tyler.durden/audk
1
0
Fork 0
mirror of https://github.com/acidanthera/audk.git synced 2025-07-30 00:54:06 +02:00
Code Issues Packages Projects Releases Wiki Activity

SecurityPkg: SecureBootConfigDxe: Support AUTH_2 enrollment to DBX

Browse Source 
Update SecureBootConfigDxe to support AUTH_2 format data enrollment
to DBX.
Free opened file handle resource after exit PK/KEK/DB/DBX/DBT
enrollment page.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
This commit is contained in:
Zhang, Chao B 2017-02-28 10:23:19 +08:00
parent 245e98bfcb
commit 4de754e15f
5 changed files with 338 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
View File

@ -1,7 +1,7 @@
/** @file /** @file
VFR file used by the SecureBoot configuration component. VFR file used by the SecureBoot configuration component.
Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR> Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -446,6 +446,7 @@ formset
label LABEL_END; label LABEL_END;
subtitle text = STRING_TOKEN(STR_NULL); subtitle text = STRING_TOKEN(STR_NULL);
grayoutif ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 3;
string varid = SECUREBOOT_CONFIGURATION.SignatureGuid, string varid = SECUREBOOT_CONFIGURATION.SignatureGuid,
prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID), prompt = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),
help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP), help = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),
@ -454,8 +455,10 @@ formset
minsize = SECURE_BOOT_GUID_SIZE, minsize = SECURE_BOOT_GUID_SIZE,
maxsize = SECURE_BOOT_GUID_SIZE, maxsize = SECURE_BOOT_GUID_SIZE,
endstring; endstring;
endif;
oneof name = SignatureFormatInDbx, disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 1;
oneof name = X509SignatureFormatInDbx,
varid = SECUREBOOT_CONFIGURATION.CertificateFormat, varid = SECUREBOOT_CONFIGURATION.CertificateFormat,
prompt = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), prompt = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT),
help = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP), help = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP),
@ -464,6 +467,21 @@ formset
option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x3, flags = 0; option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x3, flags = 0;
option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x4, flags = 0; option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x4, flags = 0;
endoneof; endoneof;
endif;
disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 2;
text
help = STRING_TOKEN(STR_DBX_PE_IMAGE_FORMAT_HELP), // Help string
text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), // Prompt string
text = STRING_TOKEN(STR_DBX_PE_FORMAT_SHA256); // PE image type
endif;
disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 3;
text
help = STRING_TOKEN(STR_DBX_AUTH_2_FORMAT_HELP), // Help string
text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT), // Prompt string
text = STRING_TOKEN(STR_DBX_AUTH_2_FORMAT); // AUTH_2 image type
endif;
suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 4; suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 4;
checkbox varid = SECUREBOOT_CONFIGURATION.AlwaysRevocation, checkbox varid = SECUREBOOT_CONFIGURATION.AlwaysRevocation,

332
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
View File

@ -96,6 +96,35 @@ CHAR16* mSupportX509Suffix = L"*.cer/der/crt";
SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData = NULL; SECUREBOOT_CONFIG_PRIVATE_DATA *gSecureBootPrivateData = NULL;
/**
This code cleans up enrolled file by closing file & free related resources attached to
enrolled file
@param[in] FileSuffix The suffix of the input certificate file
@retval TRUE It's a DER-encoded certificate.
@retval FALSE It's NOT a DER-encoded certificate.
**/
VOID
CloseEnrolledFile(
IN SECUREBOOT_FILE_CONTEXT *FileContext
)
{
if (FileContext->FHandle != NULL) {
CloseFile (FileContext->FHandle);
FileContext->FHandle = NULL;
}
if (FileContext->FileName != NULL){
FreePool(FileContext->FileName);
FileContext->FileName = NULL;
}
FileContext->FileType = UNKNOWN_FILE_TYPE;
}
/** /**
This code checks if the FileSuffix is one of the possible DER-encoded certificate suffix. This code checks if the FileSuffix is one of the possible DER-encoded certificate suffix.
@ -119,6 +148,61 @@ IsDerEncodeCertificate (
return FALSE; return FALSE;
} }
/**
This code checks if the file content complies with EFI_VARIABLE_AUTHENTICATION_2 format
The function reads file content but won't open/close given FileHandle.
@param[in] FileHandle The FileHandle to be checked
@retval TRUE The content is EFI_VARIABLE_AUTHENTICATION_2 format.
@retval FALSE The content is NOT a EFI_VARIABLE_AUTHENTICATION_2 format.
**/
BOOLEAN
IsAuthentication2Format (
IN EFI_FILE_HANDLE FileHandle
)
{
EFI_STATUS Status;
EFI_VARIABLE_AUTHENTICATION_2 *Auth2;
BOOLEAN IsAuth2Format;
IsAuth2Format = FALSE;
//
// Read the whole file content
//
Status = ReadFileContent(
FileHandle,
(VOID **) &mImageBase,
&mImageSize,
0
);
if (EFI_ERROR (Status)) {
goto ON_EXIT;
}
Auth2 = (EFI_VARIABLE_AUTHENTICATION_2 *)mImageBase;
if (Auth2->AuthInfo.Hdr.wCertificateType != WIN_CERT_TYPE_EFI_GUID) {
goto ON_EXIT;
}
if (CompareGuid(&gEfiCertPkcs7Guid, &Auth2->AuthInfo.CertType)) {
IsAuth2Format = TRUE;
}
ON_EXIT:
//
// Do not close File. simply check file content
//
if (mImageBase != NULL) {
FreePool (mImageBase);
mImageBase = NULL;
}
return IsAuth2Format;
}
/** /**
Set Secure Boot option into variable space. Set Secure Boot option into variable space.
@ -474,10 +558,7 @@ ON_EXIT:
FreePool(PkCert); FreePool(PkCert);
} }
if (Private->FileContext->FHandle != NULL) { CloseEnrolledFile(Private->FileContext);
CloseFile (Private->FileContext->FHandle);
Private->FileContext->FHandle = NULL;
}
return Status; return Status;
} }
@ -654,13 +735,7 @@ EnrollRsa2048ToKek (
ON_EXIT: ON_EXIT:
CloseFile (Private->FileContext->FHandle); CloseEnrolledFile(Private->FileContext);
Private->FileContext->FHandle = NULL;
if (Private->FileContext->FileName != NULL){
FreePool(Private->FileContext->FileName);
Private->FileContext->FileName = NULL;
}
if (Private->SignatureGUID != NULL) { if (Private->SignatureGUID != NULL) {
FreePool (Private->SignatureGUID); FreePool (Private->SignatureGUID);
@ -781,13 +856,7 @@ EnrollX509ToKek (
ON_EXIT: ON_EXIT:
CloseFile (Private->FileContext->FHandle); CloseEnrolledFile(Private->FileContext);
if (Private->FileContext->FileName != NULL){
FreePool(Private->FileContext->FileName);
Private->FileContext->FileName = NULL;
}
Private->FileContext->FHandle = NULL;
if (Private->SignatureGUID != NULL) { if (Private->SignatureGUID != NULL) {
FreePool (Private->SignatureGUID); FreePool (Private->SignatureGUID);
@ -821,7 +890,7 @@ EnrollKeyExchangeKey (
EFI_STATUS Status; EFI_STATUS Status;
UINTN NameLength; UINTN NameLength;
if ((Private->FileContext->FileName == NULL) || (Private->SignatureGUID == NULL)) { if ((Private->FileContext->FHandle == NULL) || (Private->FileContext->FileName == NULL) || (Private->SignatureGUID == NULL)) {
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
@ -844,6 +913,11 @@ EnrollKeyExchangeKey (
} else if (CompareMem (FilePostFix, L".pbk",4) == 0) { } else if (CompareMem (FilePostFix, L".pbk",4) == 0) {
return EnrollRsa2048ToKek (Private); return EnrollRsa2048ToKek (Private);
} else { } else {
//
// File type is wrong, simply close it
//
CloseEnrolledFile(Private->FileContext);
return EFI_INVALID_PARAMETER; return EFI_INVALID_PARAMETER;
} }
} }
@ -955,13 +1029,7 @@ EnrollX509toSigDB (
ON_EXIT: ON_EXIT:
CloseFile (Private->FileContext->FHandle); CloseEnrolledFile(Private->FileContext);
if (Private->FileContext->FileName != NULL){
FreePool(Private->FileContext->FileName);
Private->FileContext->FileName = NULL;
}
Private->FileContext->FHandle = NULL;
if (Private->SignatureGUID != NULL) { if (Private->SignatureGUID != NULL) {
FreePool (Private->SignatureGUID); FreePool (Private->SignatureGUID);
@ -1519,13 +1587,8 @@ EnrollX509HashtoSigDB (
} }
ON_EXIT: ON_EXIT:
CloseFile (Private->FileContext->FHandle);
if (Private->FileContext->FileName != NULL){
FreePool(Private->FileContext->FileName);
Private->FileContext->FileName = NULL;
}
Private->FileContext->FHandle = NULL; CloseEnrolledFile(Private->FileContext);
if (Private->SignatureGUID != NULL) { if (Private->SignatureGUID != NULL) {
FreePool (Private->SignatureGUID); FreePool (Private->SignatureGUID);
@ -2066,6 +2129,107 @@ HashPeImageByType (
return EFI_SUCCESS; return EFI_SUCCESS;
} }
/**
Enroll a new executable's signature into Signature Database.
@param[in] PrivateData The module's private data.
@param[in] VariableName Variable name of signature database, must be
EFI_IMAGE_SECURITY_DATABASE, EFI_IMAGE_SECURITY_DATABASE1
or EFI_IMAGE_SECURITY_DATABASE2.
@retval EFI_SUCCESS New signature is enrolled successfully.
@retval EFI_INVALID_PARAMETER The parameter is invalid.
@retval EFI_UNSUPPORTED Unsupported command.
@retval EFI_OUT_OF_RESOURCES Could not allocate needed resources.
**/
EFI_STATUS
EnrollAuthentication2Descriptor (
IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
IN CHAR16 *VariableName
)
{
EFI_STATUS Status;
VOID *Data;
UINTN DataSize;
UINT32 Attr;
Data = NULL;
//
// DBT only support DER-X509 Cert Enrollment
//
if (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE2) == 0) {
return EFI_UNSUPPORTED;
}
//
// Read the whole file content
//
Status = ReadFileContent(
Private->FileContext->FHandle,
(VOID **) &mImageBase,
&mImageSize,
0
);
if (EFI_ERROR (Status)) {
goto ON_EXIT;
}
ASSERT (mImageBase != NULL);
Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS
| EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
//
// Check if SigDB variable has been already existed.
// If true, use EFI_VARIABLE_APPEND_WRITE attribute to append the
// new signature data to original variable
//
DataSize = 0;
Status = gRT->GetVariable(
VariableName,
&gEfiImageSecurityDatabaseGuid,
NULL,
&DataSize,
NULL
);
if (Status == EFI_BUFFER_TOO_SMALL) {
Attr |= EFI_VARIABLE_APPEND_WRITE;
} else if (Status != EFI_NOT_FOUND) {
goto ON_EXIT;
}
//
// Diretly set AUTHENTICATION_2 data to SetVariable
//
Status = gRT->SetVariable(
VariableName,
&gEfiImageSecurityDatabaseGuid,
Attr,
mImageSize,
mImageBase
);
DEBUG((DEBUG_INFO, "Enroll AUTH_2 data to Var:%s Status: %x\n", VariableName, Status));
ON_EXIT:
CloseEnrolledFile(Private->FileContext);
if (Data != NULL) {
FreePool (Data);
}
if (mImageBase != NULL) {
FreePool (mImageBase);
mImageBase = NULL;
}
return Status;
}
/** /**
Enroll a new executable's signature into Signature Database. Enroll a new executable's signature into Signature Database.
@ -2235,13 +2399,7 @@ EnrollImageSignatureToSigDB (
ON_EXIT: ON_EXIT:
CloseFile (Private->FileContext->FHandle); CloseEnrolledFile(Private->FileContext);
Private->FileContext->FHandle = NULL;
if (Private->FileContext->FileName != NULL){
FreePool(Private->FileContext->FileName);
Private->FileContext->FileName = NULL;
}
if (Private->SignatureGUID != NULL) { if (Private->SignatureGUID != NULL) {
FreePool (Private->SignatureGUID); FreePool (Private->SignatureGUID);
@ -2305,9 +2463,11 @@ EnrollSignatureDatabase (
// Supports DER-encoded X509 certificate. // Supports DER-encoded X509 certificate.
// //
return EnrollX509toSigDB (Private, VariableName); return EnrollX509toSigDB (Private, VariableName);
} } else if (IsAuthentication2Format(Private->FileContext->FHandle)){
return EnrollAuthentication2Descriptor(Private, VariableName);
} else {
return EnrollImageSignatureToSigDB (Private, VariableName); return EnrollImageSignatureToSigDB (Private, VariableName);
}
} }
/** /**
@ -2936,11 +3096,13 @@ UpdateSecureBootString(
/** /**
This function extracts configuration from variable. This function extracts configuration from variable.
@param[in] Private Point to SecureBoot configuration driver private data.
@param[in, out] ConfigData Point to SecureBoot configuration private data. @param[in, out] ConfigData Point to SecureBoot configuration private data.
**/ **/
VOID VOID
SecureBootExtractConfigFromVariable ( SecureBootExtractConfigFromVariable (
IN SECUREBOOT_CONFIG_PRIVATE_DATA *Private,
IN OUT SECUREBOOT_CONFIGURATION *ConfigData IN OUT SECUREBOOT_CONFIGURATION *ConfigData
) )
{ {
@ -2965,7 +3127,11 @@ SecureBootExtractConfigFromVariable (
ConfigData->RevocationTime.Hour = CurrTime.Hour; ConfigData->RevocationTime.Hour = CurrTime.Hour;
ConfigData->RevocationTime.Minute = CurrTime.Minute; ConfigData->RevocationTime.Minute = CurrTime.Minute;
ConfigData->RevocationTime.Second = 0; ConfigData->RevocationTime.Second = 0;
if (Private->FileContext->FHandle != NULL) {
ConfigData->FileEnrollType = Private->FileContext->FileType;
} else {
ConfigData->FileEnrollType = UNKNOWN_FILE_TYPE;
}
// //
// If it is Physical Presence User, set the PhysicalPresent to true. // If it is Physical Presence User, set the PhysicalPresent to true.
@ -3088,10 +3254,12 @@ SecureBootExtractConfig (
return EFI_NOT_FOUND; return EFI_NOT_FOUND;
} }
ZeroMem(&Configuration, sizeof(SECUREBOOT_CONFIGURATION));
// //
// Get Configuration from Variable. // Get Configuration from Variable.
// //
SecureBootExtractConfigFromVariable (&Configuration); SecureBootExtractConfigFromVariable (PrivateData, &Configuration);
BufferSize = sizeof (SECUREBOOT_CONFIGURATION); BufferSize = sizeof (SECUREBOOT_CONFIGURATION);
ConfigRequest = Request; ConfigRequest = Request;
@ -3168,6 +3336,7 @@ SecureBootRouteConfig (
{ {
SECUREBOOT_CONFIGURATION IfrNvData; SECUREBOOT_CONFIGURATION IfrNvData;
UINTN BufferSize; UINTN BufferSize;
SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
EFI_STATUS Status; EFI_STATUS Status;
if (Configuration == NULL || Progress == NULL) { if (Configuration == NULL || Progress == NULL) {
@ -3179,10 +3348,12 @@ SecureBootRouteConfig (
return EFI_NOT_FOUND; return EFI_NOT_FOUND;
} }
PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
// //
// Get Configuration from Variable. // Get Configuration from Variable.
// //
SecureBootExtractConfigFromVariable (&IfrNvData); SecureBootExtractConfigFromVariable (PrivateData, &IfrNvData);
// //
// Map the Configuration to the configuration block. // Map the Configuration to the configuration block.
@ -3259,6 +3430,9 @@ SecureBootCallback (
UINT8 *SetupMode; UINT8 *SetupMode;
CHAR16 PromptString[100]; CHAR16 PromptString[100];
EFI_DEVICE_PATH_PROTOCOL *File; EFI_DEVICE_PATH_PROTOCOL *File;
UINTN NameLength;
UINT16 *FilePostFix;
SECUREBOOT_CONFIG_PRIVATE_DATA *PrivateData;
Status = EFI_SUCCESS; Status = EFI_SUCCESS;
SecureBootEnable = NULL; SecureBootEnable = NULL;
@ -3291,8 +3465,20 @@ SecureBootCallback (
// Update secure boot strings when opening this form // Update secure boot strings when opening this form
// //
Status = UpdateSecureBootString(Private); Status = UpdateSecureBootString(Private);
SecureBootExtractConfigFromVariable (IfrNvData); SecureBootExtractConfigFromVariable (Private, IfrNvData);
mIsEnterSecureBootForm = TRUE; mIsEnterSecureBootForm = TRUE;
} else {
//
// When entering SecureBoot OPTION Form
// always close opened file & free resource
//
if ((QuestionId == KEY_SECURE_BOOT_PK_OPTION) ||
(QuestionId == KEY_SECURE_BOOT_KEK_OPTION) ||
(QuestionId == KEY_SECURE_BOOT_DB_OPTION) ||
(QuestionId == KEY_SECURE_BOOT_DBX_OPTION) ||
(QuestionId == KEY_SECURE_BOOT_DBT_OPTION)) {
CloseEnrolledFile(Private->FileContext);
}
} }
goto EXIT; goto EXIT;
} }
@ -3346,6 +3532,7 @@ SecureBootCallback (
case KEY_SECURE_BOOT_DB_OPTION: case KEY_SECURE_BOOT_DB_OPTION:
case KEY_SECURE_BOOT_DBX_OPTION: case KEY_SECURE_BOOT_DBX_OPTION:
case KEY_SECURE_BOOT_DBT_OPTION: case KEY_SECURE_BOOT_DBT_OPTION:
PrivateData = SECUREBOOT_CONFIG_PRIVATE_FROM_THIS (This);
// //
// Clear Signature GUID. // Clear Signature GUID.
// //
@ -3357,6 +3544,11 @@ SecureBootCallback (
} }
} }
//
// Cleanup VFRData once leaving PK/KEK/DB/DBX/DBT enroll/delete page
//
SecureBootExtractConfigFromVariable (PrivateData, IfrNvData);
if (QuestionId == KEY_SECURE_BOOT_DB_OPTION) { if (QuestionId == KEY_SECURE_BOOT_DB_OPTION) {
LabelId = SECUREBOOT_ENROLL_SIGNATURE_TO_DB; LabelId = SECUREBOOT_ENROLL_SIGNATURE_TO_DB;
} else if (QuestionId == KEY_SECURE_BOOT_DBX_OPTION) { } else if (QuestionId == KEY_SECURE_BOOT_DBX_OPTION) {
@ -3394,6 +3586,38 @@ SecureBootCallback (
case SECUREBOOT_ENROLL_SIGNATURE_TO_DBX: case SECUREBOOT_ENROLL_SIGNATURE_TO_DBX:
ChooseFile (NULL, NULL, UpdateDBXFromFile, &File); ChooseFile (NULL, NULL, UpdateDBXFromFile, &File);
if (Private->FileContext->FHandle != NULL) {
//
// Parse the file's postfix.
//
NameLength = StrLen (Private->FileContext->FileName);
if (NameLength <= 4) {
return FALSE;
}
FilePostFix = Private->FileContext->FileName + NameLength - 4;
if (IsDerEncodeCertificate (FilePostFix)) {
//
// Supports DER-encoded X509 certificate.
//
IfrNvData->FileEnrollType = X509_CERT_FILE_TYPE;
} else if (IsAuthentication2Format(Private->FileContext->FHandle)){
IfrNvData->FileEnrollType = AUTHENTICATION_2_FILE_TYPE;
} else {
IfrNvData->FileEnrollType = PE_IMAGE_FILE_TYPE;
}
Private->FileContext->FileType = IfrNvData->FileEnrollType;
//
// Clean up Certificate Format if File type is not X509 DER
//
if (IfrNvData->FileEnrollType != X509_CERT_FILE_TYPE) {
IfrNvData->CertificateFormat = HASHALG_RAW;
}
DEBUG((DEBUG_ERROR, "IfrNvData->FileEnrollType %d\n", Private->FileContext->FileType));
}
break; break;
case SECUREBOOT_ENROLL_SIGNATURE_TO_DBT: case SECUREBOOT_ENROLL_SIGNATURE_TO_DBT:
@ -3503,6 +3727,11 @@ SecureBootCallback (
L"Enrollment failed! Same certificate had already been in the dbx!", L"Enrollment failed! Same certificate had already been in the dbx!",
NULL NULL
); );
//
// Cert already exists in DBX. Close opened file before exit.
//
CloseEnrolledFile(Private->FileContext);
break; break;
} }
@ -3514,6 +3743,7 @@ SecureBootCallback (
&IfrNvData->RevocationTime, &IfrNvData->RevocationTime,
IfrNvData->AlwaysRevocation IfrNvData->AlwaysRevocation
); );
IfrNvData->CertificateFormat = HASHALG_RAW;
} else { } else {
Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE1); Status = EnrollSignatureDatabase (Private, EFI_IMAGE_SECURITY_DATABASE1);
} }
@ -3522,7 +3752,7 @@ SecureBootCallback (
EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
&Key, &Key,
L"ERROR: Unsupported file type!", L"ERROR: Unsupported file type!",
L"Only supports DER-encoded X509 certificate and executable EFI image", L"Only supports DER-encoded X509 certificate, AUTH_2 format data & executable EFI image",
NULL NULL
); );
} }
@ -3603,14 +3833,7 @@ SecureBootCallback (
case KEY_VALUE_NO_SAVE_AND_EXIT_DB: case KEY_VALUE_NO_SAVE_AND_EXIT_DB:
case KEY_VALUE_NO_SAVE_AND_EXIT_DBX: case KEY_VALUE_NO_SAVE_AND_EXIT_DBX:
case KEY_VALUE_NO_SAVE_AND_EXIT_DBT: case KEY_VALUE_NO_SAVE_AND_EXIT_DBT:
if (Private->FileContext->FHandle != NULL) { CloseEnrolledFile(Private->FileContext);
CloseFile (Private->FileContext->FHandle);
Private->FileContext->FHandle = NULL;
if (Private->FileContext->FileName!= NULL){
FreePool(Private->FileContext->FileName);
Private->FileContext->FileName = NULL;
}
}
if (Private->SignatureGUID != NULL) { if (Private->SignatureGUID != NULL) {
FreePool (Private->SignatureGUID); FreePool (Private->SignatureGUID);
@ -3639,7 +3862,6 @@ SecureBootCallback (
*ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY; *ActionRequest = EFI_BROWSER_ACTION_REQUEST_FORM_APPLY;
break; break;
case KEY_SECURE_BOOT_DELETE_PK: case KEY_SECURE_BOOT_DELETE_PK:
GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL); GetVariable2 (EFI_SETUP_MODE_NAME, &gEfiGlobalVariableGuid, (VOID**)&SetupMode, NULL);
if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) { if (SetupMode == NULL || (*SetupMode) == SETUP_MODE) {

2
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.h
View File

@ -47,6 +47,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Guid/FileSystemVolumeLabelInfo.h> #include <Guid/FileSystemVolumeLabelInfo.h>
#include <Guid/ImageAuthentication.h> #include <Guid/ImageAuthentication.h>
#include <Guid/FileInfo.h> #include <Guid/FileInfo.h>
#include <Guid/WinCertificate.h>
#include "SecureBootConfigNvData.h" #include "SecureBootConfigNvData.h"
@ -108,6 +109,7 @@ typedef struct {
typedef struct { typedef struct {
EFI_FILE_HANDLE FHandle; EFI_FILE_HANDLE FHandle;
UINT16 *FileName; UINT16 *FileName;
UINT8 FileType;
} SECUREBOOT_FILE_CONTEXT; } SECUREBOOT_FILE_CONTEXT;

7
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigNvData.h
View File

@ -1,7 +1,7 @@
/** @file /** @file
Header file for NV data structure definition. Header file for NV data structure definition.
Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR> Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -107,6 +107,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#define SECURE_BOOT_GUID_SIZE 36 #define SECURE_BOOT_GUID_SIZE 36
#define SECURE_BOOT_GUID_STORAGE_SIZE 37 #define SECURE_BOOT_GUID_STORAGE_SIZE 37
#define UNKNOWN_FILE_TYPE 0
#define X509_CERT_FILE_TYPE 1
#define PE_IMAGE_FILE_TYPE 2
#define AUTHENTICATION_2_FILE_TYPE 3
// //
// Nv Data structure referenced by IFR // Nv Data structure referenced by IFR
@ -123,6 +127,7 @@ typedef struct {
UINT8 CertificateFormat; // The type of the certificate UINT8 CertificateFormat; // The type of the certificate
EFI_HII_DATE RevocationDate; // The revocation date of the certificate EFI_HII_DATE RevocationDate; // The revocation date of the certificate
EFI_HII_TIME RevocationTime; // The revocation time of the certificate EFI_HII_TIME RevocationTime; // The revocation time of the certificate
UINT8 FileEnrollType; // File type of sigunature enroll
} SECUREBOOT_CONFIGURATION; } SECUREBOOT_CONFIGURATION;
#endif #endif

19
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigStrings.uni
View File

@ -1,7 +1,7 @@
/** @file /** @file
String definitions for Secure Boot Configuration form. String definitions for Secure Boot Configuration form.
Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR> Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -18,6 +18,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#string STR_SECUREBOOT_HELP #language en-US "Press <Enter> to select Secure Boot options." #string STR_SECUREBOOT_HELP #language en-US "Press <Enter> to select Secure Boot options."
#string STR_NULL #language en-US "" #string STR_NULL #language en-US ""
#string STR_DBX_SUBTITLE_TEXT #language en-US ""
#string STR_SECURE_BOOT_STATE_PROMPT #language en-US "Current Secure Boot State" #string STR_SECURE_BOOT_STATE_PROMPT #language en-US "Current Secure Boot State"
#string STR_SECURE_BOOT_STATE_HELP #language en-US "Current Secure Boot state: enabled or disabled." #string STR_SECURE_BOOT_STATE_HELP #language en-US "Current Secure Boot state: enabled or disabled."
@ -34,11 +35,17 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#string STR_SECURE_BOOT_ADD_SIGNATURE_FILE #language en-US "Enroll Signature Using File" #string STR_SECURE_BOOT_ADD_SIGNATURE_FILE #language en-US "Enroll Signature Using File"
#string STR_DBX_CERTIFICATE_FORMAT_PROMPT #language en-US "Signature Format" #string STR_DBX_CERTIFICATE_FORMAT_PROMPT #language en-US "Signature Format"
#string STR_DBX_CERTIFICATE_FORMAT_HELP #language en-US "Select the certificate format used to enroll certificate into database." #string STR_DBX_CERTIFICATE_FORMAT_HELP #language en-US "X509 DER-Cert enrolled. Select different option to enroll it into DBX."
#string STR_DBX_CERTIFICATE_FORMAT_SHA256 #language en-US "SHA256" #string STR_DBX_CERTIFICATE_FORMAT_SHA256 #language en-US "X509 CERT SHA256"
#string STR_DBX_CERTIFICATE_FORMAT_SHA384 #language en-US "SHA384" #string STR_DBX_CERTIFICATE_FORMAT_SHA384 #language en-US "X509 CERT SHA384"
#string STR_DBX_CERTIFICATE_FORMAT_SHA512 #language en-US "SHA512" #string STR_DBX_CERTIFICATE_FORMAT_SHA512 #language en-US "X509 CERT SHA512"
#string STR_DBX_CERTIFICATE_FORMAT_RAW #language en-US "RAW" #string STR_DBX_CERTIFICATE_FORMAT_RAW #language en-US "X509 CERT"
#string STR_DBX_PE_IMAGE_FORMAT_HELP #language en-US "PE image enrolled. Use SHA256 hash to enroll it into DBX"
#string STR_DBX_PE_FORMAT_SHA256 #language en-US "PE Image SHA256"
#string STR_DBX_AUTH_2_FORMAT_HELP #language en-US "VARIABLE_AUTHENICATION_2 binary enrolled. Use raw binary to enroll it into DBX"
#string STR_DBX_AUTH_2_FORMAT #language en-US "VARIABLE_AUTHENICATION_2"
#string STR_CERTIFICATE_REVOCATION_TIME_PROMPT #language en-US " Revocation Time" #string STR_CERTIFICATE_REVOCATION_TIME_PROMPT #language en-US " Revocation Time"
#string STR_CERTIFICATE_REVOCATION_TIME_HELP #language en-US "Input the revocation time of the certificate" #string STR_CERTIFICATE_REVOCATION_TIME_HELP #language en-US "Input the revocation time of the certificate"