Revision: 14376
http://edk2.svn.sourceforge.net/edk2/?rev=14376&view=rev
Author: vanjeff
Date: 2013-05-18 02:56:51 +0000 (Sat, 18 May 2013)
Log Message:
-----------
Sync patches r14373 and r14375 from main trunk.
1. Pop up error message when user tries to enroll an invalid certificate file
into KEK/DB/DBX.
2. Fix a bug that 'SecureBoot' varaible will be updated to NV+AT attribute
incorrectly.
Revision Links:
--------------
http://edk2.svn.sourceforge.net/edk2/?rev=14373&view=rev
http://edk2.svn.sourceforge.net/edk2/?rev=14375&view=rev
Modified Paths:
--------------
branches/UDK2010.SR1/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
branches/UDK2010.SR1/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
branches/UDK2010.SR1/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
branches/UDK2010.SR1/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
Modified:
branches/UDK2010.SR1/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
===================================================================
---
branches/UDK2010.SR1/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
2013-05-17 08:05:01 UTC (rev 14375)
+++
branches/UDK2010.SR1/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
2013-05-18 02:56:51 UTC (rev 14376)
@@ -1348,53 +1348,6 @@
}
/**
- When VariableWriteArchProtocol install, create "SecureBoot" variable.
-
- @param[in] Event Event whose notification function is being invoked.
- @param[in] Context Pointer to the notification function's context.
-
-**/
-VOID
-EFIAPI
-VariableWriteCallBack (
- IN EFI_EVENT Event,
- IN VOID *Context
- )
-{
- UINT8 SecureBootMode;
- UINT8 *SecureBootModePtr;
- EFI_STATUS Status;
- VOID *ProtocolPointer;
-
- Status = gBS->LocateProtocol (&gEfiVariableWriteArchProtocolGuid, NULL,
&ProtocolPointer);
- if (EFI_ERROR (Status)) {
- return;
- }
-
- //
- // Check whether "SecureBoot" variable exists.
- // If this library is built-in, it means firmware has capability to perform
- // driver signing verification.
- //
- GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME,
(VOID**)&SecureBootModePtr, NULL);
- if (SecureBootModePtr == NULL) {
- SecureBootMode = SECURE_BOOT_MODE_DISABLE;
- //
- // Authenticated variable driver will update "SecureBoot" depending on
SetupMode variable.
- //
- gRT->SetVariable (
- EFI_SECURE_BOOT_MODE_NAME,
- &gEfiGlobalVariableGuid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS |
EFI_VARIABLE_NON_VOLATILE,
- sizeof (UINT8),
- &SecureBootMode
- );
- } else {
- FreePool (SecureBootModePtr);
- }
-}
-
-/**
Register security measurement handler.
@param ImageHandle ImageHandle of the loaded driver.
@@ -1409,19 +1362,6 @@
IN EFI_SYSTEM_TABLE *SystemTable
)
{
- VOID *Registration;
-
- //
- // Register callback function upon VariableWriteArchProtocol.
- //
- EfiCreateProtocolNotifyEvent (
- &gEfiVariableWriteArchProtocolGuid,
- TPL_CALLBACK,
- VariableWriteCallBack,
- NULL,
- &Registration
- );
-
return RegisterSecurity2Handler (
DxeImageVerificationHandler,
EFI_AUTH_OPERATION_VERIFY_IMAGE | EFI_AUTH_OPERATION_IMAGE_REQUIRED
Modified:
branches/UDK2010.SR1/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
===================================================================
---
branches/UDK2010.SR1/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
2013-05-17 08:05:01 UTC (rev 14375)
+++
branches/UDK2010.SR1/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
2013-05-18 02:56:51 UTC (rev 14376)
@@ -7,7 +7,7 @@
# This external input must be validated carefully to avoid security issue like
# buffer overflow, integer overflow.
#
-# Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD
License
# which accompanies this distribution. The full text of the license may be
found at
@@ -59,7 +59,6 @@
gEfiFirmwareVolume2ProtocolGuid
gEfiBlockIoProtocolGuid
gEfiSimpleFileSystemProtocolGuid
- gEfiVariableWriteArchProtocolGuid
[Guids]
gEfiCertTypeRsa2048Sha256Guid
Modified:
branches/UDK2010.SR1/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
===================================================================
---
branches/UDK2010.SR1/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
2013-05-17 08:05:01 UTC (rev 14375)
+++
branches/UDK2010.SR1/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
2013-05-18 02:56:51 UTC (rev 14376)
@@ -675,7 +675,6 @@
{
EFI_STATUS Status;
VARIABLE_POINTER_TRACK Variable;
- UINT32 VarAttr;
UINT8 SecureBootMode;
UINT8 SecureBootEnable;
UINTN VariableDataSize;
@@ -736,13 +735,12 @@
}
}
- VarAttr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS |
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS;
Status = UpdateVariable (
EFI_SECURE_BOOT_MODE_NAME,
&gEfiGlobalVariableGuid,
&SecureBootMode,
sizeof(UINT8),
- VarAttr,
+ EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
0,
0,
&Variable,
Modified:
branches/UDK2010.SR1/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
===================================================================
---
branches/UDK2010.SR1/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
2013-05-17 08:05:01 UTC (rev 14375)
+++
branches/UDK2010.SR1/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
2013-05-18 02:56:51 UTC (rev 14376)
@@ -2601,14 +2601,41 @@
case KEY_VALUE_SAVE_AND_EXIT_KEK:
Status = EnrollKeyExchangeKey (Private);
+ if (EFI_ERROR (Status)) {
+ CreatePopUp (
+ EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
+ &Key,
+ L"ERROR: Unsupported file type!",
+ L"Only supports DER-encoded X509 certificate",
+ NULL
+ );
+ }
break;
case KEY_VALUE_SAVE_AND_EXIT_DB:
Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE);
+ if (EFI_ERROR (Status)) {
+ CreatePopUp (
+ EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
+ &Key,
+ L"ERROR: Unsupported file type!",
+ L"Only supports DER-encoded X509 certificate and executable EFI
image",
+ NULL
+ );
+ }
break;
case KEY_VALUE_SAVE_AND_EXIT_DBX:
Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE1);
+ if (EFI_ERROR (Status)) {
+ CreatePopUp (
+ EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
+ &Key,
+ L"ERROR: Unsupported file type!",
+ L"Only supports DER-encoded X509 certificate and executable EFI
image",
+ NULL
+ );
+ }
break;
default:
@@ -2649,13 +2676,13 @@
break;
case KEY_VALUE_SAVE_AND_EXIT_PK:
Status = EnrollPlatformKey (Private);
- UnicodeSPrint (
- PromptString,
- sizeof (PromptString),
- L"Only DER encoded certificate file (%s) is supported.",
- mSupportX509Suffix
- );
if (EFI_ERROR (Status)) {
+ UnicodeSPrint (
+ PromptString,
+ sizeof (PromptString),
+ L"Only DER encoded certificate file (%s) is supported.",
+ mSupportX509Suffix
+ );
CreatePopUp (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key,
This was sent by the SourceForge.net collaborative development platform, the
world's largest Open Source development site.
------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
edk2-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-commits
