DELETE_KEK_FORM,
- OPTION_DEL_KEK_QUESTION_ID
- );
- break;
-
- case SECUREBOOT_DELETE_SIGNATURE_FROM_DB:
- UpdateDeletePage (
- Private,
- EFI_IMAGE_SECURITY_DATABASE,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DB_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
- OPTION_DEL_DB_QUESTION_ID
- );
- break;
-
- case SECUREBOOT_DELETE_SIGNATURE_FROM_DBX:
- UpdateDeletePage (
- Private,
- EFI_IMAGE_SECURITY_DATABASE1,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DBX_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
- OPTION_DEL_DBX_QUESTION_ID
- );
-
- break;
-
- case KEY_VALUE_SAVE_AND_EXIT_KEK:
- Status = EnrollKeyExchangeKey (Private);
- break;
-
- case KEY_VALUE_SAVE_AND_EXIT_DB:
- Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE);
- break;
-
- case KEY_VALUE_SAVE_AND_EXIT_DBX:
- Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE1);
- break;
-
- default:
- if (QuestionId >= FILE_OPTION_OFFSET) {
- UpdateFileExplorer (Private, QuestionId);
- } else if ((QuestionId >= OPTION_DEL_KEK_QUESTION_ID) &&
- (QuestionId < (OPTION_DEL_KEK_QUESTION_ID + OPTION_CONFIG_RANGE))) {
- DeleteKeyExchangeKey (Private, QuestionId);
- } else if ((QuestionId >= OPTION_DEL_DB_QUESTION_ID) &&
- (QuestionId < (OPTION_DEL_DB_QUESTION_ID + OPTION_CONFIG_RANGE))) {
- DeleteSignature (
- Private,
- EFI_IMAGE_SECURITY_DATABASE,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DB_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DB,
- OPTION_DEL_DB_QUESTION_ID,
- QuestionId - OPTION_DEL_DB_QUESTION_ID
- );
- } else if ((QuestionId >= OPTION_DEL_DBX_QUESTION_ID) &&
- (QuestionId < (OPTION_DEL_DBX_QUESTION_ID + OPTION_CONFIG_RANGE))) {
- DeleteSignature (
- Private,
- EFI_IMAGE_SECURITY_DATABASE1,
- &gEfiImageSecurityDatabaseGuid,
- LABEL_DBX_DELETE,
- SECUREBOOT_DELETE_SIGNATURE_FROM_DBX,
- OPTION_DEL_DBX_QUESTION_ID,
- QuestionId - OPTION_DEL_DBX_QUESTION_ID
- );
- }
- break;
- }
- } else if (Action == EFI_BROWSER_ACTION_CHANGED) {
- switch (QuestionId) {
- case KEY_SECURE_BOOT_ENABLE:
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT;
- break;
- case KEY_VALUE_SAVE_AND_EXIT_PK:
- Status = EnrollPlatformKey (Private);
- UnicodeSPrint (
- PromptString,
- sizeof (PromptString),
- L"Only DER encoded certificate file (%s) is supported.",
- mSupportX509Suffix
- );
- if (EFI_ERROR (Status)) {
- CreatePopUp (
- EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
- &Key,
- L"ERROR: Unsupported file type!",
- PromptString,
- NULL
- );
- } else {
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT;
- }
- break;
-
- case KEY_VALUE_NO_SAVE_AND_EXIT_PK:
- case KEY_VALUE_NO_SAVE_AND_EXIT_KEK:
- case KEY_VALUE_NO_SAVE_AND_EXIT_DB:
- case KEY_VALUE_NO_SAVE_AND_EXIT_DBX:
- if (Private->FileContext->FHandle != NULL) {
- CloseFile (Private->FileContext->FHandle);
- Private->FileContext->FHandle = NULL;
- Private->FileContext->FileName = NULL;
- }
-
- if (Private->SignatureGUID != NULL) {
- FreePool (Private->SignatureGUID);
- Private->SignatureGUID = NULL;
- }
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_EXIT;
- break;
-
- case KEY_SECURE_BOOT_MODE:
- GetVariable2 (EFI_CUSTOM_MODE_NAME, &gEfiCustomModeEnableGuid, (VOID**)&SecureBootEnable, NULL);
- if (NULL != SecureBootEnable) {
- Status = gRT->SetVariable (
- EFI_CUSTOM_MODE_NAME,
- &gEfiCustomModeEnableGuid,
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
- sizeof (UINT8),
- &Value->u8
- );
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
- IfrNvData->SecureBootMode = Value->u8;
- }
- break;
-
- case KEY_SECURE_BOOT_KEK_GUID:
- case KEY_SECURE_BOOT_SIGNATURE_GUID_DB:
- case KEY_SECURE_BOOT_SIGNATURE_GUID_DBX:
- ASSERT (Private->SignatureGUID != NULL);
- Status = StringToGuid (
- IfrNvData->SignatureGuid,
- StrLen (IfrNvData->SignatureGuid),
- Private->SignatureGUID
- );
- if (EFI_ERROR (Status)) {
- break;
- }
-
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
- break;
-
- case KEY_SECURE_BOOT_DELETE_PK:
- if (Value->u8) {
- *ActionRequest = EFI_BROWSER_ACTION_REQUEST_SUBMIT;
- }
- break;
- }
- }
-
- if (!EFI_ERROR (Status)) {
- BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
- HiiSetBrowserData (NULL, NULL, BufferSize, (UINT8*) IfrNvData, NULL);
- }
- FreePool (IfrNvData);
-
- return EFI_SUCCESS;
-}
-
-/**
- This function publish the SecureBoot configuration Form.
-
- @param[in, out] PrivateData Points to SecureBoot configuration private data.
-
- @retval EFI_SUCCESS HII Form is installed successfully.
- @retval EFI_OUT_OF_RESOURCES Not enough resource for HII Form installation.
- @retval Others Other errors as indicated.
-
-**/
-EFI_STATUS
-InstallSecureBootConfigForm (
- IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- )
-{
- EFI_STATUS Status;
- EFI_HII_HANDLE HiiHandle;
- EFI_HANDLE DriverHandle;
- EFI_HII_CONFIG_ACCESS_PROTOCOL *ConfigAccess;
-
- DriverHandle = NULL;
- ConfigAccess = &PrivateData->ConfigAccess;
- Status = gBS->InstallMultipleProtocolInterfaces (
- &DriverHandle,
- &gEfiDevicePathProtocolGuid,
- &mSecureBootHiiVendorDevicePath,
- &gEfiHiiConfigAccessProtocolGuid,
- ConfigAccess,
- NULL
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- PrivateData->DriverHandle = DriverHandle;
-
- //
- // Publish the HII package list
- //
- HiiHandle = HiiAddPackages (
- &gSecureBootConfigFormSetGuid,
- DriverHandle,
- SecureBootConfigDxeStrings,
- SecureBootConfigBin,
- NULL
- );
- if (HiiHandle == NULL) {
- gBS->UninstallMultipleProtocolInterfaces (
- DriverHandle,
- &gEfiDevicePathProtocolGuid,
- &mSecureBootHiiVendorDevicePath,
- &gEfiHiiConfigAccessProtocolGuid,
- ConfigAccess,
- NULL
- );
- return EFI_OUT_OF_RESOURCES;
- }
-
- PrivateData->HiiHandle = HiiHandle;
-
- PrivateData->FileContext = AllocateZeroPool (sizeof (SECUREBOOT_FILE_CONTEXT));
- PrivateData->MenuEntry = AllocateZeroPool (sizeof (SECUREBOOT_MENU_ENTRY));
-
- if (PrivateData->FileContext == NULL || PrivateData->MenuEntry == NULL) {
- UninstallSecureBootConfigForm (PrivateData);
- return EFI_OUT_OF_RESOURCES;
- }
-
- PrivateData->FeCurrentState = FileExplorerStateInActive;
- PrivateData->FeDisplayContext = FileExplorerDisplayUnknown;
-
- InitializeListHead (&FsOptionMenu.Head);
- InitializeListHead (&DirectoryMenu.Head);
-
- //
- // Init OpCode Handle and Allocate space for creation of Buffer
- //
- mStartOpCodeHandle = HiiAllocateOpCodeHandle ();
- if (mStartOpCodeHandle == NULL) {
- UninstallSecureBootConfigForm (PrivateData);
- return EFI_OUT_OF_RESOURCES;
- }
-
- mEndOpCodeHandle = HiiAllocateOpCodeHandle ();
- if (mEndOpCodeHandle == NULL) {
- UninstallSecureBootConfigForm (PrivateData);
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Create Hii Extend Label OpCode as the start opcode
- //
- mStartLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- mStartOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- mStartLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
-
- //
- // Create Hii Extend Label OpCode as the end opcode
- //
- mEndLabel = (EFI_IFR_GUID_LABEL *) HiiCreateGuidOpCode (
- mEndOpCodeHandle,
- &gEfiIfrTianoGuid,
- NULL,
- sizeof (EFI_IFR_GUID_LABEL)
- );
- mEndLabel->ExtendOpCode = EFI_IFR_EXTEND_OP_LABEL;
- mEndLabel->Number = LABEL_END;
-
- return EFI_SUCCESS;
-}
-
-/**
- This function removes SecureBoot configuration Form.
-
- @param[in, out] PrivateData Points to SecureBoot configuration private data.
-
-**/
-VOID
-UninstallSecureBootConfigForm (
- IN OUT SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData
- )
-{
- //
- // Uninstall HII package list
- //
- if (PrivateData->HiiHandle != NULL) {
- HiiRemovePackages (PrivateData->HiiHandle);
- PrivateData->HiiHandle = NULL;
- }
-
- //
- // Uninstall HII Config Access Protocol
- //
- if (PrivateData->DriverHandle != NULL) {
- gBS->UninstallMultipleProtocolInterfaces (
- PrivateData->DriverHandle,
- &gEfiDevicePathProtocolGuid,
- &mSecureBootHiiVendorDevicePath,
- &gEfiHiiConfigAccessProtocolGuid,
- &PrivateData->ConfigAccess,
- NULL
- );
- PrivateData->DriverHandle = NULL;
- }
-
- if (PrivateData->SignatureGUID != NULL) {
- FreePool (PrivateData->SignatureGUID);
- }
-
- if (PrivateData->MenuEntry != NULL) {
- FreePool (PrivateData->MenuEntry);
- }
-
- if (PrivateData->FileContext != NULL) {
- FreePool (PrivateData->FileContext);
- }
-
- FreePool (PrivateData);
-
- FreeMenu (&DirectoryMenu);
- FreeMenu (&FsOptionMenu);
-
- if (mStartOpCodeHandle != NULL) {
- HiiFreeOpCodeHandle (mStartOpCodeHandle);
- }
-
- if (mEndOpCodeHandle != NULL) {
- HiiFreeOpCodeHandle (mEndOpCodeHandle);
- }
-}
deleted file mode 100644
@@ -1,334 +0,0 @@
-/** @file
- Helper functions for SecureBoot configuration module.
-
-Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "SecureBootConfigImpl.h"
-
-/**
- Read file content into BufferPtr, the size of the allocate buffer
- is *FileSize plus AddtionAllocateSize.
-
- @param[in] FileHandle The file to be read.
- @param[in, out] BufferPtr Pointers to the pointer of allocated buffer.
- @param[out] FileSize Size of input file
- @param[in] AddtionAllocateSize Addtion size the buffer need to be allocated.
- In case the buffer need to contain others besides the file content.
-
- @retval EFI_SUCCESS The file was read into the buffer.
- @retval EFI_INVALID_PARAMETER A parameter was invalid.
- @retval EFI_OUT_OF_RESOURCES A memory allocation failed.
- @retval others Unexpected error.
-
-**/
-EFI_STATUS
-ReadFileContent (
- IN EFI_FILE_HANDLE FileHandle,
- IN OUT VOID **BufferPtr,
- OUT UINTN *FileSize,
- IN UINTN AddtionAllocateSize
- )
-
-{
- UINTN BufferSize;
- UINT64 SourceFileSize;
- VOID *Buffer;
- EFI_STATUS Status;
-
- if ((FileHandle == NULL) || (FileSize == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- Buffer = NULL;
-
- //
- // Get the file size
- //
- Status = FileHandle->SetPosition (FileHandle, (UINT64) -1);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- Status = FileHandle->GetPosition (FileHandle, &SourceFileSize);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- Status = FileHandle->SetPosition (FileHandle, 0);
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- BufferSize = (UINTN) SourceFileSize + AddtionAllocateSize;
- Buffer = AllocateZeroPool(BufferSize);
- if (Buffer == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- BufferSize = (UINTN) SourceFileSize;
- *FileSize = BufferSize;
-
- Status = FileHandle->Read (FileHandle, &BufferSize, Buffer);
- if (EFI_ERROR (Status) || BufferSize != *FileSize) {
- FreePool (Buffer);
- Buffer = NULL;
- Status = EFI_BAD_BUFFER_SIZE;
- goto ON_EXIT;
- }
-
-ON_EXIT:
-
- *BufferPtr = Buffer;
- return Status;
-}
-
-/**
- Close an open file handle.
-
- @param[in] FileHandle The file handle to close.
-
-**/
-VOID
-CloseFile (
- IN EFI_FILE_HANDLE FileHandle
- )
-{
- if (FileHandle != NULL) {
- FileHandle->Close (FileHandle);
- }
-}
-
-/**
- Convert a nonnegative integer to an octet string of a specified length.
-
- @param[in] Integer Pointer to the nonnegative integer to be converted
- @param[in] IntSizeInWords Length of integer buffer in words
- @param[out] OctetString Converted octet string of the specified length
- @param[in] OSSizeInBytes Intended length of resulting octet string in bytes
-
-Returns:
-
- @retval EFI_SUCCESS Data conversion successfully
- @retval EFI_BUFFER_TOOL_SMALL Buffer is too small for output string
-
-**/
-EFI_STATUS
-EFIAPI
-Int2OctStr (
- IN CONST UINTN *Integer,
- IN UINTN IntSizeInWords,
- OUT UINT8 *OctetString,
- IN UINTN OSSizeInBytes
- )
-{
- CONST UINT8 *Ptr1;
- UINT8 *Ptr2;
-
- for (Ptr1 = (CONST UINT8 *)Integer, Ptr2 = OctetString + OSSizeInBytes - 1;
- Ptr1 < (UINT8 *)(Integer + IntSizeInWords) && Ptr2 >= OctetString;
- Ptr1++, Ptr2--) {
- *Ptr2 = *Ptr1;
- }
-
- for (; Ptr1 < (CONST UINT8 *)(Integer + IntSizeInWords) && *Ptr1 == 0; Ptr1++);
-
- if (Ptr1 < (CONST UINT8 *)(Integer + IntSizeInWords)) {
- return EFI_BUFFER_TOO_SMALL;
- }
-
- if (Ptr2 >= OctetString) {
- ZeroMem (OctetString, Ptr2 - OctetString + 1);
- }
-
- return EFI_SUCCESS;
-}
-
-
-
-/**
- Convert a String to Guid Value.
-
- @param[in] Str Specifies the String to be converted.
- @param[in] StrLen Number of Unicode Characters of String (exclusive \0)
- @param[out] Guid Return the result Guid value.
-
- @retval EFI_SUCCESS The operation is finished successfully.
- @retval EFI_NOT_FOUND Invalid string.
-
-**/
-EFI_STATUS
-StringToGuid (
- IN CHAR16 *Str,
- IN UINTN StrLen,
- OUT EFI_GUID *Guid
- )
-{
- CHAR16 *PtrBuffer;
- CHAR16 *PtrPosition;
- UINT16 *Buffer;
- UINTN Data;
- UINTN Index;
- UINT16 Digits[3];
-
- Buffer = (CHAR16 *) AllocateZeroPool (sizeof (CHAR16) * (StrLen + 1));
- if (Buffer == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- StrCpy (Buffer, Str);
-
- //
- // Data1
- //
- PtrBuffer = Buffer;
- PtrPosition = PtrBuffer;
- while (*PtrBuffer != L'\0') {
- if (*PtrBuffer == L'-') {
- break;
- }
- PtrBuffer++;
- }
- if (*PtrBuffer == L'\0') {
- FreePool (Buffer);
- return EFI_NOT_FOUND;
- }
-
- *PtrBuffer = L'\0';
- Data = StrHexToUintn (PtrPosition);
- Guid->Data1 = (UINT32)Data;
-
- //
- // Data2
- //
- PtrBuffer++;
- PtrPosition = PtrBuffer;
- while (*PtrBuffer != L'\0') {
- if (*PtrBuffer == L'-') {
- break;
- }
- PtrBuffer++;
- }
- if (*PtrBuffer == L'\0') {
- FreePool (Buffer);
- return EFI_NOT_FOUND;
- }
- *PtrBuffer = L'\0';
- Data = StrHexToUintn (PtrPosition);
- Guid->Data2 = (UINT16)Data;
-
- //
- // Data3
- //
- PtrBuffer++;
- PtrPosition = PtrBuffer;
- while (*PtrBuffer != L'\0') {
- if (*PtrBuffer == L'-') {
- break;
- }
- PtrBuffer++;
- }
- if (*PtrBuffer == L'\0') {
- FreePool (Buffer);
- return EFI_NOT_FOUND;
- }
- *PtrBuffer = L'\0';
- Data = StrHexToUintn (PtrPosition);
- Guid->Data3 = (UINT16)Data;
-
- //
- // Data4[0..1]
- //
- for ( Index = 0 ; Index < 2 ; Index++) {
- PtrBuffer++;
- if ((*PtrBuffer == L'\0') || ( *(PtrBuffer + 1) == L'\0')) {
- FreePool (Buffer);
- return EFI_NOT_FOUND;
- }
- Digits[0] = *PtrBuffer;
- PtrBuffer++;
- Digits[1] = *PtrBuffer;
- Digits[2] = L'\0';
- Data = StrHexToUintn (Digits);
- Guid->Data4[Index] = (UINT8)Data;
- }
-
- //
- // skip the '-'
- //
- PtrBuffer++;
- if ((*PtrBuffer != L'-' ) || ( *PtrBuffer == L'\0')) {
- return EFI_NOT_FOUND;
- }
-
- //
- // Data4[2..7]
- //
- for ( ; Index < 8; Index++) {
- PtrBuffer++;
- if ((*PtrBuffer == L'\0') || ( *(PtrBuffer + 1) == L'\0')) {
- FreePool (Buffer);
- return EFI_NOT_FOUND;
- }
- Digits[0] = *PtrBuffer;
- PtrBuffer++;
- Digits[1] = *PtrBuffer;
- Digits[2] = L'\0';
- Data = StrHexToUintn (Digits);
- Guid->Data4[Index] = (UINT8)Data;
- }
-
- FreePool (Buffer);
-
- return EFI_SUCCESS;
-}
-
-/**
- Worker function that prints an EFI_GUID into specified Buffer.
-
- @param[in] Guid Pointer to GUID to print.
- @param[in] Buffer Buffer to print Guid into.
- @param[in] BufferSize Size of Buffer.
-
- @retval Number of characters printed.
-
-**/
-UINTN
-GuidToString (
- IN EFI_GUID *Guid,
- IN CHAR16 *Buffer,
- IN UINTN BufferSize
- )
-{
- UINTN Size;
-
- Size = UnicodeSPrint (
- Buffer,
- BufferSize,
- L"%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
- (UINTN)Guid->Data1,
- (UINTN)Guid->Data2,
- (UINTN)Guid->Data3,
- (UINTN)Guid->Data4[0],
- (UINTN)Guid->Data4[1],
- (UINTN)Guid->Data4[2],
- (UINTN)Guid->Data4[3],
- (UINTN)Guid->Data4[4],
- (UINTN)Guid->Data4[5],
- (UINTN)Guid->Data4[6],
- (UINTN)Guid->Data4[7]
- );
-
- //
- // SPrint will null terminate the string. The -1 skips the null
- //
- return Size - 1;
-}
In the previous patch we disabled its use; there are no more clients. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <lersek@redhat.com> --- .../SecureBootConfigDxe/SecureBootConfigDxe.inf | 90 - OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.h | 613 ----- .../SecureBootConfigDxe/SecureBootConfigNvData.h | 118 - OvmfPkg/SecureBootConfigDxe/SecureBootConfig.vfr | 495 ---- .../SecureBootConfigDevicePath.c | 38 - .../SecureBootConfigDxe/SecureBootConfigDriver.c | 133 - .../SecureBootConfigFileExplorer.c | 1227 --------- OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.c | 2819 -------------------- OvmfPkg/SecureBootConfigDxe/SecureBootConfigMisc.c | 334 --- .../SecureBootConfigStrings.uni | Bin 9518 -> 0 bytes 10 files changed, 5867 deletions(-) delete mode 100644 OvmfPkg/SecureBootConfigDxe/SecureBootConfigDxe.inf delete mode 100644 OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.h delete mode 100644 OvmfPkg/SecureBootConfigDxe/SecureBootConfigNvData.h delete mode 100644 OvmfPkg/SecureBootConfigDxe/SecureBootConfig.vfr delete mode 100644 OvmfPkg/SecureBootConfigDxe/SecureBootConfigDevicePath.c delete mode 100644 OvmfPkg/SecureBootConfigDxe/SecureBootConfigDriver.c delete mode 100644 OvmfPkg/SecureBootConfigDxe/SecureBootConfigFileExplorer.c delete mode 100644 OvmfPkg/SecureBootConfigDxe/SecureBootConfigImpl.c delete mode 100644 OvmfPkg/SecureBootConfigDxe/SecureBootConfigMisc.c delete mode 100644 OvmfPkg/SecureBootConfigDxe/SecureBootConfigStrings.uni diff --git a/OvmfPkg/SecureBootConfigDxe/SecureBootConfigStrings.uni b/OvmfPkg/SecureBootConfigDxe/SecureBootConfigStrings.uni deleted file mode 100644 index ed4db131e9b0dd8547b4cf22e3915a25fee3abd1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 9518 zcmcIq+iu%N5S`Z+=syt7OIuWS<GM{71VLp>P6XSMAj_@uB*-_#h-Dj+oXgKAJ!i)& zlG-JANvj|za_?u)&dkm%_3i7H{ERD+zvW7<<wh>$2l*c9M2=-4GvwXM1gQ&@u*NO! z1@1e%&5?hFx0$JZDd+Nl_e-R9k$Z=FiR_u0Y&kKd<7I2xb}E}@OpeRi_wvPzJCXOM zhab`JPv~h|ewF9A5@{?`+wu$EJHWEQxHoub4>R<^-*l`^lr&M!8l02%P5i_=$32se z_`Lv@S3p0I*9OxN7_QAc?@{9p?bz!S?Zz1M0?!3%aK>YxJV%Ww#%9?Uv{UA$NE02$ z9RmSJ<y^<eVaprjpW}^u5<%KGTatI?e8kQ58Os@dnfG82u-_Dgjx#l5ScF7Htoe1j z!^)-YcCp$mqz`jg6z3<y!8v~2SzZGP=R+2hCyp~mnzKCvMk^~^fkenBv0tG?SA&Q@ zqgDcxSwwkO67V_(rwRJh_IHo-CnmNgqm-8g_<t!|xF|`=D(lV+$D7EVVHLMlSf3;3 z47e{KTltYU(aU?>?4S2g-bx$e^&ulYd4u1k93kBSg9$j~bBNpyr04{1ZNuw{bn$E> zpB!ipDd!zXZ5uU?P0u~NQCj)CfhYTAuN!#onlw|Cd*b;QW$dwMMoW-xVicn4BEN$k z*}i8+9w0^B%;R`N)M6cusI~S{mo4And4Lk4=1A?wQFI1vIbHUX_TB*xeMk_;Y-Mzs z_GN3y-!t$_$($I;=8AKT8bHsUHqe%3T!T4y-^jGHQl(m@ERW1g_RyNM+Qm$In9<10 zY6vV`sj@3Y^8i#6BU^bq$H=Q@*A(-!r542Cr9>Qpy)vvU3*+rWzNwRQ)P7~yRGaV` z=>?=eK?yA-XGOg!njf{t>h2t?8D5DlR^bp=Xb%4J@XW#pDAiULMj2^PU8QsmOVEW8 zG{Fejq>V4;E`I&97~>=$jFI|d_lPa%A@#_nQ+r>u>Q|T@?WykL^%<vip?#!0P)9qk zlwD(OR8v(3;%38rSNDoz%w}Tdmq!?*Ygw*oiD?^Xou7iP^{7dd32Krb9j$a#gf3$v zFn9tUxl7wC%%6)XS@u&;PRo#u%+98EER2m_+dU+WnnbT*f}8L3H0T@Aqf*<IpyU=M z^!~C}13sZ%4f*ZyYRJyx)j-{C<nGAt@`t>TKjklYkkp0L^Q5d>+g5drnplgLSAIsa zkCoEhC(HviwoJwotoz(BKtFsRZ?xVqy4jR}3M4#>&`MMO8OD7KF6lG-B)=X`dLCqy z{sq07JR*N8gp)o6V}dCzm9IS`U)+_|ceQ?U8-6Hjl<P$oR*g2pa$5~^3|h6>=SBw@ z4aDIsvocm1m09{|^att7#du0Fn5|UOQ~V6AzA=6_W0M#;_3zq8KuJqIGQMWdc$cnB zgwSmidN@bG$mptky^DN`6kXZQ{d9CMjRZWv0?>P7<Y{p;V$#Ta0a;;$N2^JRu{C12 zXAD5CW7I(1v-9$6TRt~tcIDWLY%aYxdiY%RYM6*HjB5}3j>~8aUw&Eb8Q)SPsXRy7 zR8?F>URp2bo7a=yEaL3Goy8l&BzLduF0C;}p5M56aL=GbPoH2j^0Q)W>x%;a&vhuX z!$r2Fk63#IS!aAwEJI<`?1!;_Hgc;c9WElDjD!(oeH%t28hNU}%rWYrJHW0GW-N?O z`&kcTK1?oWVN7L==@|7mYat$9hm5hG^)Tila`}q2K-Pa=l`%K|sn6bNkiYQia?Yn~ z<Zl&|%U~E&nZzkx<*dxI<>P&|L;0PgEL9C7&t5~8!^Pt=Q;aAMkGtz-nN*akds>md zlg1Njd9BA@j4@jh#+$}!x;FeClSYxnsQliJk6jmW7?qE&da-W)L}&f-x4LtE2<%)g zo>cz6gZ`IYVcr-K^84D{MBnOhts*=y=k`7LX8htZlTTQ2t^Wb(OZW)sX<({P)pR^2 zdbBeQ&&rjCs&>cj=XT7{vnr;T{Wq^0)+;EB5wj@c5QQv{<ssgm&daN9pG8*o9!8y) z&KMqjh}Nk?ls1<~AI?=99<L*I^^4*Vm(wtlc`d2W<T^3=SPSd!J|dNYiSPY7vyW1Z z|LxvVZg1*w$M5Jxr>jN#;?t0)Qf${hjC=r#&Hn<VHk&8s{3ihaJCF!%I=_zVH*~AN zSFrnfW)!#Ir#$Ny-fHKBb~gG9&na|fSj0ZRl@AapQySjE7vu@yz?{hPA0j(A=jZwC zTbyWZo0EUvmlKOMj54n0@~FaxxQ}z)1K@lCwC<N3i_d+A5py@+Tj{wvK4tKEMRYOo Un%i?-bm8?~<uA;hUvd=Tf9CdUm;e9(