Revision: 14660
          http://sourceforge.net/p/edk2/code/14660
Author:   sfu5
Date:     2013-09-12 05:23:28 +0000 (Thu, 12 Sep 2013)
Log Message:
-----------
Add “VendorKeys” variable for indicating out of 
band key modification.
Signed-off-by: Fu Siyuan <[email protected]>
Reviewed-by: Ye Ting <[email protected]>
Reviewed-by: Dong Guo <[email protected]>

Modified Paths:
--------------
    trunk/edk2/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
    trunk/edk2/SecurityPkg/SecurityPkg.dec
    trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
    trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
    
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
    trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf

Modified: trunk/edk2/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h
===================================================================
--- trunk/edk2/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h   
2013-09-12 03:27:00 UTC (rev 14659)
+++ trunk/edk2/SecurityPkg/Include/Guid/AuthenticatedVariableFormat.h   
2013-09-12 05:23:28 UTC (rev 14660)
@@ -4,7 +4,7 @@
   AuthenticatedVariableFormat.h defines variable data headers 
   and variable storage region headers.
 
-Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials 
 are licensed and made available under the terms and conditions of the BSD 
License 
 which accompanies this distribution.  The full text of the license may be 
found at 
@@ -29,6 +29,7 @@
 extern EFI_GUID gEfiSecureBootEnableDisableGuid;
 extern EFI_GUID gEfiCertDbGuid;
 extern EFI_GUID gEfiCustomModeEnableGuid;
+extern EFI_GUID gEfiVendorKeysNvGuid;
 
 ///
 /// "SecureBootEnable" variable for the Secure Boot feature enable/disable.
@@ -52,6 +53,16 @@
 #define STANDARD_SECURE_BOOT_MODE     0
 
 ///
+///  "VendorKeysNv" variable to record the out of band secure boot keys 
modification.
+///  This variable is a read-only NV varaible that indicates whether someone 
other than
+///  the platform vendor has used a mechanism not defined by the UEFI 
Specification to
+///  transition the system to setup mode or to update secure boot keys.
+///
+#define EFI_VENDOR_KEYS_NV_VARIABLE_NAME       L"VendorKeysNv"
+#define VENDOR_KEYS_VALID             1
+#define VENDOR_KEYS_MODIFIED          0
+
+///
 /// Alignment of variable name and data, according to the architecture:
 /// * For IA-32 and Intel(R) 64 architectures: 1.
 /// * For IA-64 architecture: 8.
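Review bot: The new `///` block above EFI_VENDOR_KEYS_NV_VARIABLE_NAME does not say which value means what, and it misspells "varaible". A line such as `/// VENDOR_KEYS_VALID (1): no out-of-band change recorded; VENDOR_KEYS_MODIFIED (0): keys were changed outside the UEFI-defined mechanism.` would spare readers from inferring the meaning from the macro names.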

Modified: trunk/edk2/SecurityPkg/SecurityPkg.dec
===================================================================
--- trunk/edk2/SecurityPkg/SecurityPkg.dec      2013-09-12 03:27:00 UTC (rev 
14659)
+++ trunk/edk2/SecurityPkg/SecurityPkg.dec      2013-09-12 05:23:28 UTC (rev 
14660)
@@ -42,6 +42,9 @@
   gEfiCustomModeEnableGuid           = { 0xc076ec0c, 0x7028, 0x4399, { 0xa0, 
0x72, 0x71, 0xee, 0x5c, 0x44, 0x8b, 0x9f } }
 
   #  Include/Guid/AuthenticatedVariableFormat.h
+  gEfiVendorKeysNvGuid               = { 0x9073e4e0, 0x60ec, 0x4b6e, { 0x99, 
0x3, 0x4c, 0x22, 0x3c, 0x26, 0xf, 0x3c } }
+
+  #  Include/Guid/AuthenticatedVariableFormat.h
   gEfiCertDbGuid                     = { 0xd9bee56e, 0x75dc, 0x49d9, { 0xb4, 
0xd7, 0xb5, 0x34, 0x21, 0xf, 0x63, 0x7a } }
   
   ## Include/Guid/TcgEventHob.h

Modified: trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
===================================================================
--- trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c       
2013-09-12 03:27:00 UTC (rev 14659)
+++ trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c       
2013-09-12 05:23:28 UTC (rev 14660)
@@ -36,6 +36,8 @@
 UINT32   mPubKeyNumber;
 UINT8    mCertDbStore[MAX_CERTDB_SIZE];
 UINT32   mPlatformMode;
+UINT8    mVendorKeyState;
+
 EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, 
EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
 //
 // Public Exponent of RSA Key.
@@ -255,7 +257,7 @@
   }
   
   //
-  // Create "SetupMode" varable with BS+RT attribute set.
+  // Create "SetupMode" variable with BS+RT attribute set.
   //
   FindVariable (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, &Variable, 
&mVariableModuleGlobal->VariableGlobal, FALSE);
   if (PkVariable.CurrPtr == NULL) {
@@ -279,7 +281,7 @@
   }
   
   //
-  // Create "SignatureSupport" varable with BS+RT attribute set.
+  // Create "SignatureSupport" variable with BS+RT attribute set.
   //
   FindVariable (EFI_SIGNATURE_SUPPORT_NAME, &gEfiGlobalVariableGuid, 
&Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
   Status  = UpdateVariable (
@@ -328,7 +330,7 @@
   }
 
   //
-  // Create "SecureBoot" varable with BS+RT attribute set.
+  // Create "SecureBoot" variable with BS+RT attribute set.
   //
   if (SecureBootEnable == SECURE_BOOT_ENABLE && mPlatformMode == USER_MODE) {
     SecureBootMode = SECURE_BOOT_MODE_ENABLE;
@@ -409,6 +411,54 @@
     }
   }  
 
+  //
+  // Check "VendorKeysNv" variable's existence and create "VendorKeys" 
variable accordingly.
+  //
+  FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, 
&Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+  if (Variable.CurrPtr != NULL) {
+    mVendorKeyState = *(GetVariableDataPtr (Variable.CurrPtr));
+  } else {
+    //
+    // "VendorKeysNv" not exist, initialize it in VENDOR_KEYS_VALID state.
+    //
+    mVendorKeyState = VENDOR_KEYS_VALID;
+    Status = UpdateVariable (
+               EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
+               &gEfiVendorKeysNvGuid,
+               &mVendorKeyState,
+               sizeof (UINT8),
+               EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | 
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
+               0,
+               0,
+               &Variable,
+               NULL
+               );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+  }
+
+  //
+  // Create "VendorKeys" variable with BS+RT attribute set.
+  //
+  FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, 
&Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+  Status = UpdateVariable (
+             EFI_VENDOR_KEYS_VARIABLE_NAME,
+             &gEfiGlobalVariableGuid,
+             &mVendorKeyState,
+             sizeof (UINT8),
+             EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+             0,
+             0,
+             &Variable,
+             NULL
+             );
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  DEBUG ((EFI_D_INFO, "Variable %s is %x\n", EFI_VENDOR_KEYS_VARIABLE_NAME, 
mVendorKeyState));
+
   return Status;
 }
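Review bot: `mVendorKeyState = *(GetVariableDataPtr (Variable.CurrPtr));` trusts whatever byte is stored in "VendorKeysNv": the data size is not checked, and a value other than the two defined states is copied unchanged into the runtime-visible "VendorKeys" variable. Failing closed is safer, for example `mVendorKeyState = (*(GetVariableDataPtr (Variable.CurrPtr)) == VENDOR_KEYS_VALID) ? VENDOR_KEYS_VALID : VENDOR_KEYS_MODIFIED;`. The else branch also initialises a missing "VendorKeysNv" to VENDOR_KEYS_VALID, so a cleared or re-flashed variable store reads as valid again; a comment stating that "VendorKeys" equal to 1 is a hint and not proof would help consumers of the variable. The enclosing function starts outside the hunk.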
 
@@ -912,6 +962,56 @@
 }
 
 /**
+  Update "VendorKeys" variable to record the out of band secure boot key 
modification.
+
+  @return EFI_SUCCESS           Variable is updated successfully.
+  @return Others                Failed to update variable.
+  
+**/
+EFI_STATUS
+VendorKeyIsModified (
+  VOID
+  )
+{
+  EFI_STATUS              Status;
+  VARIABLE_POINTER_TRACK  Variable;
+
+  if (mVendorKeyState == VENDOR_KEYS_MODIFIED) {
+    return EFI_SUCCESS;
+  }
+  mVendorKeyState = VENDOR_KEYS_MODIFIED;
+  
+  FindVariable (EFI_VENDOR_KEYS_NV_VARIABLE_NAME, &gEfiVendorKeysNvGuid, 
&Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+  Status = UpdateVariable (
+             EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
+             &gEfiVendorKeysNvGuid,
+             &mVendorKeyState,
+             sizeof (UINT8),
+             EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | 
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
+             0,
+             0,
+             &Variable,
+             NULL
+             );
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  FindVariable (EFI_VENDOR_KEYS_VARIABLE_NAME, &gEfiGlobalVariableGuid, 
&Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
+  return UpdateVariable (
+           EFI_VENDOR_KEYS_VARIABLE_NAME,
+           &gEfiGlobalVariableGuid,
+           &mVendorKeyState,
+           sizeof (UINT8),
+           EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS,
+           0,
+           0,
+           &Variable,
+           NULL
+           );
+}
+
+/**
   Process variable with platform key for verification.
 
   Caution: This function may receive untrusted input.
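Review bot: VendorKeyIsModified sets `mVendorKeyState = VENDOR_KEYS_MODIFIED;` before the "VendorKeysNv" write has succeeded, so if the first UpdateVariable fails the function returns with the cached state already changed. Every later call then takes the early `return EFI_SUCCESS;`, so the non-volatile record is never retried and "VendorKeys" keeps its old value, while the next boot reads VENDOR_KEYS_VALID from storage again. Restoring the cache in the error path, `mVendorKeyState = VENDOR_KEYS_VALID;` ahead of `return Status;`, lets the next key change retry the write. The name also reads like a predicate although the function writes two variables; the header comment could say that it performs a one-way transition.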
@@ -985,6 +1085,13 @@
                Variable,
                &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
                );
+    if (EFI_ERROR(Status)) {
+      return Status;
+    }
+
+    if (mPlatformMode != SETUP_MODE) {
+      Status = VendorKeyIsModified ();
+    }
   } else if (mPlatformMode == USER_MODE) {
     //
     // Verify against X509 Cert in PK database.
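Review bot: The key write above the added lines has already been committed when `Status = VendorKeyIsModified ();` runs, so a failure there returns an error for a change that did take effect and leaves no record of it; the hunk after `@@ -1117,6 +1224,13 @@` has the same ordering. Recording the state before the UpdateVariable call, and returning if that fails, would make a failed record block the key change instead. `EFI_ERROR(Status)` is also missing the space before the parenthesis that the second hunk uses, `EFI_ERROR (Status)`. The enclosing function and the condition of this branch are outside the hunk, so which callers reach it is not visible here.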
@@ -1117,6 +1224,13 @@
                Variable,
                &((EFI_VARIABLE_AUTHENTICATION_2 *) Data)->TimeStamp
                );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+
+    if (mPlatformMode != SETUP_MODE) {
+      Status = VendorKeyIsModified ();
+    }
   }
 
   return Status;

Modified: trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
===================================================================
--- trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c  
2013-09-12 03:27:00 UTC (rev 14659)
+++ trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c  
2013-09-12 05:23:28 UTC (rev 14660)
@@ -2500,7 +2500,8 @@
   if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)) {
     if ((StrCmp (VariableName, EFI_SETUP_MODE_NAME) == 0) ||
         (StrCmp (VariableName, EFI_SIGNATURE_SUPPORT_NAME) == 0) ||
-        (StrCmp (VariableName, EFI_SECURE_BOOT_MODE_NAME) == 0)) {
+        (StrCmp (VariableName, EFI_SECURE_BOOT_MODE_NAME) == 0) ||
+        (StrCmp (VariableName, EFI_VENDOR_KEYS_VARIABLE_NAME) == 0)) {
       return TRUE;
     }
   }
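Review bot: Only "VendorKeys" under gEfiGlobalVariableGuid is added to this read-only check, while the comment added in AuthenticatedVariableFormat.h describes "VendorKeysNv" as read-only too. Nothing in this commit shows what rejects a boot-time SetVariable call for "VendorKeysNv" under gEfiVendorKeysNvGuid; it may be covered by the authenticated-write attribute the variable is created with, but that path is not visible here. If that is the intent, a comment such as `// "VendorKeysNv" is protected by its authenticated-write attribute, see AuthService.c` would record it; otherwise a matching CompareGuid/StrCmp test belongs next to this one. The enclosing function starts and ends outside the hunk.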

Modified: 
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
===================================================================
--- 
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf  
    2013-09-12 03:27:00 UTC (rev 14659)
+++ 
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf  
    2013-09-12 05:23:28 UTC (rev 14660)
@@ -80,6 +80,7 @@
   gEfiCertRsa2048Guid
   gEfiSecureBootEnableDisableGuid
   gEfiCustomModeEnableGuid
+  gEfiVendorKeysNvGuid
   gEfiSystemNvDataFvGuid                        ## CONSUMES
   gEfiCertDbGuid
   gEfiHardwareErrorVariableGuid                 ## SOMETIMES_CONSUMES

Modified: 
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf
===================================================================
--- trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf     
2013-09-12 03:27:00 UTC (rev 14659)
+++ trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf     
2013-09-12 05:23:28 UTC (rev 14660)
@@ -86,6 +86,7 @@
   gEfiCertRsa2048Guid
   gEfiSecureBootEnableDisableGuid
   gEfiCustomModeEnableGuid
+  gEfiVendorKeysNvGuid
   gEfiSystemNvDataFvGuid                        ## CONSUMES
   gEfiCertDbGuid
   gEfiHardwareErrorVariableGuid                 ## SOMETIMES_CONSUMES
