mirror of
https://github.com/acidanthera/audk.git
synced 2025-07-29 00:24:07 +02:00
SecurityPkg: Add EnrollFromDefaultKeys application.
This application allows user to force key enrollment from Secure Boot default variables. Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com> Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com> Reviewed-by: Sunny Wang <sunny.wang@arm.com>
This commit is contained in:
parent
94e065582b
commit
19107590b6
115
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
Normal file
115
SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.c
Normal file
@ -0,0 +1,115 @@
|
||||
/** @file
|
||||
Enroll default PK, KEK, db, dbx.
|
||||
|
||||
Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
|
||||
Copyright (c) 2021, Semihalf All rights reserved.<BR>
|
||||
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
**/
|
||||
|
||||
#include <Guid/AuthenticatedVariableFormat.h> // gEfiCustomModeEnableGuid
|
||||
#include <Guid/GlobalVariable.h> // EFI_SETUP_MODE_NAME
|
||||
#include <Guid/ImageAuthentication.h> // EFI_IMAGE_SECURITY_DATABASE
|
||||
#include <Library/BaseLib.h> // GUID_STRING_LENGTH
|
||||
#include <Library/BaseMemoryLib.h> // CopyGuid()
|
||||
#include <Library/DebugLib.h> // ASSERT()
|
||||
#include <Library/MemoryAllocationLib.h> // FreePool()
|
||||
#include <Library/PrintLib.h> // AsciiSPrint()
|
||||
#include <Library/UefiBootServicesTableLib.h> // gBS
|
||||
#include <Library/UefiLib.h> // AsciiPrint()
|
||||
#include <Library/UefiRuntimeServicesTableLib.h> // gRT
|
||||
#include <Uefi/UefiMultiPhase.h>
|
||||
#include <Library/SecureBootVariableLib.h>
|
||||
#include <Library/SecureBootVariableProvisionLib.h>
|
||||
|
||||
/**
|
||||
Entry point function of this shell application.
|
||||
@param[in] ImageHandle The firmware allocated handle for the EFI image.
|
||||
@param[in] SystemTable A pointer to the EFI System Table.
|
||||
|
||||
@retval 0 The entry point is executed successfully.
|
||||
@retval other Some error occurs when executing this entry point.
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
UefiMain (
|
||||
IN EFI_HANDLE ImageHandle,
|
||||
IN EFI_SYSTEM_TABLE *SystemTable
|
||||
)
|
||||
{
|
||||
EFI_STATUS Status;
|
||||
UINT8 SetupMode;
|
||||
|
||||
Status = GetSetupMode (&SetupMode);
|
||||
if (EFI_ERROR (Status)) {
|
||||
AsciiPrint ("EnrollFromDefaultKeysApp: Cannot get SetupMode variable: %r\n", Status);
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (SetupMode == USER_MODE) {
|
||||
AsciiPrint ("EnrollFromDefaultKeysApp: Skipped - USER_MODE\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
Status = SetSecureBootMode (CUSTOM_SECURE_BOOT_MODE);
|
||||
if (EFI_ERROR (Status)) {
|
||||
AsciiPrint ("EnrollFromDefaultKeysApp: Cannot set CUSTOM_SECURE_BOOT_MODE: %r\n", Status);
|
||||
return 1;
|
||||
}
|
||||
|
||||
Status = EnrollDbFromDefault ();
|
||||
if (EFI_ERROR (Status)) {
|
||||
AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll db: %r\n", Status);
|
||||
goto error;
|
||||
}
|
||||
|
||||
Status = EnrollDbxFromDefault ();
|
||||
if (EFI_ERROR (Status)) {
|
||||
AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbt: %r\n", Status);
|
||||
}
|
||||
|
||||
Status = EnrollDbtFromDefault ();
|
||||
if (EFI_ERROR (Status)) {
|
||||
AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll dbx: %r\n", Status);
|
||||
}
|
||||
|
||||
Status = EnrollKEKFromDefault ();
|
||||
if (EFI_ERROR (Status)) {
|
||||
AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll KEK: %r\n", Status);
|
||||
goto cleardbs;
|
||||
}
|
||||
|
||||
Status = EnrollPKFromDefault ();
|
||||
if (EFI_ERROR (Status)) {
|
||||
AsciiPrint ("EnrollFromDefaultKeysApp: Cannot enroll PK: %r\n", Status);
|
||||
goto clearKEK;
|
||||
}
|
||||
|
||||
Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
|
||||
if (EFI_ERROR (Status)) {
|
||||
AsciiPrint (
|
||||
"EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
|
||||
"Please do it manually, otherwise system can be easily compromised\n"
|
||||
);
|
||||
}
|
||||
return 0;
|
||||
|
||||
clearKEK:
|
||||
DeleteKEK ();
|
||||
|
||||
cleardbs:
|
||||
DeleteDbt ();
|
||||
DeleteDbx ();
|
||||
DeleteDb ();
|
||||
|
||||
error:
|
||||
Status = SetSecureBootMode (STANDARD_SECURE_BOOT_MODE);
|
||||
if (EFI_ERROR (Status)) {
|
||||
AsciiPrint (
|
||||
"EnrollFromDefaultKeysApp: Cannot set CustomMode to STANDARD_SECURE_BOOT_MODE\n"
|
||||
"Please do it manually, otherwise system can be easily compromised\n"
|
||||
);
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
@ -0,0 +1,48 @@
|
||||
## @file
|
||||
# Enroll PK, KEK, db, dbx from Default variables
|
||||
#
|
||||
# Copyright (c) 2021, ARM Ltd. All rights reserved.<BR>
|
||||
# Copyright (c) 2021, Semihalf All rights reserved.<BR>
|
||||
# SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
##
|
||||
|
||||
[Defines]
|
||||
INF_VERSION = 1.28
|
||||
BASE_NAME = EnrollFromDefaultKeysApp
|
||||
FILE_GUID = 6F18CB2F-1293-4BC1-ABB8-35F84C71812E
|
||||
MODULE_TYPE = UEFI_APPLICATION
|
||||
VERSION_STRING = 0.1
|
||||
ENTRY_POINT = UefiMain
|
||||
|
||||
[Sources]
|
||||
EnrollFromDefaultKeysApp.c
|
||||
|
||||
[Packages]
|
||||
MdeModulePkg/MdeModulePkg.dec
|
||||
MdePkg/MdePkg.dec
|
||||
SecurityPkg/SecurityPkg.dec
|
||||
|
||||
[Guids]
|
||||
gEfiCertPkcs7Guid
|
||||
gEfiCertSha256Guid
|
||||
gEfiCertX509Guid
|
||||
gEfiCustomModeEnableGuid
|
||||
gEfiGlobalVariableGuid
|
||||
gEfiImageSecurityDatabaseGuid
|
||||
gEfiSecureBootEnableDisableGuid
|
||||
|
||||
[Protocols]
|
||||
gEfiSmbiosProtocolGuid ## CONSUMES
|
||||
|
||||
[LibraryClasses]
|
||||
BaseLib
|
||||
BaseMemoryLib
|
||||
DebugLib
|
||||
MemoryAllocationLib
|
||||
PrintLib
|
||||
UefiApplicationEntryPoint
|
||||
UefiBootServicesTableLib
|
||||
UefiLib
|
||||
UefiRuntimeServicesTableLib
|
||||
SecureBootVariableLib
|
||||
SecureBootVariableProvisionLib
|
Loading…
x
Reference in New Issue
Block a user